
Security Without Guesswork: Calculating and Reducing Residual Risk

  • June 26, 2025

We’re staunch believers in the adage:

“You can’t manage what you don’t measure.” 

It's not surprising that one of the top priorities we’re hearing from security leaders this year is how they can gain a better understanding of residual risk. Attackers are shifting targets and evolving their tactics, techniques, and procedures (TTPs) quickly, which makes it difficult to know if the defenses currently in place are effective against the threats that matter to the organization. 

Making an educated guess as to whether you’re protected and, if not, what to do about it is not an effective strategy. Security is complex, and most teams don’t have the data and systems in place to pinpoint where they have exposure and how to efficiently invest their time and money to address gaps in defensive coverage. 

Continuous Threat Exposure Management (CTEM) focuses on the challenge of tackling the exposures that most threaten the business. It’s a strategy that has been capturing security leaders’ attention as Gartner estimates CTEM can help organizations reduce breaches by two-thirds over the next two years.  

Tidal Cyber’s top-down approach to CTEM provides a practical and accurate way for defenders to measure residual risk and manage exposure. The Tidal Cyber platform organizes and synthesizes threat and defensive intelligence, automates the process to calculate residual risk, and provides recommendations for how to prioritize security operations and investments.  

The Tidal Cyber Enterprise Edition platform provides security teams with:

  • A deep understanding of relevant threats 
  • Granular visibility into defensive capabilities as they are deployed
  • A clear picture of residual risk and recommendations for risk reduction

Understanding the Threat

The MITRE ATT&CK® knowledge base is the foundation for how we categorize threats, supplemented with additional threat intelligence to deliver the most complete view of the threat possible. The Tidal Cyber platform continually collects, evaluates, and maps open-source intel, and integrates with customer-provided threat intel and multiple threat intel providers. Our AI-driven mapping of threat behavior to ATT&CK techniques, alongside technical details for how they are implemented, takes this even further.

We believe the next leap in threat understanding comes from capturing and contextualizing the specific ways adversaries operationalize these techniques, providing defenders with even deeper technical fidelity. This direction informs our ongoing development and reflects our commitment to delivering actionable, relevant threat intelligence.

We create Threat Profiles specific to your sector and weight techniques based on risks that matter to you. Informed by reported threat activity, behaviors are automatically prioritized and reprioritized based on relevance to the organization to ensure these residual risk calculations reflect actual risk to your organization.

Visibility into Defensive Capabilities 

It isn’t unusual for each individual security tool to have a thousand or more distinct defensive capabilities. We work with vendors to aggregate and maintain a detailed database of product capabilities and what those capabilities do (i.e., mitigate, protect, detect, log, respond, test). We then assign a level of risk reduction to each capability based on the capability type.

You want to make sure you are accounting for every defensive capability you have. The platform integrates via read-only API with your security platforms to pull configuration data that lets us know which of those thousands of capabilities are configured “on,” and which are still dormant. 

Our deep ATT&CK domain expertise gives us insight into which adversary techniques and sub-techniques are mitigated by each of those capabilities (typically several techniques per capability). Sometimes, even if a capability is dormant, another security tool in your stack could be filling the gap. Stacking defenses as they are deployed on a capability-by-capability basis provides an aggregate understanding of coverage.

A Clear Picture of Residual Risk and Reduction

The final step is to map Threat Profiles and Defensive Stacks to create Coverage Maps that show how well you are defended against a given technique, campaign, adversary group, or portfolio of adversary groups. The Tidal Cyber Enterprise Edition platform calculates a confidence score for an accurate measure of your residual risk. 

You get a rank-ordered list of dormant capabilities to see what to enable to maximize the reduction of residual risk. If the recommendation is to consider adding a new tool, you have the justification you need to build a case for additional investment to fill a gap. You may even be able to show that there’s an opportunity to eliminate redundancies or retire tools and reallocate funds.

Finally, every time a threat or a defensive capability changes, not only does your residual risk recalculate but the prioritized list of recommended actions also changes automatically. 
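To make the workflow above concrete, here is an added illustration (not Tidal Cyber's scoring model or code) that stacks enabled capabilities per ATT&CK technique, computes a weighted residual risk, and ranks dormant capabilities by how much enabling each would reduce it. The per-type reduction values, the multiplicative stacking rule, the technique weights, and the capability names are all assumptions constructed for the example.

```python
from dataclasses import dataclass, replace

# Assumed risk reduction per capability type (illustrative values only).
REDUCTION = {"protect": 0.6, "mitigate": 0.5, "detect": 0.4,
             "respond": 0.3, "test": 0.1, "log": 0.1}

@dataclass(frozen=True)
class Capability:
    name: str
    kind: str            # one of the capability types in REDUCTION
    techniques: tuple    # ATT&CK technique IDs the capability addresses
    enabled: bool        # configured "on" vs. dormant

# Constructed threat profile: ATT&CK technique ID -> relevance weight.
PROFILE = {"T1566": 5, "T1059": 3, "T1078": 4, "T1486": 2}

# Constructed defensive stack; product and capability names are hypothetical.
STACK = [
    Capability("mail-gw: attachment sandbox", "protect", ("T1566",), True),
    Capability("edr: script block rule", "protect", ("T1059",), False),
    Capability("edr: ransomware rollback", "respond", ("T1486",), True),
    Capability("idp: impossible-travel alert", "detect", ("T1078",), False),
    Capability("siem: auth log ingestion", "log", ("T1078", "T1059"), True),
    Capability("edr: script telemetry alert", "detect", ("T1059", "T1566"), False),
]

def technique_residual(tid, stack):
    """Exposure left on one technique; enabled layers stack multiplicatively."""
    residual = 1.0
    for cap in stack:
        if cap.enabled and tid in cap.techniques:
            residual *= 1.0 - REDUCTION[cap.kind]
    return residual

def residual_risk(profile, stack):
    """Weighted mean of per-technique residuals, 0 (covered) to 1 (exposed)."""
    total = sum(profile.values())
    return sum(w * technique_residual(t, stack) for t, w in profile.items()) / total

def rank_dormant(profile, stack):
    """Dormant capabilities ordered by the residual-risk drop from enabling each."""
    base = residual_risk(profile, stack)
    gains = []
    for i, cap in enumerate(stack):
        if not cap.enabled:
            trial = stack[:i] + [replace(cap, enabled=True)] + stack[i + 1:]
            gains.append((cap.name, round(base - residual_risk(profile, trial), 4)))
    return sorted(gains, key=lambda g: g[1], reverse=True)

if __name__ == "__main__":
    print(f"residual risk: {residual_risk(PROFILE, STACK):.4f}")
    for name, gain in rank_dormant(PROFILE, STACK):
        print(f"  enable {name!r}: -{gain}")
```

With this sample data the dormant detection capability outranks the dormant protection rule because it spans two weighted techniques, which is why ranking has to be done against the whole profile rather than per capability type.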

If understanding your organization’s residual risk is a priority, we’d be happy to show you how Tidal Cyber can help.

 
