Core to Tidal Cyber’s mission is empowering organizations big and small to adopt threat-informed defense and give them confidence they are prepared to defend themselves against the threats that are most likely to target them. In addition to Tidal’s threat-informed defense platform, we also offer services designed to help accelerate an organization’s adoption of threat-informed defense.
The Tidal Threat-Informed Assessment works with the customer to understand their processes, threats, and solutions. A key aspect to any assessment is understanding how solutions map to MITRE ATT&CK®, both from a capability and data perspective. Transparency around ATT&CK is often challenging, simply because the right questions aren’t being asked. Tidal utilizes its deep expertise and relationships with solution providers to improve this transparency, and we then develop your custom Tidal Confidence Score™ to let you know exactly where you stand. Finally, utilizing your as-is state, Tidal leverages its large knowledge base of defensive solutions to identify near-term improvements to increase your Confidence Score. At the conclusion of the engagement, you can consider yourself threat-informed, and in a position to continually evolve and improve your defenses.
Covering the History of Coverage
ATT&CK Coverage is a concept that in many ways predates ATT&CK itself. Back when I was at MITRE, we were researching post-exploit detection. I was developing analytics with a team of researchers using new technology, and a red team was coming in to validate them. You can read more on these early days of ATT&CK and threat-informed defense in a blog I wrote earlier this year. Something we were missing at the time was a way of communicating results to leadership. What emerged was an early version of ATT&CK, which happened to live in an Excel spreadsheet as any good tool does, and the natural next step was coloring it in with red, yellow, green to show how we performed.
As ATT&CK gained in popularity, this stoplight chart became a primary use case and gained a formal name, “ATT&CK Coverage.” ATT&CK Coverage was used to describe everything from vendor capabilities (as talked about in our Product Registry announcement blog and subsequent “We Got This Covered” fireside chat series) to an entire enterprise’s security stack.
With this effective communication device came misuse and overgeneralization. Users and marketing alike started to strive for “all green”, so they could declare the problem solved. This is an overly aggressive goal to shoot for, for multiple reasons. There are simply too many ever-changing techniques and variations, and so-called procedures, to make “all green” credible. Additionally, what is the right level of defense? What “green” means comes into question, and even in the best of circumstances delivers a false sense of security.
This doesn’t mean ATT&CK Coverage visualizations and calculations aren’t useful. They are still effective, as they always have been, at summarizing how your defenses align to your threats at a high level and showing where you have gaps and where you have strengths. But you need to strike the balance between over-generalization and diminished value on accuracy. Figuring out the balance can be hard, and this is a main driver for why we founded Tidal Cyber.
A New Way of Defining Coverage
The challenge with existing methods of measuring coverage is that there is a lack of granularity. Coverage isn’t as simple as yes or no, green or red. Instead, we need to look at your defense in-depth and take into account what threats matter more than others.
When Tidal looks at coverage, we look at it through the lens of confidence. This confidence needs to be driven by the capabilities you have, the data you are collecting, and the tests that you are running. It must recognize that all techniques are not created equal, let alone every threat. In that same vein, not every technique needs a protection capability, let alone an alert or detection.
We are working to move beyond the infamous ATT&CK stoplight chart and instead give it depth and context with a confidence score that provides clear understanding and actionable results. It’s your way of tracking your threat-informed progress, ensuring recommendations are meaningful to address your gaps, and understanding the relative value of the solutions you have towards defending your organization against the threats most relevant to you.
Tidal’s Got You Covered
At Tidal, our mission is to make threat-informed defense both practical and sustainable. This means giving users the tools and the data they need so that they can understand what threats matter to them, how they are able to defend against them, and what they can do to improve. Practical and sustainable are key words. We want to make ATT&CK more accessible and coverage mean something to the end user.
Requiring everyone to be an expert in ATT&CK to leverage the benefits of threat-informed defense isn’t practical. At Tidal, we offer both services and products that will help organizations improve their ability to be threat-informed, but that’s only part of our mission. We also want to be able to help the global user community extend the great things that ATT&CK and its practitioners have been doing for years. We created the Tidal Platform and the Tidal Product Registry™ to help users and enterprises adopt threat-informed defense, and now our Threat-Informed Assessments will help organizations jump start their threat-informed defense journey. Use the button below to schedule a call with us to learn more about these assessments.
