Published on: May 13, 2024
SafetyDetectives is recently had the pleasure of a Q&A with Rick Gordon, CEO of Tidal Cyber. Bringing over 25 years of experience in technology investing and cybersecurity, Rick co-founded Tidal Cyber to address the pressing need for Threat-Informed Defense strategies in today’s complex cyber landscape. Prior to Tidal Cyber, Rick served as the Managing Director of Programs at MITRE Engenuity, contributing significantly to initiatives like the Center for Threat Informed Defense. In this interview, Rick dives into the origins and ambitions of Tidal Cyber, detailing how their innovative approach is transforming enterprise cybersecurity. Join us as we explore the integration of the MITRE ATT&CK framework into Tidal Cyber’s services and discover the latest advancements they are bringing to the cybersecurity industry.
Thank you for your time, can you start by sharing a bit about yourself and what inspired you to co-found Tidal Cyber?
Sure thing. I’m currently the CEO of Tidal Cyber, which was built to more efficiently bring Threat-Informed Defense to enterprises. My career has been focused on technology investing and early-stage venture development, with more than 25 years of experience in providing organizations with strategic growth as well. Before all of this, I served as a submarine officer in the U.S. Navy after receiving my MBA from the University of Virginia and a B.S. in engineering from the U.S. Naval Academy.
More relevant, ahead of co-founding Tidal Cyber, I served as MITRE’s Managing Director of Programs, leading programs for MITRE Engenuity, a tech foundation for public good dedicated to solving problems for a safer world. In this role, I was responsible for the growth and operation of multiple initiatives, including the Center for Threat Informed Defense (CTID), ATT&CK® Evaluations, and MITRE ATT&CK® Defender (MAD) Training.
My co-founders, who also hail from MITRE, and I were inspired to build Tidal Cyber because we understood there was a need for a platform that makes the benefits of Threat-Informed Defense easier to achieve and sustain. Threat intelligence has not historically been democratized or easy to access and implement. The release of the MITRE ATT&CK framework created a language for how we all could share threat intelligence in a standardized way, and our mission was to make it practical and operational for all enterprises to adopt MITRE ATT&CK.
What sparked the initial concept behind Tidal Cyber’s Threat-Informed Defense strategy
Simply: enterprises needed an easier way to verify the coverage of their existing defenses against attacker TTPs and other defensive and threat intelligence types. Threat-Informed Defense involves knowing adversary behaviors and implementing that intelligence into your security program through architecture, threat hunting, SecOps, detection Engineering and more. It used to be a challenge to integrate cyber threat intelligence (CTI) into these programs because there wasn’t a clear structure on how to do so – the insights were not framed in an actionable way.
We built our Threat-Informed Defense platform to provide tangible insight into how a company’s defenses compare with the tactics, methods and attacks that are targeting their system so that they can know they are safe and are getting the most out of their existing security stack. We’ve taken a two-pronged approach with this: a Community Edition that helps users get the basic details they need to inform their decisions, and an Enterprise Edition that allows organizations to truly optimize and prioritize the defensive decisions against the information we provide.
Can you explain how the MITRE ATT&CK framework integrates into your services and why it’s crucial for your clients?
As most know, MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge base enables organizations to classify and analyze cyberattacks and develop threat models and defense strategies accordingly.
We compile and leverage the intelligence within the MITRE ATT&CK knowledge base, along with additional open-source intelligence, into accessible and understandable frameworks. We then enable organizations to evaluate how well they detect vulnerabilities or weaknesses by mapping out how a company’s security stack covers them against the types of adversary tactics, techniques and procedures (TTPs) laid out in these knowledge bases, so they make better-informed security decisions and design strategic defense programs. Our relationship with MITRE is important, too, and we have a good partnership, and are even part of their Benefactor Program to specifically support the work they do around ATT&CK.
I understand you’ve released enhancements to the Enterprise Edition platform, what key features should customers be most excited about and how do these new enhancements help organizations measure and improve their cyber defenses more effectively?
Our new enhancements offer more powerful customizations and integrations that improve data-driven defense against adversaries.
At the forefront of these enhancements are continual ATT&CK assessments, confidence scoring and recommendations for improving defensive efforts, all of which provide customers with increased confidence in their protection and in the efficacy of the required controls they’ve implemented. These capabilities and controls are customizable through user-defined extensions to ATT&CK, allowing users to tailor ATT&CK to their own business.
Our Get CTI integration expands ATT&CK capabilities and visibility across existing defensive stacks, allowing users to create or edit threat object(s) in their Tidal Cyber knowledge base, predicated on other CTI sources, such as threat intelligence platforms (TIPs) or content repositories. Building on this visibility, users will gain immediate insights into how their security solutions are performing, along with recommendations for improving defenses. This guidance is powered by our Vendor Registry, which now maps to nearly 100 security vendors.
Ultimately, we’re enabling organizations to prioritize what they test in their security stacks, leading to increased confidence in defensive capabilities and controls; better customization of user-defined extensions to ATT&CK based on detailed coverage mapping; flexibility and power to expand ATT&CK capabilities and visibility across existing defensive stacks; and better focus for offensive security teams who now have more visibility, confidence and empirical data for the efficacy of their defensive capabilities.
Can you share more insights into today’s top malicious actors, such as Volt Typhoon, and what companies should prioritize to defend against them?
There are all kinds of malicious actors today, such as Volt Typhoon or LockBit, that specialize in different attack techniques or have different motivations for who they target. It can be challenging to hear of new cyberattacks reported everyday and not be tempted to peruse every cybersecurity solution out there to defend against every new attack, adversary or threat. However, not every threat or adversary technique is relevant to every organization.
This is why we tell our customers not to “boil the ocean.” They need to start by prioritizing the threats that matter most. They need to understand the behaviors of the threat actors that indeed are targeting companies like themselves and identify where they are at risk. From there, they can determine which solutions will most effectively and efficiently reduce their risk.
For example, say a CISO gets word of a new threat or actor and asks their team to assess their risk of attack. The team can quickly create a threat profile in Enterprise Edition based on what we know of the tactics or techniques, compare that against their defensive stack, and provide an immediate confidence score to the CISO on that particular threat. We can also provide detailed instructions on how to fine-tune their defensive stack to better protect their organization.
What best practices would you recommend for companies looking to tailor their security measures to their specific environments?
Take a good look at what your team is doing. There is a 99 percent chance they are trying to manually do everything that we have outlined, and especially in today’s resource-constricted environments, consider a way to make that work more automated, informed, and precise. Using Threat-Informed Defense to understand your adversaries’ tactics and techniques and evaluate which behaviors you are good at blocking and which you are not, is going to help you more quickly shore up your defenses with the tools you may already have.
Visibility into how you are leveraging all the capabilities of your existing security stacks is crucial. Once this is attained, you can then scale your defenses from there based on where there are weak points or residual risk that needs mitigation. Truthfully, because there’s never enough money or resources to do everything and invest in every solution, defining your risk upfront and analyzing which security measures reduce risk by the greatest amount for your organization will put you on the right track.