Rick Gordon, CEO & Co-Founder, Tidal Cyber and expert in technology investing, business strategy, and early-stage venture development.
Security starts by answering a basic question: “Can we defend Y against X?”
Whether our mission is national security, physical security or cybersecurity, this fundamental question gets to the root of what we do as security professionals: understand the evolving tradecraft our adversaries use against us, design and operate security infrastructure that reduces the likelihood that this tradecraft succeeds, continually measure the efficacy of that infrastructure against it, and reallocate scarce resources to maximize the reduction in residual risk per dollar invested.
But the dirty little secret in cybersecurity is that most of us can’t answer this basic security question cost-effectively with reasonable analytical integrity.
Why Is This So Hard?
The objective of a security professional is to develop an accurate understanding of residual risk and to steward precious resources to cost-effectively reduce residual risk to the lowest affordable level. The problem is that getting to a reliable view of residual risk has always been incredibly difficult.
Unless a cybersecurity organization has a seasoned, well-resourced threat intelligence team, it usually can’t answer the following:
• Which adversaries are targeting us at any given point in time?
• Which behaviors are those adversaries known to employ against us?
• Which of those behaviors have been described with enough specificity to prescribe effective countermeasures?
• How much risk does each of those behaviors represent to the enterprise?
Most security leaders admit they struggle to answer the first part of this basic question. But, for argument’s sake, let’s say we were able to develop a solid understanding of the tradecraft we need to defend against. The next step is even more difficult.
Most organizations lack a clear view of how their defenses align to real adversary behaviors. We can’t confidently answer:
• Which behaviors our stack can defend against today
• How effective those defenses are at reducing adversary success
• Whether those capabilities are configured properly
• The aggregate total risk reduction provided by all deployed capabilities against those behaviors
Without these answers, we can’t see where risk is high, where it’s been reduced enough, what residual risk remains unacceptably high, or how to best allocate resources to eliminate it by the greatest amount possible.
When I speak privately with security leaders, most admit they can’t cost-effectively answer this basic security question, “Can we defend Y against X?” Even with large budgets, they can’t deliver a rigorous answer quickly, so they guess and hope no one finds out.
While many organizations have historically relied on maturity models, compliance checklists or static control frameworks to guide their cybersecurity posture, these approaches can fall short when faced with dynamic and evolving threats. Threat-led defense has emerged as a complementary strategy—one that aims to align defensive investments directly with known adversary behavior. Rather than replacing existing models, it adds a layer of threat-contextual prioritization that helps security leaders focus on the most relevant risks to their organization.
Now, We Can Finally Stop Guessing
Threat-led defense makes answering this question automated, affordable and easy by automatically prioritizing the techniques that matter most to your company, identifying important coverage gaps, recommending the most impactful actions to take to fill those gaps, and recalculating this analysis as adversaries and the products in your defensive stacks evolve. No longer does it take months and hundreds of thousands of dollars a year to know whether your defenses can protect against the techniques that adversaries currently use. The answer is instantaneous.
The approach begins by organizing your threat and defensive intelligence using the same hierarchical structure created by MITRE in its ATT&CK framework.
On the threat intelligence side, cyber threat intelligence objects (groups, software and campaigns) are automatically updated as their motivations, targets and techniques evolve. At its core, threat-led defense relies on the MITRE ATT&CK knowledge base, but also continually updates as new threat intelligence emerges.
Based on the type of industry, threat profiles can easily be created to track how active given threat objects are in your sector. Threat profiles continually decompose those threat objects into their component techniques and weight each technique by its relative level of risk.
On the defensive intelligence side, data are collected at a granular level within your security platforms, focusing on key tools like SIEM, EDR and XDR. Every tool, architectural decision and related investment that contributes to reducing the risk associated with a specific technique should be considered for inclusion.
Many platforms offer thousands of atomic defensive capabilities, each of which changes how much the likelihood that an adversary can execute a technique against a given target is reduced. Defensive stacking aggregates the risk reductions offered by each capability across all tools to calculate a cumulative risk reduction on a technique-by-technique basis.
As tools are added or improved and configurations change, those risk reduction calculations are re-executed automatically. By maintaining these knowledge bases of adversary behaviors and defensive capabilities, threat-led defense can eliminate thousands of hours of expensive human analysis required annually to continually answer the basic security question.
Residual Risk Revealed
Because threat profiles and defensive stacks are structured against techniques, it is trivial to build coverage maps to illuminate whether a given defensive stack can defend against a given technique, a campaign, an adversary group or a portfolio of adversary groups.
A coverage map illustrates where risk exists and has been effectively mitigated, and where there is work left to do, that is, where important coverage gaps exist.
When building a defensive stack, you not only know what your tools are capable of, you also know which of those capabilities are on, and which are turned off (often by mistake). Because threat-led defense is performed in software, it’s simple to match a dormant capability to a coverage gap. Instead of spending tens of hours investigating potential approaches to fill an important coverage gap, software can investigate thousands of capabilities from existing and prospective security tools within a few minutes.
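The threat-profile weighting, defensive stacking, coverage-map and dormant-capability matching steps described above, as an added worked example that is not the author's or Tidal Cyber's code. The technique IDs are real ATT&CK IDs, but the group counts, tools and reduction figures are constructed, and the multiplicative way reductions are stacked is my assumption rather than a formula the article states.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): real ATT&CK IDs, made-up figures.
# Threat profile: technique -> tracked groups in our sector using it (T1566 Phishing,
# T1059 Command and Scripting Interpreter, T1021 Remote Services, T1486 Data Encrypted for Impact).
THREAT_PROFILE = {"T1566": 4, "T1059": 3, "T1021": 2, "T1486": 1}

@dataclass
class Capability:
    tool: str
    technique: str
    reduction: float  # fraction of adversary success likelihood this removes
    enabled: bool

DEFENSIVE_STACK = [
    Capability("mail-gateway", "T1566", 0.60, True),
    Capability("edr", "T1566", 0.30, True),
    Capability("edr", "T1059", 0.45, True),
    Capability("edr", "T1059", 0.40, False),  # licensed but switched off
    Capability("siem", "T1021", 0.20, True),
]

def technique_weights(profile):
    """Weight each technique by its share of observed adversary activity."""
    total = sum(profile.values())
    return {t: n / total for t, n in profile.items()}

def stacked_reduction(caps):
    """Defensive stacking; assumes (my assumption) independent capabilities: 1 - prod(1 - r_i)."""
    remaining = 1.0
    for c in caps:
        if c.enabled:
            remaining *= 1.0 - c.reduction
    return 1.0 - remaining

def coverage_map(profile, stack, gap_threshold=0.5):
    """Per technique: weight, stacked reduction, residual risk, gap flag, dormant tools."""
    result = {}
    for tech, weight in technique_weights(profile).items():
        caps = [c for c in stack if c.technique == tech]
        red = stacked_reduction(caps)
        result[tech] = {"weight": weight, "reduction": red, "residual": weight * (1.0 - red),
                        "gap": red < gap_threshold, "dormant": sorted({c.tool for c in caps if not c.enabled})}
    return result

def next_actions(cov):
    """Gaps ranked by residual risk; a dormant capability is the cheapest fill."""
    gaps = [(t, v["residual"], v["dormant"]) for t, v in cov.items() if v["gap"]]
    return sorted(gaps, key=lambda g: -g[1])
```

With this data the top-ranked gap (T1059) already has a disabled EDR capability that would lift its stacked reduction from 0.45 to 0.67 once switched on, which is the dormant-capability match the paragraph describes.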
Keep in mind: Adopting a threat-led approach is not without its challenges. It requires a cultural shift toward continuous measurement, dedicated resources to maintain threat intelligence accuracy and tight integration between teams and tools.
Conclusion
Whenever a threat or capability changes in the defensive stack, not only does the coverage map recalculate automatically but with it, the priorities for which capabilities to add next.
Threat-led defense makes answering the basic security question achievable. By structuring threat and defensive intelligence using the same MITRE ATT&CK framework, we can automatically understand residual risk and effectively allocate resources to eliminate it cost-effectively.
Why on earth would you want to keep guessing?