Resilience Requires a Strategy

Tenet3 was established in 2013 with a passion to make cyber resilience easy. We automate digital engineering model building for cyber risk assessment and mitigation. We specialize in cyber security economics. Specifically, we employ authoritative models to identify the strategies and tactics that lead to optimal security investments for our clients. Our automated metrics assess threat mitigation strategies, cyber security costs, residual risks, and resiliency in complex systems. We believe that the best way to achieve cost effective cyber security is through strategic analysis of a system "as designed", "as built", and "as operating".

Our Vision - Cost Effective Cyber Resilience

Our vision is to make optimal cyber strategy development tractable, data driven, with concrete success metrics. The result is cost effective cyber resilience for our customers.

Our Mission - Make Resilience Planning Easy

Our mission is to make it easy to enumerate system components, track how they are organized, model how they are connected, and document their operating assumptions across their lifecycle. We make it easy to track changes in system composition enabling resilient strategies and responsive threat countermeasures.

Zero Trust is all about planning. It espouses many of the same principles used in anti-tamper for weapon systems. If you desire a Zero Trust resilience strategy, you need to make security planning a regular regimen. Performing regular planning exercises with information updated by current events and utilizing a common operating picture such as MeTRA®, keeps your security team on the same page. If you don't have a cybersecurity plan, we can help you get started on the road to Zero Trust. Contact us to start planning today.

Why is our name Tenet3 and our tagline cybernetics?

Our name is based on a methodology called the The Three Tenets of Cyber Security. The third tenet is "Detect, React, Adapt" and is an essential element of our approach to resilience. Cybernetics is a branch of systems engineering that specifically studies the optimal governance and control of complex automatic (or autonomous) networked systems. Detecting changes in systems, automating planned reactions, and adapting controls for networked systems requires a combination of machine learning and human cognitive input. Through our solutions and services, Tenet3 provides this combination of AI/ML and human insights to detect, react, and adapt to the changing cyber threat landscape.

Zero Trust Strategy Requires Planning

Cyberspace is an adversarial domain. Securing cyberspace is hard because systems are complex and built with components from across the globe. Most cyber-physical systems are constructed using commercial parts where time-to-market is the measure of success, not security. This results in the hope that other peoples’ work is inherently correct and secure from adversary influence. Hope is not a strategy.

Our approach to cyber strategy is grounded by our foundational work in anti-tamper, software protection, and trustworthy hardware. Tenet3 personnel were developing quantitative "Zero Trust" strategies in the late 1990s before Zero Trust was cool.

Strategy is Born of Planning

In preparing for battle I have always found that plans are useless but planning is indispensable.

Zero Trust fundamentally requires planning. Start by taking stock. Enumerate the software and hardware components in your systems and facilities. Organize things by what is critical. Identify how your people interact with the elements of your systems and company processes. Show how everything is connected or related to your mission. We call this planning process Count-Collect-Connect® and the result is a digital system map or knowledgebase (a Model Based System Engineering database) for your systems, networks, or organization.

A Zero Trust Planning Axiom - The System Defines Its Own Threat

Murphy was right. Edward A. Murphy, Jr. was an engineer with the US Air Force and spent time at Wright-Patterson Air Force Base. He was said to state "Anything that can go wrong will go wrong". This is especially true in cyber-physical systems today. All systems have access points, weaknesses, and ways to connect the two.

The system knowledgebase developed in the Count-Collect-Connect® step is used with this planning axiom to assess possible threat actions and the likelihood of adversary induced failures. Cybersecurity is a study of failure modes in a system and how best to mitigate them. Tenet3 personnel learned this well when leading anti-tamper programs for the Department of Defense. Using a property graph knowledgebase, we automate the computations of Zero Trust metrics over system models. Quantitative cyber risk mitigation strategies are developed based on these computed metrics.

Cyber Resilience - From Art to Craft to Science

Art requires innate talent. A craft is a teachable skill. A science is predictive, quantitative, and testable.

Mindful of this, Tenet3 is developing the science of cybersecurity. We bring together expertise in reverse engineering, anti-tamper techniques, AI/ML driven property graph modeling, cloud scale data science, and game theory to formulate a scientific framework. Elements of our framework are described in our publications.

We quantitatively assess risk by constructing "digital thread models" of systems across multiple levels of detail and throughout the system lifecycle. Our digital thread models are key to our System Security Engineering analytics that reveal the cyber security trade space. We model both physical and logical systems and processes. Our digital threads range in detail from hundreds of millions of transistors, to firmware/software models, to models of boards and units connected via networks and buses. Tenet3 digital threads model systems "as designed", "as built", and "as operating".

Tenet3 solutions can ingest supply chain and design documents to create system models or construct them via highly sophisticated "tear downs" of existing systems. Tenet3 technologies include: rapid system data ingestion and curation using our data crawling agents, data lake, and patent pending blockchain technology; highly scalable and rapid system modeling via property graphs; AI/ML graph driven data analytics; and game theoretic analyses of adversary versus defender cost drivers. These core competencies support vulnerability analyses, quantitative system risk assessments for enlightened mission planning and operation, efficient continuous monitoring for system diagnostics, complete system penetration testing, and cyber security economics evaluation.

Our approach to Zero Trust is based on seminal work in DoD Anti-Tamper and cyber-physical system security. Model based system engineering (MBSE) models are an essential authoritative source of truth for subject matter experts and system stakeholders alike. Construction of MBSE "Cyber Twins" begins with hardware and software component enumeration. Data about the system or components is collected from disparate souces. This data is organized and curated into information. Information is transformed into knowledge graphs. Our MBSE solution, MeTRA® manages this Count-Collect-Connect® process and databases these models as essential digital engineering system baselines.

MeTRA® Curate is our AI/ML based information gathering and curation engine. When construct system models by enumeration of components and associated data. Curate includes: our patent pending blockchain based data ingestion software and data lake; our NLP based automated entity/relation builder for parsing system documents and building system model primitives; and our computer vision based automated system diagram to property graph generator.

MeTRA® Model is our flagship software (most often just called MeTRA® - Measured Threat Risk Assessment). MeTRA® provides a web-based modeling framework and analysis tool suite that delivers visual and interactive complex system knowledge capture, management, analysis and transfer. The intuitive software guides security, engineering, and program management personnel through a methodical decomposition of the system using standard program documentation and Tenet3’s Count-Collect-Connect® methodology. This provides a “Digital Thread” for systems - as designed - as built - as operating. These highly scalable property graph system representations model systems from transistor level designs, software, and circuit boards, through weapon systems and factories. MeTRA® supports quantifiable metrics that inform system security assessments.

MeTRA® Assess is a collection of web browser dashboards that operate on the property graph models above to compute attack paths, vulnerabilities, and defensive mitigations via calculations of adversary versus defender work factor. This includes our RMF & CMMC based security compliance tools. Assess utilizes simulations based on various mathematical, statistical, optimization, game theoretic, and property graph theoretic analyses implemented at cloud scale.

Supply Chain Tools include Tenet3’s SAFELib™ and MeTRA® Discover tools to examine risk in software and hardware components. SAFELib™ technology enables seamless and fast code assessment in a CI/CD pipeline without any of the weaknesses of static analysis solutions. The capability hinges on a trained deep learning model (neural network) designed to evaluate, at the function level, whether a block of committed code exhibits patterns that are indicative of one of many vulnerability types. MeTRA® Discover is our highly scalable sub-graph matching implementation which permits us to search large property graphs for specified subgraph structures. This capability enables us to search advanced microelectronic circuits for unwanted components.

Automating Cyber Resilience
Contact us to learn more about our latest results automating cyber resilience, formulating cyber security science, and realizing cost effective Zero Trust strategies.

Contact us about cyber resilience.