Enterprises have a substantially lower level of confidence in their MSSP (managed security services provider) support than they do in their in-house capabilities, according to a recent survey commissioned by R&D foundation MITRE Engenuity.
To address these concerns, the organisation — part of MITRE, a not-for-profit US-based corporation that operates government funded research facilities focusing on safety and security — has a recommendation.
To better evaluate and gain a sense of confidence in service providers' capabilities, MITRE says, companies should apply the ATT&CK (adversarial tactics, techniques, and common knowledge) security evaluation framework, often used for endpoint vendor assessment, to MSSPs.
To that end, MITRE has come out with an open source threat intel platform, MITRE ATT&CK Evaluation for Managed Security Services, an extension to the existing MITRE ATT&CK evaluations program, intended to zoom in on what it calls the "people responsible for keeping us secure."
To understand how companies use managed security services, MITRE Engenuity commissioned a survey conducted by Cybersecurity Insiders — a global online community of cyber security professionals. The survey polled 311 IT security professionals in industries including technology, healthcare, retail, government, and finance,
While 68 per cent of the respondents used MSSP/MDR (managed detection and response), almost half (47 per cent) expressed low confidence in managed services technology and people, according to the survey. Moreover, 44 per cent confirmed lack of confidence in managed services security processes.
Companies trust in-house staff more than MSSPs
“Based on the results of this survey, it is clear that the participants’ level of confidence in their managed services is much lower compared to their in-house security people and technology, in which 78 per cent reported feeling confident,” said Holger Schulze, CEO of Cybersecurity Insiders, in a press release.
Sixty-five per cent of the respondents confirmed they use a "threat-informed" defence approach to their security efforts, tapping knowledge databases of adversary techniques and technology to protect against cyber attacks, and about two-thirds of those use ATT&CK evaluations to assess their endpoint vendor decisions, according to the report.
A major chunk of the participants have adopted offensive testing approaches while onboarding security technology. Among these, 39 per cent use breach and attack simulation tools, 34 per cent turn to external red teaming services, and 30 per cent stick with in-house red teaming. Red teaming refers to the process of simulating the entire life cycle of a real-world cyber attack.
While 59 per cent of respondents used offensive testing on the selection process for products, only 53 per cent used this type of testing on services.
A more "alarming" finding, according to the survey report, is that 28 per cent of respondents follow a “no news is good news” kind of approach when it comes to validating their security performance, rather than engage in offensive testing.
Though survey respondents expressed more confidence in their own security teams than in third-party service providers, they also conveyed doubts about in-house teams as well.
Forty-two per cent of those polled blamed lack of training as one of the key reasons for their lack of confidence in the security capabilities of their own organisations. Thirty-eight per cent and 35 per cent pin their doubts on inefficient hiring and lack of technology, respectively.
MITRE offers ATT&CK evaluation for MSSPs
Noting the lack of confidence in managed service providers, issues with in-house security teams, and the high percentage of organisations that do not do offensive testing of either security products or MSSPs, the report suggests that businesses need to adopt informed evaluation processes for managed services.
“The ATT&CK Evaluations for Managed Services will be trying to showcase how any given participant addresses the threat,” says Frank Duff, MITRE Engenuity's general manager of ATT&CK Evaluations.
The evaluation framework comprises multiple test scenarios that can be applied to managed services, assessing how they respond. According to Duff, the data obtained through the new ATT&CK capability will provide users with information to review and decide whether the service in question is right for them in terms of context, form, scale and efficiency.
"In the results, we will describe what threat we emulated, what techniques we executed and how, and what context the vendor did or did not provide around that behaviour. We will show their results that they provided to us as if we were one of their customers," Duff says.