MITRE MSSP evaluations


The foundation behind the MITRE ATT&CK cybersecurity framework is turning its considerable expertise to helping managed security services providers (MSSPs) better understand how prepared they are to protect the systems and data of their many end customers.

MITRE Engenuity recently announced that a call for participation in its ATT&CK Evaluations for MSSPs and managed detection and response (MDR) providers is open until Dec. 29. The new services evaluations represent a shift for the foundation, which in the past has been known for its evaluations that aim to improve how well security products detect and protect against known cybercriminal behaviors.

The new ATT&CK evaluations also come at a time when demand for managed security services is growing and the cyberthreat to MSPs, MSSPs and other service providers themselves is expanding, as bad actors see them as pathways into the networks and systems of their many enterprise customers.

The software supply chain and third-party risk are other threats affecting MSPs – as evidenced this week with the highest-severity Apache Log4j vulnerability.

Confidence in Service Providers Falters

As the reliance on security service providers increases, confidence in them continues to falter, as shown by the recent “2021 Managed Services Report: No Rest for the Wary,” conducted by Cybersecurity Insiders.

“We are extremely excited to extend ATT&CK Evaluations to the managed services industry, highlighted by both MSSPs and MDR capabilities,” Frank Duff, general manager of ATT&CK Evaluations, said in a statement. “Building on our Enterprise Evaluations, this evolution of the ATT&CK Evaluations program will enable us to assess and improve the services that leverage these technologies to secure networks.”


Emulating Adversaries

According to the foundation, the service providers participating in the Managed Services ATT&CK Evaluations will be presented with an emulated adversary prior to the evaluation. The emulated adversary won’t be disclosed to the service provider until after the evaluation is complete, but it will be based on publicly available threat intelligence, and the evaluation will be conducted in Microsoft’s Azure cloud environment, similar to MITRE Engenuity’s Enterprise evaluations.

The foundation will run the emulation, and participating MSSPs and MDRs will provide their evaluations of the event as if MITRE Engenuity were the customer being attacked. The goal of the evaluation will be to test the participants’ ability to detect the problem using self-supplied tools and to understand the activities of the attackers. The evaluations will look at such actions as real-time alerts, daily roll-up reports and dashboard access.

Afterward, MITRE Engenuity will disclose the adversary that was emulated and the behavior that was run and show how the foundation mapped the service providers’ analyses to the behavior. It also will work with the participants to improve their ability to detect issues.

After the evaluations are completed, the conclusions will be released publicly, the foundation said.

[Figure: MITRE MSSP evaluation environment]


Important Step for Managed Security

Chris Gonsalves, senior vice president of research at channel industry firm Channelnomics, applauded what MITRE Engenuity is doing.

“This is sorely, sorely, sorely needed,” Gonsalves told eSecurity Planet. “I don’t even have words to tell you from our view of the MSSP environment how badly something like this is needed.”

He noted that in 2014, Verizon in its influential annual Data Breach Investigations Report (DBIR) for the first time stated how organizations determine that they have been breached. The number-one way was being contacted by either a customer or a law enforcement agency. The least likely was via their MSSP.

“You’re paying this person to protect your business and they’re the least likely to even know whether you’ve been breached,” Gonsalves said. “Why is that? It’s because while MSSP appears to be a lucrative marketplace, it is a significantly difficult technology sub-domain that requires expertise in information security that most managed services providers lack.”

Lack of Expertise as Demand Grows

As the demand for managed security services has increased over the past several years, players in the channel like VARs that had little to no expertise in that area have begun to offer such services, Gonsalves said.

They wanted to present themselves as practitioners in this increasingly lucrative space but many didn’t do the hard work necessary to become experts. There are very good MSSPs in the market that have all the necessary skills, tools and understanding of the threats in the space to protect their end customers. The problem is that they’re a minority.

Many of the newcomers “have been told by the vendors that there’s a lot of money in managed security services, so why wouldn’t they try to dabble in it?” Gonsalves said. “But this is a place where you do not dabble. You are taking on a great deal of responsibility when you tell your clients that you are going to safeguard their crown jewels.”

However, the need for skilled MSSPs and MDRs is out there. Many organizations don’t have the skill set to protect themselves at a time when the number and complexity of cybercriminals and threats are growing, so they look for outside help to protect their infrastructure, applications and data.

“MSSPs act as force multipliers,” he said. “You can put a great deal of information security and defensive expertise in one place and that one organization can protect thousands of organizations. That is absolutely vital right now because we don’t have enough skilled information security people to put one at every single organization. We have to centralize the expertise and act as force multipliers to protect many organizations.”

MSSP Market to Triple by 2028

Analysts at Verified Market Research said the global managed security services market last year was $19.76 billion in size and will increase to $58.15 billion by 2028, growing an average of 14.31 percent a year. Driving that growth will be such benefits as improved cost effectiveness, deep and broad security protection and continuous security monitoring, they said.


However, one issue is the conflict between rising enterprise and SMB demand for such benefits and increasing skepticism about the service providers’ abilities to deliver them, according to MITRE Engenuity. Pointing to the Cybersecurity Insiders report, the foundation noted that 68 percent of respondents to the survey said they were using an MSSP or MDR services provider, but that about 50 percent were not confident in the people or technology used by their managed security solution.

The MSSP and MDR testing will help providers identify weaknesses. And while MITRE doesn’t provide ratings or rankings, security product vendors often tout the results, so there’s a potential marketing benefit too.

[Figure: MSSP market growth]


Bringing MITRE to MSSPs

The MITRE service provider evaluations will enable MSSPs and MDRs to better understand their strengths and weaknesses, Gonsalves said.

“The beauty of the MITRE ATT&CK framework at large is that it doesn’t really look at the efficacy of products,” he said. “It’s not solutions-based. It looks at security literally from the attacker’s point of view. It creates a framework based on the way they know attackers behave and what attackers are trying to do. There are parts of the framework that deal with lateral movement or evading defenses or exfiltrating data. What are the objectives of the attacker and how do they go about doing the bad stuff that they do? That’s how it gets the view of the wider attack framework.”

Transferring that viewpoint to MSSPs gives them insight they don’t have right now. Even if MSSPs have the staff, toolsets, platforms and everything else in place, they still need to understand what they’re trying to protect, how the bad actors will try to attack, and the risks to each individual asset in the organizations.

“This is what MITRE is going to bring to the MSSP space: A much higher level of maturity in their thinking about security policy and the approach that they take when they’re trying to safeguard this,” Gonsalves said. “Not just, ‘Should I settle on Cylance or CrowdStrike or SentinelOne endpoint protection?’ That’s not the question anymore. The question is, ‘What is the attacker going to try to do to my client’s endpoint? How are they most likely to do it when they get it? What are they going to do once they get past the perimeter and what do I need to do to stop that from happening?’ That’s a completely different set of questions that MSSPs are not asking themselves right now that this MITRE ATT&CK approach to raising the bar for MSSPs is going to address.”
