Companies have greater confidence in their own security teams than in MSSPs, according to a new survey. To better evaluate service provider capabilities, companies can apply techniques used by the ATT&CK (adversarial tactics, techniques, and common knowledge) assessment framework to MSSPs, MITRE says.

Enterprises have a substantially lower level of confidence in their MSSP (managed security services provider) support than they do in their in-house capabilities, according to a recent survey commissioned by R&D foundation MITRE Engenuity.

To address these concerns, the organization — part of MITRE, a not-for-profit corporation that operates federally funded research facilities focusing on safety and security — has a recommendation. To better evaluate and gain a sense of confidence in service providers’ capabilities, MITRE says, companies should apply the ATT&CK (adversarial tactics, techniques, and common knowledge) security evaluation framework, often used for endpoint vendor assessment, to MSSPs.

To that end, MITRE has come out with an open-source threat intel platform, MITRE ATT&CK Evaluation for Managed Security Services, an extension to the existing MITRE ATT&CK evaluations program, intended to zoom in on what it calls the “people responsible for keeping us secure.”

To understand how companies use managed security services, MITRE Engenuity commissioned a survey conducted by Cybersecurity Insiders — a global online community of cybersecurity professionals. The survey polled 311 IT security professionals in industries including technology, healthcare, retail, government, and finance. While 68% of the respondents used MSSP/MDR (managed detection and response), almost half (47%) expressed low confidence in managed services technology and people, according to the survey.
Moreover, 44% confirmed a lack of confidence in managed services security processes.

Companies trust in-house staff more than MSSPs

“Based on the results of this survey, it is clear that the participants’ level of confidence in their managed services is much lower compared to their in-house security people and technology, in which 78% reported feeling confident,” said Holger Schulze, CEO of Cybersecurity Insiders, in a press release.

Sixty-five percent of the respondents confirmed they use a “threat-informed” defense approach to their security efforts, tapping knowledge databases of adversary techniques and technology to protect against cyberattacks, and about two-thirds of those use ATT&CK evaluations to assess their endpoint vendor decisions, according to the report.

A major chunk of the participants have adopted offensive testing approaches while onboarding security technology. Among these, 39% use breach and attack simulation tools, 34% turn to external red teaming services, and 30% stick with in-house red teaming. Red teaming refers to the process of simulating the entire life cycle of a real-world cyberattack.

While 59% of respondents used offensive testing in the selection process for products, only 53% used this type of testing for services.

A more “alarming” finding, according to the survey report, is that 28% of respondents follow a “no news is good news” approach when it comes to validating their security performance, rather than engaging in offensive testing.

Though survey respondents expressed more confidence in their own security teams than in third-party service providers, they also conveyed doubts about in-house teams. Forty-two percent of those polled blamed lack of training as one of the key reasons for their lack of confidence in the security capabilities of their own organizations.
Thirty-eight percent and 35% pin their doubts on inefficient hiring and lack of technology, respectively.

MITRE offers ATT&CK evaluation for MSSPs

Noting the lack of confidence in managed service providers, issues with in-house security teams, and the high percentage of organizations that do not do offensive testing of either security products or MSSPs, the report suggests that organizations need to adopt informed evaluation processes for managed services.

“The ATT&CK Evaluations for Managed Services will be trying to showcase how any given participant addresses the threat,” says Frank Duff, MITRE Engenuity’s general manager of ATT&CK Evaluations.

The evaluation framework comprises multiple test scenarios that can be applied to managed services, assessing how they respond. According to Duff, the data obtained through the new ATT&CK capability will provide users with information to review and decide whether the service in question is right for them in terms of context, form, scale, and efficiency.

“In the results, we will describe what threat we emulated, what techniques we executed and how, and what context the vendor did or did not provide around that behavior. We will show their results that they provided to us as if we were one of their customers,” Duff says.