New Research from MITRE Engenuity and Cybersecurity Insiders Finds Low Confidence in Managed Services Security Solutions

Majority of survey respondents (68%) use MSSP/MDR solutions to fill security gaps, yet nearly half (47%) are not confident in the technology or the people

McLean, Va. & Bedford, Mass., December 16, 2021 — MITRE Engenuity™, MITRE’s tech foundation for public good, today announced the results of the “2021 Managed Services Report: No Rest for the Wary”. The research was conducted in collaboration with Cybersecurity Insiders, an online community of 400,000 information security professionals worldwide, to understand the state of affairs in managed services security. The survey of IT security professionals representing organizations of all sizes from industries such as Technology, Healthcare, Retail, Government, Financial, and others set out to discover if organizations are adopting a threat-informed approach to cybersecurity, how they are adopting threat-informed approaches, and what organizations and IT security professionals are doing to improve their confidence in their ability to defend against cyber intrusions.

Are organizations adopting threat-informed defense?

The survey, which polled individuals in IT security and operations across a wide range of industries, found that organizations largely conduct various offensive tests on products and services before and after purchasing them, and actively seek to become threat-informed by utilizing ATT&CK^® Evaluation’s data. Key findings include:

• 65% of respondents said they utilize a threat-informed approach to security and 41% use ATT&CK evaluations to assess endpoint vendor decisions.
• 59% of respondents conduct offensive testing on products before investing in a new solution and 53% of respondents conduct offensive testing on services before investing in a new solution.
• 64% of respondents conduct offensive testing on products after investing in a new solution and 56% of respondents conduct offensive testing on services after investing in a new solution.

How are organizations actually doing?

While there appears to be positive results in recognizing the importance of being threat-informed, as well as testing and evaluating products and services before and after investment, the survey found concerning factors relating to utilization of the tools, and challenges hiring and training staff that leads to low confidence in security:

• 47% of respondents are using detection and response tools to gain visibility into their networks.
• 28% of those respondents still rely on perimeter defenses.
• 42% of respondents note a lack of training, while 31% note a lack of hiring as a limiting factor to high confidence in organizational security.

“While many organizations have the intent to operate as threat-informed and do the right things, such as conducting offensive testing, there are still a significant number of organizations that aren’t leveraging the data ATT&CK tells us we should look at,” said Frank Duff, MITRE Engenuity’s general manager, ATT&CK Evaluations. “We have an over-reliance on keeping the adversary out, and we also are limited by hiring and training.”

What are organizations doing to improve?

Perhaps recognizing their own limitations in their tools and people, the survey found that there is a commitment to improving who watches the environment. In fact, 68% of respondents report using MSSP/MDR to fill security gaps, however there is still a substantial need for improvement in the trust of MSSP/MDR technology, people, and processes.

• 48% of respondents are not confident in MSSP/MDR technology or the people providing the protection.
• 44% of respondents are not confident in the managed services security processes.

“Based on the results of this survey, it is clear that the participants’ level of confidence in their managed services is much lower compared to their in-house security people and technology, in which 78% reported feeling confident,” added Holger Schulze, CEO, Cybersecurity Insiders.

Something needs to be done to allow organizations to have similar confidence levels in their managed services as they have with their in-house security operations. The need for open, transparent, and threat-informed evaluations for managed services is clear and evident. The MITRE ATT&CK Evaluations for managed services extend the ATT&CK Evaluation program from the technology that enables us to be secure, to the people who are responsible for keeping us secure. The execution of the managed services evaluations will take place in Q2 2022 with the results expected to be released in Q3 2022. The call for participation closing date has been extended to February 25^th, 2022.

For a complete overview of the evaluation process, to learn more, or to contact the ATT&CK Evaluations team, visit https://attackevals.mitre-engenuity.org/.

###

About MITRE Engenuity

MITRE Engenuity, a subsidiary of MITRE, is a tech foundation for the public good. MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.

MITRE Engenuity brings MITRE’s deep technical know-how and systems thinking to the private sector to solve complex challenges that government alone cannot solve. MITRE Engenuity catalyzes the collective R&D strength of the broader U.S. federal government, academia, and private sector to tackle national and global challenges, such as protecting critical infrastructure, creating a resilient semiconductor ecosystem, building a genomics center for public good, accelerating use case innovation in 5G, and democratizing threat-informed cyber defense.

 www.mitre-engenuity.org.