MITRE Engenuity™ today announced its first-ever ATT&CK® Evaluations for Managed Services call for participation, specifically designed for managed security service providers (MSSP) and managed detection and response (MDR) competencies. The objective of this new offering is to provide transparency into the capabilities of MSSPs and MDRs. The inaugural Managed Service ATT&CK Evaluations Call for Participation is open until December 29, 2021.
To date, MITRE Engenuity ATT&CK Evaluations have focused on evaluating the potential capability of products to detect and protect against known adversary behavior. "This has helped lift the entire endpoint security market through transparency to end-users and collaboration with the capability providers," said Holger Schulze, CEO and publisher at Cybersecurity Insiders, an infosec industry surveyor. By extending ATT&CK Evaluations to evaluate managed services, MITRE Engenuity will aid in increasing the community's trust in their providers and help advance the services and expertise offered.
Designed to focus on the people who manage security technology, versus the efficacy of vendor products per se, the Managed Services ATT&CK Evaluations will not disclose the emulated adversary prior to the evaluation. This is a significant shift from the open-book format used in the Enterprise ATT&CK Evaluations that seeks to remove the human element from the evaluation of the technology. The participants will reconstruct the behavior as if a normal user were being breached, truly testing skills in a threat-informed scenario. Results will be released publicly following the conclusion of the evaluations.
"We are extremely excited to extend ATT&CK Evaluations to the managed services industry, highlighted by both MSSPs and MDR capabilities," said Frank Duff, general manager of ATT&CK Evaluations. "Building on our Enterprise Evaluations, this evolution of the ATT&CK Evaluations program will enable us to assess and improve the services that leverage these technologies to secure networks."
The need for these new evaluations is underscored by preliminary results from the "2021 Managed Services Report: No Rest for the Wary" conducted by Cybersecurity Insiders. The report found that the community has a high reliance on services, but wavering confidence in the security that managed detection and response (MDR) providers and managed security service providers (MSSPs) deliver to businesses. The survey to date reveals that:
About 50% of respondents are not using detection and response tools to gain visibility to their networks. More than 25% of those still rely on perimeter defenses.
More than 40% of participants note training, and more than 30% note hiring problems, as one of the greatest limiting factors for confidence.
68% report using MSSP/MDR, but roughly 50% are not confident in the people and technology used by their managed security solution.
This evaluation will provide MSSP and MDR capability providers an opportunity to showcase their ability to identify threats within an organization. This will also benefit prospective customers of these capabilities as the end-user will garner a clearer understanding of how threats are addressed, all while the capability providers will learn their own strengths and weaknesses to validate and improve their post-exploit analysis capabilities.
The execution of the Managed Services ATT&CK Evaluations will take place in Q2 2022, with the results expected to be released in Q3 2022. For a complete overview, to learn more about our evaluation process, or to contact the ATT&CK Evaluations team, please visit https://attackevals.mitre-engenuity.org.