MITRE Evaluations for MSSPs and MDRs a Giant Step for the Channel

The foundation behind the MITRE ATT&CK cybersecurity framework is turning its considerable expertise to helping managed security services providers (MSSPs) better understand how prepared they are to protect the systems and data of their many end customers.

Important Step for Managed Security

Chris Gonsalves, senior vice president of research at channel industry firm Channelnomics, applauded what MITRE Engenuity is doing.

“This is sorely, sorely, sorely needed,” Gonsalves told eSecurity Planet. “I don’t even have words to tell you from our view of the MSSP environment how badly something like this is needed.”

He noted that in 2014, Verizon in its influential annual Data Breach Investigations report (DBIR) for the first time stated how organizations determine that they have been breached. The number-one way was being contacted by either a customer or a law enforcement agency. The least likely was via their MSSP.

“You’re paying this person to protect your business and they’re the least likely to even know whether you’ve been breached,” Gonsalves said. “Why is that? It’s because while MSSP appears to be a lucrative marketplace, it is a significantly difficult technology sub-domain that requires expertise in information security that most managed services providers lack.”

Lack of Expertise as Demand Grows

As the demand for managed security services has increased over the past several years, players in the channel like VARs that had little to no expertise in that area have begun to offer such services, Gonsalves said.

They wanted to present themselves as practitioners in this increasingly lucrative space but many didn’t do the hard work necessary to become experts. There are very good MSSPs in the market that have all the necessary skills, tools and understanding of the threats in the space to protect their end customers. The problem is that they’re a minority.

Many of the newcomers “have been told by the vendors that there’s a lot of money in managed security services, so why wouldn’t they try to dabble in it?” Gonsalves said. “But this is a place where you do not dabble. You are taking on a great deal of responsibility when you tell your clients that you are going to safeguard their crown jewels.”

However, the need for skilled MSSPs and MDRs is out there. Many organizations don’t have the skill set to protect themselves at a time when the number and complexity of cybercriminals and threats are growing, so they look for outside help to protect their infrastructure, applications and data.

“MSSPs act as force multipliers,” he said. “You can put a great deal of information security and defensive expertise in one place and that one organization can protect thousands of organizations. That is absolutely vital right now because we don’t have enough skilled information security people to put one at every single organization. We have to centralize the expertise and act as force multipliers to protect many organizations.”

Bringing MITRE to MSSPs

The MITRE service provider evaluations will enable MSSPs and MDRs to better understand their strengths and weaknesses, Gonsalves said.

“The beauty of the MITRE ATT&CK framework at large is that it doesn’t really look at the efficacy of products,” he said. “It’s not solutions-based. It looks at security literally from the attacker’s point of view. It creates a framework based on the way they know attackers behave and what attackers are trying to do. There are parts of the framework that deal with lateral movement or evading defenses or exfiltrating data. What are the objectives of the attacker and how do they go about doing the bad stuff that they do? That’s how it gets the view of the wider attack framework.”

Transferring that viewpoint to MSSPs gives them insight they don’t have right now. Even if MSSPs have the staff, toolsets, platforms and everything else in place, they still need to understand what they’re trying to protect, how the bad actors will try to attack, and the risks to each individual asset in the organizations.

“This is what MITRE is going to bring to the MSSP space: A much higher level of maturity in their thinking about security policy and the approach that they take when they’re trying to safeguard this,” Gonsalves said. “Not just, ‘Should I settle on Cylance or CrowdStrike or SentinelOne endpoint protection?’ That’s not the question anymore. The question is, ‘What is the attacker going to try to do to my client’s endpoint? How are they most likely to do it when they get it? What are they going to do once they get past the perimeter and what do I need to do to stop that from happening?’ That’s a completely different set of questions that MSSPs are not asking themselves right now that this MITRE ATT&CK approach to raising the bar for MSSPs is going to address.”

Read the entire article, MITRE Evaluations for MSSPs and MDRs a Giant Step for the Channel, at