MITRE Engenuity and Cybersecurity Insiders announced the results of research into the state of managed services security.
The survey of IT security professionals representing organizations of all sizes from industries such as Technology, Healthcare, Retail, Government, Financial, and others set out to discover if organizations are adopting a threat-informed approach to cybersecurity, how they are adopting threat-informed approaches, and what organizations and IT security professionals are doing to improve their confidence in their ability to defend against cyber intrusions.
Are organizations adopting threat-informed defense?
The survey, which polled individuals in IT security and operations across a wide range of industries, found that organizations largely conduct various offensive tests on products and services before and after purchasing them, and actively seek to become threat-informed by utilizing ATT&CK Evaluations data. Key findings include:
- 65% of respondents said they utilize a threat-informed approach to security and 41% use ATT&CK evaluations to assess endpoint vendor decisions.
- 59% of respondents conduct offensive testing on products before investing in a new solution and 53% of respondents conduct offensive testing on services before investing in a new solution.
- 64% of respondents conduct offensive testing on products after investing in a new solution and 56% of respondents conduct offensive testing on services after investing in a new solution.
How are organizations actually doing?
While there appear to be positive results in recognizing the importance of being threat-informed, as well as in testing and evaluating products and services before and after investment, the survey found concerning factors relating to utilization of the tools, and challenges in hiring and training staff that lead to low confidence in security:
- 47% of respondents are using detection and response tools to gain visibility into their networks.
- 28% of those respondents still rely on perimeter defenses.
- 42% of respondents note a lack of training, while 31% note a lack of hiring as a limiting factor to high confidence in organizational security.
“While many organizations have the intent to operate as threat-informed and do the right things, such as conducting offensive testing, there are still a significant number of organizations that aren’t leveraging the data ATT&CK tells us we should look at,” said Frank Duff, MITRE Engenuity’s general manager, ATT&CK Evaluations. “We have an over-reliance on keeping the adversary out, and we also are limited by hiring and training.”
What are organizations doing to improve their managed services security?
Perhaps recognizing their own limitations in their tools and people, the survey found that there is a commitment to improving who watches the environment. In fact, 68% of respondents report using MSSP/MDR to fill security gaps; however, there is still a substantial need for improvement in the trust of MSSP/MDR technology, people, and processes.
- 48% of respondents are not confident in MSSP/MDR technology or the people providing the protection.
- 44% of respondents are not confident in the managed services security processes.
“Based on the results of this survey, it is clear that the participants’ level of confidence in their managed services is much lower compared to their in-house security people and technology, in which 78% reported feeling confident,” added Holger Schulze, CEO, Cybersecurity Insiders.