Alex -

Making sense of conflicting third-party security assessments

Third-party security assessments from different sources may not always agree, but that doesn't mean they can be ignored. Learn how Mitre ATT&CK can provide perspective.

Research reports from Enterprise Strategy Group, a division of TechTarget, reveal that organizations value outside guidance, including analyst recommendations and independent, third-party testing reports. Yet, outside testing often includes conflicting results, so how do security teams sort through these assessments to find answers that best fit their individual needs?

All too often, security architects come to analyst firms looking for recommendations with the expectation that we will be able to share our "favorite" solutions based on all the research we do. We are often asked to recommend specific security vendors and products to satisfy the needs of individual organizations.

As industry analysts, we have tremendous visibility into what security vendors and product suites are available, including great detail about specific capabilities, customer experiences and partnerships. However, we don't have the same level of insight into the specific strategies and needs -- current and future -- of individual organizations and associated security teams. One thing we do know is that there is no one-size-fits-all in the security industry. Here are five reasons why:

  1. Every organization has its own, unique attack surface to defend. This includes some combination of devices, workloads, SaaS applications, partners, locations and networks.
  2. Security leaders develop specific, individual strategies in support of their organization's security objectives.
  3. Risk posture and tolerance vary widely across organizations of all sizes, industries and competencies.
  4. Resources and skills vary dramatically across organizations, as do staffing models associated with security operations.
  5. Growth trajectories of different organizations impact scale and scope requirements, driving some to focus more on openness, while others focus more on convergence and reduced complexity.

Despite the best efforts of industry analyst firms and other third-party testing organizations, few can make accurate predictions about which security options fit the specific needs of individual organizations. In my alternate life, I play in a classic rock band, so I'll use a hokey analogy to make the point. The famous song "Looking for Love in All the Wrong Places" reminds us that, despite what others might find a perfect fit or think might be a perfect fit, to find love, people have their own unique personality, quirks, expectations, goals and lifestyle. Careful attention to all of these individualized needs ultimately leads to finding true love. Maybe a bit oversimplified -- OK, not that finding love is simple -- but finding the right security solution provider requires careful attention to the specific needs, objectives and strategies within each organization.

Mitre ATT&CK framework earns industry trust

But most agree on one common requirement: threat prevention and detection. Despite these variations, the ability to uncover malicious activities and translate those activities into threats is a common element in the equation. This is likely why the Mitre ATT&CK framework and Mitre ATT&CK testing have gained recognition and respect as the industry's foremost, trusted assessment of detection capabilities, making the Mitre test result king of the castle when it comes to proving efficacy. ESG research helps confirm that organizations that understand, adopt and embrace the Mitre ATT&CK framework achieve better results than those who do not.

My recommendation is to continue to use third-party assessments wherever possible but to do so in the context of your organization's needs, objectives and strategies. Pick and choose what assessments can provide specific insights in support of your unique situation. Don't be looking for love in all the wrong places, but instead, take the time to do the diligence that can support finding the best security solution for your specific organization.

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing