How To Test Your MSSP/MDR?

As customary in our beloved domain of “cyber”, I will start with a depressing quote:

“If you really knew how to test an MSSP properly, you likely didn’t need an MSSP.” (source: in this thread somewhere, if the author reads this, I am happy to ack by name)

On a more serious note, clients must test their Managed Security Services (MSS) or Managed Detection and Response (MDR) provider! In fact, there are two different things to discuss:

  • TEST BEFORE CONTRACT SIGNING in order to pick the partner with the quality of security you a/ need and b/ are willing to pay for.
  • TEST DURING ONGOING OPERATION in order to …and this is tricky!… test for ongoing value, check for degradation of service effectiveness, and even check to remind the MSSP that you care about the quality of delivery.

Before we talk more, we need to get this out of the way: we all know that some clients who sign up with an MSSP do NOT want quality. They need a checkbox, a party to scream at (and possibly to sue) when they are hacked. We are not going to discuss this case…today.

While we want a framework to emerge eventually, here are some ideas, from heavy/deep to light/shallow tests:

  • HEAVY (and expensive): A full red team test or a quality pentest [without telling the MSSP/MDR]; your partner should catch them reliably and early in their process.
  • MEDIUM: some people reported using threat simulation tools that generate [hopefully] realistic attack or exfiltration traffic and other “bad-looking” activities; you can probably just vuln scan a box too…
  • LIGHT: A basic test can be as easy as unplugging an MSSP hardware sensor or blocking its network access (or log flow) and checking how fast they notice :-)
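The LIGHT test above only tells you something if the provider actually watches for a stalled log flow, and "how fast they notice" is then simply the gap between the moment you pulled the plug and the moment their alert arrives. As an added example (not part of the original post and not any provider's code), the Python sketch below shows the kind of "source went silent" check the monitoring side should be running: it parses a constructed sample feed, records the last event seen per source, and flags every expected source that has exceeded a silence threshold or has never reported at all. The source names, log lines and the `EXPECTED_SOURCES` inventory are all constructed for the example.

```python
"""Log-flow silence monitor: flag log sources that have stopped reporting."""
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not real telemetry): one line per event as the
# monitoring side receives it, "<ISO-8601 UTC timestamp> <source> <payload>".
SAMPLE_LINES = """\
2017-10-11T09:00:00Z fw-edge-01 accept src=10.0.0.5 dst=203.0.113.9 dport=443
2017-10-11T09:00:30Z ids-sensor-02 alert sid=1000001 src=198.51.100.7
2017-10-11T09:01:00Z fw-edge-01 accept src=10.0.0.8 dst=203.0.113.12 dport=80
2017-10-11T09:05:00Z fw-edge-01 drop src=198.51.100.7 dst=10.0.0.5 dport=22
2017-10-11T09:09:00Z dc-auth-03 logon user=alice result=success
2017-10-11T09:10:00Z fw-edge-01 accept src=10.0.0.5 dst=203.0.113.9 dport=443
"""

# Hypothetical inventory of sources the provider is expected to receive;
# ids-sensor-01 is in the inventory but never appears in the feed.
EXPECTED_SOURCES = ["fw-edge-01", "ids-sensor-01", "ids-sensor-02", "dc-auth-03"]


def parse_timestamp(text):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample feed."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Return (timestamp, source) pairs; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = parse_timestamp(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1]))
    return events


def last_seen(events):
    """Most recent event timestamp per source."""
    seen = {}
    for ts, source in events:
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(events, expected, now, max_silence):
    """Sources quiet for longer than max_silence, or never seen at all.

    Returns {source: seconds_of_silence}. A source that has never reported
    maps to None, because there is no last-seen time to measure from; it is
    still flagged, since an inventory entry with no data is the same outage
    from the client's point of view.
    """
    seen = last_seen(events)
    silent = {}
    for source in expected:
        if source not in seen:
            silent[source] = None
            continue
        gap = now - seen[source]
        if gap > max_silence:
            silent[source] = gap.total_seconds()
    return silent


def check_feed(text, expected, now_iso, max_silence_minutes):
    """Convenience wrapper: run the silence check against a raw feed."""
    return silent_sources(
        parse_events(text),
        expected,
        parse_timestamp(now_iso),
        timedelta(minutes=max_silence_minutes),
    )


if __name__ == "__main__":
    # Evaluate the sample feed as of 09:15 UTC with a 5-minute tolerance.
    for src, gap in check_feed(SAMPLE_LINES, EXPECTED_SOURCES, "2017-10-11T09:15:00Z", 5).items():
        print(f"{src}: " + ("never reported" if gap is None else f"silent for {gap:.0f}s"))
```

The threshold is per-check here; in practice a busy firewall and a quiet domain controller deserve different tolerances, and a provider that uses one global value will either miss the sensor you unplugged or drown you in false "silent source" alerts from sources that are legitimately quiet overnight.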

Look, if you work for a good, solid MSSP or for a cutting edge MDR, you will laugh at the above! And you should. However, you do realize that some of your competition cannot even spell “IDS” …yet their facility bears the same proud sign on their door: Managed Security Services …

Got more ideas for MSSP / MDR testing?

Related blog posts from our MSSP research:

This is a Security Bloggers Network syndicated blog post. Read the original at: Anton Chuvakin 2017-10-11.