Security is one of the hardest things in IT to get right, so why not make it someone else’s problem? That’s where a managed security service provider (MSSP) can help.
Not surprisingly, with major data breaches seemingly a daily occurrence, the MSSP market is strong despite already being pretty sizeable. Gartner estimated that the MSSP market was worth almost $16 billion in 2016, and the analyst firm predicts it will grow at a compound annual growth rate of 12% for the next few years.
Despite the strong growth, the market is becoming mature. Many of the leading MSSPs are large companies such as IBM, Verizon, Symantec and BT, and their offerings are broadly similar. No one, in other words, has a product that particularly stands out.
What is a managed security service provider (MSSP)?
So what do MSSPs offer organizations looking to boost their security defenses?
At the core of what MSSPs do are two things: security event monitoring and management, and device management. In practice this covers:
- monitoring and managing firewalls, intrusion prevention and detection systems, secure web gateways and other network security devices
- analyzing and reporting on events recorded in IT infrastructure logs or SIEM systems
- scanning networks, servers, applications and databases for vulnerabilities
- in some cases, mitigating DDoS attacks
But despite their similarities, MSSP offerings are not identical. Some of the differentiators include the ability to secure operations running in the cloud (for example, in virtual infrastructures running on AWS), or to provide security for data used by SaaS applications.
It is also notable that although there are a number of security pure-plays in the market, such as Symantec and SecureWorks, many others, such as Verizon, BT and IBM, are telecommunications companies or IT outsourcers. Some providers have the expertise to produce their own threat intelligence in-house, while others purchase it from one or more external sources, and the quality of the threat intelligence a customer receives differs accordingly.
Managed detection and response: an emerging capability
Although the market is mature, it is undeniably still developing. In particular, one area that is emerging is what Gartner calls “managed detection and response” (MDR). This often involves placing turnkey hardware stacks on customer premises, coupled with proprietary analytics systems that are designed to detect threats and provide information for incident response and remediation. “MDR tries to act as an extension of an organization’s own security team,” said Toby Bussa, a research director at Gartner. “MDRs provide the technology to get the data needed to do a deep investigation, and they tend to offer more guidance [than a conventional MSSP] on what to do to mitigate the problem, or help with containment.”
There are many reasons why the MSSP market is growing so strongly, and why so many organizations of all sizes are becoming MSSP customers. “Many organizations are looking to cut their security costs by outsourcing, and others want to bolster their security incident detection and response capabilities,” said Bussa.
Another key driver is the need – in order to satisfy regulatory requirements – for many companies to have 24 x 7 monitoring and response capability. This can be hard for larger organizations, let alone SMEs and small businesses. And while it may seem unlikely that many small businesses would be involved in activities with such tight regulatory requirements, Bussa points out that risk management also drives this need for 24 x 7 monitoring. “Many smaller companies don’t have security teams of their own, but they are a critical part of the supply chain of larger companies,” he said. That means that if a larger company in the supply chain demands that stringent measures be in place to protect its data, smaller companies in the supply chain may have no option but to use an MSSP to help them comply.
MSSP pricing and SLAs
Many companies struggle to recruit and retain suitably skilled security staff. This is especially true of smaller companies, which may lack the expertise to know what they need and the budget to employ more than a handful of security staffers, who between them are unlikely to cover all the skills required to provide the necessary level of security and compliance.
By outsourcing security to an MSSP, organizations of all sizes can in theory draw on highly skilled security teams that provide 24 x 7 coverage and have the resources to bring in additional expertise or manpower at very short notice during a security incident.
That help is also likely to cost less than the equivalent security capability in-house, but the actual cost of an MSSP depends on a number of factors. Some providers offer a degree of cost certainty by pricing on the type and size of the security technology to be monitored, on the number and types of log sources, or on the number of events per time period. Alternative models charge by the volume of data collected over a given period, by the number of data sources, or even by the number of incidents detected. Volume-based pricing can create cost problems if the amount of data rises rapidly, as it does during a DDoS attack, so a buyer should establish before signing how such spikes are billed.
Most companies recognize that MSSPs are not perfect: they cannot prevent every threat and may not detect every successful breach. The problem for buyers of MSSP services is that there is no guarantee the provider will do a good enough job, and service level agreements typically do not promise that all threats will be detected, or offer compensation when they are not. More commonly, SLAs cover the availability of the service itself, or how quickly the MSSP will issue an alert once a threat has been detected.
However, in practice, most companies expect their MSSP to do a better job than they could do themselves, all of the time. “If a customer detects a breach and their MSSP has missed it, then this often has a strong effect on the desire to change provider,” Bussa said.
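The gap between what an SLA measures (time from detection to alert) and what actually drives a customer to change provider (breaches the MSSP missed) is easy to track if the customer keeps its own incident records. The following is an added example, not code from the article or from any MSSP: it scores a constructed set of incident records against a hypothetical 30-minute time-to-alert SLA and, separately, counts the breaches the customer found before the MSSP did, which a typical SLA would never report. The record format, field names and threshold are assumptions made for this example.

```python
"""Measure an MSSP against a time-to-alert SLA and track the misses the SLA
does not cover. Added example: the CSV record format, field names and the
30-minute threshold are assumptions for this illustration, not any vendor's."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ISO = "%Y-%m-%dT%H:%M:%S"


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime           # first time the threat was visible in logs the MSSP receives
    alerted_at: Optional[datetime]  # when the MSSP notified the customer; None = never alerted
    found_by: str                   # "mssp" if the MSSP raised it first, "customer" otherwise


# Constructed sample records (id,detected_at,alerted_at,found_by); not real data.
SAMPLE_RECORDS = """\
INC-1,2024-03-01T02:10:00,2024-03-01T02:22:00,mssp
INC-2,2024-03-01T09:00:00,2024-03-01T09:55:00,mssp
INC-3,2024-03-02T14:30:00,,customer
INC-4,2024-03-03T11:05:00,2024-03-03T13:40:00,customer
"""


def parse_incident(line: str) -> Incident:
    """Parse one CSV record. An empty alerted_at field means the MSSP never alerted."""
    incident_id, detected, alerted, found_by = line.strip().split(",")
    if found_by not in ("mssp", "customer"):
        raise ValueError(f"{incident_id}: unknown found_by value {found_by!r}")
    return Incident(
        incident_id,
        datetime.strptime(detected, ISO),
        datetime.strptime(alerted, ISO) if alerted else None,
        found_by,
    )


def load_incidents(text: str) -> List[Incident]:
    """Parse every non-blank line of the constructed CSV text."""
    return [parse_incident(line) for line in text.splitlines() if line.strip()]


def sla_report(incidents: List[Incident], time_to_alert_minutes: int) -> dict:
    """Return what a time-to-alert SLA would report, plus what it would not.

    sla_breaches:         incidents alerted on later than the agreed window
    customer_found_first: breaches the customer detected before the MSSP did
    never_alerted:        breaches the MSSP did not alert on at all
    Only the first figure is something a conventional SLA measures.
    """
    alerted = [i for i in incidents if i.alerted_at is not None]
    # Minutes from first visibility in the logs to the customer being told.
    latency = {
        i.incident_id: (i.alerted_at - i.detected_at).total_seconds() / 60
        for i in alerted
    }
    return {
        "alerted": len(alerted),
        "sla_breaches": [k for k, m in latency.items() if m > time_to_alert_minutes],
        "worst_latency_minutes": max(latency.values(), default=0.0),
        "customer_found_first": [i.incident_id for i in incidents if i.found_by == "customer"],
        "never_alerted": [i.incident_id for i in incidents if i.alerted_at is None],
    }


if __name__ == "__main__":
    report = sla_report(load_incidents(SAMPLE_RECORDS), time_to_alert_minutes=30)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data, INC-2 and INC-4 breach the 30-minute window, which is what an SLA review would show; INC-3 and INC-4 are the cases Bussa describes, where the customer found the breach first, and INC-3 never produced an alert at all. Those last two lists come only from the customer's own incident log, which is why a customer that wants to judge its MSSP has to keep one.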
How MSSPs work
Perhaps the most important question to ask is how MSSPs actually operate: How do they deliver their managed security services? The answer is fairly straightforward. They remotely manage network devices and security appliances, typically over a VPN, although they may also have out-of-band fallback methods such as cellular connections or even POTS to reach devices like firewalls in an emergency. Software agents can also be deployed to collect logs and forward them for security event monitoring. That management path is itself a privileged route into the customer's network, so access over it should be limited to the devices the MSSP manages and logged like any other administrative access.
The technical side is the easy part. Far more important are the procedures and routines put in place to ensure that the MSSP knows what the customer is doing, and what it plans to do in the future. After all, there is not much point in employing an MSSP if a company purchases and implements new hardware or extends its network without informing the MSSP first so that it knows what it is supposed to be managing.
“Communication and frequent updates have to be baked in to a customer-MSSP relationship. That means communicating on a daily basis across established reporting and escalation tiers,” said Bussa. “Setting this up and documenting it is one of the strongest indicators of how successful an MSSP relationship will be. For a successful outcome, customers need to put in as much as the MSSP does.”
The internal IT team will also have to make some changes to the way it operates when using an MSSP to manage security, he added. For example, where in the past a firewall change could be carried out whenever required, under an MSSP there needs to be a recognition that firewall changes will be made by the MSSP only within an agreed change window. This may be inconvenient or frustrating until the IT team becomes accustomed to giving notice of changes a suitable amount of time in advance.
For end users of IT systems, however, there should be no change in the way they operate, and it should very much be a case of business as usual.
Top MSSP vendors
Top MSSP vendors include:
- NTT Security
- BAE Systems
- Orange Business Services