Blog post

How To Work With An MSSP Effectively?

By Anton Chuvakin | September 03, 2014 | 2 Comments


My next research project at Gartner GTP will be about working with managed security services providers (MSSPs). We have great content that compares major MSSPs (such as the MSSP Magic Quadrant), but none yet on how to work well with one.

In the past, our team’s work focused on helping people who “do stuff” (as opposed to those who “find people to pay for doing their stuff for them”), and this document would be a bit of a departure from that tradition.

In my effort, I plan to tackle questions such as these:

  • What can an MSSP do well in security monitoring, vs. just OK, vs. not at all?
  • How to onboard an MSSP and prepare for an effective joint operation?
  • How to provide the right information for the MSSP to succeed?
  • How to work together with an MSSP to improve security?
  • How to learn from the MSSP’s operations and improve your own?
  • How to define the right SLAs for various security activities?
  • How to build joint workflows with an MSSP?
  • How to MSSP-enhance various security operational practices?
  • How to avoid the pitfalls of security monitoring outsourcing?
  • How to run a hybrid MSSP+SIEM operation?

(Got any other ideas? Hit the comments!)

And here is my call to action:

  • Are you at least a semi-decent MSSP and have something useful to say about it? Here is a briefing link … you know what to do! I’d love to hear what advice you give clients on how to succeed with your services.
  • A consultant who advises clients on selecting [or avoiding] MSSPs? Care to share your experience?
  • Enterprises, got an MSSP story to share? Both WIN stories and FAIL stories will do fine. Hit the comments or email me privately (the Gartner client NDA will cover it, if you are a client).


2 Comments

  • Matt says:

    Almost all of the MSSPs also provide IR services. Ask them how many IR engagements they participated in over the last 12 months. Then ask them how many of those IR engagements were the result of their own MSSP service identifying and escalating an incident. They probably can’t tell you. Crickets chirping. Does it seem at all unusual that IR isn’t the intentional and natural byproduct of security monitoring? That MSSPs don’t even attempt to track that relationship? The real challenge with security monitoring, whether managed or not, is making sure it’s not just theater, and that you’re actually positioning the organization to identify incidents quickly. What are some things we can do to make sure we’re getting that from an MSSP?

  • Thanks for an excellent point, Matt! IR services from an MSS which are not triggered by the MSS monitoring would worry me a lot.