
Challenges with MSSPs?

By Anton Chuvakin | September 10, 2014 | 7 Comments


Let’s get this out of the way: some MSSPs REALLY suck! They have a business model of “we take your money and give you nothing back! How’d you like that?” A few years ago (before Gartner) I heard from one MSSP client who said “I guess our MSSP is OK; it is not too expensive. However, they never call us – we need to call them [and they don’t always pick up the phone].” This type of FAIL is not as rare as you might think, and there are managed security services providers that masterfully create an impression in their clients’ minds along the lines of “security? we’ll take it from here!” and then deliver – yes, you guessed right! – nothing.

At the same time, I admit that I need to get off the high horse of “you want it done well? do it yourself!” Not everyone can boast about their expansive SOC with gleaming screens and rows of analysts fighting the evil “cyber threats”, backed up by solid threat intelligence and dedicated teams of malware reversers and security data scientists. If you *cannot* and *will not* do it yourself, an MSSP is of course a reasonable option. Also, lately there have been a lot of interesting hybrid models of MSSP+SIEM that work well … if carefully planned, of course. I will leave all that to later posts as well as my upcoming GTP research paper.

So let’s take a hard look at some challenges with using an MSSP for security:

  1. Local knowledge – be it of their clients’ business, IT (both systems and IT culture), users, practices, etc. – there is a lot of unwritten knowledge necessary for effective security monitoring, and a lot of this is very hard to transfer to an external party (in our MSSP 2014 MQ we bluntly say that “MSSPs typically lack deep insight into the customer IT and business environment”).
  2. Delineation of responsibilities – “who does what?” has led many organizations astray, since gaps anywhere in the chain of monitoring/detection/triage/incident response are, essentially, deadly. Unless joint security workflows are defined, tested and refined, something will break.
  3. Lack of customization and “one-size-fits-all” – most large organizations do not look like “a typical large organization” (ponder this one for a bit…), and so benefiting from “economies of scale” with security monitoring is more difficult than many think.
  4. Inherent “third-partiness” – what do you lose if you are badly hacked? Everything! What does an MSSP lose if you, their customer, are badly hacked? A customer… This sounds like FUD, but this is the reality of the different positions of the service purchaser and the provider, and escaping this is pretty hard, even with heavy contract language and SLAs.

In essence, an MSSP may work for you, but you need to be aware of these and other challenges, and to plan how you will work with your MSSP partner!

So, did your MSSP cause any challenges? Hit the comments or contact me directly.

Blog posts related to this research on MSSP usage:


7 Comments

  • Glenn says:

    Anton,

    Considering I have known you since the 90’s you continue to nail things right, especially your first paragraph.

    Glenn

  • @Glenn Thanks a lot for the comment!! Sadly, this is true — I just need to know how pervasive such a situation is.

  • Prabhat says:

    Anton, great topic.. I do feel MSSPs never do any good except for regulatory compliance, as most of the organizations don’t seem to be good at or too interested in planning this stuff (as you have explained in .. How To Work With An MSSP Effectively?)

  • Colin Zarbough says:

    I could not agree with you more. As someone that works for a large consulting firm, time and time again I see “MSSPs” that are of no value to the client. I refer to most of them as the “undercarriage rust protection” of the IT world. Done properly it could be valuable, but in most cases a complete waste of money and for lack of better word a scam to the clients. The biggest issue you point out is that they generally have no idea what is going on within the client’s environment. If you couple this with perhaps a client side security team that is not as proficient as they should be, then you have two layers of “protection” that are really adding no security. As you point out, if you do not sync up your security operations and procedures, who handles alerting and remediation can be a complete disaster. I had one MSSP from a major vendor that couldn’t tell automatically when the IPSEC tunnel to the client site went down, as they had someone manually checking connections every few hours. I received an email 18 hours after the tunnel went down saying there may be an “issue”. I would laugh if it weren’t so sad.
    I really think if you have the money and the talent, with so many bad MSSPs out there you could really take a lion’s share of the market. The fees for MSSP are pretty insane, with the lowest I have seen starting at $18k a month.
    Thanks again for a great post!

  • @prabhat Thanks for the insight – indeed, it seems like some clients get that “for compliance” only and thus choose by price.

    @Colin Thanks a lot for the insight! Indeed, the case of an incompetent MSSP serving an even less competent security team is a pure and unmitigated disaster in case of a breach, and overall too.

  • Tom Bain says:

    Anton – I have at least one very formidable MSSP partner of ours who would be more than happy to speak with you. I will shoot you an email.

    —Tom

  • @Tom Thanks a lot — looking forward to it!