Let’s get this out of the way: some MSSPs REALLY suck! They have a business model of “we take your money and give you nothing back! How’d you like that?” A few years ago (before Gartner) I heard from one MSSP client who said “I guess our MSSP is OK; it is not too expensive. However, they never call us – we need to call them [and they don’t always pick up the phone].” This type of FAIL is not as rare as you might think, and there are managed security services providers that masterfully create an impression in their clients’ minds along the lines of “security? we’ll take it from here!” and then deliver – yes, you guessed right! – nothing.
At the same time, I admit that I need to get off the high horse of “you want it done well? do it yourself!” Not everyone can boast about their expansive SOC with gleaming screens and rows of analysts fighting the evil “cyber threats”, backed up by solid threat intelligence and dedicated teams of malware reversers and security data scientists. If you *cannot* and *will not* do it yourself, MSSP is of course a reasonable option. Also, lately there have been a lot of interesting hybrid models of MSSP+SIEM that work well … if carefully planned, of course. I will leave all that to later posts as well as my upcoming GTP research paper.
So let’s take a hard look at some challenges with using an MSSP for security:
- Local knowledge – be it of their clients’ business, IT (both systems and IT culture), users, practices, etc – there is a lot of unwritten knowledge necessary for effective security monitoring and a lot of this is very hard to transfer to an external party (in our MSSP 2014 MQ we bluntly say that “MSSPs typically lack deep insight into the customer IT and business environment”)
- Delineation of responsibilities – “who does what?” has led many organizations astray, since gaps in the whole chain of monitoring/detection/triage/incident response are, essentially, deadly. Unless joint security workflows are defined, tested and refined, something will break.
- Lack of customization and “one-size-fits-all” – most large organizations do not look like “a typical large organization” (ponder this one for a bit…) and so benefiting from “economies of scale” with security monitoring is more difficult than many think.
- Inherent “third-partiness” – what do you lose if you are badly hacked? Everything! What does an MSSP lose if you, their customer, are badly hacked? A customer… This sounds like FUD, but this is the reality of the different positions of the service purchaser and the provider, and escaping this is pretty hard, even with heavy contract language and SLAs.
So, did your MSSP cause any challenges? Hit the comments or contact me directly.
Blog posts related to this research on MSSP usage: