Gartner Blog Network


The Curse of A Black MSSP

by Anton Chuvakin  |  September 25, 2017  |  3 Comments

I think I accidentaly discoverd a new curse, The Curse of a Black MSSP. In recent weeks I’ve spoken to several organizations who has fallen to this particular affliction. They all …

  • have relatively stringent security requirements including that for 24/7 security monitoring
  • do not have internal resources even remotely close to sufficient for their requirements (such as no people, no money, no tools, no processes)
  • despite the above, they will not use an MSSP or MDR.

When asked about this situation, they told me that “all MSSPs are shit” and that “our management (!) will not let us use one.” Now, understand that a much more typical situation would be for the CIO to push the MSSP route and for the valiant technical security team to push back and lose

Once I joked that “MSSP is by far the best way to do securty monitoring once you realized you can use no other way.” (please tell me this is actually funny). So, what other choices do they have? If they had people, they could have used open source tools. If they had tools with more automation (SOAR perhaps), they could have managed with fewer people. But having neither of the above AND having security requirements will typically push you into the MSSP sweet spot.

Yet, a horrible MSSP experience perhaps scarred them for life, and now they are stuck in limbo…. instead of enjoying a quiet mediocrity of MSSP monitoring.

stop-mediocrity

(source: http://dilbert.com/strip/2008-09-03)

How to help them? By giving them tools and methods to separate shitty MSSPs from merely mediocre ones (with perhaps one or two MDRs with real threat detection excellence thrown in).

So, how did you test your MSSP, before and after contract signing? How do you tell the experts-for-hire from the clowns?

BTW, we are updating our super-popular “How to Work With an MSSP to Improve Security” somewhere late in Q4 2017.

Possibly related blog posts:

Category: monitoring  mssp  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on The Curse of A Black MSSP


  1. Adrian Grigorof says:

    MSSPs as the best solution when there is no other way? That’s actually really funny.
    Now, for the “no people, no tools” dilemma, does it mean they also have no money? If they don’t have money, how can they afford an MSSP? If they do have money, why can’t they buy tools? Apart from that, I would experiment with different MSSPs, with smaller projects until I would find one that is not 100% bad. Maybe use 2 MSSPs to keep them on their toes? There is nothing more scary for an MSSP than the competition getting a foothold on their territory.

    • Hey Adrian, thanks for the comment. This can evolve into an extended debate, and there is definitely much to hate with how many MSSPs do stuff.

      I’ve joked that MSSP is the best choice…when there is no other choice. Frankly, I assumed this is as pessimistic as they go. Apparently, you think me an optimist :-)

      So, with money they can buy tools, but often not people to run them. We know people buy too much security boxes anyway. Why can’t they hire? Location, money [they need 24/7 which is a team of 9-10, but they have money for 2, hence MSSP]

      I think an idea to experiment is great, BUT many will force you into a 1-3 year contract, and you may not have any choice to do a trial contract. If this is on offer (not sure who does it), the pricing pressures may convince them to sign for 1 year anyway (how bad can it be if on paper it looks OK? —Well… :-))

      Getting 2 MSSPs seems like an expensive way to pay for 2 groups to fingerpoint after every failure, not sure this is such a great idea.



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.