The Curse of A Black MSSP - Anton Chuvakin

I think I accidentaly discoverd a new curse, The Curse of a Black MSSP. In recent weeks I’ve spoken to several organizations who has fallen to this particular affliction. They all …

have relatively stringent security requirements including that for 24/7 security monitoring
do not have internal resources even remotely close to sufficient for their requirements (such as no people, no money, no tools, no processes)
despite the above, they will not use an MSSP or MDR.

When asked about this situation, they told me that “all MSSPs are shit” and that “our management (!) will not let us use one.” Now, understand that a much more typical situation would be for the CIO to push the MSSP route and for the valiant technical security team to push back and lose…

Once I joked that “MSSP is by far the best way to do securty monitoring once you realized you can use no other way.” (please tell me this is actually funny). So, what other choices do they have? If they had people, they could have used open source tools. If they had tools with more automation (SOAR perhaps), they could have managed with fewer people. But having neither of the above AND having security requirements will typically push you into the MSSP sweet spot.

Yet, a horrible MSSP experience perhaps scarred them for life, and now they are stuck in limbo…. instead of enjoying a quiet mediocrity of MSSP monitoring.

stop-mediocrity

(source: http://dilbert.com/strip/2008-09-03)

How to help them? By giving them tools and methods to separate shitty MSSPs from merely mediocre ones (with perhaps one or two MDRs with real threat detection excellence thrown in).

So, how did you test your MSSP, before and after contract signing? How do you tell the experts-for-hire from the clowns?

BTW, we are updating our super-popular “How to Work With an MSSP to Improve Security” somewhere late in Q4 2017.

Possibly related blog posts:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed

2 Comments

Adrian Grigorof says:

MSSPs as the best solution when there is no other way? That’s actually really funny.
Now, for the “no people, no tools” dilemma, does it mean they also have no money? If they don’t have money, how can they afford an MSSP? If they do have money, why can’t they buy tools? Apart from that, I would experiment with different MSSPs, with smaller projects until I would find one that is not 100% bad. Maybe use 2 MSSPs to keep them on their toes? There is nothing more scary for an MSSP than the competition getting a foothold on their territory.

October 18, 2017 at 12:06 am

Anton Chuvakin says:

Hey Adrian, thanks for the comment. This can evolve into an extended debate, and there is definitely much to hate with how many MSSPs do stuff.

I’ve joked that MSSP is the best choice…when there is no other choice. Frankly, I assumed this is as pessimistic as they go. Apparently, you think me an optimist 🙂

So, with money they can buy tools, but often not people to run them. We know people buy too much security boxes anyway. Why can’t they hire? Location, money [they need 24/7 which is a team of 9-10, but they have money for 2, hence MSSP]

I think an idea to experiment is great, BUT many will force you into a 1-3 year contract, and you may not have any choice to do a trial contract. If this is on offer (not sure who does it), the pricing pressures may convince them to sign for 1 year anyway (how bad can it be if on paper it looks OK? —Well… :-))

Getting 2 MSSPs seems like an expensive way to pay for 2 groups to fingerpoint after every failure, not sure this is such a great idea.

October 18, 2017 at 2:42 pm