Mid-sized organizations often consider Managed Security Service Providers (MSSP) for their security. There are a few reasons; the shortage of available cybersecurity talent, or the (seemingly) compelling business case presented by MSSPs. Yet, if organizations were to analyze what outcomes they’re attempting to achieve, many (most?) would realize that there are comparable alternatives that are more closely aligned, that also save money and reduce risk in the long run. In this post, I discuss how MSSPs work, the business reasons behind the functions they offer, and the main reasons why an MSSP won’t necessarily help you in achieving your own business goals… and certainly will not make significant improvements to your security posture.
Low Barrier of Entry
The concept behind an MSSP is that they have the skill and personnel to manage your tools on your behalf. In the mid-market space (organizations between 250 and 5,000 endpoints), there are hundreds of MSPs and dozens of MSSP vendors vying for your attention. It’s easy to start up; all that’s needed is a small team of junior technical analysts (as few as two or three), familiar with tools that most midmarket organizations have, such as firewall and AV. Assign them a handful of environments to manage (likely not on a 24/7 basis), and voila!
The business becomes more compelling as analysts further divide their time. The value proposition to clients seems attractive; they don’t need to hire/train/retain their internal resources. However, this (lower) barrier of entry means that there are numerous small MSSPs, running on minimal staff, with semi-mature processes, who can create compelling business cases to their clients… and yet, deliver no real tangible results.
The lower skill/experience level of analysts means that the first line of defense is often the more junior people in the MSSP – you may have heard of SOC analysts having a “tier number” in their job title. They (the lower ones) are burdened with the responsibility of having to triage the information coming at them. Having more experienced (and thus more costly) analysts means that the MSSP’s business model is not as compelling. This is a trend you’ll see as we analyze further.
This poses a significant problem because the skill level required to properly manage cybersecurity tools, especially advanced ones, is greater than the average analyst’s knowledge and expertise.
In other words, in an MSSP world, the least experienced cybersecurity analysts are tasked with making some of the most critical decisions as they attempt to protect your network.
False Positives Galore
Most, if not all, MSSP contracts state that upon the discovery of an alarm or breach, the MSSP will alert the client so they can investigate the specific circumstances around it. Unfortunately, this shifts the burden of investigation and response back to the client. In an effort not to miss any event of significance, the MSSP is thus conditioned to send any and all alerts to the client, to absolve itself of responsibility. The result is many false positives that are sent to the client to investigate, further burdening their team and consuming resources they likely don’t have, thereby negating any of the alleged efficiencies gained by moving to an MSSP in the first place.
Your Mess, for Less
MSSPs simply manage the tools within your environment. In cases where tools are inadequate, or need updating, refreshing, or replacing, the costs are passed to you, the client, either as a capital expense or built into your recurring fees. This further diminishes the financial benefits of the MSSP and does not improve the cybersecurity posture of the client. As an analogy, this is akin to the client owning (or purchasing) a car, and the MSSP simply providing a driver who is (somewhat) familiar with operating this car. However, different clients may have different cars, requiring different licenses, with different features. What you really need is to get from point A to point B: the outcomes of improved security, mitigating the risk of a breach, and adherence to compliance requirements.
As discussed, the MSSP is not an outcome-based service by design – their processes push the responsibility for achieving outcomes to you (they just provide information that may or may not help you do so). The MSSP's typical KPIs include:
- Mean Time to Respond
- Quantity of Alerts
- Number of Rules Changed (in a period)
None of the KPIs measured are aligned to specific business outcomes. See our post on KPIs for SMB here. Many MSSPs can answer quantitative questions, but can’t answer qualitative questions, such as:
- Are we more secure today than we were in the past?
- Who is targeting us?
- Are the investments we are making justified?
- Am I hacked today? Could I be hacked tomorrow?
The outcome essential for MSSPs is maintaining the business case of their services being cheaper than staffing your own team to manage your security investments. To that end, their contracts are often set at a three- to five-year duration, due to the need to amortize equipment costs and/or renewals of existing third-party tools. We believe that this is far too long for organizations to commit to. The cybersecurity world changes very quickly, with business demands, compliance requirements, and even expected business outcomes changing frequently as well.
No Proactivity, No Improvement
MSSPs offer basic alerting capability to provide an organization’s IT administrators with visibility into events that are happening inside their network that may or may not (hence the high volume of false positives) warrant investigation. This is typically achieved by the MSSP sifting through logs from a firewall or *gulp* SIEM, and passing off any events that trigger at certain thresholds.
This is (by definition) a reactive function that does not contribute to the overall security posture of an organization. It’s not the alerting or detection function that needs to be challenged, but rather the notion that after an alarm is triggered, the MSSP contacts the client to have them investigate.
In summary, the MSSP model is broken. It does not conform to organizations’ business requirements and does not drive outcomes that mitigate cybersecurity risk. There are alternatives. The MDR market was born because some vendors (like IntelliGO) recognized that organizations are looking for help, a partnership, and results that they can’t achieve on their own. A Managed Detection & Response Service offers a more attractive alternative, at a better price point, with more flexible, shorter contracts… and yields results that demonstrate, month over month, ongoing improvement in security and tangible reduction of risk.