With enterprise adoption of managed security services gradually maturing, the rewards and risks of using such services have become a lot clearer for current and potential customers.
A recent survey by Forrester Research of 140 managed security service provider (MSSP) customers found some organisations are leveraging third-party security providers successfully while many others are struggling to extract value from their relationships.
The analyst firm discovered that CISOs everywhere are struggling to justify their spending on MSSPs to non-security executives because of a lack of proper metrics and because of technology complexity -- among other things.
At the same time managed security services vendors themselves are struggling to tie the benefits they offer to the things that really matter to organisations -- for their customers and stakeholders and how they support business requirements.
Using an MSSP is not outsourcing
"The number one mistake organisations make when using an MSSP is thinking that managed security services is outsourcing," says Jeff Pollard, an analyst at Forrester and one of the authors of the survey report. The reality is that most firms consistently spend more time on security after adopting an MSSP, not less, he says.
Often the time they spend might be on more valuable activities such as tracking down serious threats and incidents, and on vulnerability remediation activities. "If the company went in expecting to spend less time and needing less resources, that rarely becomes the case."
Companies of all sizes tap MSSP services these days though bigger organisations tend to do it for different reasons than small- and medium-sized businesses.
Daniel Kennedy, an analyst at 451 Research, says that some 30 per cent of companies with fewer than 1,000 employees and four out of ten organisations with more than 1,000 workers have implemented managed security services.
451 Research data shows that larger companies with relatively well-resourced information security organisations tend to use MSSPs for security operations functions such as intrusion management and SIEM. Many large enterprises also use MSSPs for incident response services like managed detection and response (MDR).
Smaller organisations, on the other hand, more typically use MSSPs for infrastructure related capabilities such as endpoint security and in other areas where the vendor is providing an IT services replacement capability rather than a security augmentation function. The goal for SMBs more often is to drive down security costs and in ensuring proper coverage of basic security functions.
Forrester found that when harnessed properly, a skilled MSSP could help organisations improve the overall quality of protection and help customers augment onsite talent and breadth of skills especially in areas with deep skills shortages.
"Often, in the SMB space, ROI comes from the payback associated with not having to fund all of the costs associated with finding, hiring and maintaining a 24x7 security operations centre team," says Marcus Bragg, VP of sales at AT&T Cybersecurity. "In larger organisations, the use of the MSSP can allow existing in-house security personnel to focus on more strategic and impactful security work."
Getting such ROI though can be a challenge for organisations that are not prepared for what they are letting themselves into.
Forrester's survey showed that the best MSSP engagements result when CISOs have a clear idea of their own capabilities and program and have specific demands for their vendor. In these relationships the right expectations were set upfront and then managed appropriately.
MSP versus MSSP
Managed service providers (MSPs) traditionally have offered primarily managed IT services. Given the rise in ransomware and other threats, nearly all MSPs (99 per cent) offer some form of security services, according to Datto's Global State of the MSP Report.
Be careful when considering an MSP, as their security capabilities might be limited. Datto's report shows that while most offer basic protections such as endpoint security, only 66 per cent offer basic firewall capability and 68 per cent can provide two-factor authentication. Remote access technologies and mobile device management are even lower at 63 per cent each.
Consider how an MSP has acquired its security capabilities, too. Most are outsourced. The Datto survey shows that 67 per cent use co-managed security tools and 61 per cent partner with an MSSP. Only 51 per cent use internal security talent.
Biggest MSSP risks
Others hoping to achieve similar success need to consider these six potential risks when implementing an MSSP program.
1 - Failing to assess internal own security strengths and weaknesses
"The biggest risks for customers when working with an MSSP is picking a provider that doesn’t complement or augment your teams well," Pollard says. Organisations need to understand their own capabilities first to be able to select an MSSP that can truly help address gaps. They also need to assess the MSSPs strengths and weaknesses to ensure they match internal requirements.
Selecting an MSSP that's great at device and technology management is of little use when what an end-user really requires is help with incident response and forensics, Pollard says.
2 - Assuming the vendor knows how internal systems work
Sometimes companies make the mistake of relying too heavily on their MSSP to understand the internal IT environment and how it works, says Pete Lindstrom, an analyst with IDC. That includes the office culture and an understanding of the risks associated with different types of systems.
"If enterprises don’t manage the process, conduct risk assessments, and actively review the work being done then there’s a chance things will drop through the cracks," he adds.
For example, MSSPs are unlikely to know about new systems or architectures that might be deployed to support IT projects. "It is up to the security folks to fully brief them and integrate any monitoring requirements into the contract," Lindstrom says.
Not including the IT team when bringing in an MSSP is also a mistake, adds Bragg from AT&T Cybersecurity. Often, not having access to or information on key systems or individuals prevents the MSSP onboarding from happening quickly and can drastically reduce the visibility of the MSSP for the life of the service, he says.
3 - Being unprepared for information asymmetry
Companies often hire an MSSP to perform a task for which they don't have any onsite skills. That also means they likely do not have the capability to determine if the vendor they have hired is delivering the services for which they have been contracted, says Kennedy of 451 Research. He points to one incident where a client was paying for a security monitoring service when in fact the MSSP was not monitoring anything at all.
The client had a sense that something was wrong but did not have the ability to independently figure out what was happening or the extent to which it was happening. "Where one is contracting for expertise, there is information asymmetry and it's a problem with some managed service providers," Kennedy says.
4 - Not understanding what was signed up for
The manner in which some MSSP’s structure their offerings can make it hard to understand what the actual service experience will look like and how it will be priced, says Bragg.
"How will they monitor your use of cloud services like AWS or Azure or SaaS apps like GSuite or Office 365?" he asks. How has their approach evolved over the past couple of years, and what’s their near-term roadmap to enabling additional visibility or for new capabilities they’re working on?
If a customer has existing or upcoming compliance initiatives, it is especially important to involve the compliance team when evaluating an MSSP so the right questions can be asked, Bragg says.
5 - Limited integrations and analytics
Forrester's survey showed that MSSPs often refuse to collaborate with non-contracted technologies, resulting in limited integration with all the other security controls that an organisation might have in place. "Most customers talk of the complexity of having to micromanage their MSSP’s interaction with the ecosystem of IT suppliers when it comes to fixing security issues," the Forrester report noted.
In addition, many MSSP alerts also can lack context and criticality and force organisations to work overtime verifying and double-checking every alert they receive. "The false positives further exacerbate the frustrations of failed integrations," the research firm noted.
6 - Not verifying the security practices of an MSSP
Recently, attackers have targeted MSSP systems and networks to then access their clients’ systems. In several of these incidents, threat actors have exploited weaknesses in the remote admin tools that MSSPs use to gain access to their customer systems.
One of the best-known examples is China-based APT10 threat group's Operation Cloud Hopper campaign targeting hundreds of managed service providers worldwide.
Attackers know that compromising one MSP is all that is needed to gain access to many customer networks, says Brian Downey, vice president of product management for security at Continuum, a company that helps other MSPs deliver security services to clients. "MSPs are an entry point for attackers and need to be held to the highest security standards," Downey says.
Organisations need to make sure that any MSP they sign up with can talk through how they will drive risk down. "I would try to understand their portfolio of options, how they stay current with their expertise, how they are keeping up with the latest risks, and how they are providing response around the clock," Downey says. "MSPs need to have a strategy around security."
Many of these risks can be addressed during the vendor evaluation stage, but to do it properly, organisations need to know what to probe. The best questions to ask are around the tools and processes that the vendor uses, and the qualification level of the operations people being employed by the provider,
Kennedy says. Vendor opacity is not a good thing in this regard, and neither are certifications and attestations alone. "While purveyors of certifications and the like would claim they're a proxy for determining qualification… in security they're at best an indicator."
Companies should dig deep into the vendor's service delivery model. Figure out how their deployment and onboarding processes work and how they will stay in touch with and interact with your team on a daily, weekly and monthly basis, Bragg says.
Make sure to understand the MSSPs technology platform and the controls they have for incident response. "Early in the evaluation cycle, companies should be sure to understand what services are sold as separate modules or packages and map it to their security needs," says Bragg.