What the analysts say about selecting a managed security services provider
The volume and seriousness of cyber threats, coupled with an acute, long-term shortage of trained cybersecurity professionals, make it highly probable that your company will be outsourcing some, or all, of its cybersecurity work. Only the world's largest businesses can handle security 100% internally, and even those have started to use Managed Security Services Providers (MSSPs) for selected tasks.
However, it can be challenging to find the right MSSP for your particular business.
Nemertes, the technology analyst firm, is helping security and IT leaders address this problem with its new MSSP Buyer’s Guide and accompanying infographic. These help clients evaluate potential providers, including those offering Managed Detection and Response (MDR) and Security Operations Centers-as-a-service, also known as SOCaaS. Their suggested criteria range from basic elements of operational excellence like depth-of-bench and process maturity to more sophisticated, and important, issues like competency with advanced security tools including machine learning, behavioral analytics, and “artificial intelligence (AI).” Here’s a recap of Nemertes’ top tips.
Why an MSSP, detection & response service, or SOCaaS is in your future
If I were to look into a crystal ball and make a prediction for 2022, I would say an MSSP, MDR service or SOCaaS is in your future. Nemertes analysts agree, because the alternative is to take on what amounts to an open-ended expansion of your cybersecurity staff, toolset, and budget. The increase in the threat environment is just one driver of this reality. There’s also been a major shift in compliance requirements and how IT assets are deployed, which affects security risk, policies, and processes.
The days of the traditional enterprise, with a clear perimeter, are over. Nemertes studies tell us that since 2020, more than half of enterprise workloads are running outside enterprise data centers. Why? Factors include remote work, cloud applications, more use of personal devices on company WLANs, the “Internet of Things” (IoT), as well as the accelerating pace of software releases from DevOps and related methodologies. All of this makes security far more challenging.
It will be difficult, if not impossible, to recruit and retain enough people with the skill sets to keep such distributed and technologically varied environments secure. And even if you can find the talent, it may not be financially feasible to staff a SOC large enough to monitor incidents and respond on a 24/7 basis. Managing security in-house can put companies in an endlessly reactive mode that Nemertes describes as a "whack-a-mole" situation that benefits no one. Taking all of these issues into consideration, it is easy to see why outsourcing security tasks starts to look very appealing.
MSSP selection criteria
What makes for an effective MSSP, MDR service, or SOCaaS? Every client will have to find a service provider that meets its distinctive requirements. However, as Nemertes lays out in their paper, the best practice is to assess prospective vendors according to criteria that include the basics, as well as more nuanced qualities like their ability to work with a risk-based approach.
Core elements of operational excellence
Any MSSP worthy of serious consideration must offer the core elements that form the foundation of the relationship. These include:
- Staffing and Skills: Ask how many staffers will be assigned to your account, how many other accounts each staffer supports, and their specific skills and technology certifications. How long do staff typically stay with an account and with the MSSP?
- Industry and business expertise: Ask the provider to demonstrate expertise in your industry, ideally both via reference accounts and through a thorough demonstration of knowledge of relevant regulations and compliance requirements.
- Geographic familiarity: Has the provider worked in your geographies, and is it familiar with the relevant privacy regulations (e.g. GDPR) or other compliance requirements that apply?
- Relationship management: Ask the provider to walk you through their onboarding and offboarding processes, including any aspects specific to your industry, location, and practices. Ask if they can help transfer your services from an existing MSSP (e.g. get custom runbooks and scripts, transfer software licenses, and ensure destruction of any of your data the old MSSP may retain).
Tech stack and tool competency
An MSSP will ideally offer a tool chest of ready-to-go technologies, allowing the client to select the ones they need to fill any gaps in their existing security investments. Most companies already have their own tools, and the best providers will integrate with those rather than asking clients to rip and replace.
For instance, Masergy offers a toolbox covering network, cloud, and endpoint security:
- Network Tools: SIEM log monitoring, advanced IDS and raw packet capture, vulnerability scanning, network visibility (flow data), shadow IT discovery, network microsegmentation, user identity analytics, and threat intelligence
- Cloud Tools: Cloud Access Security Broker (CASB), Office 365 monitoring, and third-party integration options
- Endpoint Detection and Response: Endpoint protection platforms coupled with threat detection and response services, as well as proactive threat hunting capabilities
Flexibility is key for cost savings and for gaining wide security awareness, but equally important are the back-end technologies the provider uses behind the scenes of their SOC operations. MSSPs should leverage:
- Security analytics (machine learning, behavioral analytics) to speed detection and response — Nemertes calls AI for security “the only scalable and sustainable solution to the problem of identifying the events requiring human attention and response amid the sea of notifications and alerts an infrastructure will generate.” They also credit AI for “powering any real approach to Zero Trust.”
- Integration capabilities to work with the client’s own systems including their IT ticketing system.
- Automation tools like Security Orchestration Automation and Response (SOAR) systems to help accelerate response processes — making SOAR work will likely require integrating your SOAR with their toolset, or their SOAR with your security tech stack.
- Consolidation — not only should your partner be a master of a constellation of security technologies, they should also be good at pumping all those tech-born data feeds into one analytics engine and management platform.
Frameworks to progressively improve security
Another area to probe is the MSSP's ability to help your organization with important security frameworks. Can an MSSP, MDR service or SOCaaS be a strategic partner in improving your security through the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) Controls, a Zero Trust architecture and the like? Providers should be intimately familiar with these best practices and able to help you implement and improve your security program by aligning it with such well-respected, systematic security frameworks.
A risk-based approach
A risk-based approach is helpful in an MSSP relationship, so it is a valid criterion for vendor selection. The idea is to frame the MSSP's services and responses in terms of risk, such as the financial impact on your business of a compromised asset. By agreeing on risk up front, you and the MSSP can settle which classes of alert warrant which response, and which do not constitute a real threat and need no response at all. This way, you avoid wasting analyst time and resources on low-risk issues while the high-impact ones wait.
Preparing for a security services partner
You’ll also have to take care of “your side of the street,” so to speak. For instance, if your team doesn’t have its own security processes in order, for things like escalation and notifications, then adding an MSSP to the mix can complicate things. At a minimum, you’ll struggle in the on-boarding phase of the relationship. On a related front, you need to understand your own security objectives and sense of risk before you engage with an MSSP. The MSSP could help you develop a risk “heat map” to determine your focal areas (what needs the most protection) and most valuable digital assets, but it’s a good idea to discuss this before you bring on a new vendor.
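To make the risk-based approach and the risk "heat map" concrete, here is an added example, not code from the original post, from Nemertes or from Masergy. It assumes a hypothetical asset inventory with business-impact figures (a stand-in for the financial-impact figures you would agree with the MSSP), a simple likelihood mapping for alert confidence levels, and a constructed batch of alerts from several feeds (SIEM, EDR, CASB, IDS). It ranks alerts by expected loss, assigns each a response tier, and builds the asset-by-confidence heat map that shows where attention is concentrating.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical asset inventory: estimated business impact (USD) if the asset is
# compromised. In practice these figures come from the risk exercise with the MSSP.
ASSETS = {
    "payments-db": 5_000_000,
    "hr-portal": 750_000,
    "marketing-wiki": 20_000,
    "dev-sandbox": 5_000,
}

# Assumed mapping from an alert's confidence level to a rough probability that
# the alert reflects a real compromise. These values are illustrative only.
LIKELIHOOD = {
    "confirmed": 0.9,
    "likely": 0.5,
    "possible": 0.2,
    "informational": 0.01,
}

# Response tiers agreed with the provider, expressed as expected-loss thresholds (USD).
RESPOND_NOW = 100_000
INVESTIGATE = 10_000


@dataclass(frozen=True)
class Alert:
    source: str       # which feed raised it (SIEM, EDR, CASB, IDS, ...)
    asset: str        # affected asset, keyed into ASSETS
    confidence: str   # keyed into LIKELIHOOD


def expected_loss(alert: Alert) -> float:
    """Expected loss = likelihood the alert is real x impact of the asset.

    Unknown assets get an impact of 0, which surfaces them as low priority;
    a real deployment would instead flag them for inventory follow-up.
    """
    return LIKELIHOOD[alert.confidence] * ASSETS.get(alert.asset, 0)


def tier(loss: float) -> str:
    """Map an expected loss onto the agreed response tier."""
    if loss >= RESPOND_NOW:
        return "respond-now"
    if loss >= INVESTIGATE:
        return "investigate"
    return "monitor-only"


def triage(alerts: list[Alert]) -> list[tuple[str, float, Alert]]:
    """Return (tier, expected_loss, alert) tuples, highest expected loss first."""
    scored = [(tier(expected_loss(a)), expected_loss(a), a) for a in alerts]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def heat_map(alerts: list[Alert]) -> dict[str, Counter]:
    """Count alerts per (asset, confidence): the grid behind a risk heat map."""
    grid: dict[str, Counter] = defaultdict(Counter)
    for a in alerts:
        grid[a.asset][a.confidence] += 1
    return dict(grid)


def focal_assets(alerts: list[Alert]) -> list[tuple[str, float]]:
    """Total expected loss per asset, largest first: where to focus first."""
    totals: dict[str, float] = defaultdict(float)
    for a in alerts:
        totals[a.asset] += expected_loss(a)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample alerts, not taken from any real environment.
SAMPLE_ALERTS = [
    Alert("SIEM", "dev-sandbox", "confirmed"),      # high confidence, trivial asset
    Alert("EDR", "payments-db", "likely"),
    Alert("CASB", "hr-portal", "possible"),
    Alert("SIEM", "payments-db", "informational"),  # low confidence, crown-jewel asset
    Alert("IDS", "marketing-wiki", "likely"),
]

if __name__ == "__main__":
    for t, loss, a in triage(SAMPLE_ALERTS):
        print(f"{t:12} {loss:>12,.0f}  {a.source:5} {a.asset:15} {a.confidence}")
    print(heat_map(SAMPLE_ALERTS))
    print(focal_assets(SAMPLE_ALERTS))
```

Two results illustrate the point of the approach: the confirmed alert on the sandbox lands in "monitor-only" because the asset is worth little, while the informational alert on the payments database still earns an "investigate" tier. Whatever numbers you and the provider agree on, writing them down this way is what turns "risk-based" from a slogan into something the SOC can apply consistently.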
Conclusion: Investments now avoid trouble later
Choosing the right MSSP, MDR service or SOCaaS may turn out to be a challenging endeavor. But, given the importance of the relationship, it’s worth making the investment of time up front to avoid trouble down the road. I invite you to explore the Nemertes MSSP Buyer’s Guide, a methodical and insightful approach to making a decision that will bode well for your security posture going forward.