A Guide to Managed Security Services
Download as PPT, PDF2 likes1,189 views
The document provides a comprehensive overview of the managed security services provider (MSSP) market, highlighting the variations in size and capabilities among MSSPs, with a focus on the predominance of small organizations. It emphasizes the importance of careful selection, including evaluating platforms, understanding onboarding processes, and maintaining security compliance, particularly in light of regulations like GDPR. The conclusion stresses the maturity of the MSSP market and the need for organizations to clearly define their security requirements before entering into long-term contracts.
![Geographical Differences
With 50% of all MSSPs US registered, as in other areas
of cyber security, they dominate the MSSP market, not
only domestically but internationally, with many US based
MSSP providing their services globally [see figure on
slide 10, which graphically demonstrates this].
Europe has a significant market share but unlike the US,
the MSSP’s tend to operate often within their local
geography.
Some MSSPs choose to site their SOC in another
country to the one in which they operate, often for
economic reasons in order to maintain competitive
advantage. Although availability of staff is also a factor for
many MSSPs.](https://image.slidesharecdn.com/managedsecurityserviceproviderstats-180221175311/85/A-Guide-to-Managed-Security-Services-9-320.jpg)
More Related Content
Similar to A Guide to Managed Security Services (20)
A Guide to Managed Security Services
- 1. A Guide to Managed Security Services Graham Mann Managing Director & Co-founder CyberSpace Defence Ltd. International House, 24 Holborn Viaduct, London EC1A 2BN [email protected] Mobile 07714210433
- 2. Global MSSP Market Based on data extrapolated from some 600 MSSPs globally, 57% had less than 200 employees, which suggests that the majority of MSSPs are pure play providers, offering only consultancy services in addition. Assuming in order to provide a 24x7x365 single SOC operation you’d need a staff of more than 20, it’s obvious that around 10% have insufficient resources to provide this. That’s not to say that the sub-20 employee MSSPs can’t offer a comparable service. They may not operate 24/7/365 or simply outsource the monitoring to a 3rd party provider
- 3. MSSP by Employee Size
- 4. The Major Players Perhaps surprisingly, the third largest segment is the 5,000+ employee band (20%), indicating the move in recent years of the major consultancies, telecoms operators, etc. into the MSSP market. Despite their size and resources, many do not have their own MSSP platform, preferring to subcontract or OEM a platform. The attraction of these major players in providing MSS is obvious; they already have contractual arrangements in place with large numbers of customers for whom they are the trusted partner.
- 5. The Major Players (cont.) Whilst the business logic seems compelling, there are two potential issues to be addressed: 1. The nature of the MSSP is such that it could be argued that it would be better to employ an independent provider, to ensure complete impartiality. 2. Do they offer the best value for money and is their service necessarily best suited to your needs?
- 6. Demarcation of Duties The issue of impartiality is also one that impacts on the MSP sector, who have increasingly sought to add managed security to their growing list of services. Whilst, like the telecoms operators and consultancies, it seems a natural progression, there remains that issue of impartiality. If your network is being monitored and managed by the same organisation there are clear operational savings. However, one could argue that a demarcation of duties should exist between managing and monitoring, for obvious reasons. A well written SLA and granular reporting system can overcome many of these issues.
- 7. Does Size Matter? When we consider the breakdown of vendors by size, 13% are relatively large organisations, having over 500 employees. Perhaps surprisingly, almost 70% of the vendors are sub- 200 employees, with most in this sector having less than 50 employees. This suggests that the industry is dominated by established but small, pure-play cyber security companies focused on a narrow range of cyber security solutions.
- 8. HQ Location of MSSPs
- 9. Geographical Differences With 50% of all MSSPs US registered, as in other areas of cyber security, they dominate the MSSP market, not only domestically but internationally, with many US based MSSP providing their services globally [see figure on slide 10, which graphically demonstrates this]. Europe has a significant market share but unlike the US, the MSSP’s tend to operate often within their local geography. Some MSSPs choose to site their SOC in another country to the one in which they operate, often for economic reasons in order to maintain competitive advantage. Although availability of staff is also a factor for many MSSPs.
- 10. MSSP – Activity by Region
- 11. Deciding on an MSSP It’s worth considering some basic points prior to even approaching the market
- 12. Tendering Process When deciding on an MSSP there are a number of details to consider, and that’s why more and more organisations are using the tendering system when determining the most appropriate provider. That’s fine but tendering often fails because of three simple reasons:
- 13. Reasons for Failure 1. The invitee list doesn’t contain a broad range of providers. This can be overcome by issuing a RFI to a much larger base and then whittling down the responders to a manageable number. This strategy, however, still requires that the RFI list is comprehensive and representative. 2. The RFP is poorly constructed and fails to address key issues, vital in determining the most appropriate provider. 3. The SLA isn’t sufficiently detailed enough or fails to address the customers’ specific requirements. The SLA must be clearly articulated in the RFP and can’t simply be left until a provider has been selected, as it’s a key
- 14. Which MSSP is Best for You? Do you want an MSSPs with their own monitoring platform or would you prefer an MSSP that uses a third- party platform like that provided by Fortinet? A quarter of MSSP’s are software vendors in their own right. Fortinet, like others, provides a complete management solution to MSSPs that do not have an inhouse developed solution. You can benefit from a small, focused MSSP but whose able to provide a robust enterprise-level managed security platform. Do you want an MSSP with global coverage or a local MSSP with their SOC in your country?
- 15. Types of MSSPs Security management & monitoring service Security monitoring only Managed Detection and Response (MDR) Managed SIEM Managed firewall, IPS/IDS and/or other security devices Managed vulnerability scanning, DDoS protection and/or other externally initiated security services Many of the larger MSSPs have numerous SOCs, positioned in strategically around the globe. Whilst, with 24/7/365 service, this isn’t absolutely necessary, it does provides failover and local representation. SaaS and/or on premise
- 16. Understand the Platform There are also a number of platforms that were architected and indeed developed for a different era and a different set of security vectors, when protecting the perimeter was the issue. Later MSSP platforms have been developed specifically designed to detect advanced cyber attacks and insider activity, and it’s important to understand this. Whilst platforms built in the early noughties can still function well, particularly if used in conjunction with cutting-edge technologies like security analytics products, they were designed for a different function. It’s important to understand this when evaluating an MSSP.
- 17. It’s about what’s under the Hood Sexy looking UIs and reporting can be enticing but it’s what’s under the hood that’s important. Sometimes, a good looking exterior can mask operational deficiencies. The detection of advanced, focused cyber attacks is critical but often difficult to achieve. Make sure that the chosen MSSP understands that you will be undertaking a range of penetration tests, including a “red teaming” exercise to test out their claims post implementation. Ensure that the contract contains a clause giving you the right to terminate should the MSSP fail any of these tests.
- 18. Onboarding Process Onboarding can still represent a considerable overhead, particularly for the uninitiated. Whilst SaaS delivery remains the direction of travel, many providers still require some elements of the service to be installed locally on the clients site or network changes made. Ensure that you understand precisely what resources you will be expected to provide during the onboarding process and beyond. The devil really is in the detail here. Roles and responsibilities need to be agreed before contracts are signed, along with a comprehensive onboarding schedule.
- 19. There’s no Substitute for Research Reference sites are rarely representative of the service the MSSP provides. It’s most unlikely that the reference(s) will provide much insight into the issues you may face. They are usually carefully selected evangelists. It’s worth seeking out reviews on the Internet or better still if you can identify a customer yourself, speak to them. Spend time researching the market or use a third-party list of MSSP/MDRs, not just the major players though, you’ll miss some great providers otherwise. Be clear on your requirements before approaching the market
- 20. MSSPs have “come of age”
- 21. MSSP Market is Growing The trend towards MSSPs grows apace as organisations struggle to maintain an acceptable level of security through the deployment of inhouse resources. Driven by this insatiable appetite, there are new MSSPs appearing almost daily. This is no more evident than in geographies where compliance and governance are mature, take the EU, for example. The EU General Data Protection Regulation (GDPR) comes into effect in May 2018, heralding a seed change in the way data on EU citizens are held and processed globally. Whilst GDPR is not about cyber security per se, one element of this new law specifically addresses breach reporting and the implications arising from this.
- 22. Breach Notification In Europe, GDPR Article 34 states that organisations will be required to inform their local supervisory authority within 72 hours of a breach of personal data being detected. Clearly, it is important that any breaches or potential breaches are detected early, before any personal data is stolen. The consequences of losing personal data under GDPR are potentially significant both in terms of the notification process, compensation, and the penalties. MSSPs automatically maintain or indeed should maintain, detailed record keeping of events, required under GDPR.
- 23. Stress Test your MSSP now Those that already have an MSSP contract must ensure that their MSSP are suitably capable of detecting attacks before any data is exfiltrated and in maintaining detailed record keeping. It’s advisable to “Stress Test” your MSSP rigorously against all forms of potential attack. It could be very costly for you later otherwise. Under GDPR you can’t devolve responsibility to your provider. If you don’t already use the services of as an MSSP and are subject to GDPR, it’s wise to review that decision urgently.
- 24. Conclusion
- 25. To Conclude The MSSP market is 20 years old, relatively mature and there is considerable choice, with new entrants offering inventive solutions along with established players. MSSPs have come into their own recently, partly because of the difficulty in securing the network and partly because the lack of availability of good professional security personnel. The important thing in deciding on an MSSP is to be clear what your requirements are and define your prerequisites, including areas of compromise. MSSP deals are usually for three years or more and so it’s important to get it right. Getting it wrong could prove very costly.