In the space of barely 20 years, cyberattacks have gone from an inconvenient but relatively predictable IT problem to something often so complex in nature that only the largest organizations have the resources to defend themselves. Initially, organizations reacted to the surge in cyberattacks by doubling down on the traditional corporate model: more staff were hired, bigger firewalls bought, and layers of intrusion detection and prevention (IDS/IPS) filtering and malware detection added. In time, however, the glaring limitations of this model have become more and more apparent, such as:
- Buying more equipment leads to ever more complex security systems, monitoring and management.
- Demand for cybersecurity skills has made hiring specialized and experienced security staff more difficult.
- The combination of these factors has caused costs to rise and become unpredictable.
- Whole supply chains need to be secured in ways that are hard for SMEs to fund without increasing their costs.
- Ultimately, organizations don’t want to waste energy solving complex security problems when they could be doing profitable business.
Managed Security Service Providers (MSSPs)
The emergence of MSSPs, which evolved from simpler outsourced managed services, was a market reaction to this. Instead of investing in complex equipment and skills, these could be bought as a service package from a specialist company for a predictable sum. In addition to solving the problems listed above, this approach has other advantages:
- Accounting efficiency: buying security as a managed service shifts spending away from a depreciating equipment asset paid for from the capital expenditure (CapEx) budget and towards an ongoing operational expense (OpEx).
- Gives organizations access to additional services such as advanced threat intelligence and research, which might be difficult to justify or set up in-house.
- Gives smaller organizations access to new cybersecurity technologies which might otherwise be beyond their means.
- Buying cybersecurity as a modular service hides a huge amount of complexity behind a service wrapper.
Basic MSSP services
The standard suite of MSSP protections includes managed Unified Threat Management (UTM) and Next-Generation Firewalls (NGFWs), IPS, centralised anti-malware and email filtering, and virtual private network (VPN) remote access. Add-ons to these packages include patch management, vulnerability scanning, identity and access management (IAM), authentication services, threat intelligence feeds, and web application firewalls to defend and manage public-facing web servers.
Advanced MSSP services
More complex MSSP services include compliance assessment, cyberattack forensics, red teaming and penetration testing, application testing, specialized device management (Internet of Things networks), mobile device management (MDM), and consultancy around setting up in-house security operations centres (SOCs) for organizations that want to keep certain aspects of their security under tight control.
Incident response and compliance
A fundamental issue is how an MSSP reacts should one of its systems detect a threat on a customer’s network. Detection on its own is not enough; at a time when threats such as ransomware can spread in seconds, rapid containment should be a core part of an MSSP contract. The same goes for remediation: rolling back the damage an attack has done, or advising the customer on how to do so. This is critical: should an attack succeed, a customer will need somewhere to turn within minutes of that event, so partnering with a skilled MSSP is essential.
Service level agreements (SLAs)
Although superficially many MSSPs appear to do the same things, they don’t necessarily do them in the same way. The first area of differentiation is the SLA, which sets out parameters for customer response times and conditions. In the past, the assumption was that rapid response and 24x7x365 MSSP services were something that only enterprise customers either needed or could afford. However, because many cyberattacks against even smaller companies are being timed to coincide with public holidays, weekends, or changes in shift, this is no longer always true. One of the biggest strains on modern cybersecurity is that every customer now needs, and indeed expects, 24×7 monitoring.
MSSPs don’t remove all effort. Medium and large companies will still need a lot of oversight on their security procedures to ensure compliance with data protection laws and regulations. Organizations also need to ensure they are comfortable with the level of control and oversight they are left with once they move to using an MSSP.
Conclusion: are MSSP platforms the future?
Over time, the services offered by MSSPs have continued to expand, with new innovations being added all the time. However, challenges remain, such as whether MSSPs can move from a model based on alerting and logging to proactive security in which threats are detected before they cause problems. The question of control and value for money has yet to be answered for certain use cases.
MSSPs are also offering a wider range of more complex services. This raises the question of whether the future of MSSP services lies in all-in-one platforms that offer a range of services customers can pick and choose from. An MSSP service isn’t just something that is provided; the choice of services, and the management of that choice, could itself become an integrated service. At the very least, this would reduce costs, which would otherwise grow as organizations find themselves buying more services over time.
We’re not there yet, perhaps, but it’s at least possible to imagine a world in which MSSP platforms become a routine software service for any and every organization.