CxO Decision Brief: Managed Security Service Providers (MSSP)

1. Solution Value

This GigaOm CxO Decision Brief report was commissioned by OTAVA.

Managed security service providers (MSSP) fill a critical need for businesses struggling to secure and protect their operations against cyberthreats and attacks. These companies provide monitoring and analysis of network traffic to maintain security software, safeguard digital identities, and lend expertise on security best practices and events. In short, they enable organizations to focus on their core competencies by addressing many of the expensive and complex challenges around security operations.

With its subscription-based contract model and more than a decade serving the infrastructure and cloud needs of a broad customer base, OTAVA is well-positioned to partner with enterprises on their security challenges. The company is an established provider of managed SIEM and SOAR solutions, offers fully managed SOC and MSSP services, and boasts an impressive compliance and governance practice.

2. Urgency and Risk

Security is the only part of the business where you must participate. Every other aspect presents options. If you don’t want to digitally transform, you don’t have to. If you don’t want to move into new markets or protect your base, you have choices. Security is the exception. External forces are working tirelessly to attack your business; thus, you must respond. Failure to do so invites potentially crippling losses, both financially and reputationally.

The risk of attack is exacerbated by market dynamics that make it difficult to retain qualified security personnel, resulting in urgent gaps that can end in disaster. MSSPs such as OTAVA are dedicated to closing these gaps.

Risk

Three risks stand out with an MSSP engagement, two of which OTAVA addresses through its tailored, “white glove” engagements:

Dependency: Security management imposes a degree of dependency. An outage or disruption with the MSSP can impact your organization’s security posture. OTAVA mitigates this risk by maintaining a baseline SLA with a 99.99% uptime guarantee and offering a high availability (HA) SLA with a 100% uptime guarantee. Our review confirms that OTAVA meets its SLA with its customers. This is not a concern we have with OTAVA.
Loss of control: Outsourcing security likewise means ceding a level of control over security posture—problematic for organizations with strict security processes and requirements. In the case of OTAVA, the provider acts as a true partner that engages in high levels of discovery and strategic planning, ensuring its plan is in lockstep with your risk tolerance, compliance and governance needs, and strategic objectives. For customers seeking a higher level of control, OTAVA offers a hybrid model that provides Level 2 or Level 3 support and staff training.
Cost: Miscounting assets under management is a common source of cost drift, and OTAVA finds that it frequently engages customers to resolve this issue through the accuracy and quality of its discovery. Discovering unmanaged resources will increase costs but prevent these systems from becoming primary attack vectors that create serious problems. A related note: we broadly advise against a partial-coverage model (and OTAVA will not accept such contracts).

3. Benefits

The benefits of partnering with an MSSP are significant, from simplified regulatory compliance to leveraging on-demand security expertise—all of which impact the bottom line through reduced incidents and more effective and immediate response. Among key benefits:

Clarity of operation: A service designed with specific customer technologies and requirements in mind can reduce alert fatigue and drive down technical debt. OTAVA’s SIEM and SOAR services are designed to reduce chatter and normalize log data before ingestion, easing the investigation required to link events and create an incident story to speed up resolution. Monthly and quarterly reviews with OTAVA and the customer ensure that OTAVA remains in lockstep with upcoming changes, events, or customer requirements. Larger clients gain access to a dedicated technical account manager (TAM) focused specifically on their requirements.
Time to value: MSSPs can deliver early value by applying proven teams, processes, and systems to customers’ security. For its part, OTAVA can begin ingesting events and triaging alerts over a weekend, so time to value is excellent. As a Trend Micro and Fortigate partner, OTAVA streamlines onboarding for organizations aligned on those platforms, extending benefits beyond SIEM and SOAR functionality. Even for non-aligned shops, full onboarding can occur within 90 days.
Skills development: In addition to identifying and mitigating security threats, MSSP experts can upskill customers’ staff. OTAVA’s services range from security awareness training for employees to technical instruction for clients’ security staff.
Scalable security: MSSPs can operate on a scale that many companies cannot match, especially when experiencing rapid growth or fluctuating security needs. OTAVA has the flexibility to be your SIEM and SOAR provider, to expand to meet changing compliance and governance needs, to perform SOC buildouts, and to engage your IT and cloud optimization strategies.

4. Best Practices

Choosing to partner with an MSSP is a risk-based decision, but there are high-level best practices that can help avoid common pitfalls while optimizing the relationship between the MSSP and the customer.

Understand the service agreement: Review and update the service agreement with the MSSP regularly to ensure it reflects the current state of play. OTAVA’s monthly and quarterly reviews help ensure a mutual understanding of the partnership.
Establish clear lines of communication: Define upfront the flow of communication between MSSP and the customer to avoid missteps during an incident. Likewise, routine security operations should communicate with the MSSP for evidence gathering, change window notifications, outages, and other information. Think of your MSSP as an extension of your team. Again, monthly and quarterly business reviews are impactful and, combined with proper planning, ensure that OTAVA works in lockstep with customers.
Define scope of services: Identify what the MSSP will be responsible for and what will be managed in-house to eliminate confusion over responsibility for specific tasks or deliverables. Also, include compliance audits in your early conversations—according to OTAVA, integrating compliance with the security platform shrinks the window of disruption for an audit from six weeks to two. It also offers an opportunity to verify spending. For example, if there is no hard requirement for long retentions, you can trim expensive log storage to reduce costs.
Integrate compliance auditing: Your MSSP should be a key partner for all compliance auditing needs. Talk to your provider early in the onboarding process. OTAVA has years of experience in this space, serving as a hosted data center provider and achieving SOC2 Type2, SOC 3, HiTrust, ISO27001, PCI, and HIPAA certifications, and more recently, enabling GDPR compliance.

5. Organizational Impact

An MSSP engagement impacts employees, communication channels, workflows, and finances. As security operations shift to the service provider, it frees resources for projects like compliance and governance. The flow of information in nearly all security operation tasks will now include a third party, the MSSP, which needs to be accounted for in data flows and notifications.

People Impact

There are several specific issues to consider when assessing the impact of MSSP engagement on the technical workforce.

Work displacement: Managed services can free in-house security teams from day-to-day tasks, so they are available to align on efforts like data governance, compliance posture, and more granular access policies. Remember that an MSSP engagement requires adding a vendor management role to the team, likely requiring five to ten hours per month.
Operational workflows: Security operations must adapt to the demarcation point of the MSSP, and policy, process, and procedure should reflect this. Identifying the support tiers offered by the MSSP (Tier 0 through Tier 3 or higher) will help define the type of work performed by the client organization and MSSP alike.
Budgets: The predictable nature of MSSP billing simplifies budgeting. Organizations should verify the MSSP’s impact on security staffing and opportunities to free up budget previously allocated to staffing costs.

Investment Outlook

MSSPs typically sell services based on solution size, so that each solution tier can handle a predetermined number of connections, users, or other metrics. While this approach ensures that an appropriately sized solution is selected, it fails to consider required capabilities. Customers should refer to the challenges that are solved by the MSSP, then use these as the requirements for both capabilities and capacity.

This is where the OTAVA SIEM service provides a critical differentiator. Many of the solutions we see have complex billing based on traffic, storage, and number of endpoints as a blended metric, which makes it difficult to be accurate in financial predictability. OTAVA solves this issue by simply billing for storage consumed. Once you know your disk utilization, you can turn the dial to manage the level of detail, archive length, and cost to find the ideal balance for your organization.

A typical MSSP service contract runs 12 months, but discounts are often available for 24- and 36-month terms. OTAVA’s most common contract length is 36 months, while offering contracts ranging from month-to-month to five years. Providers that oversell solutions can burden customers with expensive contracts, so a principled approach anchored in customer requirements should be employed. This, in conjunction with a review of the risks identified above, provides a foundation for decision-making.

Ultimately, the main cost points are the total number of endpoints (devices, firewalls, servers, etc.) and the size in terabytes (TB) of SIEM and SOAR logs. The best way to manage cost is to understand your environment and retention policies relative to business needs and compliance.

6. Solution Timeline

The solution timeline depends on the scope and complexity of the services engaged. For single-service engagements (managed SIEM, for example), a typical deployment will complete within 60 days. OTAVA’s managed SIEM can be onboarded as quickly as a weekend. Still, we advise reserving ample time in the planning phase to ensure the go-live deployment ingests the correct data to the right level and that escalation routes are clearly defined. More complex scenarios will lengthen the timeline.

Plan, Test, Deploy

A deployment plan for an MSSP is a roadmap that outlines the key tasks and goals the MSSP should accomplish in each phase of engagement. This plan can help the MSSP and the organization align expectations.

Plan and Deploy
The focus here is on collaboration, which is essential for pinpointing integration points and setting major objectives. Managing expectations is a point of focus here. Cutovers of services (like MX record changes) will incur an outage, so plan accordingly. Also, OTAVA will tighten your security posture, which may cause more observed friction in your security tools. It is important to start from a position of heightened security and then discuss if a change needs to be made rather than ratchet it up on the fly.

Another point of emphasis is your organizational change control plan, which should be discussed with the MSSP. OTAVA singles out change control as a primary point of improvement because a good plan ensures everyone knows the proper paths for support and escalation.

Finally, be prepared for surprises. OTAVA’s experience is that very few customers have an accurate count of their devices or their total log data sizes. Be ready to adapt once the platform is rolled out.

Observe and Validate
A gap analysis can identify potential weaknesses in the customer’s system. With at least 30 days of telemetry available, linear trends, cyclical patterns, and areas of friction can be identified and addressed. This assessment process verifies that the proper measures are in place to protect customer systems from attack.

Downfield Concerns
With the MSSP functioning as an extension of the client’s security team, the provider should focus on monitoring and maintaining a security posture. Communication should be effective, security events quickly identified, and the overall relationship between MSSP and the customer resemble its mature final state.

Also, leverage your business reviews to gather input from your trusted security advisor and apply it to your security strategy. Your MSSP will be one of your best sources of market direction.

Future Considerations

Consumers of an MSSP service should not adopt a “set it and forget it” attitude. While MSSP services can make client security processes easier and more manageable, active governance is needed, just as with any internal security program, and modifications may be necessary.

Customers should establish fundamental metrics to measure how well the MSSP reduces risk, workload, and overall security technology spending. The method used to collect the data to drive these metrics will vary by organization, but the overall goal will remain the same: validation of solution effectiveness and suitability.

7. Analyst’s Take

Selecting a managed security service provider can be daunting; however, there is a method to reduce this complexity. Customers should anchor the selection process to real problems identified in their organization, whether it be unmitigated risks, staff and skill shortages, architectural uncertainty, or other challenges.

Consumers of MSSP services should be wary of “one size fits all” solutions. Selecting MSSP service providers like OTAVA that are flexible in their approach and can adapt to challenges unique to their clients will yield a comprehensive solution. A tailored approach is vital to the success of the partnership.

8. Report Methodology

This GigaOm CXO Decision Brief analyzes a specific technology and related solution to provide executive decision-makers with the information they need to drive successful IT strategies that align with the business. The report is focused on large impact zones that are often overlooked in technical research, yielding enhanced insight and mitigating risk. We work closely with vendors to identify the value and benefits of specific solutions, and to lay out best practices that enable organizations to drive a successful decision process.

9. About Chris Ray

Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

10. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.