For a long time, cybersecurity was something smaller organisations either handled themselves or tried to ignore on the assumption that they were too small to be a target. Those days are gone: smaller organisations are no longer off the radar of cybercriminals, yet the fundamental challenge of securing networks without exceeding the budget remains. For many of them, Managed Security Service Providers (MSSPs) are one answer, and the expertise they would otherwise struggle to hire is bought in from a third party.
What Is a Managed Security Service Provider (MSSP)?
The idea of getting a third party to look after IT first emerged in the 1990s before evolving into today’s managed service providers (MSPs), which supervise telecoms, connectivity, websites, online applications, and remote support. MSSPs, in contrast, have a narrower but more specialised cybersecurity remit. This encompasses a range of tasks such as threat hunting, responding to alerts, supporting an organisation during and after an attack, and ensuring its systems meet compliance standards.
Why Use an MSSP?
The short answer is convenience. Large organisations use MSSPs for specific capabilities such as 24×7 coverage across multiple geographies, which is logistically complex to staff internally. They also buy specialised services, such as cloud threat response, that would otherwise tie up in-house teams. For smaller organisations, the decision to take on an MSSP usually starts with the realisation that they lack the security expertise and tooling in-house to cope with threats such as ransomware. Buying this capability as a service is appealing because it turns the tricky problem of ongoing investment and staffing into a predictable operational expense (Opex) rather than a draw on the constrained capital budget (Capex).
MSSPs and SaaS
What transformed the services MSSPs offer to SMEs was the arrival of software-as-a-service (SaaS). Onboarding no longer requires appliances on the customer's premises: the customer's firewalls, endpoints and cloud applications are connected to the provider's platform through standard interfaces such as log forwarding, lightweight agents and vendor APIs. MSSPs package their services in different ways, but all will have their own security operations centre (SOC), trained analysts, a security information and event management (SIEM) system, and a core security platform licensed from a security vendor.
MSPs vs MSSPs
Some people get confused about the difference between MSPs and MSSPs. In practice, organisations typically use both for different jobs, with MSPs looking after connectivity and infrastructure and MSSPs focusing specifically on cybersecurity. A few MSPs have become MSSPs in recent years as demand for cybersecurity has grown, but doing so is a big undertaking requiring a lot of investment in people and tooling. Today, MSPs and MSSPs are still seen as separate sectors.
What Services Do MSSPs Offer?
MSSP services tend to be modular, allowing customers to buy coverage for different parts of their estate, for example email security, vulnerability management, endpoint management (through endpoint detection and response, or EDR), SIEM, managed detection and response (MDR), and incident response. These are sold with varying levels of coverage, up to 24×7 including weekends and holidays. Many also offer hands-on support during a cyberattack such as ransomware.
- The most basic tier, which every organisation will want, is infrastructure monitoring: firewalls, the VPN, log review, and responding to any alerts that indicate a problem. Alerts are usually handled according to an agreed workflow, though some will require communication with in-house IT personnel.
- The next tier is the monitoring of important applications such as Microsoft 365, email, and possibly in-house HR systems and databases. This is close to essential for any SME, since many attacks start at this layer (phishing and stolen credentials in particular), so alerts here need to be watched closely.
- Third, and increasingly popular, is device monitoring covering servers, laptops, and possibly mobile devices. This usually includes scheduled patching of those devices and remote management, often over protocols such as RDP. Exposed RDP is one of the most common initial access routes for ransomware operators, so having an MSSP ensure that RDP is never reachable directly from the internet, only through a VPN or gateway with multi-factor authentication, takes a big worry off the shoulders of in-house IT.
- Full incident response is the service every SME fears it might one day need. It can usually be bought as an add-on when required, and is invaluable when it is. No small company will have the expertise and experience to cope with a ransomware attack on its own, so this aspect of an MSSP's offering should be assessed very carefully.
- MSSPs at the SME end of the market increasingly offer more sophisticated services such as risk assessments, penetration tests, vulnerability scanning, and patch management.
- When an incident does happen, MSSPs provide rapid response: containing and removing the malware, dealing with its downstream effects, and establishing the root cause. If that day comes, the subscription will seem like good value for money.
Choosing an MSSP
The biggest factor in MSSP selection is likely to be the service level offered at a given cost. Comparing providers is still tricky because what is included varies from provider to provider. The best way to simplify things is to identify which services are required and then shortlist the MSSPs that can meet those criteria. Most MSSPs offer affordable email and infrastructure security, but integration with specific applications (e.g. Microsoft 365) will depend on the provider being an accredited partner for that platform. Beyond that, it's a menu of options, which can end up being expensive.
The first technical issue to look out for is how much visibility the MSSP can achieve with and without a dedicated network monitoring 'tap' or sensor on the customer's network. A tap is overkill for smaller networks, but it does make it much easier to spot rogue devices that agent-based monitoring alone will miss. A second thing to ask about is which technology platform the MSSP is using for its MDR service (there are dozens of these, but Fortinet, Sophos, Cybereason, Rapid7, and Alert Logic are often cited names), since that determines what telemetry it can collect and which of the customer's existing tools it can integrate with.
There's no specific certification for MSSPs, although ISO 27001 certification and SOC 2 attestation are a good starting point. In addition, staff qualifications should include things like Certified Information Systems Security Professional (CISSP), GIAC Certified Incident Handler (GCIH) and Certified Information Security Manager (CISM). If incident response is critical, ask for references from real incidents the MSSP has helped with.
MSSP Limitations
The limitations of hiring an MSSP boil down to trust. How do you know the MSSP is doing what it says it is doing? For a business owner without experience in this area, that is difficult to assess from the outside, especially response times. Insist on a service level agreement with measurable commitments (time to acknowledge and time to respond to alerts of a given severity) and on regular reporting against them. Beyond that, the onus is on the in-house team to pick the right partner and not one that is 'piling the service high and selling it cheap', which in practice means asking around and seeking references.
A second dimension to the trust theme is the possibility of a security problem at the MSSP itself. This has always been theoretically possible (any third-party supplier represents a risk), but in early July 2021 that risk became concrete when around 60 MSPs in the US were hit by an attack exploiting a vulnerability in Kaseya's VSA remote management tool. It was bad news for their downstream customers, an estimated 1,600 of which had ransomware pushed to them through the compromised tool. Although only a small minority of the 60 service providers might be described as MSSPs, the incident is a reminder that outsourcing security does not outsource the underlying risk: a provider with privileged access to many customers is itself a high-value target.
Conclusion: Be Choosy
In the future, the idea that small organisations managed their own security could sound as quaint as the idea that they should install their own phone lines. Cybersecurity is simply the latest specialism that organisations used to handle on their own and that has now been turned into a convenient service. That said, the market for SME cybersecurity is immature and not all providers have long service histories to back up their claims. Consolidation and maturity could take most of the next decade.