10 Tips For Choosing The Best MSSP For Your Company

From probing the MSSP’s reporting and quality management process to using a third-party adviser to benchmark competing MSSPs on price and scope, here are 10 things customers should consider when selecting an MSSP.

Mastering Managed Security

There has been a shift in the managed security industry over the past two years from identifying and alerting customers to incidents toward building services around the MSSP’s ability to resolve incidents, according to Forrester. Customers should seek MSSPs that can support any type of development model, automate actions and offer remediation support, Forrester said.

Specifically, Forrester said customers should look for MSSPs that understand APIs, provide solutions to the problem of data silos, and are looking to accelerate processes to create efficiency. Quality MSSPs should also be able to analyze, investigate and remediate cloud and application incidents as well as data breaches dating back to 2013, according to Forrester.

As part of Cybersecurity Week 2020, CRN spoke with 10 cybersecurity vendors, solution providers and industry organizations about the most important thing customers should consider when choosing an MSSP. From probing the MSSP’s reporting and quality management process to using a third-party adviser to benchmark competing MSSPs on price and scope, here are 10 tips for choosing the best MSSP.

Benchmark Pricing And Scope Using Third-Party Adviser

Customers should ensure an MSSP’s pricing is competitive and meets all of their requirements by conducting negative testing to determine what is outside the MSSP’s scope or not included in the bundle, according to Harpreet Sidhu, who leads the global managed security services for Accenture, No. 2 on the 2020 CRN Solution Provider 500.

Accenture typically encourages customers to baseline their service costs and get a third-party adviser to help with the benchmark process, Sidhu said. By submitting an RFP to prospective MSSPs, Sidhu said customers can define their expectations for the service and leverage the skills of an outside adviser to make an apples-to-apples comparison between the proposals and figure out what’s not included.

Third-party advisers will typically come in with their own pricing templates and standardize the responses from the prospective MSSPs to allow customers to make easy pricing comparisons between the various service options, Sidhu said. He cautioned that customers looking for bargain-basement pricing will often find that the services provided fail to live up to their expectations or requirements.

Verify Reporting And Quality Management Process Aligns With Company Needs

Customers need to get into the details of the quality management process with prospective MSSPs to figure out how often independent peer review takes place and how they can ensure incident tickets are complete, accurate and provide good recommendations, according to Chris Crevits, U.S. cybersecurity managed services leader and principal at Ernst & Young (EY).

Crevits said customers should at a minimum expect a peer review before a deliverable is sent out, with senior resources conducting monthly or quarterly reviews of the work that’s being done. The review should go beyond spell check and be analytical, Crevits said, looking for false positives, areas of possible disconnect, actionable and clear information, and data that can be easily turned into action.

Reporting is a big part of any managed service since it describes the value the MSSP is providing as well as insight they’ve obtained from the customer’s environment, Crevits said. Customers should seek custom reporting when possible to make it easier for CISOs to leverage MSSP data in their reports and ensure that descriptions of what’s happening in specific business units are put in the language of customers.

Seek More Than Just Monitoring Firewall And Router Logs

Monitoring a network and collecting logs won’t give organizations much of an idea of the threats they face, which assets are most critical to them, how the network is architected and if it’s OK for packets from one system to be able to cross over to another system, according to Kieran Norton, cyber risk services infrastructure solution leader for Deloitte Risk & Financial Advisory.

Router and firewall logs can identify potential threats, but Norton said the data and context are quite limited. Aggregating multiple sources of information such as telemetry from endpoints or DNS increases the likelihood that the MSSP will be able to identify issues and incidents that really matter with fewer false positives since they’re not missing part of the picture, Norton said.

As recently as five years ago, Norton said it was fairly common for MSSPs to focus on putting appliances in an environment and running and generating reports, an approach he said was not proactive. MSSPs must move away from a model of having lots of eyes on logs and transition to a more modern approach that uses automation to proactively address things as they’re happening in the real world.

Seek A Broad Offering With Tools Around Multiple Security Technologies

There are multiple entry points into a company that cybercriminals can use, meaning that if an MSSP is focused on just email, cloud or endpoint, they’re leaving the customer susceptible to risk, according to Brian Babineau, senior vice president and general manager for Barracuda MSP. If an MSSP just manages firewalls or offers endpoint security, hackers will find and exploit the areas where there isn’t coverage.

MSPs who have been doing RMM (remote monitoring and management) will often try to rebrand themselves as MSSPs by merely adding an endpoint security offering, but this approach misses out on common threat vectors like applications, email or public cloud, Babineau said. MSSPs must be able to adapt to changes in the threat landscape by being able to adjust their offerings over time, he said.

Just like a quality automaker wouldn’t sell a car without a seatbelt, Babineau said a quality MSSP should have a bundle with specific security tools that meet basic protection requirements that they’re only willing to sell as a package. If an MSSP is willing to sell security tools to customers on an a la carte basis, Babineau said it’s probably a decent indicator that they care more the customer’s money than security.

Look For Ability To Keep Data In A Single Instance

Multitenancy is great in terms of cost and scalability, but issues can arise around data bleed where data jumps from one actor to another, said Morey Haber, chief technology officer and chief information security officer at BeyondTrust. Misconfigurations in multitenant environments can lead to data ending up on a different machine, with MSSPs offering programs that can bridge different instances, he said.

Single instances can be more expensive since the customers have to pay a one-time setup fee for the associated labor, but Haber said it’s extremely valuable when sensitive data is at play. Most MSSPs run multitenant since it’s more cost-effective, and if all the customer is looking for is monitoring and patching-type services, Haber said that’s an acceptable way to go.

Most people think of cloud and SaaS as a multitenant environment, but by opting for a single instance, Haber said customers can take advantage of many of the efficiencies offered by the cloud while still fully protecting their data from leaks or disclosure. BeyondTrust keeps its data in a single instance and still has a small number of functions that are on-premises and nearly impossible to move, Haber said.

Make Sure They Have Expertise Around Managing Data

Customers increasingly want proof that a prospective MSSP knows what it’s doing around managing data and is able to provide detailed explanations of how it protectss data, maintains privacy, addresses workforce education and keeps up to speed on the regulatory environment, according to Seth Robinson, senior director of technology analysis on the CompTIA research team.

Credentialing is still a relatively new concept in the MSP space, but Robinson said it could be an effective way of addressing common concerns without forcing the customer to come up with a laundry list of questions or dig through massive amounts of data. Credentials would offer MSSPs a way of proving their competency through a trusted third party, Robinson said.

Credentialing isn’t very common in the service provider space today, but Robinson said it’s very beneficial to have around security since there’s a higher level of concern there than for other IT operations. As customers become more focused on security, Robinson said they are demanding an extra layer of discipline and rigor.

Ensure Data Is Stored Locally To Satisfy Regulators

Customer information is critical, and it’s very important to many American businesses that their data be stored locally rather than overseas, according to Hannah O’Donnell, director of sales at Collabrance. If the data remains in the U.S. and is safe and in the right hands, O’Donnell said it will usually satisfy regulatory and compliance requirements.

But states and industries such as health care are increasingly not allowing sensitive customer data like medical care or Social Security numbers to be stored or held outside the U.S., O’Donnell said. If a customer is working with an MSSP abroad, it should ensure the MSSP has an American partner who can satisfy the data residency requirements being enacted in states like California and New York.

Customers should also pay attention to other elements of the MSSP’s setup such as where its employees are working, how the MSSP evaluates emerging vendors or technology, and the extent to which the MSSP can explain how its tools make customers more productive and efficient in a way that goes beyond terms and conditions, O’Donnell said.

Pursue Alignment With Internal Team And Security Tools

Partnering with an MSSP is best for organizations that have some internal capability to do security but need assistance with refining logs or getting alerts since they’re not operating a multimillion-dollar Security Operations Center (SOC) of their own, according to (ISC)2 Chief Information Officer Bruce Beam. MSSPs are good for companies that already have competent staff and tools they’re comfortable using.

MSSPs often have less experience than MDR (Managed Detection and Response) vendors interacting with non-technology areas of the organization like legal, human resources and public relations since it’s assumed those interfaces already exist internally, Beam said. But since customers are expected to provide some toolsets and personnel, Beam said MSSPs are normally a little less expensive than MDR vendors.

On the other hand, Beam said MSSPs tend to provide more personalized service than their MDR counterparts with dedicated staffers supporting customer accounts and providing insight around the tools. Customers with significant security and IT investments often won’t even look at MDR providers since they fear replacing their existing endpoint security or logging tools would limit internal visibility.

Seek The Delivery Of Multiple Managed Services In The Cloud

For customers to have confidence in a prospective MSSP, the company must be able to offer a robust package that goes beyond one or two security services to provide protection for employees in remote locations as well as critical back-office workers, according to Frank Lento, senior director and global head of Cisco’s Global Security Sales Partner Organization.

As customers move data, applications and workloads to the cloud, Lento said there’s an increased need for MSSPs to provide tools that show customers the vulnerabilities and security gaps in their portfolio, as well as how extensive they are. When an MSSP is able to show customers deficiencies in their security strategy, Lento said they often become more willing to buy a tool that addresses the gap.

There’s been a huge uptick in customers looking for cloud-based validation or multifactor authentication services that can be delivered quickly and at a low cost since the onset of the COVID-19 pandemic, according to Lento. Customers should also ensure that MSSPs offer a secure and reliable environment and can remediate any issues that arise extremely quickly, Lento said.

Ensure Company Size And Vertical Focus Is Similar To Other Customers

Most MSSPs tend to be better in certain fields than others since there are commonalities within certain verticals or industries around how servers are organized, where data is stored and what kinds of security breaches are most common, according to Hal Lonas, chief technology officer of SMB and consumer for OpenText.

Lonas recommended that customers look for “birds of a feather,” speaking with peers at industry functions or professional symposiums to see who others in the industry are using and what they think of them. Although MSSPs often claim to be industry-agnostic, Lonas said there’s typically some specialization around what they most commonly do.

Bigger customers typically have a bigger IT footprint and therefore might get more attention from an MSSP since they’re paying more money, Lonas said. Smaller customers therefore must ensure they don’t get lost in the shuffle and that their MSSP is providing them with the same level of access and attention as their larger counterparts if an event occurs or if they need help or guidance, according to Lonas.