Managed security service provider (MSSP) overview
In today’s fast-paced and complex threat environment, DIY cybersecurity management isn’t for everyone.
Organizations wishing to outsource all or a portion of their cybersecurity program can contract with a managed security service provider, or MSSP. These third parties provide a range of monitoring and management services for networks, security devices, and security systems. An MSSP can take over a company’s security function, fill gaps in in-house skills, conduct staff training, or provide back-up assistance as needed.
In addition to monitoring, MSSPs perform vulnerability scanning and implement upgrades, changes, and modifications to security tools. Depending upon the service offering, an MSSP may respond to a detected threat, or simply send alerts and leave incident response and remediation to the customer’s internal team.
Typical security devices and systems that MSSPs monitor and manage:
- Intrusion prevention systems (IPS)
- Identity and access management (IAM)
- Privileged access management (PAM)
- Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solutions
- Firewalls
- VPNs
- Data loss prevention (DLP) systems
One of the hallmarks of an MSSP is “always-on” coverage. To ensure continuous monitoring and rapid response, MSSPs deliver security operations center (SOC) services either directly through their staff or by subcontracting to onshore or offshore resources. They typically use advanced tools, such as a SIEM, and employ cybersecurity professionals, including analysts, engineers, developers, and compliance managers, to evaluate anomalies, events, and potential threats.
The MSSP category emerged in the late 1990s when internet service providers (ISPs) began providing customers with firewall appliances. This offering evolved to include firewall management, which formed the basis for the MSSP function.
Today, the MSSP market is growing by double digits. This trend is being propelled by factors such as increasing cyberthreats, the explosion of cybersecurity tools and sensitive data, a shortage of cybersecurity talent, and stringent government security and privacy regulations.
Benefits of MSSP
Outsourcing to an MSSP can solve a range of strategic and tactical challenges, from scaling up resources and optimizing security posture to preventing security team burnout. Following are potential benefits of MSSPs.
Easy access to critical security resources
Many organizations, especially smaller ones, are unable to maintain a 24/7 SOC in house because of budget and staffing constraints. Contracting with an MSSP gives them access to around-the-clock threat detection, helping to minimize attacker dwell time and lateral movement.
The ongoing shortage of security professionals is another issue that MSSPs can address. An MSSP’s personnel can augment or replace in-house staff to provide expanded resources. Economies of scale allow the MSSP to distribute staffing expenses over multiple clients to reduce costs vs. hiring an in-house team. Further, an MSSP can provide access to scarce specialists, such as professionals with cloud security expertise.
Still another valuable resource is analysis and interpretation of threat intelligence feeds to help clients stay abreast of the latest malicious actors and their tactics, techniques, and procedures (TTPs). While organizations can subscribe to these feeds themselves, they may lack the expertise to translate threat data into actionable intelligence.
An MSSP typically acquires and implements the latest security technologies and tools to stay competitive and help clients further strengthen their defenses. By engaging with an MSSP, an organization benefits from powerful new tools without the burden of evaluation, deployment, and training.
Faster threat detection and response
Because cyber threats can arise at any time, continuous monitoring is critical for detecting and responding to anomalies or incidents as soon as possible to minimize impacts. Many organizations do not have enough staff to provide 24/7 monitoring, raising the possibility of delays in identifying and addressing a security breach. Perhaps the greatest benefit of an MSSP to an organization’s security defenses is constant surveillance.
Automation also plays an increasingly important role in prompt and effective threat detection and response. MSSPs use automated tools and systems that can boost speed, efficiency, and coverage, reduce costs, and counter the growing use of automation by threat actors.
Support for auditing and compliance
Most organizations must comply with a growing range of government and industry regulations and standards pertaining to cybersecurity. These mandates include implementing specified security controls, maintaining visibility into sensitive or private data, and reporting data breaches and other incidents to regulators.
An MSSP can support an organization’s compliance management program by implementing security controls, automating collection of data required for compliance reporting, and assisting with audits.
Increased scalability and flexibility
An organization may need to quickly increase its security capabilities, whether it’s due to a merger or acquisition, market or geographic expansion, or new vulnerabilities or regulatory requirements. But scaling up an in-house SOC can take a long time and require heavy investments in technology and staffing. An MSSP offers clients rapid scale-up without the need to purchase and deploy new tools or hire new people.
Predictable costs
Contracting with an MSSP for a specific tier of services, whose cost is usually billed as a monthly subscription fee, allows an organization to budget accurately. In contrast, in-house cybersecurity programs typically incur periodic—and often unplanned—expenses for new tools, new hires, or consulting assistance.
MSP vs. MSSP
With their focus on cybersecurity monitoring and management, MSSPs are considered a subset of managed service providers (MSPs). MSPs are third-party generalists that handle IT administrative services, such as network management, data backup, software updates, cloud services, and technical support.
To underscore the distinction between these service providers, consider the type of operations center they use:
- An MSP typically operates a network operations center (NOC) to monitor and manage client networks.
- An MSSP operates a security operations center (SOC), which provides continuous security monitoring and management for threat detection and alerting.
Another key difference is the customer team or teams that these service providers interact with:
- An MSP usually works with a company’s IT or operations staff
- An MSSP works with the security team
Customers that engage with an MSSP may be large enterprises with complex security exposures and regulatory requirements. In contrast, many smaller entities that lack robust IT resources and expertise use MSPs. However, because of their different roles, both MSPs and MSSPs can be useful to an organization.
While the managed services sector as a whole is expanding, MSP and MSSP growth rates are related to different factors.
- Demand for MSPs is being driven by digital transformation, cost concerns, and the need for easy scalability of IT services.
- MSSP market growth, on the other hand, is being propelled by the increase in number and severity of cyberthreats, and new or more-stringent regulatory requirements for data security and privacy.
The difference between MSSP and MDR
Another type of third-party managed security service is managed detection and response (MDR). Compared to MSSPs, MDR providers are more specialized, with a focus on threat detection, incident response, and threat hunting.
MSSPs typically focus on basic security tasks like monitoring standard ingress-egress traffic on perimeter products and vulnerability management. They are meant to provide high-level security coverage for basic and repetitive tasks across an organization’s entire security stack. It is not uncommon to find an MSSP advertising that they use hundreds of security tools. A detailed look will often show that they employ inexperienced staffers trained to capably operate only a small fraction of those.
MSSPs mostly rely on signatures and rule-based detection and frequently miss advanced threats (and increasingly even basic attack tactics). When incidents are discovered, many MSSP customers are still responsible for managing containment and mitigation unless they pay the provider’s incident response team extra for help. Even then, the MSSP’s staff may not be specifically trained to effectively respond to an incident.
Conversely, MDR services focus specifically on improving an organization’s advanced threat detection, investigation, and response. They are used to augment and enhance internal capabilities. They frequently examine similar data sets as MSSPs such as network logs or endpoint telemetry, but at a much greater depth. They are specifically tailored to use advanced technologies such as endpoint detection and response (EDR), behavioral analytics, specialized forensics tools, and custom security event management platforms.
The most sophisticated MDR providers focus heavily on detecting behaviors like lateral movement, credential theft, and privilege escalation, all hallmarks of today’s advanced attacks. Some even operate large software and security engineering teams to design their own detection and response technology. MDR services are usually built with integration in mind so that they can be plugged into a pre-existing security program and workflow.
Can MSSPs provide MDR?
In theory: yes, MSSPs could provide MDR services. But the majority of MSSPs are not offering true MDR capabilities at this time—even when they advertise that they do. The current business model used by traditional MSSPs cannot support a specialty service like MDR. MSSP infrastructure is typically designed around signature-based detection and perimeter defense. And generally MSSPs employ Tier 1 SOC analysts who are there to monitor rather than investigate.
To add MDR services, most MSSPs would need to completely retrofit their SOC architecture and hire veteran security engineers with experience in threat hunting, malware analysis, incident response, and data science. Complicating the matter, the most mature MDR providers are technology companies that run full software development, PM, QA, and DevOps teams. These changes require a massive investment and culture shift that most MSSPs cannot make. In fact, these service providers’ inability to deliver MDR services is partially what drove the rise of MDR. As the MDR market grows, buyers must be careful when considering a detection and response solution from an MSSP. Many MSSPs may try to dress up existing offerings without making the necessary investments.
Which solution is right for me?
Enterprise, mid-market, and SMB firms are turning to MDR because they want the benefits of today’s most advanced detection technology and practitioners to defend their organizations. They might not have the resources to build a highly specialized team, or they might want to layer a specialized solution on top of their existing security program. Advanced collection and detection technology is the first step toward detecting previously unseen threats and remediating them. These new tools—endpoint detection and response (EDR), user behavior analytics (UBA), thorough network analysis engines examining full PCAP records, etc.—require constant monitoring, tuning, and process improvement.
Additionally, advanced detection tools flag potential threats rather than confirmed incidents: they generate hundreds to thousands of events per day that need to be investigated prior to mitigation. Investments in these advanced tools will be largely wasted without an advanced security team that knows how to run an in-depth investigation, understands malware analysis, and has a sixth sense about how attackers operate. A true detection and response capability requires equal investments in advanced technology, experienced security practitioners, and a process that focuses on efficiency and accuracy.
With this in mind, organizations are choosing MDR for two primary reasons:
1. The opportunity costs and actual costs of acquiring advanced technology and talent and building an operational capability are extremely high and sometimes unrealistic. MDR providers offer organizations a full capability that doesn’t require a dozen individual investments and months to years of implementation. Most MDR providers are priced significantly below what it would cost an organization to build internally.
2. MDR solutions work. They accurately detect threats ranging from malware to advanced attackers and support customers to ensure threats are addressed. Organizations that partner with an MDR provider have a reliable team who stands by their side to defend against the worst types of threats.
RED CANARY MDR
Detect and stop threats 24×7 across your endpoints, identities, cloud and beyond.