With hundreds of prospective providers and tons of marketing buzzwords to wade through, choosing the best managed security service providers (MSSPs) to effectively protect both your MSP business and your customers is no easy task. However, as C-suite leaders increasingly push back against security expenditures where there’s little or no proof that they mitigate real-world risks, finding objective, evidence-based criteria to evaluate vendors is essential.
To help navigate the complexities of the market—and better compare providers’ offerings—there are eight key considerations and tips to keep in mind when evaluating the best MSSPs for you and your clients.
1. Understand core objectives
The first issue to consider is the primary objectives for your security stack. Are your clients most concerned with achieving compliance or thwarting attackers? The unfortunate reality of the current threat landscape is that compliance and security are not equivalent concepts. Though most regulatory requirements were enacted in hopes of enhancing security, they’re static, and the audit process captures only a moment-in-time snapshot of your security posture. Meanwhile, attacker tactics and techniques are always changing, as is the technology environment. Simply put, if all your clients want is compliance, choose the cheapest solution for your stack.
If, however, a careful evaluation of your firm’s—and your customers’—business risks reveals that gaining security visibility and responding quickly to attacks is most valuable, look for the provider that can best achieve the objective of detecting and responding to attacks within these various environments.
2. Enhance visibility
An essential truth about today’s computing environments is that infrastructures are more diverse and distributed, systems are increasingly interconnected, and attack surfaces continue to expand. As a result, security visibility is harder than ever to maintain, yet without the correct security logs, data, and visibility, effective threat monitoring and detection is impossible.
Look for a provider that can eliminate blind spots where it matters most by focusing on your detection objectives. These detection objectives should ideally be the outcome of a threat modeling exercise. Additionally, seek out a provider that offers visibility across multiple environments, including on-premises infrastructure, cloud resources, endpoints, and industrial control systems (ICS) / operational technology (OT). Validate that the provider has experience monitoring environments like yours. They should also be able to apply a formal framework or methodology (such as MITRE ATT&CK) to confirm there are no major visibility gaps for the attack techniques adversaries are most likely to use.
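One way to make the "visibility gaps" conversation with a prospective provider concrete is to map what each environment actually ships against the ATT&CK techniques your threat model prioritises. The following is an added example, not code from the article or any provider; the environment inventory, rule names and data-source labels are constructed, while the technique IDs are real ATT&CK identifiers.

```python
"""Detection-coverage gap check: compare the techniques a threat model
prioritises against what each monitored environment can actually see.
Added example, not from the article; the inventory and rule names are
constructed, the ATT&CK technique IDs (T1021, T1059, ...) are real."""
from collections import defaultdict

# Constructed inventory: data sources each environment actually ships to the provider.
COLLECTED = {
    "on-prem":  {"windows-security-log", "netflow"},
    "cloud":    {"cloud-audit-log"},
    "endpoint": {"edr-process"},            # no file telemetry yet
    "ics-ot":   set(),                      # nothing collected at all
}

# Constructed rule catalogue: rule -> (technique, data source needed, environments it applies to).
DETECTIONS = {
    "rdp-lateral-movement":   ("T1021", "windows-security-log", {"on-prem", "ics-ot"}),
    "suspicious-powershell":  ("T1059", "edr-process",          {"endpoint", "on-prem"}),
    "mass-file-encryption":   ("T1486", "edr-file",             {"endpoint"}),
    "cloud-admin-role-grant": ("T1078", "cloud-audit-log",      {"cloud"}),
}

# Techniques the (hypothetical) threat-modelling exercise ranked as must-detect.
PRIORITY = {"T1021", "T1059", "T1078", "T1486", "T1566"}

def coverage_gaps(collected, detections, priority):
    """Return (no_rule, blind_spots).
    no_rule     -- priority techniques with no detection rule at all (detection gap);
    blind_spots -- env -> techniques whose rule applies there but whose
                   required data source is not collected from that env (visibility gap)."""
    no_rule = sorted(priority - {tech for tech, _, _ in detections.values()})
    blind_spots = defaultdict(set)
    for tech, source, envs in detections.values():
        if tech not in priority:
            continue
        for env in envs:
            if source not in collected.get(env, set()):
                blind_spots[env].add(tech)
    return no_rule, {env: sorted(t) for env, t in sorted(blind_spots.items())}

if __name__ == "__main__":
    missing, blind = coverage_gaps(COLLECTED, DETECTIONS, PRIORITY)
    print("no rule for:", missing)
    for env, techs in blind.items():
        print(f"{env}: rule exists but required telemetry is not collected: {techs}")
```

The two lists separate a detection gap (no rule exists, so buy or write one) from a visibility gap (the rule exists but the environment sends no data for it), which is the distinction to press a provider on.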
3. Negotiate contract scope and pricing
If a provider is a good fit in all ways but their cost, keep in mind that pricing is almost always negotiable. Don’t settle for a provider that can’t deliver the value and capabilities your MSP needs just because they’re more affordable.
One way to reduce the cost of a provider’s managed detection and response (MDR) services is to reduce the scope of the engagement. For example, removing lower-level, tactical activities like identity and access management (IAM) services from a contract ensures you pay for the thing an MDR provider does best: finding threat actors in your environment and responding on your behalf.
It’s also relatively easy to train someone in-house or hire a less-specialized provider to carry out commodity functions. In the current cybersecurity market, it’s more difficult to hire internal detection engineers and response playbook writers.
4. Partner with a single provider for mission-critical work
While removing less-than-essential functions from the scope of a provider’s responsibilities can be an effective cost-limiting measure, it shouldn’t be done in a way that limits visibility.
For example, if you have multiple security service providers with one vendor monitoring your environment, another monitoring your endpoint detection and response (EDR) tool, and another monitoring your security information and event management (SIEM) tool, visibility gaps are all but inevitable for all your providers.
In these “split brain” scenarios, none of your providers will be as effective as they could be. Cyberattacks involve multiple stages and tactics; to fully comprehend a sequence of events, security teams need to be able to understand what happened throughout your customer’s environment—endpoint, network traffic, Azure AD logs, etc.
5. Focus on outcomes
The way to achieve a better overall security posture is by doing the fundamentals consistently, not just relying on flashy new technology. Rather than looking for a provider that can support the trendiest toolsets, concentrate on outcomes. To make fact-based investments, you need to understand where your visibility and detection gaps are so that you can close them effectively.
Also, look for gaps in internal training, policies, and processes. An experienced provider can work closely as a partner and guide you toward greater security maturity by enhancing your fact-based understanding of strengths and weaknesses.
6. Replace legacy technologies if they don’t deliver on necessary outcomes
Although buying the latest and greatest security tools will not improve outcomes on their own, there are times when it makes sense to modernize your security stack. In some cases, you can’t achieve better outcomes just by leveraging technology that’s already in place.
Have an honest conversation with prospective MSSPs about which technologies they support and why.
There’s no way a high-quality MDR provider can be equally effective with every SIEM, EDR, or cloud security platform on the market today.
Technology sprawl affects all information security teams, including MDR providers and MSSPs. Learning each additional tool requires time, money, and training. Like everyone else, security providers must make tradeoffs about which technologies to prioritize. Any MDR provider who says they support every technology is either dishonest or ineffective.
7. Look for meaningful SLAs
Meaningless service-level agreements (SLAs) are all too common today. If your desired outcome is to be able to detect and respond to malicious activities quickly enough to prevent ransomware from spreading across your environment, does the number of “dedicated” resources assigned to your account matter?
I’ve seen organizations request SLAs such as “critical alerts must be triaged within five minutes, and low-criticality alerts within six hours.” How could your provider possibly validate that a new alert is critical without triaging it?
Sure, providers can look at the criticality of the technique a detection is designed to find. However, waiting six hours to triage a low-severity detection could be detrimental. A small breadcrumb that triggers a low-severity alert can lead to the discovery of a seasoned and methodical threat actor.
Note that attackers also use MITRE ATT&CK to identify likely gaps in visibility or to build novel techniques not currently included in the knowledge base.
8. Engage key stakeholders
It’s important to manage your customer’s procurement process carefully. Decision makers often seek to achieve business objectives at the lowest cost possible and may not understand the nuanced differences between vendors or the desired security objectives.
Make sure all the key stakeholders thoroughly understand how well the provider can support outcomes that will meaningfully reduce business risk.