With hundreds of prospective providers and tons of marketing buzzwords to wade through, choosing the best managed security service providers (MSSPs) to effectively protect both your MSP business and your customers is no easy task. However, as C-suite leaders increasingly push back against security expenditures where there’s little or no proof that they mitigate real-world risks, finding objective, evidence-based criteria to evaluate vendors is essential.
To help navigate the complexities of the market—and better compare providers’ offerings—there are eight key considerations and tips to keep in mind when evaluating the best MSSPs for you and your clients.
1. Understand core objectives
The first issue to consider is the primary objectives for your security stack. Are your clients most concerned with achieving compliance or thwarting attackers? The unfortunate reality of the current threat landscape is that compliance and security are not equivalent concepts. Though most regulatory requirements were enacted in hopes of enhancing security, they’re static, and the audit process captures only a moment-in-time snapshot of your security posture. Meanwhile, attacker tactics and techniques are always changing, as is the technology environment. Simply put, if all your clients want is compliance, choose the cheapest solution for your stack.
If, however, a careful evaluation of your firm’s—and your customers’—business risks reveals that gaining security visibility and responding quickly to attacks is most valuable, look for the provider that can best achieve the objective of detecting and responding to attacks within these various environments.
2. Enhance visibility
An essential truth about today’s computing environments is that infrastructures are more diverse and distributed, systems are increasingly interconnected, and attack surfaces continue to expand. As a result, security visibility is harder than ever to maintain, yet without the correct security logs, data, and visibility, effective threat monitoring and detection is impossible.
Look for a provider that can eliminate blind spots where it matters most to achieve visibility by focusing on your detection objectives. These detection objectives should ideally be the outcome of a threat modeling exercise. Additionally, seek out a provider that offers visibility across multiple environments, including on-premises infrastructures, cloud resources, endpoints, industrial control systems (ICS) / operational technology (OT). You should validate the provider has experience monitoring environments like yours. They should also be able to leverage a formal framework or methodology (such as MITRE ATT&CK) to ensure there are no major visibility gaps into attack techniques a lot of adversaries are likely leveraging.
3. Negotiate contract scope and pricing
If a provider is a good fit in all ways but their cost, keep in mind that pricing is almost always negotiable. Don’t settle for a provider that can’t deliver the value and capabilities your MSP needs just because they’re more affordable.
One way to reduce the cost of a provider’s managed detection and response (MDR) services is to reduce the scope of engagement. For example, eliminating lower-level, tactical activities like identity and access management (IAM) services from a contract ensures you’ll get the best an MDR provider must offer: finding threat actors in your environment and responding on your behalf.
It’s also relatively easy to train someone in-house or hire a less-specialized provider to carry out commodity functions. In the current cybersecurity market, it’s more difficult to hire internal detection engineers and response playbook writers.
4. Partner with a single provider for mission-critical work
While removing less-than-essential functions from the scope of a provider’s responsibilities can be an effective cost-limiting measure, it shouldn’t be done in a way that limits visibility.
For example, if you have multiple security service providers with one vendor monitoring your environment, another monitoring your endpoint detection and response (EDR) tool, and another monitoring your security information and event management (SIEM) tool, visibility gaps are all but inevitable for all your providers.
In these “split brain” scenarios, none of your providers will be as effective as they could be. Cyberattacks involve multiple stages and tactics; to fully comprehend a sequence of events, security teams need to be able to understand what happened throughout your customer’s environment—endpoint, network traffic, Azure AD logs, etc.
