Managed security service providers (MSSPs) are constantly bombarded by vendors and have to do some serious due diligence to ensure the relationship will stand the test of time.
One thing they cannot afford is for the vendor roadmap to take an unexpected turn, resulting in the product no longer providing the functionality or stability required. And yet very few vendors will work closely with MSSPs when it comes to product development, which seems something of a missed opportunity.
MSSPs don’t want to be limited by an interface that provides a one-size-fits-all menu of clickable boxes and buttons. For this reason, many resort to developing their own tools in-house, or augmenting those they have, to give them the ability to adapt and roll out services across their client base.
Security orchestration, automation and response (SOAR), for example, typically requires set-up, rule configuration and playbook tweaking, which can be time-consuming. As a result, MSSPs tend to activate only some automation features and build custom use cases and advanced correlations together with their clients. In doing so, however, they end up missing out on some of the functionality.
Bespoke is not best
In-house solutions can present future challenges too, by making it difficult to introduce new features or to scale these offerings.
What MSSPs far prefer are solutions that offer out-of-the-box integrations and flexible feature sets, saving them time and effort. This is especially true for those MSSPs that bundle components together at a single price point or wish to enable their customers to plug their own technologies, such as firewalls and endpoint detection and response (EDR), into the MSSP’s security information and event management (SIEM) solution.
Further complicating matters is the way security solutions are licensed. The customer base is highly price sensitive, with many organisations choosing to outsource to MSSPs to keep costs low and predictable. Consequently, MSSPs tend to be cautious about adopting new technologies as this may change the vendor licensing scheme and raise costs. This means they seek platforms and tools that can be integrated or swapped out, and that can be deployed on-premise, in the cloud or a hybrid of both, with a predictable licensing structure.
These constraints can make it very difficult for MSSPs to exploit technologies to create new value-added service packages, which is why, to move the market forward, vendors need to become more in tune with MSSP needs.
So, what would managed security service providers like to see? A recent survey of MSSPs across Europe and the US, conducted by Take Point, found unanimous demand for vendor solutions that are highly scalable, backed by support and regular updates, and offer a roadmap of advanced future features.
MSSPs revealed they want the ability to influence vendor roadmaps, in terms of feature requests and timelines, and to ensure that scalable management is factored in at the design phase. Such strong partnerships would then give the MSSP the confidence to recommend a particular solution because they would know where the vendor was headed.
Interestingly, those that had developed or tweaked solutions in-house were also keen to share their experience with vendors to better leverage what they had. They also said having a close working relationship with the vendor was essential to understanding the inner workings of the security platform to enable them to customise it. This suggests the exchange of ideas could go both ways, helping educate vendors on how to better tailor their solutions to the MSSP market.
Developing new services
With regard to emerging technologies such as SOAR, it was recognised that such solutions were necessary to grow the business and provide customers with automated response, but there was reticence over deploying such technologies without vendor support. The surveyed MSSPs said they wanted flexible licensing options and hands-on training to teach their analysts how to design playbooks and implement use cases to speed response and shorten service-level agreements.
Finally, desire was also expressed for simple customer-facing dashboards that the MSSP could manage centrally for their entire customer base. Some had resorted to building this themselves to swap out solutions without disrupting the customer view, while others had used open interfaces and standard protocols to integrate solutions to provide a smooth customer experience. But there’s really no reason why a pivotal technology such as SIEM cannot be used in this way as it already collects and centralises data from any device.
Ultimately, MSSPs want to bundle multiple services into a single package with a simple – and low – price tag. So, those vendors that are able to converge new technologies such as SOAR with existing SIEM platforms, making it easier to deliver a wide array of cyber security services under a converged and predictable licensing structure, are likely to be favoured.
Going forward, it’s in the interests of MSSPs and vendors alike to work more closely together when it comes to product development, deployment and customisation. Involving the MSSP in the vendor roadmap and feature request discussions can ensure the end solution has the capability to carry out incident response, for example, across thousands of customers.
Educating MSSP analysts can give them the confidence to offer a much wider range of service options and to fully exploit the automation offered by technologies such as SOAR. And listening to how MSSPs have tweaked their tools can enable vendors to adapt their offerings and make their solutions more appealing to this important market.