Managed Security Services Providers (MSSPs) that provide outsourced monitoring and management of security devices and systems have risen in popularity in the past decade. Several factors are driving increased demand for MSSPs, including the expense of building and maintaining a 24/7 Security Operations Center (SOC), the need for visibility into cloud applications and infrastructure and the shortage of trained cybersecurity personnel. MSSPs can close the gaps in all of these areas.
If you’re thinking about hiring an MSSP, but don’t know where to start, you’re not alone. Not all MSSPs are created equal and none have identical offerings and capabilities. Selecting the best match for your organization can be complex, so here are some essential questions to help you succeed.
1) What Is the MSSP Staff’s Average Number of Years of Experience and Certifications?
Staffing costs are the number one reason to seek out MSSP help. Depending on your requirements, for the same cost of hiring one or two full-time security analysts, you can get the expertise of an entire MSSP staff to keep an eye on your network, cloud and endpoints and alert you to any issues.
Ask the MSSP what certifications their staff has and the average number of years of experience on the team. We believe five to eight years of average experience across the team is essential. Also, a good rule of thumb is that at least 75 percent of the staff has completed rigorous certifications such as CISSP, GCIH, GCIA, CCNP Security, or OSCP.
If you have someone technical on your team, you can ask more in-depth questions around APIs and detailed specifications. Then again, it’s more likely than not that you’re seeking an MSSP because your team wouldn’t know a SQL injection from fleecewear.
2) What Is the Scale and Reach of the MSSP’s Security Operations?
A service provider with global capabilities can learn from diverse customers across the globe, constantly improving service delivery governance, platforms and processes. At the same time, local expertise and community presence ensures compliance with specific regulatory and legal requirements. You are best serviced by providers offering a combination of both.
3) What Was the Last Remediation the MSSP Performed and How Was It Executed?
When the MSSP does find something malicious, who’s responsible for taking action? Do they provide remediation services? If so, what actions are they allowed to perform? For example, can they block an inbound connection? If so, on which device? Are you able to see what the SOC analysts see in real time? Can the MSSP remediate attempted attacks in real time, or does your team need to get involved?
If you and your IT staff perform the actual remediation with advisory assistance from your MSSP, you can retain administrative control over your devices. If you don’t have the internal resources to manage monitoring and remediation, your MSSP should be able to do this for you.
4) What Type of Information Is the MSSP Pulling from Devices and Where Is It Going?
Your MSSP is most likely going to aggregate your logs and events from multiple systems in your environment. Typically, it’s an aggregation of ones, zeros and the occasional alert. However, in some cases, it could include Privacy Act information or information your organization may deem confidential.
Ask your candidate MSSP what kind of information they’ll be pulling from your devices and where that information will go. Some MSSPs’ security architecture will involve keeping your data on your premises. Keeping the information at your site is ideal. However, if they need to take it offsite, they should encrypt the data in transit and at rest at the storage location.
5) What Kind of Reports Will the MSSP Provide and How Often?
Ask your MSSP for a sample report or two and get them to walk you through what type of information they report on. Find out if they can customize reports for you if and when you need them. If you fall under a compliance or regulatory scheme, remember that there are certain reports you’ll have to run periodically (i.e., account lockouts). Your MSSP should be able to provide all this for you.
Other questions you should consider: Is there a “self-help” function you can use to run a report yourself? How can your organization consume these reports? Does the MSSP provide KPIs you can easily share with your management team?
When it comes down to it, try to brainstorm questions that revolve around the people, processes and technology of the MSSP and how those functions align with yours. Finding an MSSP is like adopting a rescue puppy – sometimes you need to meet a few before you find the one that you want to take home.
For additional advice on how to select the right MSSP for your organization, check out our 2020 State of Managed Security Report.