I've said it a lot over the last few years: the legacy black box managed security services provider (MSSP) model is dying a slow death. I wish I had a nickel for each time I've heard someone say they're dissatisfied with their black box MSSP. Truth is, it's just a change in times. Even the horse and carriage gave way to the Ford Model T. Now the gas automobile engine is feeling pressure from the enhancement in electric motor development.
As with all technology, the barrier to entry gets reduced over the years. At first the technology is revolutionary and groundbreaking, and over time, new competitors find ways to compete for less money. It's capitalism and competition at its finest.
The black box MSSP market is suffering from advancement in modern technology. Examples come in the form of Splunk, LogRhythm, or other like solutions that give companies the ability to build their own MSSP or security operations center (SOC) in-house. The best analogy I can think of is that the Splunks and LogRhythms of the world are replacing legacy MSSPs just like the PlayStation and Nintendo replaced the video game arcade. Security folks don't need to "go out" for a security service when they can build their own MSSP or SOC solution in-house with freely available technology.
The black box MSSP market is dying the death of a thousand cuts. There's still value in the solution, but someone needs to change the client optics and try to regain the value. It's an uphill battle. Between new MSSP competitors coming to the space, a shifting threat landscape that makes threat intel obsolete in minutes, new technology entering the market, and competing sales reps pitching empty two-dimensional solutions like a cardboard saloon in an old western movie, it's becoming tough for these providers to compete. But for some, black box MSSPs remain the regular type of vendor, and it keeps them in the fight.
Before you make a bad decision on your MSSP or security partner, there are a few things you should know about the security space players. To be clear, there is value in using a security firm as your security partner.
To understand what's good and what's bad, you need to understand the market a bit. So, here goes!
There are generally three types of MSSPs:
Black Box MSSP
I'll spare the names of the common players, but they're the "regular type of vendor." The model looks like this. They'll give you a log aggregator or log forwarder that is installed on your company system. This log aggregator sends your log files to a monitoring service, and you never see your logs again. If there's an issue, your MSSP will email you with the alert, but they won't help you investigate if there is an issue. This in itself becomes an issue because they have your log files! If you need to investigate, that's another team at that company, and they charge you $500+/hour to look at your log files and do an "investigation."
Gray Box MSSP
A gray box MSSP is usually a provider that will take custody of your log files and keep them stored at their facility for you. These providers will usually give you access to your log files so you can view them, and they'll likely send you a weekly status report, but you'll be limited as to what you can do with your log files. Let the buyer beware: If a company is hosting your software license in a multi-tenant instance and they have your data, and you need to go a different route, deciding who gets the kids in the divorce can be tough. For example, if you buy a Splunk or LogRhythm instance and your security company hosts the license in a multi-tenant fashion, be sure to get termination terms in your contract so there are no surprises. There's also this. Gray and black box MSSPs are a cyber crime target:
White Box MSSP (co-managed)
A white box MSSP is considered a co-managed provider. This means you own the technology, you keep possession of your data, and you can use your systems with support from a security partner that will help you build an in-house MSSP or SOC. Basically, when your provider does their security investigation and hunting, they do it on your single-tenant instance.
The key benefits and advantages of this solution include:
If you're looking for a managed security service provider (MSSP), check out NuHarbor's best-of-breed white-box, co-managed, SOC as a Service Solution.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.