NuHarbor Security Blog
February 21, 2019

Your black box MSSP might be dead

Justin Fimlaid

I've said it a lot over the last few years: the legacy black box managed security services provider (MSSP) model is dying a slow death. I wish I had a nickel for each time I've heard someone say they're dissatisfied with their black box MSSP. Truth is, it's just a change in times. Even the horse and carriage gave way to the Ford Model T. Now the gas automobile engine is feeling pressure from the enhancement in electric motor development.

As with all technology, the barrier to entry gets reduced over the years. At first the technology is revolutionary and groundbreaking, and over time, new competitors find ways to compete for less money. It's capitalism and competition at its finest.

The black box MSSP market is suffering from advancement in modern technology. Examples come in the form of Splunk, LogRhythm, or other like solutions that give companies the ability to build their own MSSP or security operations center (SOC) in-house. The best analogy I can think of is that the Splunks and LogRhythms of the world are replacing legacy MSSPs just like the PlayStation and Nintendo replaced the video game arcade. Security folks don't need to "go out" for a security service when they can build their own MSSP or SOC solution in-house with freely available technology.

The black box MSSP market is dying the death of a thousand cuts. There's still value in the solution, but someone needs to change the client optics and try to regain the value. It's an uphill battle. Between new MSSP competitors coming to the space, a shifting threat landscape that makes threat intel obsolete in minutes, new technology entering the market, and competing sales reps pitching empty two-dimensional solutions like a cardboard saloon in an old western movie, it's becoming tough for these providers to compete. But for some, black box MSSPs remain the regular type of vendor, and it keeps them in the fight.

Partner Pedigree Matters

Before you make a bad decision on your MSSP or security partner, there are a few things you should know about the security space players.  To be clear, there is value in using a security firm as your security partner.

  • Accounting firms play in the MSSP space (trust me…it's real, see the Big 4). You'd never hire a security firm to do your taxes, so what makes an accounting firm qualified to do security?
  • IT service providers play in the MSSP space (this is also real). Besides creating a massive conflict of interest, running a mean help desk operation doesn't qualify them to hunt for emerging security threats or make them experts on command and control. Knowing about laptops doesn't translate to server and networking expertise, and definitely doesn't translate to security of any of these things. In other words, an HVAC technician probably wouldn't be a good car mechanic and a car mechanic probably isn't good at repairing HVAC issues.
  • Lastly, if you work with a security firm, make sure they have some real security chops and their sales rep isn't just pitching 400 different security technologies they learned about in a 30-minute online training. Security engineering is a real discipline, and reading a sales brochure doesn't make you a security engineer.

To understand what's good and what's bad, you need to understand the market a bit. So, here goes!

There are generally three types of MSSPs:

Black Box MSSP

I'll spare the names of the common players, but they're the "regular type of vendor." The model looks like this. They'll give you a log aggregator or log forwarder that is installed on your company system. This log aggregator sends your log files to a monitoring service, and you never see your logs again. If there's an issue, your MSSP will email you with the alert, but they won't help you investigate if there is an issue. This in itself becomes an issue because they have your log files! If you need to investigate, that's another team at that company, and they charge you $500+/hour to look at your log files and do an "investigation."

Gray Box MSSP

A gray box MSSP is usually a provider that will take custody of your log files and keep them stored at their facility for you. These providers will usually give you access to your log files so you can view them, and they'll likely send you a weekly status report, but you'll be limited as to what you can do with your log files. Let the buyer beware: If a company is hosting your software license in a multi-tenant instance and they have your data, and you need to go a different route, deciding who gets the kids in the divorce can be tough. For example, if you buy a Splunk or LogRhythm instance and your security company hosts the license in a multi-tenant fashion, be sure to get termination terms in your contract so there are no surprises. There's also this. Gray and black box MSSPs are a cyber crime target:

  1. https://www.cso.com.au/article/643350/managed-service-providers-new-target-cybercriminals/
  2. https://www.msspalert.com/cybersecurity-news/dhs-warning-msps-csps/
  3. https://www.us-cert.gov/ncas/alerts/TA18-276B

White Box MSSP (co-managed)

A white box MSSP is considered a co-managed provider. This means you own the technology, you keep possession of your data, and you can use your systems with support from a security partner that will help you build an in-house MSSP or SOC. Basically, when your provider does their security investigation and hunting, they do it on your single-tenant instance.

The key benefits and advantages of this solution include:

  1. The ability to see and access your log data when you want and how you want.
  2. All your data stays at your company.
  3. Your security partner can help build your security team through shadowing.
  4. You own the licensing, so if you decide to start with a white box MSSP but decide to fly solo, the good work stays behind with your company.
  5. You can track and inspect actions of your MSSP provider.
  6. If you operate a capital expenditure model, your technology asset will have residual value.

If you're looking for a managed security service provider (MSSP), check out NuHarbor's best-of-breed white-box, co-managed, SOC as a Service Solution. 

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
