MSSP is dead. Long live MSSP! There was once a time when we had to go to an arcade to play video games. However, technologies like the Xbox and PlayStation have made it possible to access those same video games from the comfort of our own home. The managed security service provider industry referred to as an MSSP, is experiencing a similar technology shift today.
I spent some time last week visiting with a large organization in New York City. The question is, how many organizations do you see building their own Security monitoring capability and MSSP? This conversation started on the 17th floor In the conference room And ended up In a Starbucks in midtown on 42nd street. When it’s not raining, we’ve had some great fall temperatures so why not play a little Frogger in New York traffic while chatting MSSP on the way to Starbucks.
What is an MSSP?
Let's start by what we mean by an MSSP. The definition is a Managed Security Service provider.
What's the history of MSSPs?
Roots of an MSSP Originally started By Internet service providers in the late 1990s. Those ISPs would sell customers a firewall appliance and for an additional fee would manage the customer owned firewall over Internet connection. Today in 2018 the idea of an MSSP has become a lot of different things and an MSSP is encompassing of log monitoring, end point monitoring, firewall management…I would go out on a limb to say there's an MSSP offering for almost any major security technology in the market today. There are many different categories of MSSPs including the 5 common ones on site, perimeter management, Managed security monitoring, and penetration testing and vulnerability assessments, and compliance monitoring. For the purposes of the conversation in NY we focused on security monitoring category.
To understand where we are today it would help to understand where we’ve been. In the legacy model, which is still widely used today, a company sends their log files off premise to an MSSP in a blackbox arrangement. By black box I mean once you send you log files you don’t see those files anymore unless you’ve made a copy locally. With the historical technology MSSPs are limited to the types of log files that could be monitored due to the format of the log file. For example common log files such as Cisco and Juniper are very common, are often seen, and subsequently easier to enrich with threat Intel data or advanced correlations. Other less common log file formats can be a little more challenging to correlate or enrich if they have a non standard log format.
So from a legacy MSSPs standpoint it really makes a strong business sense to invest into common log types and only support those log types only. Most often times MSSP's will support a non common log file format but often results in a custom development effort.
Pain points of the legacy MSSP model:
As a former customer of a legacy MSSP I can honestly say one of my more significant pain points of the legacy model was the black box model where that I would forward my logs off premise and never see them again. If I was alerted to an issue and needed to do an investigation I did not have the tools or platforms in order to do a proper investigation and rarely could see the data points, correlations, or threat intel enrichment that validated the security event. The black box model was truly black box.
So where are we today?
In the late 2000 the security industry so rise of new security technologies that allowed organizations are to ingest their own log streams in data sources for the purposes of performing their own in-house security analysis. Over the last 10 years those security technology providers have only improved on that technology making it better faster and easier to perform security investigations in house. These technologies have made it possible to create a white box MSSP in house for any organization. In other words, if an organization wanted to build an in-house MSSP or security ope…