MSPs and MSSPs Guide to Building Comprehensive Managed Security Services Portfolio

With the volume of cyber threats on the rise, organizations are scrambling to stay one step ahead of cybercriminals. This spells big opportunities for MSPs and MSSPs. But to get an edge on the competition, you need to pick the right security tools. In this report you’ll learn:

  • Which managed security services to offer
  • Why the layered managed security services approach is so important
  • What areas security service providers should avoid when first starting out

Content Summary

Recommended Managed Security Services
Connectivity Issues
Layered Approach Is Important
Areas to Avoid if Starting Out

In this age of devastating data breaches, managed service providers have no choice but to start providing security services. Here’s how to pick the right security tools for your tool belt.

Cybersecurity increasingly is top of mind among organizations of all sizes as massive breaches regularly grab headlines. Recent breaches such as the unauthorized access of Under Armour’s MyFitnessPal database that exposed or compromised 150 million accounts underscore the fact that organizations increasingly need help to stay one step ahead of cybercriminals and are turning to the channel to do so.

Transparency Market Research expects the global cybersecurity services market to experience strong growth, registering a 15.6 percent compound annual growth rate (CAGR) and reaching $63.5 billion in revenue by the end of 2026.

All of this spells big opportunities for managed service providers (MSPs) and managed security service providers (MSSPs) that want to either start offering security or add to their arsenal of security tools. But deciding which services to add and whether they are worth the investment can be a daunting task.

“The fundamental measure of what makes a managed security service effective is the intersection between customer experience and an effective technology that integrates several silos of information into one usable security tool,” said Dave Venable, vice president of cybersecurity at managed security company Masergy. “These two elements feed into one another, and without either one, a tool is less likely to result in the desired security outcomes. By merging and analyzing multiple sources of information—e.g., server and firewall logs, endpoint security, IDS/IPS, CASB, user behavior, etc.—a good security tool can detect threats long before any discrete tool could.”

Global Managed Security Services Market By Region, 2014-2024 (USD Million)

By focusing on customer experience, a provider ensures the customer receives their desired outcome. Companies looking for a managed security service provider can get a good gauge on customer experience by looking at a provider’s net promoter score (the number of customers that are highly likely to endorse a provider’s brand relative to the detractors that are unlikely to recommend the provider to another customer).

Organizations should think about what they do and where their expertise lies, said Doug Steelman, senior vice president of managed services at cybersecurity solutions provider Optiv. If it’s not cybersecurity, then they should consider bringing in an expert, he said.

“There is a zero percent unemployment rate for cybersecurity talent,” Steelman said. “MSPs have the advantage of giving security practitioners interesting problems to solve in every vertical [and] industry, and in some cases [government]. Therefore, it is easier for MSPs to attract and retain security talent. This leads to institutional knowledge, continuity and repeatability. This naturally lends itself to better execution over time in executing security program elements.”

In this article, we look at the top managed security services to add to your portfolio, as well as the various issues, such as investment and connectivity, that go along with the decision-making process.

So how do you know if you should add security services to your portfolio? According to Dave Sobel, SolarWinds MSP’s director of MSP evangelism, MSPs really don’t have a choice if they want to stay in business.

“Customers have an expectation that you’re going to be delivering security, so the only way to properly do it is add an organized, thoughtful, procedure-based offering,” he said.

As far as getting started, Sobel said it’s “like eating an elephant, one bite at a time.” Work on the technologies you already have, making sure you systemize your delivery, and then look at how you’re going to add the next complementary piece.

“If you’re not offering web filtering on endpoints today, that might be a logical first step if you’re already offering antivirus services,” he said. “If you aren’t offering endpoint backup, that’s a great place to get started. If you’re already offering backup on servers, you can look at the way workstations get rolled into it.”

When building your complete security portfolio one offering at a time, instead of all at once, there’s always a logical next step. You build out the offering technology by technology and piece by piece because “the skill of constantly adding [to your portfolio] is actually one of the pieces that’s most valuable in security,” Sobel said.

Motivations Behind Attacks

MSSPs should move beyond traditional services such as perimeter security controls like firewalls and intrusion prevention systems (IPS) and consider offering more modern and advanced security services focused on protecting data, applications and users in a multicloud, mobile environment. Such security services may include identity access management, cloud security management and data encryption, said Aaron Sherrill, senior analyst at IT research and advisory firm 451 Research.

“Avoid adding services that only appeal to a few customers or lack long-term growth potential,” he said. “Obviously, managed security services that can add high value at high margin with low to no capital expense and minimal ongoing management are ideal.”

Managed detection and response (MDR): an all-encompassing cybersecurity service used to detect and respond to cyberattacks. It is a valuable managed security service option, Masergy’s Venable said. But having the right implementation is key.

“For instance,” he said, “having an MDR solution that effectively integrates with top-of-the-line endpoint and cloud application security tools under a single pane of glass can make all the difference in the world for a security provider detecting and responding to incidents in real time.”

Demand is steadily growing for MDR and threat hunting, said Mike Suby, vice president of research at business consulting and market research firm Stratecast/Frost & Sullivan.

“It’s that idea of look, we know we are probably compromised in some way or we will be compromised in some way, but right now we don’t have the technology, the know-how or the personnel to detect what’s going on [and] understand what’s going on and then take action—and then do all of that in a faster time frame than the attackers can run through the course of their exploits, which in many cases is exfiltrating data,” he said. “You’ve got to be on your toes 24/7.”

Cloud access security broker (CASB): a software tool or service that sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure, and acts as a gatekeeper, allowing the organization to extend the reach of its security policies beyond its own infrastructure to the cloud.

“As enterprises move more and more into the cloud, finding an effective CASB solution is key,” Venable said. “But even more important is having that CASB solution integrate effectively with the enterprise’s detection and response capabilities to detect threats faster and more effectively.”

Penetration testing and red teaming: full-scope, multilayered attack simulations designed to measure how well a company’s people, networks, applications and physical security controls can withstand an attack from a real-life adversary.

More advanced partners like Optiv are offering penetration testing and red teaming, said Christina Richmond, IDC’s program vice president of worldwide security services. It is important to forge partnerships with vendors and MSSPs in order to offer higher-level services. Eventually, some of those capabilities can be taken in-house if you are willing to make that investment.

Deceptive networks: deception technology can discover, analyze and defend against zero-day and progressive attacks, often in real time. The global deception technology market is expected to exceed $2 billion by 2021, accelerating at a 15 percent CAGR, according to a report by Market Research Engine.

“This is all about using deception technology to lure … hackers who have gotten into the system into traps, of which by doing so you’re identifying who is in your system [and] what they’re doing within your system and taking them away from your prized assets, and you’re observing what they’re doing,” Suby said. “And with high forensic material about what they’re doing, then you can determine, ‘Where am I vulnerable in my networking systems and applications, and what should I do now? Which of my devices have been compromised, and which ones need to be cleaned up?’ Two companies already have managed deception in place: Kudelski Security and Scitum.”

Threat intelligence and visibility: the in-depth analysis of internal and external threats to an organization in a systematic way. “It’s an area where partners are getting in on some of the advanced capabilities, where they’re starting to look for threat intelligence and visibility into the architecture for their customers,” Richmond said. “They might do it through a partnership with a vendor, or they might sign on with what we call a TIP, a threat-intelligence platform, like the company Anomali, which used to be called ThreatStream. So they might sign up with them and then resell those capabilities to their customers just to provide the visibility internal to the customer’s network. So that’s a newer, more interesting area for the channel to play in.”

SOC management: Security Operations Center management and monitoring is “a very big leap” for partners at lower levels in terms of managed security services, Richmond said.

“That’s a lot of money, and it has to be a directional thing for them that they really want to do,” she said. “Like Herjavec in Canada, they built out their own SOC, one in Canada and one in the United States, and they have security analysts who are the eyes on screen. They’re the ones watching the customer’s network, and they’re alerting on it.”

Penetration testing: an interesting option for partners. This is white hat hacking, in which you try to break into a customer’s network and gain access to data you shouldn’t be able to reach.

“You’re doing it to prove there’s vulnerability, to prove that it’s doable. And then [you] show that to the customer and say, ‘Here is where you’re vulnerable, and we can help you fix that. We can remediate that with certain technologies or certain services,’” Richmond said. “That’s another step up from just offering threat intelligence through a third party. It’s actually hiring the personnel who can do these penetration tests.”

Security automation: the growing threat landscape and the cybersecurity skills shortage are increasing demand for automation as a key ingredient in the game against cyberattacks, according to McAfee. By pairing human intelligence with automated tasks, and putting human-machine teaming in practice, automated programs handle basic security protocols while practitioners have their time freed up to proactively address unknown threats.

“Managed security services can no longer be offered as a one size fits all,” 451 Research’s Sherrill said. “MSSPs need to offer fully managed, co-managed and customized solutions and services. Services offered should be integrated and automated to the greatest extent possible. Transparency is also an important factor to consider as enterprises look to validate the services being delivered.”

Managed Security Providers Can Deliver:

  • 24×7 Correlated Log Monitoring & Management
  • 24×7 Threat Mitigation
  • Firewalls
  • Intrusion Prevention
  • Vulnerability Scanning
  • Content Filtering
  • Encryption
  • Endpoint Security
  • Host-intrusion Prevention Security
  • Secure Mobile Device Management
  • Phishing Detection & Takedowns

Connectivity Issues

There are many factors that determine connectivity of managed services at a client’s site, and they are not limited to technology in use and the architecture of the environment. The advent of cloud environments has provided an alternative to the traditional on-premises approach, but either way, it’s inevitable that security partners will need mechanisms for connectivity into client environments, particularly where security instrumentation management is required on behalf of the client from the MSP.

“There’s definitely an investment there, and they need to be able to get access to the customer’s network if they are going to be doing threat hunting or penetration testing,” Richmond said. “If they’re not actually taking actions on behalf of the customer, they don’t have to have administrative rights. They can just go in through whatever access rights the customer gives them, or they can try hacking into the customer from their own network to do the penetration testing. So there’s lower level requirements.

“Until they get to the actual management and monitoring—and the management is kind of the traditional MSS [managed security service], the on-premises management, patching and making sure things are configured properly—that’s where they do need more access, more connectivity,” she continued. “It’s a higher level of requirement to be able to get visibility into the customer’s network and then to be able to effect changes on that. So to go in and patch a firewall, you have to have access to that device, which can cause its own vulnerabilities.”

Managed services are very hybrid in nature, at least in terms of where the technology resides and where it is enforced. Much of the analysis takes place in a cloud environment that has been set up to receive the information shuttled into it.

“Enforcement could still be done at a network gateway, a WAN gateway or even deeper within a customer’s environment, depending on what they need,” Suby said. “So it’s always going to be a combination of network, cloud or on-premises equipment. And frankly all of the MSPs that I know of are cognizant of the potential bandwidth consumption their services may have and have done what they can to reduce that bandwidth demand, and at the same time work with the customer to make sure that the information flow to them does not damage their ongoing business. So there’s traffic prioritization activity going on. I would be surprised if bandwidth was a problem from the standpoint of delivery of managed security services.”

Layered Approach Is Important

A number of solution providers are embracing a proper layered managed security services approach. With such an approach, the solution providers bake all of the security technologies into the way they address their managed services on an ongoing basis and they make sure they cover their customers beyond just the basic security solutions.

“The solution providers that are doing really well are the ones that have embraced proper layered security,” Sobel said. “They’re looking at endpoint security [and] web filtering to make sure customers don’t go to the wrong places; they’re looking at mail security; they’re making sure they’ve got proper firewalls; and then they’re adding advanced things like the ability to do risk intelligence so they can get a sense of what data in their customer’s network is really valuable. And then they’re expanding beyond just backup to make sure that they’re looking at backup at all the right places, so including backup all the way to the endpoint.”

While technology will continue to advance, it will also continue to be flawed, Optiv’s Steelman said. And so threat actors will continue to find vulnerabilities to exploit in new technology, as well as through users via social engineering.

“We cannot believe that just because we move to cloud, containers, microservices, mobile and so on, that threat actors will give up chasing the things they want,” he said. “The best MSPs will adapt to ensure appropriate visibility of the contested space wherever technology takes us, so we can contest threat actors for our clients.”

Areas to Avoid if Starting Out

Unless security service providers want to do something cutting edge, it’s best for them to steer clear of anything involving manufacturing, utilities and critical infrastructure. Managed security services in those areas require a very particular set of capabilities and tools.

“There are some security service providers, whether they’re MSSPs or just consulting companies … who can handle that utility or critical infrastructure environment, but it’s still really the wild west,” Richmond said. “It’s difficult to monitor, very difficult to find challenges in.”

Beginners should also avoid the Internet of Things (IoT).

“They tend to go together with IoT because quite often you need to have IoT sensors in places like, for example, an oil rig out in the flats of Texas and you have IoT sensors checking the pressure gauge of the rig to make sure that it’s not going to blow, and it then alerts back to let you know that it is getting a little bit too hot and you need to make some adjustments,” Richmond said. “Some of those adjustments can be made remotely through IoT, and some require people to go on site. But it’s very specific. Those industries are very difficult and challenging. I would say that the channel initially would want to steer clear of that and look toward doing it as they advance and mature.”

Source: Channel Futures