5 Tips to Choose the Best Managed Security Service Provider

Evaluate MSSP candidates on relevant technology, tools, cybersecurity hygiene and research capabilities.

May 12, 2023


By Roman Nazarov


Managed security service providers (MSSPs) have become an increasingly popular choice for organizations that want to improve their security posture. According to a recent survey, most companies reported seeking out MSSPs as they offer higher efficiency and special knowledge that internal teams lack.

Since these third-party partners take on a responsibility with very high stakes, it’s vital to choose them particularly carefully. Here are five easy steps on how to do it.

  1. Look for tailored expertise and experience.

When choosing an MSSP, consider the potential partner’s experience with other companies in your region of operation and industry, or choose a player with worldwide expertise. Confirm how long the provider has been in this business as it’s usually safer to find a recognized provider than to pick a new player. Another significant point is the team you will be working with. Make sure the MSSP you choose has qualified personnel with the required education and globally recognized certifications.

It’s also important to check if an MSSP has research capabilities. These can be measured by the number and depth of publications related to new APT groups, tools, techniques, and investigations. Strong expertise will contribute to delivering high levels of threat detection and hunting and will also prevent incidents or minimize the consequences if they do happen.

  2. Consider the MSSP’s technology: Is it an enterprise solution or a self-developed tool?

Before selecting your MSSP, ensure that it has the relevant technology and tools to provide effective security for your company’s specific environment. A simple example: an MSSP that is focused on Windows protection will not fit an environment built on Unix.

In most cases, MSSPs can be split into two large groups. One uses well-known enterprise solutions that can be bought by any company from corresponding vendors, while others employ self-developed tools or open source with customization. Your choice should depend on various factors, such as whether it suits your technologies, the MSSP’s ability to transform into an in-house SOC, the value after the contract ends, and others.

  3. Articulate SLAs (service level agreements) and metrics.

Consider what metrics you’re planning to use to measure a provider’s effectiveness, and how these will be tracked and calculated. The most widespread metrics for MSSPs are reaction time and response time. Providers define the latter in many ways, ranging from the time when the initial recommendations for mitigation were provided to the completion of the containment stage of the incident handling life cycle. However, there can be other indicators tailored specifically to your needs. For example, if your company is aiming to grow quickly, time to cover new assets will be important to you. The ability to set target values for the SLA that can be provided by the vendor is also very important.

  4. Security: Is the provider environment secured?

Does the vendor pay attention to security measures such as cybersecurity hygiene and regular assessments by external experts? Since a lack of available resources is common in the pursuit of profit, MSSPs may neglect spending resources on their own security in favor of handling a greater number of commercial contracts. Keeping in mind that the MSSP will become a part of your threat landscape and potential attack vector, you don’t want to decrease your protection.

  5. Determine if you want to split the service across multiple providers.

In the initial stages of planning, it’s important to determine if outsourcing security functions across multiple MSSP providers makes sense for your organization. Choosing the best provider for specific services is useful, but you can benefit from the synergy of the bundled services provided by the same vendor. For example, having monitoring and digital forensics and incident response (DFIR) services from the same company will have a positive effect because teams can exchange historical information about incidents, as well as indicators of compromise (IoCs).

When buying defensive services, don’t forget about offensive assessments. Check contract conditions for information on red teaming, pen tests or cyber-range exercises. Any type of assessment will be valuable to prove the value of the managed security service (MSS) and train your team.

Roman Nazarov is the head of security operations center consulting services at Kaspersky. You may follow him on LinkedIn or @kaspersky on Twitter.
