
Why use an MSSP 

Enterprises, irrespective of size, face never-ending challenges. Not only do competitors provide obstacles to increased productivity, growth and higher revenue generation, but threats such as fluctuating consumer confidence and escalating operating expenditure are problematic, specifically for small-to-medium-size businesses (SMBs). 

A significant challenge facing all SMBs is the prospect of cyber attack. Statistics from the 2017 Cyber Security Breaches Survey revealed that 46% of UK businesses identified either a security breach or hacking incident last year. The victims of cybercrime include Lloyds Bank, Three Mobile and the NHS, to name a few. Cybercrime experienced by SMBs is not deemed newsworthy. 

Research confirms that 42% of SMB employees do not have the knowledge to deal with the consequences of a cyber attack. 47% of workers are not educated in IT security awareness. It is with these figures in mind that managed security service providers (MSSPs) are fast becoming a necessity for SMBs wishing to keep cyber crime at bay. 

This report details the role of MSSPs in securely monitoring and managing IT devices and systems. The services provided by MSSPs are also examined and these are juxtaposed with those of managed service providers (MSPs). The report also explores the relationship between MSSPs and the General Data Protection Regulation (GDPR) which comes into force in all EU member states in May 2018. 

What MSSPs do 

Managed security service providers supply outsourced monitoring and management of IT devices and systems to ensure security and data protection. MSSP technology offerings include deployment and management of firewalls, intrusion prevention systems (IPS) and intrusion detection, VPN, vulnerability scanning, anti-virus and anti-malware, patch management and data loss prevention (DLP). Put simply, MSSPs focus on IT security, providing a systematic management platform for business IT security and compliance needs. 

MSSP services may extend to offer broader provisions such as risk assessments, risk management, IT policy development, security updates and solution implementation. An experienced MSSP can also provide onsite training and education, audit systems and report on their status, and ensure that companies are compliant with data protection laws and regulations. An MSSP may offer a generalised suite of security capabilities and services or may deliver fewer key specialities. 

Five core MSSP categories 

Services provided by MSSPs can be assigned to one or more of five categories. These are: network perimeter management, managed security monitoring, penetration testing, compliance monitoring and consultancy. Spend a few moments examining each of these categories in order to obtain a wider perspective of MSSP operations. 

Network perimeter management 

Perimeter management involves installing, configuring, upgrading and managing several fundamental components of a client’s IT network. The service typically encompasses the firewall, intrusion detection hardware and software, email and data traffic filtering, and VPN. MSSPs focusing on network perimeter management will regularly report on any intrusion attempts or activity. 

Managed security monitoring 

Managed security monitoring (MSM) is the daily monitoring of system events throughout the entire IT network. Any unauthorised and anomalous behaviour, such as malicious hacks, denial-of-service (DoS) and accidental data leakage, is interpreted and reported using MSM. MSM is the first step in an incident response process and is also a vital feedback loop that makes all other network security activities effective. 

Penetration testing 

Penetration testing involves a one-off or periodic simulated attack on part or all of an IT network in order to evaluate the security of the system. Penetration tests are useful in determining whether a system is vulnerable to a real attack or not; if vulnerabilities are detected, the tests pinpoint specific weaknesses within the network. Penetration tests enable a full risk assessment to be completed and form a primary component of a security audit. MSSPs provide the results of penetration tests to clients in order to assess potential impacts for the SMB and to make recommendations on measures to reduce the risk. 

Compliance monitoring 

MSSP compliance monitoring is a watchdog service that monitors event logs for violations of internal IT security policy, not intrusions. For example, should a rogue administrator have too much access to a network, their access is flagged and reported to the client. The client is then able to take appropriate disciplinary action based on internal IT policy and the findings of the MSSP. 

Consultancy 

Consultancy is as it says. Through consultation, the MSSP will provide a bespoke assessment of risks, key requirements for IT security and develop appropriate security policies and processes. MSSPs may offer security product integration and mitigation support should an intrusion occur. 

Security as a service 

MSSPs are essentially IT service enterprises providing security-as-a-service (SECaaS) solutions to their customers and clients. SECaaS is a business model in which the MSSP integrates their own IT security products into corporate and entrepreneurial IT infrastructures. Integration operates on a subscription basis and is a scalable feature of the client’s service-level agreement (SLA). SECaaS is by far a more cost-effective strategy for IT security than most SMBs would be able to afford independently, particularly when the total cost of ownership (TCO) is taken into account. 

SECaaS is modelled on software-as-a-service (SaaS) but with a focus on the provision of specialised IT security services. As with SaaS, SECaaS information security offerings do not require on-site hardware. This means that SMBs avoid substantial capital outlay on equipment. Some key SECaaS services include antivirus, antimalware/spyware, intrusion detection, penetration testing, security event monitoring and management, and authentication of user credentials. Experienced MSSPs are likely to offer an even greater range of products, both at-hand and bespoke. 

Outsourced security licensing and delivery has recently gained considerable momentum. In the United States alone it is a multi-billion dollar industry. SECaaS provides businesses with the latest internet security services that almost guarantee protection from online threats such as distributed-denial-of-service (DDoS). DDoS is cybercriminal activity aimed at rendering a client’s website, network or hardware unavailable by disrupting the services of the internet hosting provider. 

You may be aware that the demand and use of the cloud are skyrocketing. This unprecedented growth in cloud computing and virtualisation technology also means that users are now more vulnerable than ever before. There are many more internet access points and consequently more opportunities for hackers to infiltrate a vulnerable or unsecured IT infrastructure. Some say that SECaaS is a resilient buffer against any persistent online threats. 

Benefits of SECaaS 

The major benefits of SECaaS can be summarised as: 

  • Reduced capital and operating costs: By integrating security services without the need for on-site hardware systems, SECaaS positively impacts the IT budgets of businesses. Moreover, using cloud-based security products negates the need for expensive on-call security analysts and consultants.
  • Continuous and standardised protection: SECaaS means that companies are continuously protected since databases are regularly updated to have the latest security software and technologies. SECaaS is also underpinned by uniformity, in which separate networks and infrastructures are combined into one manageable, synchronised system.
  • SECaaS offers automated virus/malware definition updates that are not reliant on user compliance or availability.
  • MSSPs providing SECaaS will have enhanced IT knowledge and expertise compared to most in-house engineers.
  • SECaaS facilitates the outsourcing of administrative tasks such as log management. Besides saving time and money, this enables in-house IT employees to focus on projects that improve productivity and, by extension, lead to a greater turnover of revenue.
  • SECaaS provides an intuitive web interface meaning that in-house administration of many tasks is possible. The interface is also a means of observing and monitoring the internal security environment.

When to outsource to an MSSP 

The criteria for outsourcing to an MSSP can vary, depending on client needs. Three factors are common denominators when it comes to taking an MSSP on board: cost-effectiveness, the need to focus on core competencies and having 24/7 up-to-date services. 

Outsourcing to an MSSP entails handing over critical control of a company’s IT infrastructure. It does not mean, however, that the MSSP is ultimately responsible for system failure, human negligence and other IT errors. As with any third-party agreement, the client is accountable for its own IT security and should be prepared to manage and monitor the contracted support from the MSSP. SMBs contemplating an MSSP partnership need to understand that the relationship is not a turnkey one but an ongoing commitment, backed by effective IT management, to ensure network and data security, for which both parties take responsibility. 

While IT security remains pivotal to an SMB, outsourcing means that the MSSP manages daily routine, yet critical, tasks, while in-house IT engineers have the time to work on development projects, such as intranet optimisation, website design and developing client services platforms. 

When information assets upon which a business depends are not securely configured and managed, data becomes vulnerable to compromise, loss and breach. A fundamental role of the MSSP is to secure assets, thereby significantly diluting the possibility of non-compliance with government-stipulated data protection regulations, such as the GDPR.

MSSPs for SMBs 

The MSSP model among large enterprises and SMBs with 100 or more employees has been rooted in IT security practice for some time. However, with cybercrime on the up, SMBs are flocking to managed security services for several reasons. IT security has become specialised, complex and dynamic. Moreover, the number of data regulatory and legal requirements applied by both the government and clients has grown. This growth reflects the necessity to secure the digital safety and integrity of all personal and financial data, either stored or transmitted via SMB computer networks. 

Large organisations are able to afford a sustainable IT department to manage many IT security activities. Companies operating on a smaller scale, such as lawyers, accountants and marketing agencies, are typically constrained by budget limitations and are unable to employ full-time IT security specialists. The emergence of MSSPs for SMBs directly addresses the financial limitations and lack of expertise, together with a short supply of time and human resources. 

The trend of outsourcing IT security jobs to MSSPs is growing at an appreciable pace. Having an outsourced vendor simply means that businesses are realigning their security strategies so as to focus on core operations. SMBs acknowledge that managed security providers will offer effective IT systems management along with seamless monitoring and reporting. MSSPs can offer comprehensive IT security using remotely managed technology that is easily installed and which operates in the background, thereby not disrupting vital SMB business functions. 

MSSPs usually contract on a monthly basis with fees that are highly affordable for the average SMB. Contracts are flexible and security provision is scalable as stipulated in any SLA. To ensure predictability of cost, a reputable MSSP will charge a flat rate. Depending on an SMB’s requirements, the MSSP will deliver IT security reports on a daily, weekly or monthly basis. The MSSP will also offer bespoke reporting in the event of unforeseen events such as downtime or potential data compromise. 

MSSP versus MSP 

To better distinguish the difference between a Managed Service Provider (MSP) and an MSSP, it is worthwhile to review the essential services that an MSP offers. Simply put, an MSP is a third-party company outsourced by a client or customer to perform IT services and management. The MSP contract is usually ongoing: MSPs typically form partnerships with their clients over multi-year periods and receive monthly income for continuous service. 

MSPs are accessed by many SMB start-ups for support in the stages of their IT lifecycle. Support includes, but is not limited to, these areas: 

MSPs form part of an ongoing IT management strategy by updating systems and making configuration changes as business needs change and grow. MSP service line items include 24/7 help desk support, network and application management and monitoring, hardware procurement and repair, and more. These services are detailed and mutually agreed upon in an SLA. 

How MSSPs differ 

How is an MSSP different from an MSP? The additional ‘S’ should provide a clue. In simple terms, MSSPs are focused on security compared to their MSP counterparts and offer broad-based SECaaS. As discussed, MSSP technology encompasses an over-reaching umbrella of IT security services including anti-virus, firewalls, vulnerability scanning, threat intelligence and penetration testing. Lately, an increasing number of MSPs are offering security services and some have MSSP practice embedded in the larger MSP business model. MSSPs have several distinct advantages over MSPs when it comes to client bottlenecks with IT security. Specific ways in which an MSSP can step in and help are: 

  • scaling up security in an IT landscape facing increasingly sophisticated cyber threats
  • providing much-needed expertise at times of an internal IT skills shortage
  • applying know-how to solve problems by drawing on experience from a diverse client environment
  • increasing visibility to cyber [and other] threats
  • leveraging their expertise to provide expedited security responses

Shawn Keve, VP of Simeio Solutions, an Atlanta-based Identity and Access Management (IAM) solution provider, believes this is why many organisations are reliant on MSSPs: 

“An MSSP can take over security and be proactive. They can fill the gaps, or they can provide backup, such as doing monitoring and alerting during employees’ off-hours.” 

As the IT threat landscape evolves, so does technology, probably more rapidly. The rate of technological evolution and morphing of threats in the blink of an eye can be a seemingly insurmountable challenge for internal IT staff. All the more reason to draw on the expert knowledge of the MSSP. Keve adds: 

“You’re talking about a ton of tools and technologies. This makes it incredibly challenging for the staff of non-security companies to learn and scale. And, when it comes to security, expertise is not something you want to have to gain on the job.” 

The GDPR 

The GDPR is unquestionably the buzz phrase in the tech and business world at the moment. The European Union’s new data protection policy comes into force on the 25th May 2018 and is an overreaching net that will globalise rules for data protection, privacy and security. The GDPR applies to all personal data collected, handled, processed, stored and transmitted by EU companies, even if the data transactions are outside the border of the Union. The GDPR has six fundamental principles in Article 5 of the document and these can be summarised as: 

  • Transparency is required for the handling and use of personal data.
  • Personal data may only be processed for specified, legitimate purposes.
  • Personal data collection and storage is limited to the purposes specified.
  • Individuals have the right to correct or request deletion of their personal data.
  • Personal data must be stored in an easily identifiable form and only for as long as necessary for its intended purpose.
  • Personal data must be protected at all times using organisational and technical practices.

The GDPR is a definitive piece of legislation that requires all organisations, including corporations, non-profits, government entities and SMBs, to exercise vigilance when accessing, processing and storing any form of personal data. 

MSSPs and the GDPR 

At present, the Information Commissioner’s Office (ICO) in the UK is entitled to impose a maximum monetary penalty of £500,000 for serious breaches of the Data Protection Act. When the GDPR comes into play, organisations that have committed data breaches will see a dramatic increase in the fines they’ll be required to pay. Under the GDPR, penalties have an upper limit of €20 million or 4% of annual turnover – whichever is higher. With this number in mind, it is clear why data protection and security is more prevalent than ever before. 

A reliable and experienced MSSP will have a comprehensive knowledge of all facets and implications of the GDPR. SMBs, even those with a handful of employees, are advised to seek support from their local MSSP who can reduce and probably eradicate the risk of data compromise, consequential litigation and financial penalties exercised by the GDPR. Through consultation with an MSSP, an SMB can expect: 

  • detailed explanation of all aspects of the GDPR and their impact
  • classification of all forms of personal data that are accessed, processed and stored
  • establishment of an in-house and remotely stored personal data inventory
  • implementation of a robust data governance plan
  • appropriate technical and organisational steps to avoid loss of personal data
  • creation of systems to detect and respond to vulnerabilities and data breaches
  • auditing tools for the tracking, recording and storing of processed data

MSSPs are GDPR accountable 

The GDPR also directly stipulates the requirements for cloud service providers (CSPs), and, by extension, MSSPs. Under the new laws, MSSPs and other IT service providers must provide assurances that they can implement data processing measures that are in line with the requirements of the legislation. Based on GDPR terminology, CSPs and MSSPs are classified as ‘processors’ since they sift, interpret and manipulate data for a ‘controller’. In plain language, a business is a controller of its clients’ personal data while the MSSP acts as the processor. 

MSSPs will be aware of the broad scoping obligations of the GDPR and implement stringent data protection practices and policies themselves. With this in mind, SMBs can rest easy knowing that the GDPR aims to bring cloud and managed services into the spotlight and thereby provide an opportunity for MSSPs to ensure that their clients are GDPR compliant. 

SMB owners and executives needn’t worry that the GDPR will make it more difficult to outsource IT security to an MSSP. Quite the opposite. The GDPR aims to stimulate transparency amongst providers. The contrast between MSSPs that are GDPR compliant and those that are not will be obvious. Trustworthy MSSPs with solid transparency practices and rigorously documented procedures will be able to form long-lasting and mutually lucrative partnerships with SMBs, big or small. 

MSSPs in the future 

IT networks and environments are not static constructs. Improved applications, software and hardware are added almost every day, joining a vast array of technology. Along with these evolutionary changes and an increase in the number of operational SMBs, comes greater use of cloud computing and a massive increase in the quantity of data being processed. Quite simply, the more data or personal information there is out there, the greater the risk of a cyber attack or data compromise. 

While enterprise struggles to keep pace with virulent malware and ransomware incidents, MSSPs recognise the need to combat increasingly complicated and intelligent cyber attacks and are enhancing their portfolio of sophisticated security solutions. As more SMBs realise that robust data protection is vital for survival, the number of small business-MSSP partnerships may witness exponential growth. This growth guarantees data protection for individuals and productivity for businesses. 
