Questions to Ask a Managed Security Services Provider (MSSP)

BY eSentire

September 21, 2023 | 12 MINS READ

Engaging a Managed Security Service Provider (MSSP) or a Managed Detection and Response (MDR) provider can help you strategically manage your cyber risk and augment your internal resources. In the current macroeconomic climate, where security leaders are facing more pressure to achieve more with less, selecting the right partner who can deliver measurable improvements to your security posture is critical.

Ensuring your team possesses 24/7 threat detection, investigation, and response capabilities to build cyber resilience and prevent revenue disruption is vital. However, navigating the competitive MSSP and MDR market riddled with marketing jargon and bold promises can be challenging even for the most experienced buyers.

In this post, we will explore the limitations of engaging a legacy MSSP, highlight how multi-signal MDR empowers organizations to achieve cyber resilience and emphasize the importance of considering MDR in your MSSP Request for Proposal (RFP).

We will also provide you with key questions to ask an MSSP during the RFP process, enabling you to navigate the complexities of the security provider market and make an informed choice.

What is an MSSP?

A Managed Security Services Provider (MSSP) is a specialized cybersecurity services provider that offers outsourced monitoring and management of security devices and systems to businesses. Common services offered by MSSPs include managed firewall, intrusion detection, virtual private network, vulnerability scanning and antivirus services.

MSSPs leverage their expertise, technology infrastructure, and advanced tools to remotely monitor network security events and alert your team if they notice any anomalies. MSSPs deliver continuous security monitoring and asset management, so they’re typically best used for threat prevention. With an MSSP, you can get the benefits of the latest monitoring technology without having to acquire, configure, and monitor it yourself.

MSSPs also augment your internal security team by monitoring security events 24/7, helping reduce the impact and cost to your company. This allows you to focus your internal cybersecurity resources on cyber threats that are more likely to become legitimate security incidents.

MSSP Differentiators and Limitations

Managed Security Services Providers (MSSPs) can play a critical role in enhancing your organization's cybersecurity posture. However, it's crucial to gain a comprehensive understanding of their differentiators and limitations before deciding to outsource your security to an MSSP.

MSSP Differentiators

  1. Expertise and Resources
    MSSPs bring a team of skilled cybersecurity professionals with diverse knowledge and experience. Partnering with MSSPs allows you to fill your in-house cybersecurity skills gap and free your internal team to focus on the day-to-day business operations.

  2. Advanced Technologies
    MSSPs have access to the latest tools and technologies that enable them to monitor and detect threats. An MSSP can also provide guidance on what solutions best fit your organization’s needs and assist with setup and configuration.

  3. 24/7 Monitoring
    MSSPs often use a 24/7 Security Operations Center (SOC) to provide continuous monitoring and ensure potential threats are identified and addressed promptly.

  4. Cost Efficiency
    Outsourcing cybersecurity to an MSSP can be cost-effective compared to maintaining a 24/7 in-house security team. Additionally, thanks to the scalability benefits available to MSSPs, they can equip your security team with advanced solutions at a reduced cost.

MSSP Limitations

  1. Increased alert fatigue
    Most MSSPs only provide security monitoring and alerting, inundating your team with security alerts and false positives. The resulting alert fatigue can cause more strain on your in-house team, which may be already stretched thin.

  2. Automated communication
    MSSPs often rely on a faceless portal to communicate with your team. In many cases, this isn't enough for security leaders who want more human involvement and expertise from their security providers.

  3. Lack of complete response
    Most MSSPs simply send alerts about potential threats, so your team will still have to conduct threat investigations and remediate incidents in-house. Without appropriate tooling, security expertise, and threat intelligence, your team may be unable to conduct a complete threat response, leaving you open to attackers.

    “A CISO absolutely needs to value fast and accurate response, but what I’ve found is that not enough security leaders truly understand that the accuracy of the response is powered by the maturity of the threat investigation. As a security leader, you must question how can the vendor respond to a threat if they haven’t done the necessary legwork for the threat investigation portion?”
    - Tia Hopkins, Chief Cyber Resilience Officer & Field CTO, eSentire

  4. Reactive approach
    Many MSSPs don’t take proactive measures within their threat hunting or threat intelligence programs. As a result, your security team will need to take reactive measures to address cyber threats that have already penetrated your environment or progressed to hands-on intrusion.

In summary, MSSPs are typically best used for threat prevention, so you get the benefits of the latest monitoring technology without having to acquire, configure, and monitor it yourself.

However, if you’re looking for threat detection, hypothesis-driven threat hunting, deep investigation and response to threats on your behalf, you need to be aware of the limitations MSSPs may have.

How to Choose a Managed Security Services Provider

Choosing the right Managed Security Services Provider (MSSP) is a significant decision that can greatly impact your organization's cybersecurity posture. Navigating through this process comes with its own set of challenges that require careful consideration and evaluation.

Understanding Your Security Requirements

Defining your organization's specific security requirements, compliance mandates and business objectives can help you select an MSSP that effectively addresses your needs. This process involves assessing your current cybersecurity posture, identifying vulnerabilities, and understanding the potential threats you face.

Evaluating Capabilities and Expertise

MSSPs vary in expertise, technologies, and services offered, so thoroughly evaluating their capabilities is essential. To ensure your provider has the necessary skills and knowledge, assess the MSSP's team expertise, certifications, and training programs. Consider what investigation processes and tools they use to learn how effective their incident response will be.

Look at their ability to provide actionable intelligence to ensure your MSSP can mitigate existing threats and proactively enhance your organization's defenses. This evaluation will help determine whether their offerings align with your organization's unique requirements.

Seamless Integration

Integrating an MSSP's services with your existing security infrastructure can be complex. To ensure an MSSP’s tools and processes complement your internal systems without causing disruptions, understand the technology stack the MSSP is using. A lack of integration with your existing tool stack can lead to inefficiencies in collecting or accessing critical data, delays in detecting security incidents and potential threats, reduced effectiveness of threat detection capabilities, and manual investigation required from your team.

Balancing Costs and Benefits

Many organizations partner with an MSSP to achieve cost efficiency by outsourcing security operations. Therefore, cost to value considerations are crucial in selecting an MSSP. Balancing the costs with the benefits, capabilities, and expertise of the MSSP is key to making an informed decision.

Long-Term Sustainability

Your cybersecurity needs will evolve as your organization grows or faces new security challenges. Choosing an MSSP that can scale with your growing requirements and adapt to changing threat landscapes is vital. To make sure your MSSP continues to strengthen your security posture, you need to understand its ability to adapt to changes, such as cloud migrations or remote workforce enablement, and evaluate contractual flexibility, including the possibility of adding or removing services based on your evolving needs.

In conclusion, selecting an MSSP requires a thorough and systematic approach. Understanding your organization's security needs, evaluating capabilities, ensuring seamless integration, and aligning with your organizational culture are all crucial considerations. By carefully assessing these factors, you can make a well-informed decision to invest in a solution that strengthens your cybersecurity posture and augments internal resources.

What Should You Include in an MSSP RFP?

Crafting a thorough and well-structured Request for Proposal (RFP) is an essential step in the evaluation cycle of Managed Security Services Providers (MSSPs). An effective RFP sets the stage for transparent communication, informed decision-making, and a successful partnership.

Clearly Defined Security Goals

Start by articulating your organization's security objectives. In the ever-expanding threat landscape, compliance adherence is rarely enough to anticipate, withstand and recover from sophisticated threats. Instead, focus on meaningful risk reduction and strategies that help you build long-term cyber resilience. Having clear security goals will help potential MSSPs understand the outcomes you seek from their services.

Compliance and Regulatory Requirements

Every year, new compliance regulations and frameworks are introduced globally. Whether HIPAA, PCI DSS, NIS2, Essential Eight, or other industry-specific standards, your MSSP should play an integral role in helping you achieve compliance and demonstrate adherence to compliance standards.

Scope of Services

Detail the specific services and capabilities you expect from a security provider in your MSSP RFP. This could include around-the-clock monitoring, advanced threat detection, complete incident response, regular vulnerability assessments, etc. If any third-party software or subscription services are required, ask your short-listed MSSPs to include these in this assessment. Clearly defining the scope helps the MSSP tailor their proposal to your organization's needs, avoiding misunderstandings later.

Technical Infrastructure

Aligning your current security tools and systems with the technology solutions provided by the MSSP is crucial for seamless integration. If you have existing security tools and systems, ask your potential MSSP to specify how their solutions will integrate with your existing infrastructure. This helps ensure their technology stack can provide full visibility across your attack surface and minimize setup challenges.

Reporting and Metrics

It’s crucial that you gain an understanding of how the provider will report on efficacy, how often they will deliver the reports, how much visibility you will have into the health of your environment, and how your KPIs compare against those of your industry peers. Outline the reporting and metrics you require in your RFP. This will allow potential MSSPs to demonstrate how they measure and communicate their impact.

Budget and Pricing Structure

While not all MSSP RFPs include budget details, providing a budget range or understanding of your financial constraints can help potential MSSPs tailor their proposals accordingly. Ask to see the pricing model of each component of the service package to evaluate the value proposition and align the services to your organizational priorities. In addition, inquiring about discount rates for longer-duration contracts can help discover cost-saving opportunities.

Timeline and Expectations

Including timeline considerations in your MSSP RFP is essential. If you have a desired start date and critical service implementation milestones, indicate them in your RFP. Request a proposed timeline for rollout, setup and deployment to align expectations and plan accordingly.

Modern threats can move to a hands-on intrusion phase in minutes, so consider any Incident Response time commitments your MSSP may have. If an incident occurs, you will need to have confidence that your security partner can rapidly contain threats, restore your systems and minimize business disruption.

Evaluation Criteria

Define how you will evaluate the MSSP proposals. Whether based on technical capabilities, experience, references, cost, or a combination of factors, outlining your evaluation criteria ensures a fair and consistent assessment.

By crafting an MSSP RFP that covers these essential elements, you will set a foundation for meaningful proposals that potential providers can address effectively.

What Answers are the Top Red Flags in a Managed Service Provider RFP?

The MSSP market is saturated with vendors promising to end cyber risk and deliver complete protection. However, in this fiercely competitive market, it’s important that you know how to differentiate between different service delivery approaches and technologies used by MSSPs.

When reviewing MSSP RFP responses, be vigilant for red flags. Responses that lack detailed explanations, propose a one-size-fits-all solution or fail to address your questions and concerns may indicate an MSSP that doesn't fully grasp your requirements or prioritize your organization's security.

Instead, look for security service providers who demonstrate expertise in human-led investigation and response, the ability to drive multi-signal visibility, automated blocking and threat detection capabilities, and clearly outlined expectations around risk management and support after deployment in their RFP responses.

Five core components of an organization’s cybersecurity. Include these capabilities in the questions to ask your MSSP as you evaluate their ability to strengthen your cybersecurity posture.

Top 5 Questions to Ask an MSSP

The top 5 questions to ask an MSSP during the RFP process:
  1. What's your approach to Incident Response?
    Understanding how the MSSP investigates, responds and remediates threats is essential to minimize disruption and prevent downtime.
  2. How do you identify risk and test the efficacy of defenses against it?
    Knowing how an MSSP identifies systemic weaknesses and develops roadmaps to address them will help you gain a better understanding of whether this engagement will help you build cyber resilience.
  3. What signals do you pull from my environment, and what information are you using for detection and investigation?
    This question is designed to test your MSSP’s ability to minimize blind spots, deliver complete visibility across your attack surface, and use multi-signal telemetry to drive deep threat investigations.
  4. What methods do you use to identify and block potential threats?
    Learning an MSSP's approach to threat detection and containment will help you develop a better understanding of how effective they will be at discovering advanced threats and preventing attackers from gaining a foothold within your environment.
  5. How can you help alleviate resource constraints and remove complexity in my security stack?
    It’s essential that your MSSP provides timely support to your in-house team and removes the burden of optimizing technologies and services.

MSSP vs. MDR: Key Differences Between MDR and MSSP

Given the limitations of traditional MSSPs, engaging a Managed Detection and Response (MDR) provider can be an effective way to build resilience, prevent business disruption and reduce downtime.

MDR focuses on delivering 24/7 threat detection, investigation, and response capabilities by ingesting multiple signals across endpoint, network, log, cloud, identity, and vulnerability sources. This multi-signal capability is crucial to maintain full visibility across your entire attack surface and rapidly contain threats – simply monitoring endpoints and network is no longer enough.

Unlike legacy MSSPs, MDR providers offer a more tailored approach to security, eliminating false positives, identifying real threats and helping remove the burden on your internal resources through automated threat blocking and expert-led threat response.

Key differences between MSSP and MDR services. Learn more about why your MSSP RFP should be for MDR in this blog.

Is an MSSP Right for You? Or Should You Turn to MDR?

Deciding between an MSSP and MDR provider depends on your organization's security needs, risk tolerance, and long-term goals. If you’re looking to respond to known and unknown advanced threats fast, minimize the risk of business disruptions and alleviate resource constraints, a true MDR provider will help you maximize the ROI on your investment and deliver stronger security outcomes than a legacy MSSP.

By taking on threat containment and response capabilities, MDR providers deliver greater value to IT teams that are unable to hire, train, and retain highly skilled and certified 24/7 cybersecurity staff. In addition, when you partner with an MDR provider, you adopt a collaborative approach to your cybersecurity program to provide the right level of support, guidance, and expertise you need to build cyber resilience.

To learn how eSentire MDR can help you build a resilient security operation, connect with an eSentire cybersecurity specialist.

eSentire

eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.
