Call security: the tussle between MSPs and MSSPs

Nick Sone, Chief Customer Officer

Good on paper and great in theory, dedicated Managed Security Service Providers claim to have a business's back. Until they can't. Nick Sone, Chief Customer Officer, explores why a plethora of providers muddies the waters when threat actors knock, why technology convergence gives MSPs the fighting edge in cyber defence delivery, and how to avoid the blame game when things go wrong.

The warning lights are blinking red. And a client is losing their mind. Bombarded with thousands of failed log-on attempts, from an internal VPN interface on their main firewall against a domain controller, the client's 'specialist' managed security service provider (MSSP) has missed an enormous security breach.

Maybe it’s because the all-out assault occurred in the small hours of a Sunday morning. But it’s now Tuesday, a full two days later. And the MSSP? Still MIA.

This is no drill, but a real incident that recently affected one of our clients. Had they also been our security partner, the response would have unfolded very differently. There’s no way we would have missed a brute force attack. Even at 3AM on a Sunday. And we hadn’t.

As their managed service provider (MSP), we had spotted the incursion, flagged it within minutes, and recommended a clear course of action. Regrettably, that was all we could do within our purview. Given full jurisdiction of their security controls, we’d have instantly blocked the attack, initiated emergency changes, then conducted a rigorous and coordinated post-incident investigation, rather than leaving the client hanging in the wind.

The emergence of convergence

There’s long been an argument that having specialised security providers offers copper-bottomed, gold-plated surety. That MSPs are only ever good for baseline security. That security shouldn’t be rolled up into broader MSP agreements. That MSPs shouldn’t be marking their own homework.

But the more I hear of the security failings taking place on an MSSP's watch (and the one above is no isolated incident), and the more I think about the incredible convergence of security and technology we've witnessed in the past twenty years, the more sceptical I become of these claims.

Subjects that used to command boutique skillsets – be it a vendor for endpoint, a vendor for networks, or a vendor for applications – now operate as consolidated platforms.

Skills once seen as mystically complex have now been greatly simplified. These days, technology is far more capable, far simpler to use and work with, and far easier to respond to. And as the technology has simplified, the skills and capabilities of MSPs have grown.

A recipe ripe for conflict

Incident detection – once the bread-and-butter of an MSSP – is, by and large, now done through technology and automation rather than human intervention. All an MSSP can do is alert an organisation to the problem, potentially run a scan, and possibly isolate a machine. At that point, the ability of an MSSP to do anything of tangible value runs out.

Issues are inevitably handed off – be it to the client, their MSP, or, in some cases, multiple MSPs – and the solving (rebuilding Active Directories, networks, key infrastructure, and applications) is then shouldered by the MSP.

But in our experience, that’s not before fireworks and frustration. There are plenty of examples of MSSPs siloed in security, with an MSP working on everything else. But we rarely see it working as efficiently as if one organisation was handling it all. When it goes wrong, it’s a relationship ripe for conflict.

Defusing the blame game

"Who does what?" That's really at the core of this. When no-one is clear, it's the client who loses out. The blame game gobbles up time. Inertia takes hold. And it's those delays threat actors love. It simply creates space to seed more chaos, more destruction.

When incidents arise, we've seen clients unnecessarily involved in ugly dispute management and conflict resolution. It's a bad look for everyone. And for businesses who assumed everyone knew their role at the outset, it's stressful, frustrating, and costly.

But rolled up into a single provider, an MSP can detect, respond, and recover, all within the remit of a single business. One account team, one delivery manager, one organisation. It simply dissolves inertia. When handed the responsibility for everything – infrastructure, application security, network – an MSP can proactively coordinate a collective response, bringing in teams, and deploying fixes, rather than sitting on their hands awaiting further instructions.

Our approach to security

But how can you be sure that an MSP can deliver the goods and keep your organisation secure? Here are five core approaches Brennan take that consider the tactical, the practical, and the strategic.

1. Audits are sanity checks. If your business has been promised the world by an MSSP (and yes, even by an MSP), be sure to pressure test those assurances regularly, just as you would any other part of your business. Be it a penetration test, a risk assessment, or a maturity assessment, there’s always value in a second set of eyes. If your security is held by an MSSP, I’d argue your MSP is ideally placed to run pen testing. Your MSP should know your networks and infrastructure and applications inside out. It stands to reason they’ll also have the ability to exploit them better than an MSSP can.

2. Pick a few things. Do them well. One of the recurring security challenges we encounter is organisations electing to do something, heroically completing 90%, then moving on. But it's that 10% gap that threat actors live to find, then exploit. Conversely, organisations electing to do 100 things (and doing all of them badly) will be far more susceptible to breaches and will struggle to detect and respond to incidents. Security doesn't have to be hard. Focus on a handful of things that are relevant to your business's risk, do them really well, and only then move on to the next things.

3. Who’s holding what? When considering your ability to respond to incidents, it’s good to know who’s on the hook for what. If there are controls and alerts, who’s looking at them? What are they doing? Why are they doing it? Ensure someone is responsible and accountable for looking at your technology, for making sure it’s patched, and for ensuring alerts are monitored and responded to. Knowing exactly who’s holding the baby will get you through a lot of recurring business challenges.

4. Complexity is not your friend. When it comes to security, we’ve a two-fold philosophy: have as few service providers as possible; and have as simple a technology and operating model as possible. If it’s not clear who does what, or there are too many providers in the mix, you will pay the price when something goes wrong. By simplifying your IT environment and rolling your managed services and security into a single provider, the odds of a robust, timely, and effective response will only multiply.

5. Strike a posture. Reactivity and proactivity. These two postures are powerful allies in building and maintaining a robust security stance.

A strong proactive posture will focus on things like good vulnerability management and an associated programme of works. Look beyond subsets to scan as much as you possibly can, as regularly as you can, fixing vulnerabilities as they arise. Threat actors seeking weak spots run scans, much like vulnerability scans. If they can’t find the chinks, they’ll cut their losses and find something else to do.

A good reactive capability will run security operations 24/7/365, ensuring alerts and logs are generated, correlated, and looked at by security professionals. If someone does gain access to your environment, not only will there be a trigger, but someone will be primed to act on it. A good Security Operations Centre will also give ongoing guidance as to where your environment may need to be hardened.
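The reactive capability described here, and the incident the piece opens with (thousands of failed log-on attempts from a VPN-side address against a domain controller, unnoticed for two days), both come down to correlation logic of roughly the shape below. This is an added example, not Brennan's tooling or code from the original article: the log line format, the sample events (including the source address 10.8.0.23 and the host name DC01), and the threshold and window are all constructed or assumed values that a real SOC would tune to its own telemetry.

```python
"""Sliding-window detection of a failed-logon burst against one host.

Added example: the log format, addresses, host names and thresholds below are
constructed for illustration and are not Brennan's tooling or the page's data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def make_sample_log():
    """Constructed log lines: a trickle of ordinary failed logons from many
    workstations, plus one burst from a single VPN-side address against the
    domain controller DC01 starting 03:00 on a Sunday (2024-03-10)."""
    lines = []
    start = datetime(2024, 3, 10, 2, 30, 0)
    for i in range(40):  # background noise: one failure every three minutes
        ts = start + timedelta(minutes=3 * i)
        lines.append(f"{ts:{TS_FORMAT}} FAILED_LOGON src=10.1.{i % 5}.{20 + i} "
                     f"target=DC01 user=user{i % 7}")
    burst_start = datetime(2024, 3, 10, 3, 0, 0)
    for i in range(300):  # burst: 300 failures in 90 seconds, cycling 50 usernames
        ts = burst_start + timedelta(milliseconds=300 * i)
        lines.append(f"{ts:{TS_FORMAT}} FAILED_LOGON src=10.8.0.23 target=DC01 "
                     f"user=user{i % 50}")
    lines.sort()  # fixed-width timestamp prefix makes lexical order chronological
    return lines


def parse_line(line):
    """Parse one line into a dict, or return None for anything malformed so a
    bad line is ignored rather than crashing the detector."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "FAILED_LOGON":
        return None
    try:
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FORMAT)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if set(fields) != {"src", "target", "user"}:
        return None
    return {"ts": ts, **fields}


def detect_bruteforce(lines, threshold=50, window_seconds=300):
    """Emit one alert per (src, target) pair whose failed logons inside any
    sliding window of `window_seconds` reach `threshold`.
    Lines are assumed to arrive in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (src, target) -> timestamps still inside the window
    users = defaultdict(set)     # (src, target) -> usernames tried since first seen
    first_seen = {}
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["target"])
        first_seen.setdefault(key, ev["ts"])
        users[key].add(ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # alert once per pair, not once per further attempt
            alerts.append({
                "src": ev["src"],
                "target": ev["target"],
                "attempts_in_window": len(q),
                "distinct_users": len(users[key]),
                "first_seen": first_seen[key],
                "alert_at": ev["ts"],
                "seconds_to_alert": (ev["ts"] - first_seen[key]).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(make_sample_log()):
        print(f"ALERT {a['alert_at']:%a %H:%M:%S}: {a['attempts_in_window']} failed "
              f"logons from {a['src']} against {a['target']} across "
              f"{a['distinct_users']} users, {a['seconds_to_alert']:.0f}s after the first")
```

On the constructed data the single alert fires at 03:00:14 on the Sunday, fourteen seconds after the first attempt, with fifty usernames already tried from one address; the forty scattered background failures never trip the rule because the window is keyed per source and target. The alert being raised is the easy part: what the article argues is that the value lies in whoever receives it also having the authority to block the source and change the control, rather than passing a ticket to another provider.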

And the additional dividend of aligning both postures under a single MSP: greater visibility on what else needs to be done in your business, be it end-of-life operating systems, expired switches left exposed, or blacklisting applications in your environment.

Sure. There will always be exceptions that put an MSSP in the box seat. Some jobs – like P1 and P0 incident responses, and forensic analysis – will likely always command highly skilled security specialists.

But the vast majority of workloads can now be delivered in a more responsive and integrated fashion by MSPs. It’s time to debunk the myth that MSPs can’t deliver the security goods.
