Our Updated MSSP and MDR Guidance Publishes

While Augusto may disagree, this is probably one of our top 3 favorite papers we’ve written, and it has been UPDATED. Hello world! Please welcome “How to Work With an MSSP to Improve Security”, 2018 update (Gartner GTP access required). Apart from content updates and new MDR coverage, it now features a juicy new guidance framework! And an additional co-author too.

The abstract states: “Managed security services are an increasingly popular way to improve information security, yet many engagements struggle to succeed. This guidance helps technical professionals shape the MSSP [A.C. – now also MDR! OMG… this is 2018 for realz! :-)] relationship, refine their expectations and co-develop successful security architectures.”

Some of my fave quotes follow below:

  • “Using a managed security service provider (MSSP) is not the same as shifting responsibility for your security to somebody else. It involves integrating with an external security monitoring and system management paradigm, often using the provider’s standardized processes.”
  • “Organizations that have not retained sufficient internal IR and remediation capabilities cannot benefit fully from either MSSP security monitoring or an MDR-level version. […] You need to adjust your processes to respond to alerts from an external source and provide feedback on their relevance.”
  • “Align your onboarding expectations to the complexity of the service, and make ongoing, bidirectional knowledge transfer a key part of the engagement. MSSPs can only work with the information you give them.
  • “In almost all cases, the organization will need to define and allocate some program management resources to keep the MSSP on task and evaluate its ongoing effectiveness. These reviews are necessary to keep the engagement fresh and maintain its value.”
  • Failure to detect does not necessarily equal incompetence. For example, a failed detection is only an MSSP failure if the MSSP was given access to the necessary log data. If the MSSP didn’t have such access, the real question is, “Why not?” Did the MSSP not ask for it, did the client not provide it, were there technical issues […], or was the area out of scope for the contract?”
  • “Sadly, some relationships come to an end, and your relationship with an MSSP may need to be one of these.” [A.C. – yes, this is an actual quote :-)]

Finally, PLEASE go and provide feedback after you read the paper at http://surveys.gartner.com/s/gtppaperfeedback

Related posts:



This is a Security Bloggers Network syndicated blog post authored by Anton Chuvakin. Read the original post at: Anton Chuvakin