ThetaPoint Blog

Traditional MSSPs – The land of missed expectations and how to fix it

The days of “one size fits all” with regard to Managed Security Service Providers (MSSPs) are over. I am not suggesting the role of the MSSP is dead. Far from it; in fact, one could easily argue that they have never been more valuable. What I am advocating, however, is that organizations take a step back and understand the role an MSSP can play in optimizing their Security Operations Center (SOC) capabilities. ThetaPoint has introduced a new service to help leverage the benefits of an MSSP/MDR and our Co-Managed SIEM offering. This Hybrid SOC Offering will help you get off the treadmill of MSSP dread and missed expectations.

What’s Wrong with the Current MSSP Landscape?

Over the past couple of years there has been a remarkable shift in sentiment regarding customers’ infatuation with their traditional MSSP. Highlighting this shift is a recent conversation with a CISO who bluntly stated, “I need to replace my current MSSP because they do not deliver on the service that I am paying them for. I’m looking to bring that function back in house.”

Based on a report published earlier this year by the Ponemon Institute and paid for by Respond Software, it appears that this trend is accelerating. In this study, 40% of the organizations that had outsourced their Security Operations Center (SOC) to an MSSP were bringing it back in house, as more than half felt that their MSSP was not effective. The reasons for this disdain can be boiled down to three larger issues:

Customers Suffer from False Positive Fatigue

The Ponemon study confirmed what was already assumed: 73% of organizations believe their SOC is essential or very important to their overall cybersecurity strategy. Many felt the most important task of a SOC is the reduction of false positives. While we have spoken about the value of enrichment of data in prior blog posts, the fundamental challenge for an MSSP is that they possess little to no business context of their customers’ environment. In essence, the MSSP is fighting a battle with one hand tied behind their back. Without threat intelligence, asset information, business process criticality or vulnerability management information, all events appear to be the exact same regardless of the customer. The end result: the MSSP creates a plethora of false positives, and over time, the customer ignores the alerts and states that the MSSP adds little to no value.

MSSPs can be 2X More Expensive than an Internal SOC

Surprisingly, the study brought to light something that seemed counter to the value of an MSSP: price. The study indicated that those organizations that outsource their SOC to an MSSP are actually paying close to double that of an organization that hosts its own Security Operations Center internally. While it is important to note that the study did not indicate what specific services the MSSP was providing compared to an in-house SOC, clearly there is a divide between perception and reality. Over the past several years, we have clearly seen a desire to offload lower-level functions to an MSSP to help reduce costs (think Level 1 & 2 Analysts for off-hours monitoring), but if these statistics prove accurate, it is actually costing twice as much as doing it in house.

Unrealistic Expectations on Both Sides

Many organizations believe that they make themselves more efficient, and thus able to handle the larger workloads placed upon them, by offloading the burden of security monitoring and engineering to MSSPs. Many organizations outsource these functions to an MSSP to help minimize their own liability and risk. Unfortunately, it has resulted in frustration, inefficiencies, and wasted resources without really solving the problem, which is making their organization more secure. MSSPs are for-profit entities and must deliver quality service at a reasonable price. With high fixed costs, they must amortize these costs across multiple customers and, to grow and scale, find ways to keep costs under control. This leads to what I call a “race to the bottom”. Customer wants great service at a low price, MSSP must deliver value (alert fatigue). Customer finds little value, so come contract renewal time wants a lower price for perceived less value. MSSP must cut back on interaction and service to maintain profitability until both companies lose.

How Do We Fix the Problem?

ThetaPoint’s Hybrid SOC solution solves this problem by bridging the gulf between a traditional MSSP and an in-house SOC. Leveraging our Co-Managed SIEM service offering and adding 7x24x365 T1/T2 security monitoring of your environment, we help organizations mitigate the risk of finding and retaining top security talent, while drawing on our tremendous security engineering expertise to maximize the return on your SIEM investment. By leveraging the MITRE ATT&CK framework for TTPs and custom runbooks (SOPs) for their environment, our clients benefit from a minimization of false positives, control over their data and content, and consistent and repeatable security outcomes. If you want to learn how a Hybrid SOC can help you realize your security goals and desires in a cost-effective model, please reach out to us directly.

About ThetaPoint, Inc.

ThetaPoint is a leading provider of strategic consulting and managed security services. We help clients plan, build and run successful SIEM and Log Management platforms and work with the leading technology providers to properly align capabilities to clients’ needs. Recognized for our unique technical experience, in addition to our ability to quickly and rapidly solve complex customer challenges, ThetaPoint partners with some of the largest and most demanding clients in the commercial and public sector. For more information, visit or follow us on Twitter or LinkedIn.
