Managed Security Service Providers: A Primer

Managed Security Service Providers (MSSPs) have been a staple of the cybersecurity landscape for many years, and companies such as Symantec, Secureworks, and Trustwave have made a big name for themselves in the space. This blog post will explore what MSSPs do for you as an organization and what their capabilities and weaknesses are. It will also look at how the market is evolving to address changing architectures, cloud infrastructure and cloud transformation projects, and the latest cybersecurity threats. This will allow us to place MSSPs in the evolution of the cloud security landscape and examine what the advancement of MSSPs means for the rest of the security space. It is a continuation of our exploration of the industry landscape that started with our posts on Cloud Workload Protection Platforms (CWPP), Managed Detection and Response (MDR), Security-as-a-Service (SECaaS), and Cloud Security Posture Management (CSPM). We’ll conclude the post by examining where Armor fits in relation to MSSPs and what this means for the security and compliance needs of your business.

What Are Managed Security Service Providers?

According to the Gartner IT Glossary, the definition of MSSP is as follows: “A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning, and anti-viral services. MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.”

MSSPs are primarily focused on managing a large part of the tools, capabilities, and people necessary to secure a client’s IT infrastructure. They can largely be viewed as a security outsourcing model: a client wants a combination of dedicated and remote cybersecurity resources to help perform the daily operations of keeping the business compliant and secure. Below we have listed some core and secondary capabilities of MSSPs.

Core capabilities:
  Security event monitoring and management (firewalls, IDPS, UTM, WAFs, endpoint protection platforms)
  Security analysis and reporting (log management is the foundation of this)
  Security and compliance reporting
  Vulnerability scanning
  SIEM management
  Incident response (remote and on-site)

Secondary capabilities:
  DDoS protection
  Dark web monitoring
  Identity and access management
  Managed detection and response

These capabilities and services usually serve four purposes: threat detection and monitoring, security tool and vendor management, meeting compliance requirements, and incident response. The first two address the ever-present problems of alert fatigue and tool fatigue: MSSPs let customers outsource tool management to a third party and make sense of the deluge of alerts that the tools and services within their IT infrastructure produce. Compliance is a major use case, as clients are beholden to many regulatory requirements such as PCI DSS, GDPR, HIPAA, etc., and the work it takes to ensure that both security and compliance are met is often daunting. Incident response is the last major use case for organizations looking to MSSPs to help secure their environment. Part of the criticism of MSSPs in the past has been their tendency to do alert triage but not remediation. Increasingly, companies are looking for a service provider that handles the cybersecurity chain from alert inception to triage to remediation.

How MSSPs Have Evolved

These capabilities have made the MSSP market a force to be reckoned with inside the cybersecurity industry. Gartner provides some insight into its growth: “The MSS market constitutes approximately 60% of the overall security outsourcing market that will generate $18.7 billion revenue in 2017, growing at a CAGR of 11% through 2021.” This growth is being driven, according to Gartner, by demand from enterprise and mid-size organizations due to budget and staffing shortages, adoption of EDR technologies, customized requirements, evolving compliance reporting, and demand for event monitoring of SaaS, IaaS, and PaaS services. Despite this growth, MSSPs are facing pressure from several market forces: competing capabilities and industry categories such as MDR, client demand for consolidation of the vendor landscape, and the cloud. Each of these forces presents unique challenges to MSSPs and paints a broader picture of the evolution taking place within the cybersecurity landscape.

Let’s look at the first two forces as they relate to each other. MDR companies were born out of a frustration that MSSPs were not focusing enough on remediation and merely focused on solving alert fatigue. This lack of focus on incident response, together with a lack of EDR tooling, gave birth to an MDR market that captured the cyber landscape’s attention over the past few years. MSSPs caught on and started positioning MDR and managed EDR as capabilities within their services stack, rather than a totally separate market need that required multiple vendors. This is in line with broader trends in the cybersecurity landscape: vendors facing pressure on features, capabilities, and services from other verticals within cybersecurity are trending towards consolidation, mergers and acquisitions, and integrating features into their platforms. Companies are in the throes of extreme vendor fatigue and are looking to vendors who can provide a breadth of tools and services in one package.

MSSP and MDR providers are both experiencing pressure from the growing influence of the cloud to deliver their services in a Security-as-a-Service model, one that focuses on consumption-based service delivery and instant, software-based turn-up of security services. They are also challenged by the new architectures and workload types the cloud introduces, spanning SaaS, PaaS, and IaaS services. While MSSPs have primarily focused on managing co-located, private, and company-owned IT environments in the past, it is now table stakes for them to have an answer to how they operate in the cloud and provide managed services in those environments. Providers that cannot adapt to these new architectures, tools, and methods of providing security will inevitably become a dying breed in the market.

The Future of Cloud Security and How Armor Can Help

Armor has experienced the same market trends over the years as the rest of the industry. As a result, Armor had to look not only at how to provide our traditional MSSP services in our own datacenters but also at how to transition our public cloud security products and services into ones that meet the cloud workload security and compliance needs of modern environments. We have done so as part of a Security-as-a-Service business model that focuses on flexibility, ease of deployment, and consumption. Where traditional MSSPs tend to focus the bulk of their efforts on security tool management, Armor has shifted its focus to managing security policy and outcomes. Especially in the cloud, almost all of the tooling is software-based, and therefore a focus on configuration and risk management supersedes many traditional security IT concerns. Gartner predicts that by 2020, 95% of security breaches will be due to misconfiguration and breach of policy. That is why Armor has focused on providing, at the workload level, many of the traditional threat detection and response capabilities that MSSPs provide (malware protection, file integrity monitoring, intrusion detection, vulnerability scanning, etc.) with its Armor Anywhere product. We also offer asset identification, workload management, and security and compliance posture management with Armor Automated Security and Compliance, which addresses the ways in which the cloud is changing the security landscape. Together these can stop both the accidental threats to your environment that come from daily use and the intentional ones where a threat actor is targeting your organization.
