EclecticIQ
Why MSSPs Must Go Beyond Pure Efficiency to Deliver Value in Cybersecurity

Managed security service providers (MSSPs) must be able to provide a sufficient level of value while at the same time maintaining operational efficiency - a tough balancing act.

EclecticIQ Endpoint Security Team February 7, 2023


Today’s managed security service providers (MSSPs) face an eternal struggle when it comes to their customers. They must be able to provide a sufficient level of value while at the same time maintaining operational efficiency. This balancing act isn’t easy, especially since focusing on one side will have major knock-on effects on the other. Let’s dive into this conundrum.

What is value?

For a customer of an MSSP, the value expectation is to get as much for their money as possible, plain and simple. A baseline level of features is expected and required, but a customer will also be looking for “value-adds” like exclusive security tools, premium support agreements, or pre-built integrations, for example. They want to ensure they’re getting what they need & want, and perhaps more importantly what they don’t know they need & want (yet), in return for the investment they’re making to employ an MSSP.

For the MSSP themselves, providing value means ensuring that their customers’ needs & expectations are not only met but exceeded. Aiming to always do the bare minimum, i.e. what it takes to get the customer to go away, is certainly not the best way to grow a business. Overall, the theoretical goal should be maintaining customer satisfaction whilst keeping each customer engagement as profitable as possible.    

Helping customers make an informed decision 

Have you ever been paying for a service or using a product that you’ve recently purchased when suddenly, much to your dismay, you discover that one of the competitors has a cool, new feature that yours is lacking?

Chances are that this ‘thing’ is a function you didn’t take into consideration when initially making your decision. Now, you feel intrigued by this new function and the benefits it could have provided you with, not to mention some possible frustration and a feeling of “missing out.” 

As time progresses, these missing features will become less awesome but more common if your service or product isn’t upgraded or doesn’t evolve. As a customer paying for a service, you expect that service provider to have your best interests at heart and to be investing in both your and their future services.

The imbalance

As we examine the MSSP space, one of the key features required and provided is security investigations and alerting. This core function houses one of the biggest catch-22s within cybersecurity: if, as the MSSP, you create and escalate too many security incident alerts to your customer, they will eventually be treated as noise and somewhat ignored. This certainly does not equal value in the eyes of the customer.

Similarly but conversely, sending too few or no escalations will leave the customers wondering what exactly they’re paying you for, leaving the MSSP to rely on fancy reports and dashboards to show what they’ve been doing for their customers.  

This is a perfect example of the balancing act that MSSPs are controlled by: too much is too little, whilst too little is nothing.

What can a potential MSSP customer do?

  • Look for providers that use a single product set to accomplish multiple functions; this will typically show a highly integrated feature set with ongoing development.
  • Ask potential providers what additional use cases they accomplish outside of the core security alert use cases; lots of additional use cases highlight a feature-rich service with visibility depth.
  • Always ask for a proof of concept (POC) before making a purchase; this is a key step (and expected by the service provider) to ‘try before you buy’. Make sure to try out some of those additional use cases you’ve already talked about.
  • Be clear in the features you require of a prospective MSSP. MSSPs all provide slightly different service solutions in different ways; it isn’t a one-size-fits-all market.
  • Don’t just base your decision or research on the ‘big names’ in the industry. They have typically scaled to such sizes by focusing on operational efficiency rather than value provided.  

What can an MSSP do?

  • Don’t take your customer base for granted. Invest time to improve the overall customer experience with your services rather than for a few specific key customers.  
  • Look at your in-house knowledge strengths and build solutions that are tailored to your knowledge and experience. Moving into a new market is often required, but make sure it isn’t a completely new direction for your company as it will surely fail.
  • Work on integration between products used within your solutions; bridging products and datasets together will strengthen your visibility, detection, and investigation workflows.
  • Have alignment from executive to junior staff on the direction of the company and the services it provides.  
  • Avoid chasing the money engagements (easier said than done). If it sounds too good to be true, it most likely is. Short-term gains will always result in longer-term pains with these types of engagements. 

Ideally, the relationship will be two-way, with each seeing the other’s point of view and having realistic expectations. That way, it’s easier to balance value and efficiency from the get-go so both parties can enjoy a maximum return on the time and money they put in. 


About Endpoint Security Solution Assessment

The assessment should cover all aspects of our traditional People, Process, and Technology Framework. Check out the whitepaper on “5 Questions to Ask About Your EDR” to help you make an informed decision.

About EclecticIQ Endpoint Response

The EclecticIQ Endpoint Response solution offers unparalleled visibility into endpoint telemetry by using the proven open-source telemetry tool osquery as a foundation and adding our own custom extensions on top, achieving in a single agent what would otherwise require multiple tools running in unison. Interested in learning more? Feel free to contact us.

About EclecticIQ Endpoint Response Community Edition

The EclecticIQ Community Edition platform is a sophisticated and flexible endpoint monitoring and response platform, based on the osquery agent. It provides endpoint monitoring and visibility, threat detection, and incident response for Security Operations Centers (SOCs). Download it on GitHub.

