The Forrester Wave™: Global Managed Security Services Providers, Q3 2020

Oct 16, 2020

Why Read This Report 

In our 26-criterion evaluation of global managed security services providers (MSSPs), we identified the 15 most significant ones — Accenture, Alert Logic, AT&T Cybersecurity, Capgemini, CenturyLink, Cognizant, Deloitte, ElevenPaths, EY, IBM Security Services, NTT, Optiv, Secureworks, Trustwave, and Wipro — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals select the right one for their needs.

Key Takeaways 

IBM Security Services, Trustwave, Alert Logic, And Secureworks Lead The Pack

Forrester’s research uncovered a market in which IBM Security Services, Trustwave, Alert Logic, and Secureworks are Leaders; Accenture, EY, AT&T Cybersecurity, Optiv, Wipro, and Deloitte are Strong Performers; CenturyLink, ElevenPaths, NTT, and Capgemini are Contenders; and Cognizant is a Challenger.

Native Cloud Support, Automation, And Remediation Are Key Differentiators

As legacy approaches to managed security services become outdated and less effective, improved action-oriented services will dictate which providers will lead the pack. Vendors that can provide native cloud support, automation, and remediation position themselves to successfully deliver action- and resolution-driven services on all types of infrastructure to their customers.

Cloud, Automation, And Remediation Drive The MSSP Market Now 

In “The Forrester Wave™: Global Managed Security Services Providers (MSSPs), Q3 2018” Forrester report, we introduced the concept of MSSPs as “alert factories.” In this model, raw logs came in, alerts went out, and MSSPs overall felt great about it. Our analysis called for action-oriented MSSPs that build services around the ability to resolve incidents rather than simply finding and alerting on incidents. MSSPs have attempted to solve the alert-factory problem by adopting the philosophy that any problem that exists can be solved by managed detection and response (MDR). This “MDR-will-save-the-world” mindset pervades MSSPs now, and legacy services suffer as a result. Automation and remediation capabilities exist, often paywalled behind a newer — and more expensive — MDR offering. For clients, this means that improving services requires adopting an entirely new paradigm to achieve the benefits promised all along.

As a result of these trends, customers of global MSSPs should look for providers that: 

› Can support any type of deployment model. The ability to natively support cloud log data of any type is still woefully behind in the MSSP world. MSSPs try to answer this problem by supporting cloud access security broker (CASB) logs and, at best in most cases, CloudTrail log data. MSSPs still fail to understand that just because it runs in or comes from a cloud, that doesn’t mean that they support cloud. Look for vendors that understand APIs, provide solutions to the problem of data siloes, and work with SaaS, IaaS, and PaaS vendors of all types.

› Will automate actions for their customers, not just themselves. Most MSSPs have now either partnered with an automation vendor of some kind or built a homegrown solution, and they discuss the importance of configurable playbooks. Closer examination, however, reveals that most of the automation steps accelerate processes for the MSSP, not their clients. While this still benefits the end customer, retrieving artifacts to accelerate incidents is something that helps the MSSP gain efficiency — and margin — and doesn’t always translate to customer benefits. Look for MSSPs that want to accelerate your processes to create efficiency where it matters most — in your security program.

› Offer remediation support across multiple platforms. Customers found little value in MSS when all MSSPs did was offer templatized tickets with generic recommendations. Most MSSPs now offer remediation options — even those behind the premium MDR paywall — that operate as if every breach starts with a phishing email: The user clicks, malware gets installed, attackers move laterally, and data gets exfiltrated. And yes, that happens, but not in every instance. MSSPs’ failure to address issues with cloud leaves them drawing a blank when it comes to investigating and remediating cloud-based and application incidents. Look for vendors that prove they can analyze, investigate, and remediate cloud and application incidents, as well as data breaches circa 2013.
