Why Read This Report
In our 26-criterion evaluation of global managed security services providers (MSSPs), we identified the 15 most significant ones — Accenture, Alert Logic, AT&T Cybersecurity, Capgemini, CenturyLink, Cognizant, Deloitte, ElevenPaths, EY, IBM Security Services, NTT, Optiv, Secureworks, Trustwave, and Wipro — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals select the right one for their needs.
Key Takeaways
IBM Security Services, Trustwave, Alert Logic, And Secureworks Lead The Pack
Forrester’s research uncovered a market in which IBM Security Services, Trustwave, Alert Logic, and Secureworks are Leaders; Accenture, EY, AT&T Cybersecurity, Optiv, Wipro, and Deloitte are Strong Performers; CenturyLink, ElevenPaths, NTT, and Capgemini are Contenders; and Cognizant is a Challenger.
Native Cloud Support, Automation, And Remediation Are Key Differentiators
As legacy approaches to managed security services become outdated and less effective, improved action-oriented services will dictate which providers will lead the pack. Vendors that can provide native cloud support, automation, and remediation position themselves to successfully deliver action- and resolution-driven services on all types of infrastructure to their customers.
Cloud, Automation, And Remediation Drive The MSSP Market Now
In the Forrester report “The Forrester Wave™: Global Managed Security Services Providers (MSSPs), Q3 2018,” we introduced the concept of MSSPs as “alert factories.” In this model, raw logs came in, alerts went out, and MSSPs overall felt great about it. Our analysis called for action-oriented MSSPs that build services around the ability to resolve incidents rather than simply finding and alerting on incidents. MSSPs have attempted to solve the alert-factory problem by adopting the philosophy that any problem that exists can be solved by managed detection and response (MDR). This “MDR-will-save-the-world” mindset pervades MSSPs now, and legacy services suffer as a result. Automation and remediation capabilities exist, often paywalled behind a newer — and more expensive — MDR offering. For clients, this means that improving services requires adopting an entirely new paradigm to achieve the benefits promised all along.
As a result of these trends, customers of global MSSPs should look for providers that:
› Can support any type of deployment model. The ability to natively support cloud log data of any type is still woefully behind in the MSSP world. MSSPs try to answer this problem by supporting cloud access security broker (CASB) logs and, at best in most cases, CloudTrail log data. MSSPs still fail to understand that just because it runs in or comes from a cloud, that doesn’t mean that they support cloud. Look for vendors that understand APIs, provide solutions to the problem of data silos, and work with SaaS, IaaS, and PaaS vendors of all types.
› Will automate actions for their customers, not just themselves. Most MSSPs have now either partnered with an automation vendor of some kind or built a homegrown solution, and they discuss the importance of configurable playbooks. Closer examination, however, reveals that most of the automation steps accelerate processes for the MSSP, not their clients. While this still benefits the end customer, retrieving artifacts to accelerate incidents is something that helps the MSSP gain efficiency — and margin — and doesn’t always translate to customer benefits. Look for MSSPs that want to accelerate your processes to create efficiency where it matters most — in your security program.
› Offer remediation support across multiple platforms. Customers found little value in MSS when all MSSPs did was offer templatized tickets with generic recommendations. Most MSSPs now offer remediation options — even those behind the premium MDR paywall — that operate as if every breach starts with a phishing email: The user clicks, malware gets installed, attackers move laterally, and data gets exfiltrated. And yes, that happens, but not in every instance. MSSPs’ failure to address issues with cloud leaves them drawing a blank when it comes to investigating and remediating cloud-based and application incidents. Look for vendors that prove they can analyze, investigate, and remediate cloud and application incidents, as well as data breaches circa 2013.