Followers of this site have likely heard about the “master MSP” business model. Once a dominant conversation in the channel, it is now something that has largely become extinct. Or has it?
Master MSPs, the Early Years
I won’t recount the exact reasons master MSPs came about, but the primary reason was to enable VARs and less mature MSPs to ramp up more quickly and leverage a NOC and help desk if they had no intention of building their own.
For a variety of reasons, the master MSP business model began to phase out. One reason was MSPs’ ability to develop “virtual” NOCs, obviating the need to build the more traditional telco-style operations facilities typically seen during the late 1990s and early 2000s.
My point is this: the master MSP model served a legitimate purpose for a time, and then that time passed. Today, we are witnessing a similar “master MSP” model gain momentum, this time in the form of the outsourced Security Operations Center (SOC).
Master MSSP?
All MSPs are involved in security at a fundamental level; this has been true almost from the beginning of our profession. The latest push to convince MSPs to become MSSPs is mostly a marketing message designed to sell software to MSPs.
Even if you agree with me that MSPs have been helping their clients with security since the beginning, there are undoubtedly some areas where MSPs need to update their service offerings. Developing a SOC is one of those areas. I’ll explain.
What’s in a SOC?
A security operations center differs in a few key areas from a network operations center (which some MSPs call a help desk). To make matters slightly more confusing, a NOC can also contain the same SOC functions, depending on its setup.
A NOC is composed of both people and software systems centrally monitoring and managing client systems and networks. The NOC can be a physical place (the traditional method), or it can be virtual (management/monitoring systems are hosted in the cloud, and the people are remote). The point is, if you are a real MSP, you have a NOC.
On the other hand, a SOC shares many of the same attributes as the NOC. It is a central location for analyzing security data, typically arriving from firewalls, IDS/IPS, and other perimeter and network security objects. The SOC, however, does differ in a few key areas from a typical NOC, and these areas deal mostly with the functional purpose of SOC analysis and actions.
The SOC’s primary purpose is ingesting, reviewing, and sometimes (depending on maturity and level of proactivity) acting upon security information received from the managed objects. As stated previously, these managed security objects can be firewalls, IoT devices, servers, basically anything that collects useful information that needs to be analyzed to protect the client against cyber attack.
The SOC plays a more analytical role than the NOC and requires technology not typically seen in the NOC, notably a SIEM. The SIEM performs the tasks of ingesting security information from various objects. Depending on the sophistication of the SIEM tool and the SOC itself, the MSP will then analyze the data and either a) make recommendations or b) take action on behalf of the managed security client.
It is the step of taking action that makes a SOC more effective than one in which the SIEM only performs analysis and issues a recommendation that a human within the SOC then has to carry out. More proactive MSPs with SOCs will be able to take in the information and automate certain steps based on the SIEM product’s intelligence or the SOC process itself.
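As an added illustration (not code from the original post) of the ingest, analyze, then recommend-or-act flow described above, here is a toy SIEM-style pipeline in Python run over a few constructed firewall and IDS log lines. The log format, the deny threshold and the `automate` policy flag are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample events (not from any real device): firewall and IDS lines.
SAMPLE_LOGS = [
    "2024-02-16T16:40:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-02-16T16:40:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-02-16T16:40:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-02-16T16:40:04 ids01 ALERT sig=ssh-bruteforce src=203.0.113.7",
    "2024-02-16T16:40:05 fw01 ALLOW src=198.51.100.9 dst=10.0.0.8 dport=443",
]

@dataclass
class Finding:
    src: str
    fw_denies: int
    ids_alerts: int
    severity: str

def ingest(lines):
    """Ingest step: parse each line into timestamp, sensor, action and key=value fields."""
    events = []
    for line in lines:
        ts, sensor, action, *kv = line.split()
        ev = {"ts": ts, "sensor": sensor, "action": action}
        ev.update(field.split("=", 1) for field in kv)
        events.append(ev)
    return events

def analyze(events, deny_threshold=3):
    """Analysis step: correlate per source IP across sensors (assumed rule)."""
    denies, alerts = defaultdict(int), defaultdict(int)
    for ev in events:
        if ev["sensor"].startswith("fw") and ev["action"] == "DENY":
            denies[ev["src"]] += 1
        elif ev["sensor"].startswith("ids") and ev["action"] == "ALERT":
            alerts[ev["src"]] += 1
    findings = []
    for src in set(denies) | set(alerts):
        if denies[src] >= deny_threshold and alerts[src]:
            findings.append(Finding(src, denies[src], alerts[src], "high"))
        elif denies[src] >= deny_threshold or alerts[src]:
            findings.append(Finding(src, denies[src], alerts[src], "medium"))
    return findings

def respond(finding, automate):
    """Action step: a less mature SOC only recommends; a mature one auto-blocks high severity."""
    if automate and finding.severity == "high":
        return f"ACTION: block {finding.src} at perimeter firewall (automated)"
    return f"RECOMMEND: analyst review of {finding.src} ({finding.severity})"
```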
Summary
All this is to say, today’s MSP needs to quickly develop SOC-style service offerings if it intends to remain relevant. There are some exceptions to this, but for the most part, the SOC is becoming more critical for MSPs and their clients. For MSPs who do not wish to develop this internally, outsourcing to an MSSP or software system will make the most sense.
In this regard, MSPs are looking at MSSPs much as early MSPs looked at master MSPs.
Andrew
Posted at 16:49h, 16 February
Couldn’t agree more. This is the classic case of buy vs. build, but regardless of which way you go, you’d better go one of them or you’re going to find yourself out of business as an MSP. We’ve spent much of the last two years analyzing many, many different platforms – from MSSP to co-managed to outsourced MDR, etc., etc., and have ultimately decided that we and our customers are going to be better off if we build a full SIEM/SOC solution ourselves.
In our case, there’s one big reason this was an obvious decision for us – we’re also a Managed Cloud Service Provider. When 80+% of your clients already host their servers in your datacenter, and you’ve got piles and piles of previous-gen hypervisor and storage hardware sitting around, it just plain makes more sense to house this data yourself than it does to ship it all off to someone else that’s hosting it in Azure or AWS, which are extremely expensive by comparison.
That said, even if you don’t already have a cloud solution, I think that time will prove that MSPs have plenty of recycled hardware and bandwidth available to deploy a SIEM and SOC for themselves. The alternative, depending on what market you’re in, is going to leave you going to your customers to, best case, get them to spend a TON more to get proper security or, worst case, just decline the offer altogether.
The bottom line is this – the best security stack is not just the one that’s highly effective, but is also the one your clients will actually pay for.