Followers of this site have likely heard about the “master MSP” business model. Once a dominant conversation in the channel, now something that has largely become extinct. Or has it?
Master MSPs, the Early Years
I won’t recount the exact reasons master MSPs came about, but the primary reason was to enable VARs and less mature MSPs to speed up more quickly and leverage a NOC and help desk if they had no intention of building them.
For a variety of reasons, the Master MSP business model began to phase out. One reason was MSPs’ ability to develop “virtual” NOCs, obviating the need to build more traditional telco-style operations facilities more typically seen during the late 1990s and early 2000s.
I make this point: the Master MSP model served a legitimate purpose for a time, and then that time passed. Today, we are witnessing a similar “master MSP” model gain momentum, this time in the form of the outsourced Security Operation Center (SOC).
All MSPs are involved in security at a fundamental level; This has been true almost from the beginning of our profession. The latest marketing trends to convince MSPs to become MSSPs are mostly a marketing message designed to sell software to MSPs.
Even if you agree with me that MSPs have been helping their clients with security since the beginning, there are undoubtedly some areas where MSPs need to update their service offerings. Developing a SOC is one of those areas. I’ll explain.
What’s in a SOC?
A security operation center differs in a few key areas from a network operation center (sometimes called a help desk by some MSPs). To make matters slightly more confusing, a NOC can also contain the same SOC functions, depending on its setup.
A NOC is composed of both people and software systems centrally monitoring and managing client systems and networks. The NOC can be a physical place (the traditional method), or it can be virtual (management/monitoring systems are hosted in the cloud, and the people are remote). The point is, if you are a real MSP, you have a NOC.
On the other hand, a SOC shares many of the same attributes of the NOC. It is a central location for analyzing security data, typically arriving from firewalls, IDS/IPS, and other perimeter and network security objects. The SOC, however, does differ in a few key areas from a typical NOC, and these areas deal mostly with the functional purpose of SOC analysis and actions.
The SOC has a primary purpose of ingesting, reviewing, and sometimes (depending on maturity and level of proactivity) acting upon security information received from the managed object. As stated previously, these managed security objects can be firewalls, IoT devices, servers, basically anything that collects useful information that needs to be analyzed to protect the client against cyber attack.
The SOC plays a more analytical role than the NOC and requires technology not typically seen in the NOC, notably a SIEM. The SIEM performs the tasks of ingesting security information from various objects. Depending on the sophistication of the SIEM tool and the SOC itself, the MSP will then analyze the data and either a) make recommendations or b) take action on behalf of the managed security client.
It is the step of taking action that makes the SOC more effective than if the SIEM performs analysis and issues a recommendation that needs to be performed by a human within the SOC. More proactive MSPs with SOCs will be able to take in the information and automate certain steps based on the SIEM products’ intelligence or the SOC process itself.
All this is to say, today’s MSP needs to quickly develop SOC-style service offerings if it intends to remain relevant. There are some exceptions to this, but for the most part, the SOC is becoming more critical for MSPs and their clients. For MSPs who do not wish to develop this internally, outsourcing to an MSSP or software system will make the most sense.
In this regard, the MSPs are looking at MSSPs similarly to how early MSPs worked with master MSPs.