
QUESTION #4
How much support do I need?
There is a whole gamut of support options, but not every MSSP will offer all of them.
BACKGROUND
Support (or mismanaged expectations) can often make or break any outsourcing relationship. It’s important to be clear about the level of support your organization needs and what a prospective MSSP can actually provide. If it’s not written down in a service description or contract, you should not simply expect something to happen after signature.
Do you need global support or U.S./EMEA only? Do you require 24x7 coverage, 365 days a year? Or can you manage with only off-hours assistance because you have mature workflows for transitioning workloads, events, investigations, hunts, incidents, etc. through shift changes?
Response is another subject.
It’s not only important to be clear about response time but also about what response means. What do you want the provider to do? Response can mean anything from sending an email to isolating a host on the network; it is often assumed to include fixing the problem and putting the host back online with no intervention from you, which falls more in the realm of remediation. This continuum from “alerting” to “response” to “remediation” should be kept in mind and will be a big variable in both the scope and the cost of the engagement. Alerting might be (only) email and/or SMS alerts.
Response is typically focused on leveraging your endpoint security software but can and should also cover responses on user accounts. Remediation is potentially the heaviest lift, where the provider helps with or completes clean-up in your environment. No matter where you end up on this continuum, you will need response times and specific tasks to be commitments. How “hard” those commitments are may depend on how sensitive your environment is, but speed is increasingly of the essence in responding to threats and will become even more important as AI impacts the threat landscape.
Most competition between MSSPs in the market today is over response capabilities: what they can and will automate or perform on your behalf. Ask your potential MSSP to work through your incident response plans with you using a RACI chart. Mapping out who does what and when is often part of the on-boarding, but you should ask for it before you buy so that no one ends up with mismatched expectations.
Integration and authorization factor in here as well and can influence your support decisions. If you have a SIEM, will it be co-managed? Do you need the MSSP to manage your firewalls or IDP? Some will do that; others won’t. Do you have a managed EDR solution in place now for endpoint protection? If so, will the MSSP cooperate with that provider? Do you need your MSSP to use certain authorization methods (e.g. Okta) to gain access to or manage things in your environment?
TIP: Don’t assume anything when it comes to support. There is a wide range of response capabilities among MSSPs. Make sure you are very clear about what you need and what the provider can deliver, and put it in the contract. Also be open to the MSSP’s experience-based input, where possible, as there might be places where better outcomes are achieved by adopting their processes over your own.