G00247003 Magic Quadrant for Global MSSPs Published: 26 February 2014 Analyst(s): Kelly M. Kavanagh Managed security services is a mature market with offerings from established service providers. This Magic Quadrant presents enterprise buyers with advice on selecting MSS providers to support global service requirements. remote monitoring or management of IT security functions delivered via shared services from remote security operations centers (SOCs), not through personnel on-site." Therefore, MSSs do not include staff augmentation, nor any consulting or development and integration services. MSSs broadly include: Monitored or managed intrusion detection systems (IDSs) Distributed denial of service (DDoS) protection Managed secure messaging gateways Managed secure Web gateways Security information and event management (SIEM) Managed vulnerability scanning of networks, servers, databases or applications Log management and analysis Reporting associated with monitored/managed devices and incident response (IDP) functions, as well as log management services, rather than other elements of the services we have listed. Firewall, IDP and log collection form the core of most MSS engagements. The vendors in the Magic Quadrant are evaluated on their ability to support customers with global service requirements.
Magic Quadrant Figure 1. Magic Quadrant for Global MSSPs Source: Gartner (February 2014) Vendor Strengths and Cautions AT&T monitoring and management services for customer-based and network-based security controls Page 2 of 25 Gartner, Inc. G00247003
including wireless in addition to a wide range of other IT and telecommunications services. AT&T MSSs are based on commercial and self-developed technologies for alert and log collection, real- BusinessDirect portal. Query and browsing of log data are supported via commercial and selfdeveloped technologies. AT&T offers log management via on-premises solutions. Log management and MSS functions must be accessed through separate portals. Integration of these functions into a single portal remains planned. AT&T's advanced threat offering is the Security Event and Threat Analysis (SETA) service, which includes correlation and analysis of data from customer devices and Enterprises should consider AT&T if they require a global service provider with a broad range of service offerings and deployment capabilities that include premises-based and network-based options. Customers of other AT&T services that seek MSSs from an incumbent provider should also consider AT&T. Strengths AT&T has good visibility among Gartner customers, and is often included in competitive MSS evaluations. AT&T's network-based security controls are mature security management and monitoring requirements. AT&T is an established and stable service provider, with delivery capabilities in multiple geographic regions. Cautions The MSS portal continues to lack standardized asset reporting as well as the log browsing capabilities that are available in several competitors' portals. Log management functions must be accessed from a portal that is distinct from the MSS portal. The customization features of the MSS portal are not as extensive or self-service-capable as those in competitors' portals. BT Texas and Hong Kong. BT's MSS offerings include monitoring and management of customer premises deployed devices and network-based security controls as part of its larger portfolio of telecommunications and IT services. BT uses self-developed technology for log and event collection, correlation, query, reporting, and device management. Commercial technology supports staffed 24/7, with an additional nine SOCs worldwide. Capabilities to detect targeted attacks and Gartner, Inc. G00247003 Page 3 of 25
provide advanced analytics are focused on larger customers and delivered via add-on services, including a social media monitoring service, Assure Analytics and consulting engagements. Customers of other BT services that are seeking MSS as well as additional analytics and visualization capabilities should consider BT. Strengths BT has a broad range of security offerings for MSS globally, as well as for security consulting, cybersecurity services, secure networking, business continuity, identity and access management, technology deployment, and integration. BT gets good marks from users for security expertise in support of its MSS delivery. Cautions BT continues to have much lower visibility among MSS buyers in North America and Asia/ Customers use the BT Assure Threat Monitoring Web portal for searching, browsing and reporting security-relevant raw log data, and a premises-based appliance user interface to access non-security-relevant raw log data. CenturyLink throughout North America. It provides MSS as well as infrastructure as a service, software as a service (SaaS), Web hosting, colocation and network services. MSS customers have primarily been customers of CenturyLink's infrastructure services. MSS is delivered through a combination of commercial and self-developed technology for data collection, correlation and analysis, reporting, and log management. CenturyLink has three SOCs in North America, with an additional SOC in the MSS capabilities, and are based on monitoring third-party security technologies. CenturyLink's infrastructure and network services customers should consider the company for managed security. Strengths CenturyLink's enterprise and small or midsize business customers for network services can augment their relationships with CenturyLink via MSSs. CenturyLink's rationalization of security services across its lines of business has enabled a more focused and consistent delivery of MSSs. Cautions CenturyLink does not appear on Gartner customer shortlists for MSSs. The CenturyLink MSS portal lags competitors' portals in several areas, including customization, asset tracking, and correlation across data sources and user data. Page 4 of 25 Gartner, Inc. G00247003
CSC U.K. CSC delivers its MSS as a stand-alone service, and as a complement to its IT outsourcing and consulting services to enterprises and government agencies. CSC is in the process of standardizing its MSS delivery capabilities across all regions using commercial SIEM technology for data collection and correlation, real-time alert generation, and log management. The self-developed are available and include network and payload analysis. Preliminary endpoint analysis and forensics are available via managed services, with more in-depth forensics available as a consulting engagement. CSC outsourcing customers and enterprises, especially those in the defense industrial Strengths CSC's efforts to standardize MSSs across regions now provide global event visibility to SOC analysts, and should result in enhanced effectiveness for multiregional customers. Customers give good marks for the security expertise of CSC's staff, as well as for their understanding of the customer environment. CSC's security expertise supports its strong presence in the U.S. federal government and the Cautions CSC does not fully market its stand-alone MSS. Also, CSC is rarely included on Gartner commercial customers' shortlists for stand-alone MSS deals. Organizations considering CSC for MSSs should evaluate the current state and progress toward the completion of global service standardization to ensure that the capabilities needed in all regions are available to meet deployment requirements. Dell SecureWorks and threat intelligence services. MSS delivery is based on self-developed technology for log and alert collection, for real-time correlation and analysis, and for presentation/reporting via portal. Premises-based log retention and reporting are delivered via commercial SIEM technology. The Dell SecureWorks Counter Threat Unit provides threat intelligence, malware analysis and analytic support for MSS operations. Customers may buy threat intelligence services as part of an MSS subscription. Five SOCs are located in the U.S., with additional SOCs in the U.K., India, Mexico and Eastern Europe. Advanced attack detection is offered within existing MSSs and includes threat feeds, correlation, and analysis of historical events to identify anomalies. Midsize organizations that Gartner, Inc. G00247003 Page 5 of 25
want to meet compliance requirements, and enterprises looking for full-featured MSSs, should consider Dell SecureWorks. Strengths Dell SecureWorks is very visible to Gartner customers and is typically included in competitive MSS deals. Gartner customers offer strong praise for Dell SecureWorks' MSS delivery, security expertise and relationship management. The security expertise available through the Counter Threat Unit is often cited as a differentiator. The MSS portal receives very good marks from customers. Cautions Dell's ownership changes offer less visibility into its business operations, including the positioning and emphasis placed on security products and services. Although reports of issues to Gartner have been minimal to date, customers should continue to monitor Dell SecureWorks' service delivery to ensure that MSS geographic expansion and any shift in Dell's business focus do not dilute its MSS delivery capabilities. Dell SecureWorks' cautious expansion beyond the Japanese market may result in prospects interaction. HP HP is headquartered in Palo Alto, California, with MSS locations in Australia, London and Plano, Texas. HP has a broad security portfolio of professional and managed services; technologies for SIEM, application security and network security; and extensive offerings of additional IT products and services. HP's MSS is based on several self-developed and commercial technologies for data ArcSight console for log management. HP offers a separate governance, risk and complianceoriented portal for executive dashboards. The HP MSS portal provides role-based access, ticketing and security reporting features. Log management is delivered via HP ArcSight ESM and ArcSight Logger in hosted or on-premises deployments. Log management features are available via the HP ArcSight portal. HP's targeted attack detection and advanced analytics capabilities are embedded in its MSS offerings, and are supported with threat feeds, vulnerability information, the detection capabilities of HP ArcSight, and expert analysis. Enterprises and midsize companies with HP IT services or security technology services should consider HP for MSSs. Page 6 of 25 Gartner, Inc. G00247003
Strengths HP is a large, stable provider of MSSs and other security services. It has a multiregional presence and delivery capabilities. HP's broad technology and service delivery options enable extensively customized MSS engagements, including technology bundling and hybrid delivery options. Cautions The HP MSS portal lacks the user correlation and asset and vulnerability reporting capabilities that are available in competitors' portals. Potential customers should validate that HP's current capabilities and enhancement plans meet their deployment and operations requirements. Gartner customers report challenges in differentiating and navigating among HP's security monitoring capabilities, which are available, in differing forms, from HP's product, outsourcing and discrete MSS delivery organizations. Prospective MSS customers should validate HP's coverage and monitor ongoing support when MSS engagement includes security technologies from HP's competitors. IBM full range of security consulting and integration services are available as stand-alone services, and as components of larger infrastructure outsourcing contracts. IBM uses self-developed technology offered as a hosted service, and with premises-based IBM QRadar and other SIEM technologies. regions. IBM's advanced analytics and targeted attack detection capabilities are embedded in its MSS and hosted SIEM offerings, and they are supported by IBM technology and third-party technology deployed by customers. Enterprises with global service delivery requirements, and those with strategic relationships with IBM, should consider IBM for MSSs. Strengths Gartner customers often include IBM in competitive MSS evaluations, and IBM has high IBM's MSS capabilities include support for customer-deployed SIEM (from IBM and other vendors) that is integrated into its standard MSS offerings. IBM is a large, stable provider of security and IT services and products, and it has global delivery capabilities. Gartner, Inc. G00247003 Page 7 of 25
Cautions Gartner customers report overall improvements and lingering challenges for IBM MSSs in sales, deployment and customer care. Although IBM's MSS supports multiple security technologies including many from IBM's competitors in the IPS and SIEM markets MSS customers should monitor planned and actual MSS support for the security technologies deployed in their environments. NTT adding to prior acquisitions of MSS capabilities in the NTT companies (such as NTT Com Security formerly Integralis and Dimension Data's earthwave). NTT is included in this Magic Quadrant on the basis of the combined offerings and scale of the various MSS entities, which it is in the process of rationalizing. NTT uses a variety of self-developed and commercial technologies to Europe and North America. Targeted attack protection is embedded in the MSS offering of each delivery group, and it differs among the groups, although cross-group data sharing for threat information is now being done. NTT customers and enterprises seeking a large global service Strengths Individual NTT MSS groups get good feedback from Gartner customers regarding MSS delivery. Across the NTT MSS offerings, the capabilities of NTT Com Security, Solutionary, Dimension Data's earthwave and NTT Data are well-known in Europe, North America, the Middle East/ NTT has a global presence as well as a broad range of security service offerings and delivery options, in addition to broader telecommunications and IT infrastructure service offerings. Cautions MSS operations across the regions are not yet fully integrated. Current MSS customers must monitor NTT's plans to rationalize its MSS delivery capabilities to ensure that any changes result in equal or better service delivery levels and options. Potential MSS buyers should get binding assurances from NTT regarding the capabilities they will receive globally and within regions to ensure that NTT's current and planned MSS Orange Business Services telecommunications and cloud-based IT infrastructure services, security consulting and integration Page 8 of 25 Gartner, Inc. G00247003
services, and MSSs. Orange MSSs are based on commercial SIEM technology for data collection, correlation and analysis, reporting, and log management, with self-developed technology for two in the Middle East/Africa regions. Advanced threat detection is provided by proprietary technologies as well as by commercial SIEM and network security products, with additional capabilities planned for 2014. Orange service customers and organizations seeking a large, global Orange. Strengths Orange offers a broad range of network and IT services that can be bundled with MSSs. Orange is a large, stable service provider with long-standing MSS and security consulting experience. Cautions Orange has lagged several MSS competitors in the introduction of advanced attack detection and analytics offerings. Orange rarely appears on Gartner customer shortlists for MSS procurement, and in North America, Orange has very limited market visibility. MSS customers in North America often express a preference for a SOC in-region. Although Orange has a North American SOC, it is not staffed 24/7. Symantec and Reading, U.K. Symantec offerings include security monitoring, security intelligence, messaging security services and a range of security products. Symantec's MSS architecture is based on selfdeveloped technology for event and log collection, with a combination of self-developed and management are based on commercial technology. Log query and browsing are enabled via selfplus a new SOC in Japan. Log management services are delivered via Symantec log collection platform, are stored in Symantec SOCs and are available to customers via the MSS portal. A distinct service level offers advanced attack detection analytics. Enterprises seeking an established MSSP should consider using Symantec. Strengths Symantec has strong visibility in the MSS market. Gartner customers very often consider Symantec's MSS offerings in competitive evaluations. Gartner, Inc. G00247003 Page 9 of 25
Symantec's Gartner customers generally offer positive reviews of Symantec's MSS delivery, and of the quality of their interactions with Symantec's SOC analysts. MSS customers indicate that the DeepSight threat feeds and intelligence reports are differentiators of Symantec's services. Cautions Prospective buyers should evaluate Symantec's optional enterprisewide pricing with realistic assumptions of the number of monitoring/log sources they can expect to incorporate into the scope of MSSs. Customer delays in bringing event sources into coverage will result in buyers paying for coverage that they are unable to receive. Symantec is rebuilding its security consulting capability. Prospective MSS customers should carefully evaluate whether Symantec's security consulting services will meet their needs, and whether they must engage with partner-led security services for service initiation and for ongoing project work throughout the course of the MSS relationship. Trustwave those as well as third-party products. MSSs are based on Trustwave's SIEM technology for data Trustwave SpiderLabs group. Trustwave has three U.S.-based SOCs, one in Europe and one in components of Trustwave MSSs, and they are delivered via three Trustwave activities: network monitoring, endpoint monitoring and managed WAF. Companies in the retail, healthcare and banking vertical industries and others that are subject to PCI compliance should consider Trustwave for MSSs. Strengths Trustwave has an extensive portfolio of security products and associated managed services that can be packaged as subscription-based solutions for customers with limited capital budgets and security resources. Trustwave remains a well-recognized provider of services and technologies to support PCI Data Security Standard (DSS) compliance. The Trustwave MSS portal provides extensive language support. Cautions Current customers and potential MSS buyers should continue to monitor Trustwave's ability to meet delivery and road map commitments as it navigates a possible initial public offering. Page 10 of 25 Gartner, Inc. G00247003
Potential MSS customers should evaluate whether the split of compliance reporting capabilities between the MSS portal and the log management portal meets their operational requirements. The Trustwave MSS portal lags several competitors' portals in providing correlation of user activities with infrastructure events. Except for PCI monitoring engagements, Trustwave very rarely appears in MSS deals among Gartner customers. Verizon Latin America and Asia. Verizon offers MSSs and security consulting, as well as a broad range of telecommunications and infrastructure services. Verizon's MSS architecture is based on selfdeveloped technologies for event collection, correlation and alerting, with commercial technologies developed and commercial technologies. Two SOCs are located in the U.S., two in Europe and two threat intelligence and malware detection signatures that support MSSs, and Verizon's breach response services inform MSS monitoring efforts. Targeted threat detection services are incorporated into the standard MSS delivery. They are based on commercial technologies, on Verizon's self-developed correlation and threat intelligence capabilities, and on network monitoring. A distinct advanced analytics service is available in the U.S. to governments and enterprises facing service provider that is capable of delivering a broad range of security services in multiple regions. Strengths and premises-based controls. Gartner customers often include Verizon in competitive MSS evaluations. Verizon's MSS receives generally positive reviews from Gartner customers for meeting their expectations for security expertise, and for effective security monitoring and alerting. Customers also indicate that Verizon's security expertise is a differentiator for MSSs. Cautions Verizon's MSS portal lacks the user activity correlation capabilities that are available from several competitors. Verizon's log management services currently lag those of its competitors. New capabilities are planned for 1Q14. Gartner, Inc. G00247003 Page 11 of 25
Vendors Added and Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that or of a change of focus by that vendor. Added NTT was added to this Magic Quadrant based on its acquisition of Solutionary, and on the prior acquisitions of Integralis (now NTT Com Security) and Dimension Data's earthwave. NTT's capabilities across these organizations meet the criteria for inclusion in the Magic Quadrant. Orange Business Systems was added because it also meets the inclusion criteria. Dropped Allstream, Bell Canada, CGI, Clone Systems, Nuspire Networks and Perimeter E-Security (now named SilverSky) were dropped from this Magic Quadrant because they do not meet the inclusion North America. HCL Technologies was dropped because it is in the process of realigning its MSS capabilities and currently does not meet the inclusion criteria for this research. SAIC was dropped because of its split into two companies, SAIC and Leidos, and because the MSS Inclusion and Exclusion Criteria This Magic Quadrant expands the coverage from MSSPs in North America to include delivery that have operations in one geographic region can support customers in other regions. Gartner sees their region. Among global enterprises, that includes a presence in multiple regions where the enterprises operate, in order to provide more "local" support and also includes the MSSP's advanced support, and provide local language support, among other concerns. In addition, compliance with data residency and privacy regulations can be addressed in many cases with local operations centers. Page 12 of 25 Gartner, Inc. G00247003
This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS revenue. management, and a threshold for the number of MSS customers both distributed across multiple regions. MSSs refer to remote management and monitoring of security technologies. Several large infrastructure outsourcing vendors offer other service delivery options (such as staff augmentation) in addition to MSSs, but we don't evaluate these other delivery options. Also excluded from this analysis are service providers that offer MSSs only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for third-party technologies. 2013-2014 Global MSSP Magic Quadrant Inclusion Criteria Vendors must have: discrete service offerings, and shared service delivery resources Firewalls/IDP devices under remote management or monitoring for external customers External customers with those devices under management or monitoring Reference accounts that are relevant to Gartner customers in the appropriate geographic regions in multiple geographies A threshold for MSS revenue of $20 million in 2012 A SOC presence in multiple geographic regions 2,250 in North America and 25 in the rest of the world (ROW), in the following possible combinations: North America + ROW Europe + North America 10 in ROW, in the following possible combinations: Gartner, Inc. G00247003 Page 13 of 25
North America + ROW Europe + North America 2013-2014 Global MSSP Magic Quadrant Exclusion Criteria Vendors have: Service offerings that are available only to end users that buy other non-mss services Services that monitor or manage only their own technology Services delivered by their own resources and dedicated to a single customer Evaluation Criteria Ability to Execute Product or service refers to the service capabilities in areas such as event management and levels. Overall viability the overall company, and the likelihood that the business unit will continue to invest in the MSS offering. Sales execution/pricing includes the service provider's success in the MSSP market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered. Market responsiveness/record evaluates the match of the MSS offering to the functional requirements stated by buyers at acquisition time. It also evaluates the MSSP's track record in delivering new functions when the market needs them. Marketing execution is an evaluation of the service provider's ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer. Customer experience is an evaluation of the service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by conducting qualitative interviews of vendorprovided reference customers, as well as by feedback from Gartner customers that are using the MSSP's services, or have completed competitive evaluations of the MSSP's offerings. Operations Page 14 of 25 Gartner, Inc. G00247003
Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Product or Service Overall Viability Sales Execution/Pricing Market Responsiveness/Record Marketing Execution Customer Experience Operations Weighting High High Medium Medium Medium High Medium Source: Gartner (February 2014) Completeness of Vision Market understanding involves the MSSP's ability to understand buyers' needs and to translate them into services. MSSPs that show the highest degree of market understanding are adapting to Marketing strategy refers to a clear, differentiated set of messages that is consistently communicated throughout the organization; is externalized through the website, advertising, market conditions in the MSS market. Sales strategy relates to the vendor's use of direct and indirect sales, marketing, service, and Offering (product) strategy is the vendor's approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated. Business model includes the process and success rate for developing features, innovations and service delivery capabilities. Vertical/industry strategy and geographic strategy include the ability and commitment to service geographies and vertical markets. Innovation refers to the service provider's strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements. Gartner, Inc. G00247003 Page 15 of 25
Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Weighting High Medium Medium High Low Medium High Medium Source: Gartner (February 2014) Quadrant Descriptions Leaders looking to buy an MSS as a discrete offering. These providers typically receive very positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring frequent interaction with the MSSP for analyst options. Challengers In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider's other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, it offers a "path of least resistance" to enterprises that need an MSSP and use the vendor's main services. Visionaries Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require frequent interaction with MSS analysts, Page 16 of 25 Gartner, Inc. G00247003
have less market coverage and fewer resources or service options compared with vendors in the Leaders quadrant. Niche Players segments, or primarily as part of other service offerings. These service providers often tailor MSS Context Prospective MSS buyers with threat management use cases should highly weight MSSPs' threat research and security intelligence capabilities. Current and prospective MSS users should require a proof of concept, or a demonstration of MSS offerings for advanced analytics and big data, to validate effectiveness and value. Current and prospective MSS users should validate MSSPs' services that are related to monitoring or management of third-party technologies or their own technologies to address advanced attacks. Market Overview The MSS market is mature, and prospective customers have numerous options among MSSPs and the types of services offered. The primary drivers for MSSs have been consistent for several years: 24/7 threat management and meeting compliance requirements. These may be complemented by related drivers, such as the desire to redirect existing resources to other security areas, or the need to engage deeper or broader expertise than is available in-house. An emerging driver is support for the protection from and detection of targeted attacks through MSSP knowledge of the external threat environment, through insight gained from monitoring events from a broad and global customer base, through MSSP-based advanced analytics, or through MSSP monitoring of customer-deployed next-generation protection and detection capabilities. the MSSPs included in the evaluation meet the minimum thresholds for MSS business in two or scale to support global service delivery. Customers with a mix of global delivery requirements and local regulatory requirements related to, for example, data privacy, may require customized services. MSSPs that do not meet the customer or device thresholds for inclusion in this Magic Quadrant may still deliver high-quality services within a region, and can typically deliver in multiple regions. When considering MSSs, Gartner customers should develop evaluation criteria that meet their Gartner, Inc. G00247003 Page 17 of 25
Gartner expects that growing enterprise experience with cloud-based infrastructure and applications delivered as a service, as well as accommodating the access of consumer technology to corporate systems, will result in greater acceptance of, and reliance on, cloud-based security-asa-service offerings. In 2013, the global market for security outsourcing was $12 billion, with a forecast compound annual growth rate of 15.4% through 2017. Growth in enterprise demand for MSSs is driven primarily by four factors: Gartner sees continued expectations to reduce same time, increased monitoring of infrastructure logs, as well as privileged and application user activity and next-generation technologies, requires tool and analytical expertise that will be Evolving compliance reporting requirements: This involves the evolution of existing compliance requirements, and of corporate governance policies that create a secondary effect among business partners. As formal compliance regimes evolve or audit/enforcement activity increases, organizations consider external service providers to reduce the costs of meeting compliance requirements. PCI DSS remains an important driver; also, Gartner is starting to see the U.S. Federal Information Security Management Act's (FISMA's) continuous monitoring that sell to the U.S. government, and for organizations funded by government grants, such as universities. Adoption of security technologies and analytic tools focused on advanced attacks: As enterprises gain experience with technologies to analyze networks, payloads and endpoints for advanced attacks, they will look for opportunities to focus internal resources on prevention and response activities, and to augment those activities with external expertise to monitor and manage the technologies. Increased availability and adoption of cloud-based IT services: Increasing use of cloudbased IT services will drive security controls into those services, and will also lead to greater acceptance and adoption of cloud-based security services for controls that are best suited for to MSSs, such as secure Web gateways, email security, and identity and access management. MSS growth can also be constrained by a few factors: Enterprise deployment of SIEM technology to provide in-house alerting and log analysis: MSSPs typically lack deep insight into the customer IT and business environment; thus, they are less able to determine whether events involving users, administrators, internal applications and data are inappropriate or unacceptable. Wherever enterprises want close monitoring of internal activities, they may opt to do it themselves. Some organizations monitor internal Page 18 of 25 Gartner, Inc. G00247003
activities and also use an MSSP for external/perimeter monitoring. Such an arrangement still constrains the growth of MSSs in those organizations. Core competency: Organizations that provide security technology or services, or position their technology or services as secure, are likely to forgo outsourced security monitoring. Where security is a value proposition and a core competence, outsourcing security may not be an effective option. Change in strategy to reduce outsourcing: At the enterprise level or within the security organization, a change in strategy regarding the use of external services can mean that MSSs are not considered effective options. MSS Portfolio The services that are core to MSS offerings involve the monitoring of perimeter network security technologies: Firewalls IDSs/IPSs WAFs In addition to monitoring, many MSSPs have management services for those technologies. It is increasingly common for MSSPs to also provide monitoring and log collection from IT infrastructure such as servers, user directories and applications. Among organizations that have deployed SIEM technology, Gartner sees increasing interest for services to monitor or run the SIEM. Several MSSPs have offerings to support customer-deployed SIEM. MSSPs may also provide cloud or SaaS-based services, including: DDoS protection Email security Vulnerability scanning MSSPs offer cloud services directly or via partnerships with other service providers. The degree of integration of partner-delivered services with MSSP services varies from little more than purchasing convenience to integration of partner data and management functionality into the MSSP's portal. Gartner, Inc. G00247003 Page 19 of 25
Deeper integration can provide operational and vendor management advantages, but may reduce the ability to "swap out" one cloud-based service for another. Buyers should take into consideration the degree of integration of any partner-delivered services end-of-contract switching costs. Threat Intelligence and Advanced Analytics Several MSSPs have created research groups to improve their understanding of the threat landscape that is, the identities, motives, targets and techniques of attackers. MSSPs use their subscription-based access to this research, or offer customers project-based access to the group for analysis/reverse engineering of malware. Potential customers of threat intelligence feeds from MSSPs should require proof-of-concept access to evaluate the relevance of the information, as well as their ability to consume and act on it. Many MSSPs claim capabilities to assist their customers in addressing advanced targeted attacks. These capabilities may be visible as discrete service offerings or options, or as features embedded in existing offerings. They may include, for example: Correlation of alerts with IP reputation or known bad addresses to those of known attacks Analysis of activity patterns (across an MSS customer base as well as within the customer environment) to identify outliers, exceptions or deviations from baselines These offerings are now primarily based on the security events monitored by the MSSPs; however, we expect that several MSSPs will introduce distinct service offerings to acquire, retain and analyze large volumes of customer data so called "security big data" from IT infrastructure and other sources. Gartner recommends that customers require a limited pilot or proof of concept to identify data, and to identify the service levels required. Based on feedback from Gartner customers, early adopters should plan for the inclusion of relevant domain experts who are typically outside the security group, such as line-of-business owners and application owners. Most MSSPs also offer incident response capabilities to assist customers with investigation and remediation activities in the event of a breach. These services are typically available on a consulting available within the context of the standard monitoring services, and when a consulting engagement is required. If the MSSP offers packaged or prepaid hours for incident response activities, then customers should ensure that those hours are available for other security services if they are not needed for incident response. Page 20 of 25 Gartner, Inc. G00247003
Pricing Models The typical pricing model for MSSs is based on the type and size of the security technology to be monitored for customer-premises-equipment-based devices, or on the bandwidth or number of users/endpoints for network-based controls. Log collection is typically priced by the number and types of sources, or on events per time period (device count pricing includes implicit expectations of event volumes). There is typically a clear distinction between technology that is monitored in real time, and subject to alerting service-level agreements (SLAs), and technology that is not that is, where logs are collected and subject to reporting or querying, but not to real-time correlation and changes to be performed within a period of time. and management, to decline slightly. Price pressure is coming from new sources for these services, such as from the technology providers themselves, from other MSSPs and from continued corporate efforts to reduce IT budgets. In response, MSSPs have introduced new services to monitor and manage advanced threat detection technologies. MSSPs will continue trying to expand the number of devices and data sources to monitor, and will differentiate monitoring based on the availability of additional external intelligence feeds and analysis (such as reputation data, blacklists, behavioral data and cross-customer activity) that can be correlated with data from customers' monitored devices. MSSP Landscape The basic makeup of the MSSP vendor space has not changed fundamentally. There are three major types of MSSPs: Pure plays: These are generally smaller, privately held MSSPs that are completely focused on security services. As seen in 2013, pure-play MSSPs will continue to be acquired by larger analytic services (such as user activity) or advanced threat detection technologies. System integrators/business process outsourcers: These are broad IT service providers that typically manage security devices as part of larger outsourcing deals. Where the integrator or outsourcer acquired a pure-play MSSP and maintained a discrete MSS delivery capability, these providers often compete for MSS-only deals. Carriers and network service providers: These are bandwidth and connectivity providers that manage network security products. They often provide remote monitoring, premises-based technologies and cloud-based services through their Internet connections. presence and global delivery capabilities. The vendors that meet those requirements fall into the latter two types of MSSPs. Gartner, Inc. G00247003 Page 21 of 25
In general, the MSS portfolios of these providers look broadly similar. Customer satisfaction with services can be strongly related to customer expectations. Customers occasionally report dissatisfaction related to objectively poor performance, including missed SLAs. However, it is more may never have been made explicit to prospective providers, or to the MSSP selected. Gartner customers using MSSPs express differing expectations regarding their type of relationship with MSSPs. Expectations may range from frequent interactions and knowledge sharing among the customer security staff and MSSP staff, to almost no interactions beyond the provision of periodic reports of monitoring activity. Gartner recommends that prospective MSS buyers develop explicit requirements for service delivery. MSSPs' responses to these requirements (including via demonstrations, proofs of concept and the like) will enable customers to discern distinct differences among the MSSPs. analysts, the features of the MSSP's portal that will support the customer's use cases, reporting for operational and management reporting, the depth of threat and security intelligence offerings, Not included in this Magic Quadrant analysis are smaller, regional or subregional providers, which can include small pure plays and larger providers that do not have enough MSS business in multiple regions to meet the inclusion criteria. Also excluded from this analysis are service providers that provide MSSs only for their own technology, and that do not deliver services for commercial technology. Gartner Recommended Reading Some documents may not be available as part of your current Gartner subscription. "Forecast Overview: Information Security, Worldwide, 3Q13 Update" "How Gartner Evaluates Vendors and Markets in Magic Quadrants and MarketScopes" Evidence Gartner customer inquiries and information sharing related to MSSPs Analyst interactions with Gartner customers via inquiries and meetings Survey of MSSPs Survey of MSS reference customers Page 22 of 25 Gartner, Inc. G00247003
Ability to Execute Product/Service: market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as Overall Viability: the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products. Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Market Responsiveness/Record: achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness. Marketing Execution: with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate Completeness of Vision Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest Gartner, Inc. G00247003 Page 23 of 25
degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision. Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling products that uses the appropriate network of the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. Business Model: The soundness and logic of the vendor's underlying business proposition. Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and markets. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes. Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to directly or through partners, channels and subsidiaries as appropriate for that geography and market. Page 24 of 25 Gartner, Inc. G00247003
GARTNER HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 USA +1 203 964 0096 Regional Headquarters AUSTRALIA BRAZIL JAPAN UNITED KINGDOM For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp ates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, s Board of zation f Gartner research, see Guiding Principles on Independence and Objectivity. Gartner, Inc. G00247003 Page 25 of 25