Forrester Emerging MSSP Wave

Emerging Managed Security Service Providers 2013


Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

The Forrester Wave: Emerging Managed Security Service Providers, Q1 2013
by Ed Ferrara, January 8, 2013 | Updated: February 14, 2013
For: Security & Risk Professionals

Key Takeaways

Emerging MSSPs Have Laudable Capabilities, Forward-Thinking Strategies, And Surprising Client Lists
These emerging players deserve a hard look. They offer comprehensive, professionally delivered security services. Some are pioneering cloud-based delivery, and others resell their services through a growing MSSP reseller channel. All are growing at rates of 30% to 40% per year and have great technical depth and flexibility.

Being A Big Fish In A Small Pond Can Be A Good Thing
CISOs interviewed for this research indicated they liked being the vendor's biggest customer. This offers better value. One CISO at a financial services company said, "I don't need an MSSP with 10 SOCs and analysts fluent in 12 languages. When I call I want to know the name of the person on the other end of the phone and how they will help me."

Cloud, SaaS Security, And Customer Satisfaction Are Key Differentiators
The Leaders in this Forrester Wave want to grow their businesses. Some aspire to serve enterprise-class clients, while a few others think their future lies in serving small and midsize businesses. The cloud, software, and hardware-as-a-service play a big role with two of the Leaders, differentiating them from the pack and other MSSPs as well.

© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.

Why Read This Report
In Forrester's 15-criteria evaluation of the emerging managed security services provider (MSSP) market, we identified the 10 most significant providers in this category (Alert Logic; CompuCom; Integralis; Network Box; Savvis, A CenturyLink Company; Secure Designs; SilverSky; StillSecure; Tata Communications; and Vigilant) and researched, analyzed, and scored them. These 10 providers have less revenue, smaller physical plants, and fewer staff than the nine North American MSSP firms covered in our Forrester Wave published in March 2012, but they are growing rapidly. To help security and risk (S&R) professionals select the right managed security services partner, this report uses our criteria to evaluate each service provider and plots where they stand in relation to each other.

Table Of Contents
  • CISOs Now Have Multiple Options For Managed Security Services
  • What It Means To Be Emerging
  • Emerging MSSPs Address Security Complexity And Contain Costs
  • Managed Security Services: Emerging Player Evaluation Overview
  • Evaluation Focused On Breadth Of Capabilities, Flexibility, And Customer Satisfaction
  • Evaluated Vendors Offer A Full Suite Of Managed Security Services
  • Evaluation Analysis
  • Vendor Profiles
  • Supplemental Material

Notes & Resources
Forrester conducted services evaluations in Q2 2012 and interviewed 10 managed security service providers: Alert Logic; CompuCom; Integralis; Network Box; Savvis, A CenturyLink Company; Secure Designs; SilverSky; StillSecure; Tata Communications; and Vigilant.

Related Research Documents
  • Source Your Security Services (April 25, 2012)
  • The Forrester Wave: Managed Security Services: North America, Q1 2012 (March 26, 2012)
  • 2012 Budget And Planning Guide For CISOs (December 15, 2011)

The Forrester Wave: Emerging Managed Security Service Providers, Q1 2013
Ten Emerging Service Providers That Have The Chops To Be Your Managed Security Service Provider
by Ed Ferrara with Laura Koetzle, Chris McClean, Nick Hayes and Kelley Mak
January 8, 2013 | Updated: February 14, 2013

CISOs Now Have Multiple Options For Managed Security Services

Although information security is a critical function, it's no longer necessary to do it all in-house. Thus, 21% of those surveyed in Forrester's Forrsights Security Survey, Q2 2012 planned to spend more of their budget with managed security service providers (MSSP) in the coming year.[1] This growth percentage was the same in our 2011 survey, and MSSPs are currently reporting between 18% and 21% growth on an annualized basis. The numbers show a clear trend, and there's a growing consensus that outsourcing security is a viable option for many companies. In response to this new demand, MSSPs are expanding and new firms are entering the managed security services (MSS) market. This is good news for security and risk (S&R) professionals because it increases choice and makes services pricing more competitive. It also makes provider selection more challenging because of the increased number of choices.

WHAT IT MEANS TO BE EMERGING

The companies in this Forrester Wave represent some of the best emerging players in the market. Forrester uses the term "emerging" to distinguish this group of MSSPs from the larger, more established players in the market we covered in our March 2012 Wave.[2] Forrester divides the MSSP market into three categories or divisions (see Figure 1).[3] Division 1 includes the largest enterprise-class providers. These MSSPs offer multiple security operations centers (SOCs) in multiple geographies, employ from 100 to more than 1,500 engineers, and have revenues between $70 million and $400 million. Division 2 includes the emerging MSSPs. These companies have from 20 to 100 engineers, one or two SOCs, and revenues between $25 million and $70 million. Division 3 includes many smaller firms that serve the small business market. These companies have a single SOC and a small staff of security analysts numbering no more than 10. Revenues for these firms are less than $25 million. This Forrester Wave evaluates nine Division 2 and one Division 3 emerging MSSPs. These firms offer:

  • Competent security technology skills. These firms use both proprietary and licensed technology for their service offerings. In some cases, these firms will extend licensed technology to improve the licensed technology's capabilities, and some firms resell other firms' services.[4] These MSSPs support a variety of different technologies, including firewalls (current, next-generation, and web application); intrusion detection; endpoint and server antivirus; host intrusion and detection and protection; log management, archival, and maintenance; systems management; threat intelligence; intrusion protection; proxies; security incident and event management; and web application monitoring technology.

  • Effective pricing. The firms evaluated in this Wave don't have the same cost structures as larger firms. They have smaller physical plants, lower marketing costs, and lower cost structures overall. These lower costs allow them to offer services that are similar to those provided by the Division 1 MSSPs but with lower overall cost.

  • Excellent customer service. Clients of the emerging MSSPs gave their providers very positive feedback on their pricing and quality of service. There was variability in the client responses, but overall, the MSSPs in this Wave did well in the customer satisfaction category. When the clients needed help, the best MSSPs didn't simply point to a contract but demonstrated flexibility and worked with their clients to resolve the issue.

  • Experienced and trained staff. The firms reviewed here, in general, have very capable staffs that know the technologies they support. All the firms have formal training programs and apprentice programs, to provide staff necessary skills and experience. These firms use their experience to detect network, application, and server intrusions. The firms also have the necessary experience to identify and address cyberthreats in a number of modes, ranging from simple monitor and alert all the way to complete incident response management.[5] Although the number of staff for these firms is not large (the smallest has a staff of 10 and the largest a staff of 200), these companies are able to demonstrate effective technical and operational competence.

  • Flexibility. Clients praised these emerging MSSPs for their operational flexibility and appreciated their response during security incidents: Rather than spending time analyzing the SLAs and the contract to determine whether the incident was covered, the emerging MSSPs jumped in and worked with their customers to resolve the problems.

Figure 1 MSSP Market Segmentation
Source: Forrester Research, Inc.

Division 1
  MSS revenue: $70M to $400M
  SOCs: More than two, with significant redundancy and BCP-DR
  Analysts/engineers: More than 100 analysts, engineers, and advanced threat engineers
  Technology: Proprietary or significantly enhanced technology
  Portfolio: Full portfolio of standard services (some OEM and white-label possible, but a low percentage)
  Language support: Multilanguage support
  Average client profile: More than 2,000 employees

Division 2
  MSS revenue: Greater than $25M and less than $70M
  SOCs: One to two SOCs
  Analysts/engineers: More than 10 and fewer than 100 analysts, engineers, and advanced threat engineers
  Technology: Significantly enhanced licensed technology
  Portfolio: Full portfolio of services (more white-label relationships than in Division 1)
  Language support: One to two languages
  Average client profile: More than 100 but usually fewer than 2,000 employees

Division 3
  MSS revenue: Less than $25M
  SOCs: One, with limited redundancy
  Analysts/engineers: Fewer than 10 analysts, engineers, and advanced threat engineers
  Technology: No threat intelligence services, unless reselling another company's service
  Portfolio: Narrow portfolio of services
  Language support: One
  Average client profile: Fewer than 100 employees; 20 to 50 employees is most common

EMERGING MSSPs ADDRESS SECURITY COMPLEXITY AND CONTAIN COSTS

Historically, MSSPs offered a series of point solutions without much integration. S&R professionals today want to simplify security operations and lower their costs, which they can do by sourcing their tools and processes for network and application security from an MSSP. This also allows the S&R pros to focus on other security issues.[6] The MSSP's ability to reduce complexity and provide great situational awareness separates the Leader from the Strong Performer and the Strong Performer from the Contender. The MSSPs in this Wave vary in their ability to deliver consistently. S&R pros should focus on these elements when doing due diligence on emerging MSSPs:

  • Advanced delivery models: security software- and hardware-as-a-service. The economy of scale that encourages companies to move other workloads to the cloud also applies to security. Several of the emerging MSSPs offer cloud-based solutions for activity monitoring, log management, and distributed denial of service (DDoS) protection, including CompuCom, Network Box, Savvis/CenturyLink, and Tata Communications. Alert Logic, SilverSky, and Savvis/CenturyLink provide log management as a cloud-based service, and Network Box provides both hardware and software as part of its unified threat management (UTM) service, providing the hardware as part of the company's security protection services.

  • Different value propositions. Information security is an activity built on trust. If an MSSP is a good fit for your company, it will become immediately obvious, and trust soon follows. The MSSP market is very broad and dynamic, with players offering similar services. Security and risk pros should consider a potential provider's value proposition. For example, some MSSPs offer low cost, others service bundles, and all have different pricing models. Not all companies need an MSSP that operates seven SOCs and supports 10 languages. What they do need is excellent technical competence, responsiveness, and flexibility.

  • White-label reselling of services. The MSSP market is fast becoming a bazaar of OEM services resold by various providers. Alert Logic, for example, resells its Threat Manager and Log Manager services to other MSSPs.[7] You'll need to know the integration points between providers in the service you've contracted for so that you can ensure you're protected from any integration failures. Security and risk professionals should also be careful of third-party carve-outs in cases where information security compliance is an issue.[8] A carve-out is a clause in the service provider's contract that says they will provide some level of certainty regarding the security of client data, except when they are reselling a service from another third party.

  • Licensed technology. Licensed technology is at the core of these MSSPs' offerings. The emerging MSSPs we analyze all deliver services using licensed technology from security solution vendors such as EMC-RSA, Fortinet, HP-ArcSight, Kaspersky, McAfee, SonicWall, and Symantec, to name just a few. Depending on the technology, the MSSPs either enhance or configure the technology to meet client requirements.

  • A broad portfolio of services. All the MSSPs in this Forrester Wave provide what we consider to be a core set of services, the most important services an MSSP should offer (see Figure 2). These providers all provide good coverage of these core services.

  • Service line importance. We asked the MSSPs what percentage of their customers use a particular service. Depending on the service, the answers varied from as little as 2% to as high as 80%. Unless the service is new and targeted for growth, the firm may just offer the service as a sideline. This is a good indicator of the MSSP's ability to provide the service.

Figure 2 Core MSSP Services List
Source: Forrester Research, Inc.

  • APT detection and remediation
  • Identity and access management services
  • Distributed/denial of service (DDoS)
  • Log management, monitoring, and archive
  • Em...