10 Things To Look For In an MSSP

Managed Security Service Providers (MSSP) are IT companies that operate some portion of their customer’s security infrastructure such as firewalls, VPNs, spam / antivirus systems, and intrusion detection tools. They typically offer Log Management (CLM), Security Information & Event Management (SIEM), and Security Orchestration Automation & Response (SOAR) solutions as well for a comprehensive approach to ensure security issues are prevented as much as possible, detected when they do occur, and responses are deployed quickly to mitigate risk.

A survey indicates that 82% of IT professionals have either already partnered with, or plan on partnering with an MSSP in the near future, while another report estimates that the Managed Security Services Market will continue growing and exceed $47 billion in revenue by 2023.

There are several must-have capabilities to look for in an MSSP, and these are 10 of the most essential ones.



Essential to modern cloud computing, multi-tenancy refers to software architecture that is built around a single instance of the program which runs from a server and is provided to several tenants (customers). Each individual tenant can be set up to suit their own workflow needs, but this information is not shared with other tenants, ensuring confidentiality and data protection.

A good MSSP will leverage multi-tenant solutions to achieve operational efficiencies, but must thoroughly evaluate the multi-tenancy capabilities of the security tools they use on behalf of their customers to ensure the tools themselves are secure and do not allow data leakage between clients.


Now, more than ever before, cybersecurity is one of the most vital components of IT. Hackers, industrial espionage, and various types of malware – every day they are looking for ways to compromise your systems and operations.

Security measures like anti-virus software and firewalls don’t cut it anymore – you need an MSSP with expertise in advanced solutions such as SIEM, proactive security features, and early detection systems.


When it comes to network security, time is always of the essence. If a security breach does occur, the right people should be notified ASAP. Look for an MSSP that both has a set of baseline alerting rules and will work with you to develop custom rules for your unique situation. Be sure to clarify up front who will be receiving and responding to alerts – a full-service MSSP should be expected to handle the majority of alerts, but is good at bringing you into the process early when critical events occur.


Services should include automated matching of log data to threat intelligence data feeds to detect activity within your environment that indicates known threats. These threats should be part of the alerting baseline mentioned above and you may want to request that you are included on any alerts stemming from log data that matches threat intel data.


You never know what might happen in a few years – your MSSP changes technology platforms, you outgrow them, they are acquired or experience some other major change. Make sure you have clarity on what data can be extracted, how, and the process for requesting that data before you sign a contract with them. Dig in deep – they may be limited by functionality and contractual constraints from the vendors they do business with.


In order to meet certain industry regulations and criteria, enterprises have to archive their historical log data and other information. These can often take up considerable space, which having an archived back-up on the cloud frees up. Make sure your MSSP offers this service and is capable of advising you on what data needs to be archived and for how long. If the MSSP is including storage costs in your contract, make sure to clarify storage limits on active and archived data and any price differences between the two.



While MSSPs undoubtedly save a lot of money and headaches in the long run, they can also be very expensive, especially as your enterprise begins to scale upwards. Many MSSPs base their price on data volume tiers, and you get charged more when you exceed your current one – even if it’s only by just a little.

That is why a good MSSP charges granularly – according to the amount of data you send to it. This pricing model is not just more affordable and fair, it also makes it easier to plan your operating budget.


Friendly and forthcoming customer support separates good products from bad ones. When rating companies and their services, customers place quality customer service at the very top.

If something goes wrong, or if you have any questions, knowing that you can always reach out to the professionals that know the software inside out and are there to patiently help you with whatever you need is something you can’t put a price on.

A critical component to this is what kind of relationship do they have with their technology vendors. Do they do joint Marketing activities together? Who is responsible for Level 1, 2, and 3 technical support? Do the talk to their vendors regularly, attend their conferences (if they have them), complete their trainings, or even sit on their advisory boards? Your MSSP doesn’t have to be huge, just engaged.


Not every MSSP has a technical development team that is dedicated to constantly seeking new ways to improve performance. Many get needlessly bloated in adding new and superfluous products, instead of focusing on improving the ones they do have.

This can lead to a gradual loss of focus and forgetting who their target audience is and what they are supposed to do – manage security.


Many software companies don’t communicate their plans for the future of their software very well. Some operate like this because they don’t really have a clear idea of where they are heading, while others don’t consider it a priority.

That is a big oversight, since their customers rely on them to see which features will be coming next, and when. Customers love communicating with the brands they use, and can often pinpoint areas that can stand to be improved and expanded – or suggest new capabilities of the software – even better than the developers themselves.

Using an MSSP puts them between you and the software. Depending on where you are drawing the line on who does what, you may want more direct access to the roadmaps of the software the MSSP is managing on your behalf. At the very least, be sure your MSSP is keeping on top of it and is good at incorporating new releases quickly (but not too quickly!).

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.