Magic Quadrant for MSSPs, North America

The global economic environment continues to drive businesses to limit hiring and increase demand for managed services. Managed security services are mature, but buyers must carefully define the scope and depth of services required, and assess the delivery capabilities and options available from providers. Enterprises that optimize their use of managed security service providers (MSSPs) can free up internal staff time for dealing with more-business-critical security functions if they select MSSP services that can integrate with internal security operations.

Source: Gartner (November 2011)

Market Overview

Gartner sees continued strong, if not spectacular, growth for managed security services (MSSs) in North America. Compliance requirements (formal and those created by large business partners or customers) continue to drive MSS adoption, especially for midsize and smaller businesses. Across buyers of all sizes, an inability to increase head count, greater acceptance of outsourcing IT activities, and implementation of additional security technologies or controls such as data loss prevention (DLP) or application monitoring also drive MSS. These factors will lead to growth in the incumbent vendors, as well as continued entry into the MSSP market by new providers, small and large.

Gartner expects that growing enterprise experience with software as a service (SaaS), as well as enabling more access of consumer-grade technology to corporate systems, will result in greater acceptance of, and reliance on, cloud-based security-as-a-service offerings. These services will grow faster than the market for remotely monitored customer premises equipment (CPE) MSS through 2012 on a percentage basis, but starting from a smaller base. New security-as-a-service-based offerings addressing specific security controls for cloud-based IT resources will be available from larger IT and network service providers during the next 24 months, with small and midsize businesses (SMBs) as the initial target market. Gartner predicts that smaller, pure-play MSSPs will be most affected by the introduction of these services, and we anticipate consolidation of smaller, pure-play MSSPs in the market.

In 2010, MSSPs realized North American revenue of $2.3 billion, up from $1.8 billion in 2009. We predict MSS revenue will have grown to $2.8 billion in 2011. Growth in enterprise demand for MSS is driven primarily by five factors:

• Staffing and budget constraints. Gartner's forecast for IT spending indicates a 2.9% growth rate in 2010, not including the effect of exchange rates (see "Forecast Alert: IT Spending, Worldwide, 3Q11 Update"). Gartner sees continued corporate pressure to reduce operational costs, capital expenditures and staffing while maintaining a sufficient security posture and meeting compliance mandates.
• Evolving compliance reporting requirements. Gartner customers report that meeting compliance reporting requirements is a contributing driver in almost every MSS engagement. As formal compliance regimes evolve or audit/enforcement activity increases, organizations consider external service providers to reduce the costs of meeting compliance requirements with internal resources, and to provide coverage beyond the capabilities of existing internal resources. The primary driver remains the PCI Data Security Standards, but Gartner expects U.S. Federal Information Security Management Act (FISMA) continuous monitoring requirements to become an increasing factor for government agencies as well as private firms that sell to the government. North American Electric Reliability Corp. (NERC)/Critical Infrastructure Protection (CIP) is acting as a driver for security assessment and mitigation services, but only as a minor driver for MSS. In addition, compliance concerns and corporate governance policies can create a secondary effect of stronger requirements for incident monitoring, identification and response among an organization's business partners and suppliers.
• Expansion of Internet connection points. Gartner still sees enterprises moving toward allowing remote offices to have local Internet connectivity, which, in the past, drove requirements for monitoring additional firewalls and unified threat management (UTM) devices. However, we have seen Web security gateways as service offerings as a less expensive way of securing branch office Web use, eliminating the need for buying or monitoring those devices. PCI compliance and other requirements for continuous monitoring still continue to increase demand for server monitoring.
• Increased availability and adoption of IT functions as a service. As enterprises gain experience using IT capabilities such as infrastructure and applications delivered as a service, security functions will be affected in two ways: (1) Some security functions will be embedded into cloud-style computing services, and (2) other security controls will be delivered as discrete services positioned between the cloud IT service and the enterprise buyer. The concept of outsourcing security functions will continue to gain acceptance. Gartner predicts significant growth in security outsourcing in areas adjacent to MSS, such as secure Web gateways, email security, and identity and access management. Customers will have additional options to outsource security as IT and network services providers add MSS, allowing customers to buy from known, trusted service providers.
• SMBs use external service providers for security. Smaller businesses are more acutely affected by formal regulatory requirements and secondary requirements from business partners. Smaller businesses typically have fewer internal security resources and are often unable to add to them as requirements evolve. This market segment is a target for MSSPs that already have substantial enterprise business, as well as for smaller MSSPs and other service providers adding MSS to their IT and network services.

Supply of MSSPs Continues to Increase

The number of IT services firms offering managed security continues to grow. Gartner sees two types of firms entering the MSS space — IT and network managed services providers (MSPs), and specialized MSS providers:

• MSPs add managed security to their portfolios of services to increase revenue from existing customers. MSPs typically deploy a commercial security information and event management (SIEM) product with features designed to support multitenant service delivery. Major SIEM product vendors have MSP channel efforts in place to encourage the growth of MSPs offering MSS to customers that do not have the resources or desire to deploy a SIEM product. Gartner also believes that some smaller MSPs that already offer some MSS will focus more on the security revenue and less on the network services revenue due to competitive pressures in the MSP area.
• Specialized MSSPs tend to be providers of professional services for compliance or security that add MSS to their existing consulting or assessment offerings. These vendors may focus on a specific market, such as small banks or credit unions, or compliance requirements, such as PCI. They may deliver their MSS with commercial SIEM technology, develop their own technology, or use open-source technologies (or a combination of approaches).

These providers tend to position their MSS offerings on ease of procurement/deployment (buy from a trusted vendor of other services) or as a low-cost solution to meeting compliance, and they offer mainstream technology adopters or risk-averse organizations choices. Buyers can opt for firms focused on compliance, which may be small, privately held, and concentrate on a limited number of security controls, or vertical or geographic regions, and compliance regimes. They can also select a larger, established service provider with a broad set of services, which offers the ability to leverage an established relationship to cover security services in addition to other IT services.

MSS Portfolio

In addition to the core services of monitoring and managing firewall and intrusion detection systems/intrusion prevention systems (IDSs/IPSs), MSSPs now offer a range of additional managed services:

• Multifunction firewall/UTM services
• Web application firewall
• Data loss prevention services
• Security information management services or log management

MSSPs report several services they describe as cloud or SaaS-based services. These include:

• Distributed denial of service (DDOS) protection
• Email security
• Web filtering
• Vulnerability scanning
• Network-based firewall/IDP
• Log management

Portals and Dashboards

An MSSP's portal is typically the primary means of communicating information about monitoring and management services performed for customers. Portals are typically Web-based, although several MSSPs are incorporating technologies to make some elements of their portals available to mobile devices. We expect that trend to grow in 2012. Portal features and functionality vary widely among MSSPs. Common functionality includes the creation and review of service request tickets and the display of predefined reports.

More-advanced portal capabilities include the ability to display detailed information on alerts created by the MSSP, such as the conditions that caused the alert, context about the event sources or targets, and evaluation and recommendations from MSS analysts. Still others provide the ability to view raw log data, vulnerability data, risk data, etc. Some provide trending data for incidents for the individual customer, as well as a comparison with other customers in the same industry.

Portal reporting capabilities range from the static display of HTML, graphics or PDF formats, and linked displays that enable drill down to underlying data, to configurable dashboards that are user-customizable by dragging and dropping data widgets.

The importance of the MSS portal to customers varies. Some MSS customers use the portal operations activities, such as daily interaction with the MSSP, to support incident investigation and response activities as well as to create reports to senior management regarding current security posture or compliance status. Other customers barely use the portal at all, and prefer other means, such as phone or email, for interacting with the MSSP and for receiving alerts. Gartner expects that portal reporting and dashboard features will continue to improve. These serve several purposes. They are valuable presales "demo" tools, their use improves the MSSP's ability to interact with more customers without adding security operations center (SOC) staff, and customers can use them to demonstrate the value of MSS to management.

Consulting Services

Gartner has long believed that leading MSSPs will have strong security consulting offerings to add value to their MSSP customers. We think the importance of strong professional service offerings has increased, given the rise of advanced threats driving demand for penetration testing, incident response and forensic services, as well as mitigation implementation engagements. Although many enterprises prefer to separate monitoring services from consulting services, in the current economic environment the majority are looking for the least costly approach to dealing with emerging security problems. Gartner expects to see another round of small security consultancies being acquired by MSSPs during the next 12 to 18 months.

Pricing

Pricing for MSS has, traditionally, related to the anticipated amount of data the MSSP expects to receive and analyze from the customer. In practice, MSSPs set pricing levels based on the type of security devices monitored and the capacity of the devices. Device management pricing was a bit more straightforward, based on the number of configuration changes to be performed. Adding additional devices to a monitoring or management contract required a change order.

Several developments are causing MSSPs to explore different pricing models:

• Log management for compliance reporting can involve accepting logs for many data sources, including logs that have little impact on the security monitoring function. MSSPs must price those activities at a lower cost to customers, or risk losing that business to SIEM vendors or compliance-specific services providers.
• Virtualization in the customer IT environment. Customers can quickly create (and remove) assets in the IT infrastructure that may be in the scope of the MSSP's monitoring or management. The change order approach to accounting for additional (or fewer) assets proves cumbersome and slow.
• Cloud-based IT. Enterprises consume IT infrastructure or applications as services. The ability of the MSSP to access these for security monitoring or management may be absent. The same issue applies with the elasticity of resources.
• Flexible coverage requirements from customers. Some enterprises, such as those with internal security expertise, and/or existing SIEM deployments, request flexible coverage for security monitoring or management. Examples include organizations requiring monitoring coverage after business hours, MSSP monitoring of perimeter technologies with enterprise staff monitoring internal user activity and log collection, or "on-demand" monitoring or device management to address resource constraints from peak business activity or external events.

Gartner expects MSSPs will develop more flexible on-demand and usage-based pricing to accommodate these situations. To be accepted by the market, these options must make it easier for customers to tailor the MSS services to their requirements without adding effort in the form of documentation, billing problems or gaps in coverage. The MSSP must also make the details of the service it provides (such as the number of data sources, the amount of data collected or monitored, and so forth) easy for the customer to understand and validate.

Gartner expects that, during 2012-2013, per-unit pricing for common services, such as firewall and IDP monitoring and management, will continue to decline slightly. Price pressure comes from new sources for these services, as we have described, as well as from continued corporate efforts to reduce IT budgets. MSSPs will continue to try to expand the number of devices and data sources to monitor, as well as differentiate monitoring based on the availability of additional external data feeds, such as reputation data, blacklists, behavioral data and cross-customer activity that can be correlated with data from a customer's monitored devices.

MSSP Landscape

The basic makeup of the MSSP vendor space has not changed fundamentally. There are three major types of MSSPs:

• Pure plays. Generally smaller, privately held MSSPs that are completely focused on security services. Pure-play MSSPs that grow rapidly will continue to be acquired by larger services or IT infrastructure firms seeking to provide MSS. New entrants of pure-play MSSPs tend to be focused on specific vertical market segments and on customers subject to specific regulatory requirements.
• System integrators/business process outsourcers. Broad IT services providers that typically manage security devices as part of larger outsourcing deals. Where the integrator or outsourcer acquired a pure-play MSSP and maintained a discrete MSS delivery capability, these providers often compete for MSS-only deals.
• Carriers and network service providers. Bandwidth and connectivity providers that manage network security products and often provide, in addition to remote monitoring premises-based technologies, cloud-based services through their Internet connections.

In general, the MSS portfolios of these providers look broadly similar. However, not all customers have the same requirements or expectations of MSSPs, and Gartner recommends that prospective MSS buyers develop explicit requirements for service delivery. It is in the details of these requirements that customers will be able to discern distinct differences among MSSPs. Buyers should define expectations for the degree and quality of interaction with the MSSP's SOC analysts, the features of the MSSP's portal that will support the customer's use cases, reporting for operational and management reporting, the depth of threat and security intelligence offerings, support for specific compliance requirements, and the MSSP's professional service capabilities. Buyers with distinct deployment requirements, such as a large number of locations requiring coverage, or those that require IT support in addition to security services, should evaluate MSSPs against those requirements as well. When prospective buyers evaluate MSSPs in the context of specific requirements, the providers that best fit those requirements may come from any segment of the Magic Quadrant: Leaders, Visionaries, Niche Players and Challengers.

Not included in this Magic Quadrant analysis are smaller, subregional providers, which can include small pure plays as well as larger providers that do not have enough MSS business to meet the criteria for inclusion. Excluded from this analysis are service providers that provide MSSs only for their own technology, and do not deliver services for commercial technology. Examples of vendors not evaluated in this Magic Quadrant are Sprint, which offers network-based services to its telecommunications customers and partners with CompuCom for premises-based MSS. BT, Unisys and Tata Communications are not included because they did not meet the inclusion threshold for customers and devices or discrete MSS offerings. StillSecure and Alert Logic offer log management, monitoring and vulnerability management services built around their own technologies. Exclusion of these service providers from coverage in the MSSP Magic Quadrant is not an indication of the quality of their services; it is based on the inclusion criteria we have developed for the Magic Quadrant analysis.

Market Definition/Description

For the purposes of this research, Gartner defines "MSS" as "the remote management or monitoring of IT security functions delivered via remote SOCs, not through personnel on-site." Therefore, MSSs do not include staff augmentation or any consulting or development and integration services.

MSSs include:

• Monitored or managed firewalls or IPSs
• Monitoring or managed IDSs
• DDOS protection
• Managed secure messaging gateways
• Managed secure Web gateways
• Security information management (SIM)
• Security event management
• Managed vulnerability scanning of networks, servers, databases or applications
• Security vulnerability or threat notification services
• Log management and analysis
• Reporting associated with monitored/managed devices and incident response

This Magic Quadrant evaluates MSSPs that offer monitored/managed firewall and IDP functions, rather than those whose main focus is on other elements of the services we have listed.

Inclusion and Exclusion Criteria

We have changed our inclusion criteria for this iteration of the Magic Quadrant for MSSPs, North America. The criteria now include a threshold for the number of firewall or IDP devices under monitoring or management, and a threshold for the number of North American customers. MSSs refer to remote management and monitoring of security technologies. Several large infrastructure outsourcing vendors offer other service delivery options, such as staff augmentation, in addition to MSS. We don't evaluate those other delivery options, but we do note when the providers deliver the majority of their security monitoring or management services by those means. Excluded from this analysis are service providers that offer MSS only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSS only for their own technology.

Inclusion Criteria

• The ability to remotely monitor and/or manage firewalls and IDP devices from multiple vendors via discrete service offerings
• More than 1,200 firewall/IDP devices under shared-service remote management or monitoring for external customers
• More than 125 external customers with those devices under management or monitoring

Exclusion Criteria

• MSS offerings that are available only to end users that buy other non-MSSs
• Service providers that monitor or manage only their own technology

Added

These vendors have been added to our evaluation or appear under different names since the 2010 Magic Quadrant:

• SecureWorks was acquired by Dell in 1Q11, and now operates as Dell SecureWorks.
• Clone Systems was added.

Dropped

These vendors were dropped from the Magic Quadrant:

• BT does not meet the inclusion criteria for monitored devices in North America.
• Unisys does not meet the inclusion criteria for a discrete MSS offering in North America.

Evaluation Criteria

Ability to Execute

• Product/service refers to the service capabilities in areas such as event management and alerting, information and log management, incident management, workflow, reporting, and service levels.
• Overall viability includes the organization's financial health, the financial and practical success of the overall company, and the likelihood that the business unit will continue to invest in the MSS offering.
• Sales execution/pricing includes the service provider's success in the MSSP market and its capabilities in presales activities. This includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.
• Market responsiveness and track record evaluates the match of the MSS offering to the functional requirements stated by buyers at acquisition time, and evaluates the MSSP's track record in delivering new functions when they are needed by the market.
• Marketing execution is an evaluation of the service provider's ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.
• Customer experience is an evaluation of service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by conducting qualitative interviews of vendor-provided reference customers, as well as feedback from Gartner customers that are using the MSSP's services or have completed competitive evaluations of the MSSP's offerings.
• Operations includes the MSSP's service delivery resources, such as infrastructure, staffing and operations reviews or certifications.

Criteria weights for Ability to Execute are shown in Table 1.

Source: Gartner (November 2011)

Completeness of Vision

• Market understanding involves the ability of the MSSP to understand buyers' needs and to translate those needs into services. MSSPs that show the highest degree of market understanding are adapting to customer requirements for specific functional areas and service delivery options.
• Marketing strategy refers to a clear, differentiated set of messages that is consistently communicated throughout the organization; is externalized through the website, advertising, customer programs and positioning statements; and is tailored to the specific client drivers and market conditions in the MSS market.
• Sales strategy relates to the vendor's use of direct and indirect sales, marketing, service, and communications affiliates to extend the scope and depth of market reach.
• Offering (product) strategy is the vendor's approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSS. Development plans are also evaluated.
• Business model includes the process and success rate for developing features and innovation, and service delivery capabilities.
• Vertical, industry and geographic strategy includes the ability and commitment to service geographies and vertical markets.
• Innovation refers to the service provider's strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements.

Criteria weights for Completeness of Vision are shown in Table 2.

Source: Gartner (November 2011)

Leaders

Each of the service providers in the Leaders quadrant has significant "mind share" among enterprises looking to buy an MSS as a discrete offering. These providers generally receive very positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring frequent interaction with the MSSP for analyst expertise and advice, portal-based correlation and workflow support, and flexible reporting options.

Challengers

Gartner customers are more likely to encounter MSSs offered by an IT or network service provider in the Challengers quadrant as a component of that provider's other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, it offers a "path of least resistance" to enterprises that need an MSSP and use the vendor's main services. These service providers also represent the largest portion of overall MSSP revenue.

Visionaries

Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises requiring frequent interaction with MSS analysts, flexible service delivery options and strong customer service. Visionaries quadrant MSSPs have less market coverage and fewer resources or service options compared with Leaders quadrant firms.

Niche Players

Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve.

Vendor Strengths and Cautions

Allstream

Allstream is a Canadian telecommunications provider of services to Canadian businesses. Allstream's MSS is based mostly on device management and multifunction firewall services, and also includes network-based firewalls. Allstream positions managed security as a key component of its bandwidth and networking services. Allstream partners with Dell SecureWorks for the delivery of advanced security management, monitoring and SIM services. Canadian firms seeking managed services for multifunction or network-based firewalls should evaluate Allstream.

Strengths

• Allstream provides stand-alone and multifunction firewall capabilities that are positioned to address the needs of SMB buyers and large enterprises.
• Allstream receives good marks from customers for device management services.

Cautions

• Allstream's security portal provides limited functionality compared with that of competitors. Advanced security management/monitoring, reporting and SIM functionality are available through Dell SecureWorks services.

AT&T

In addition to a broad range of telecommunications and IT services, AT&T offers security monitoring and management services for customer-based as well as network-based security controls, including wireless. Enterprises requiring a global service provider with a broad range of service offerings and deployment capabilities that include CPE and network-based options, or customers of other AT&T services seeking MSSs from an incumbent provider, should consider AT&T.

Strengths

• AT&T often appears in competitive MSS evaluations for Gartner customers.
• AT&T's service portfolio includes network-based and CPE delivery options that can be deployed in combination, along with threat monitoring and management and security consulting services.
• AT&T is a stable service provider vendor with a presence and delivery capabilities in multiple geographies.

Cautions

• MSS buyers should ensure that AT&T's plans to add standardized asset reporting and log browsing capabilities to its MSS portal will meet customer requirements for those capabilities.
• MSS buyers seeking stand-alone MSS based on CPE technology may require persistence to focus AT&T on responding to these CPE-specific MSS engagements.

Bell Canada

Bell provides a broad range of services, including professional, hosted and managed services for network, video, contact center, customer experience and unified communications solutions, in addition to professional services and MSSs. Bell's security management business is primarily more-traditional account-based outsourcing delivery, rather than shared remote security monitoring. Enterprises seeking an established vendor for MSS delivery in the Canadian market should consider Bell.

Strengths

• Bell continues to improve its shared MSS delivery capability and can offer MSS via remote shared services and on-site staff augmentation.
• Bell's capabilities are well-known in the Canadian market to Gartner customers evaluating MSS for delivery in that market.
• Bell has strong delivery experience with large governmental entities.

Cautions

• Bell network-based MSSs are less mature than those of other telecommunications providers offering MSSs, and multitenant cloud-based-firewall services are just recently in general availability.

CGI

CGI provides a broad range of services, including managed security, IT and business outsourcing, consulting, and system integration. CGI provides services in Canada and the U.S., with emphasis on government, financial services and insurance markets. Enterprises seeking MSS delivery capabilities in these vertical markets, as well as service delivery and presence in U.S. and Canada, should consider CGI.

Strengths

• CGI is well-established in the Canadian market, and recent acquisitions have greatly increased its presence in the U.S.
• CGI gets good marks for security expertise and for good security service delivery in the context of overall IT outsourcing.

Cautions

• CGI's MSS portal lags that of competitors in features related to the display and analysis of security incidents and user-defined reporting.
• CGI customers should establish service-level metrics that ensure consistent, unified delivery of MSS and customer care across Canadian and U.S. operations.
• Customers seeking MSS-specific engagements must be prepared to navigate CGI's multiple services delivery options to engage with remote, shared MSS capabilities.

Clone Systems

Clone Systems is an established pure-play managed security and PCI certified services provider offering compliance services for retail, pharmaceutical, financial services and other vertical markets. Clone delivers services primarily in North America, but is pursuing expansion in the Asia/Pacific market and has a European sales office. Clone operates two SOCs in the U.S. and one in Eastern Europe. Midsize organizations looking for vendor-neutral MSS to address regulatory compliance requirements and security monitoring should consider Clone Systems.

Strengths

• Clone Systems has established reselling deals with several firms that address compliance requirements, providing MSS availability through a variety of channels for buyers seeking security monitoring and compliance services.
• Clone receives good marks from customers for effective MSS delivery.

Cautions

• Potential MSS buyers seeking extensive interaction with MSS SOC analysts should validate that Clone support capabilities are appropriately aligned with customer expectations.

CompuCom

CompuCom provides IT outsourcing and other services, including MSS to all industry segments, with particular focus on retail and financial services customers subject to compliance requirements. Security monitoring and management services are augmented by IP telephony security services. Customers of CompuCom's IT services that are seeking to add security services, and enterprises looking to meet PCI or financial compliance requirements, should evaluate CompuCom.

Strengths

• CompuCom received good marks from customers for firewall management.
• CompuCom delivery centers are compliant with SSAE 16 (SAS 70).
• CompuCom's relationship with Sprint provides access MSS for CPE deployments to Sprint customers.

Cautions

• MSS buyers not already customers of CompuCom may need persistence to engage with the right CompuCom sales resources for MSS.

CSC

CSC is increasing its capabilities to deliver MSS as a discrete, shared-service offering, and as a complement to its broad range of IT outsourcing and consulting services to enterprises and government agencies. Although many of CSC's security management services have been delivered through more traditional outsourcing or staff-augmentation arrangements, CSC is actively pursuing MSS as a stand-alone offering for IT outsourcing customers, and prospective buyers who are not current CSC customers. CSC outsourcing customers, and enterprises in the defense, industrial base and financial services industries should consider CSC for MSS.

Strengths

• CSC has made progress in creating an MSS-specific portal that includes detail to support daily operational use. More-advanced customization, reporting and dashboard features were released as this Magic Quadrant was being prepared for publication.
• CSC's multiregional MSS delivery capability includes the option of an on-site risk manager to act as a liaison between MSS analysts and customer staff.
• CSC has a strong presence in the U.S. federal government and critical infrastructure markets, and security expertise to support those markets.

Cautions

• CSC's MSS capabilities are not as visible to Gartner customers outside of CSC's core IT outsourcing and consulting businesses, and those seeking MSS-only engagements lack awareness of CSC's MSS capabilities.
• MSS buyers must validate that CSC's MSS road map for services related to specific compliance regimes and vertical markets is aligned with current and anticipated MSS requirements.

Dell SecureWorks

SecureWorks, previously a privately held firm, was acquired by Dell in 1Q11, and is now called Dell SecureWorks. Dell has retained SecureWorks management, staff and operations centers. Dell SecureWorks' MSS portfolio includes security monitoring, device management, scanning, and log management. Dell monitors and manages third-party security technologies and also delivers services via its own appliances. Delivery models include CPE-based services and "as a service" delivery for monitoring and log management. SMBs seeking to meet compliance requirements, and enterprises looking for full-featured MSSs, should consider Dell SecureWorks.

Strengths

• As part of Dell, SecureWorks has easier access to resources to support ongoing service development and delivery capabilities, and accelerate expansion into other geographic regions. The acquisition should enhance SecureWorks efforts to provide MSS, consulting and intelligence to small and midsize markets that are covered by Dell sales resources and to participate in large IT outsourcing engagements with Dell services.
• Dell SecureWorks has generally received very positive evaluations from Gartner customers for depth of security expertise and for effective service delivery.
• Dell SecureWorks' existing MSS portal (which is to be updated in 4Q11) provides a strong balance of executive reporting and comparative data with detailed support for operational activities via a flexible and rich user interface.

Cautions

• SecureWorks customers should confirm that the service platform and portal upgrade being introduced in 4Q11 (unifying the legacy VeriSign and SecureWorks systems) provides improved functionality compared with their legacy platforms, and request compensating capabilities if important features are lacking.
• MSS customers should closely monitor SecureWorks service delivery to confirm that integration into Dell and plans to expand in other geographic markets do not reduce MSS focus and delivery capabilities.
• Dell's acquisition of Force10 may divert Dell's attention from the services market as it attempts to compete in the network infrastructure market.

HCL Technologies

HCL offers a broad range of security and IT services for consulting, integration and outsourcing, and delivers MSS in North America from a U.S.-based SOC and three India-based SOCs. HCL emphasizes process adherence, subject matter expertise and relationships with technology vendors as key elements in its MSS delivery. Enterprises that use HCL for IT services, and are seeking MSSs from an incumbent partner, should consider HCL.

Strengths

• The HCL MSS portal has user-customizable displays and graphics that provide drill-down views to underlying alert or log data.
• HCL gets good marks from customers for flexible service delivery and adapting to customer process requirements.

Cautions

• MSS customers seeking shared and on-site MSS support should establish metrics to track and help ensure that flexible delivery options do not impede knowledge sharing, and consistent analysis and response across SOC staff and account-specific staff.
• HCL IT services customers considering MSS should adopt security-specific service-level requirements, reporting, relationship management and remedies.

HP

HP offers a broad range of professional and managed services for security, in addition to security technologies for network and application security and SIEM. HP has increased its efforts to establish a unified MSS capability across all regions, although delivery capabilities are not yet universally available across all geographies. MSS delivery will be based on the Vistorm platform. Enterprise and midsize companies with HP IT services should consider HP for managed security.

Strengths

• As a large, multiregional IT services provider, HP offers a wide range of MSS, consulting, system integration and security products.
• HP has strengthened its security intelligence capabilities via recent acquisitions and is in a position to leverage them as components of MSS delivery.
• HP has selected the capabilities acquired with Vistorm as the core of its MSS offerings, which offers the opportunity for unified analysis and service delivery across regions.

Cautions

• The HP MSS portal provides basic ticket and service management capabilities, but not the analysis, reporting and dashboard features of competitor portals.
• MSS buyers seeking stand-alone MSS engagements may need persistence to navigate the large number of security and IT outsourcing services offered by HP.

IBM Security Services

IBM's MSS offers are available to its infrastructure outsourcing customers, as well as a stand-alone offering available to customers looking for discrete MSS. IBM has extensive MSS delivery resources, including SOCs distributed worldwide. The majority of IBM MSS deals include device monitoring as well as device management, and often include security services beyond the core firewall and IDP devices, including Web gateway and email managed services and vulnerability management. Enterprises with global service delivery requirements, and those with strategic relationships with IBM, should consider IBM for MSSs.

Strengths

• The IBM MSS portal is feature-rich and provides integration of log management and vulnerability management services with real-time monitoring, alerting and ticketing features.
• IBM is investing in its MSS capabilities, including developing more-advanced analytics and reporting capabilities, and refining changes in its customer care and service delivery capabilities.
• IBM has global delivery capabilities across a broad range of managed security and consulting services, as well as many other IT services.

Cautions

• Gartner customers continue to report uneven service delivery from IBM, although many also indicate IBM is working to address issues. IBM must continue to focus on MSS delivery and customer care.
• IBM MSS supports multiple security technologies, including many from IBM competitors in the firewall and intrusion detection product market. MSS customers should monitor planned and actual MSS support for their non-IBM technologies.

Integralis

Integralis, a publicly traded European MSSP, was acquired by NTT Communications Group in 2010. Prior to the acquisition, Integralis focused on security services, and had a modest presence in the North American market. NTT America is offering Integralis-delivered MSS to network services customers, and Integralis is focusing security services efforts in North America. Enterprises seeking MSS as a discrete service or to augment infrastructure management services from a provider with a service presence in multiple regions should consider Integralis.

Strengths

• Integralis has MSS presence in multiple regions, including two U.S. SOCs.
• Integralis gets good marks from customers for responsiveness, security expertise and service delivery flexibility.
• The Integralis MSS portal provides a strong combination of operational information and reporting capabilities.

Cautions

• MSS buyers that require log management services should ensure that Integralis' plans to enhance log management capabilities meet functional requirements and time frames.
• Integralis and other recent NTT acquisitions Secode and Dimension Data each have security services delivery capabilities. Potential MSS buyers should confirm with Integralis that they will experience the benefits of a unified analytic and delivery capability across multiple regions.

Nuspire Networks

Nuspire offers managed security, network gateway and help desk services. Nuspire's MSS is typically delivered via the monitoring and management of its own multifunction appliance, although it also monitors customer-owned technologies. Nuspire also offers endpoint security, log management services and a recently introduced rogue wireless detection service. Buyers that require compliance-oriented MSS at multiple locations, such as branch offices or retail, and include help desk and network services, should consider Nuspire.

Strengths

• Nuspire has experience meeting the requirements of retail/branch office customers for managed security services.
• Nuspire gets good marks from customers for meeting service commitments.

Cautions

• MSS buyers with staff that require frequent and extensive interaction with MSSP SOC analysts should validate that Nuspire can meet expectations for analyst support.
• Nuspire's MSS portal lacks data correlation and vulnerability management features available in competitor portals. Potential MSS buyers should verify that Nuspire's near-term plans to add these capabilities will meet deployment requirements.

Perimeter E-Security

Perimeter has pared several previously offered services to focus on messaging and security management offerings, and partners with Alert Logic to provide log management services. Perimeter provides MSS via a U.S.-based SOC, with additional Level 1 support staff in Manila. SMBs requiring easy deployment options and a relatively low-touch relationship with the service provider, should consider Perimeter.

Strengths

• Perimeter gets good marks from customers for device management and customer care.
• Perimeter offers an array of compliance-oriented services for customers subject to banking regulations, PCI and other compliance requirements.

Cautions

• Perimeter's MSS portal lacks the advanced capabilities of some competitor portals. Log management capabilities are available through a separate portal supplied by a partner.
• Perimeter needs to bolster its marketing and sales efforts to gain visibility and traction in the midsize market beyond compliance-specific buyers.

SAIC

SAIC offers a broad range of IT outsourcing, integration and consulting services in addition to security services. SAIC's primary markets include government, critical infrastructure, healthcare and energy. SAIC subsidiary, CloudShield Technologies, offers a network security platform to telecommunication providers and government customers, and SAIC offers services for CloudShield deployments, as well as integrating, managing and monitoring of a variety of third-party security technologies. Enterprises with MSS deployments that will involve significant implementation and integration work should consider SAIC's strengths in delivering those services, as well as its ongoing monitoring and log management capabilities.

Strengths

• SAIC's security services are well-known in the U.S. federal government market, as well as in commercial markets concerned with critical infrastructure security.
• SAIC's MSS delivery is augmented by a strong professional service capability, and security intelligence and threat research capabilities.

Cautions

• SAIC's focus on specific markets and large services deals results in limited visibility for its MSS capabilities among Gartner customers outside of those vertical markets.

Savvis

In July 2011, Savvis was acquired by CenturyLink, which also acquired Qwest. Savvis provides infrastructure as a service, Web hosting and network services, and its managed security services are sold primarily but not exclusively to customers of those infrastructure services. MSS offerings include network-based firewall, Web application firewall and DDOS protection, and IDP and log management services. Customers of Savvis' infrastructure services should consider Savvis for managed security

Strengths

• Acquisition by CenturyLink provides an opportunity for Savvis to deliver MSS capability to a much broader range of enterprise and SMB customers.
• Savvis can provide a broad range of security controls as a component of network and cloud infrastructure services.
• Savvis' security expertise is enhanced by its Arca Common Criteria Testing Laboratory.

Cautions

• Savvis customers and prospects should require Savvis to provide updates to its service delivery road map as the integration activities among the security services delivered by Savvis, CenturyLink, Qwest and IBM (as Qwest's partner) are rationalized.

Solutionary

Solutionary is a pure-play MSSP providing security monitoring, information management, compliance and vulnerability assessment and consulting services. Solutionary has two U.S.-based SOCs and partners with e-Cop to support local MSS delivery in Asia/Pacific. Enterprises and midsize businesses that need flexible and customizable management and monitoring services for firewall, IDS, IPS, Web application firewall (WAF), next-generation firewall, scanning and log management services should consider Solutionary.

Strengths

• Solutionary continues to receive strong positive comments from customers for high-quality service delivery and for flexibility in accommodating customer requirements for service design, and for service delivery.
• Solutionary has made progress in gaining broader market attention and access to competitive MSS procurements with much larger MSSPs.
• Solutionary's MSS portal enables extensive customization of data displays, analytic views and reporting.

Cautions

• Solutionary must balance its efforts to reach beyond the North American market to Asia/Pacific and Europe with channel development and sales efforts in the U.S.
• Solutionary must increase its efforts to establish greater visibility for security expertise, because several competitors have recently bolstered security intelligence resources and marketing efforts.

Symantec

Symantec recently moved the MSS delivery unit into its Security and Compliance organization, which contains Symantec's other enterprise security product and services groups. This reorganization should result in better alignment of service development and service delivery for MSS customers. Symantec provides security monitoring and security intelligence services, messaging security services, and a range of security products. Symantec has moved to a services-based log management offering that brings log data to the Symantec SOC, rather than to technology deployed on customer premises. Symantec's simplified level of service reduces the service tiers for MSS from three to two, and Symantec has added an enterprisewide pricing model for monitoring and management that includes broad tiers, based on enterprise size, with customers able to add/remove devices from service at will. Symantec also adjusted pricing on device classes (such as firewall and IPS) that results in one fee per device class, without regard to the capacity of the device. Enterprises seeking an established MSSP should consider using Symantec.

Strengths

• Symantec's security intelligence capabilities get good marks from customers for threat analysis and for providing context for SOC analysts.
• Symantec continues to receive strong positive reviews from Gartner customers for MSS, and Symantec often appears in competitive MSS deals.
• Prospective MSS customers provide generally positive feedback about Symantec's enterprisewide pricing model.

Cautions

• Symantec's changes in service levels and pricing models may prove challenging to existing MSS customers as they begin contract renewal discussions, and must compare existing services and pricing to the new models.
• Symantec's retreat from offering security consulting services means that MSS customers must address assessment and remediation activities with another security service provider.
• Symantec's acquisition of VeriSign's authentication services, which is not a core MSS offering, may dilute management focus on, and investment in, growing the MSS business.

Trustwave

Trustwave has continued its efforts to expand its customer base beyond buyers of PCI compliance services, with emphasis in community banks, credit unions, retail and healthcare. Trustwave offers a large number of managed services built around the security technologies it has acquired during the past several years. Companies with PCI compliance requirements should consider Trustwave for MSSs.

Strengths

• Trustwave's large base of PCI compliance services customers provides an opportunity to add additional MSS to existing accounts.
• Trustwave remains a broadly known provider of PCI compliance services.

Cautions

• Trustwave has just recently implemented its Intellitactics SIEM technology in its MSS operations. Potential MSS customers should evaluate whether the addition of capabilities for data correlation across multiple third-party security technologies and for compliance reporting beyond PCI meets their deployment time frames and functional requirements.
• Potential MSS buyers must establish service levels and monitor Trustwave's delivery and focus on MSS development in the context of product integration and development, and a possible initial public offering.

Verizon

Verizon's security services business, including MSS and consulting services, which previously used the "Cybertrust" brand, is being moved into the Terremark business unit, acquired by Verizon in 1Q11. Terremark, a Verizon company, will continue to deliver MSS, security consulting services and compliance offerings. Enterprises looking for an established service provider capable of delivering a broad range of security services in multiple regions should consider Verizon.

Strengths

• Verizon can provide MSS for customer premises equipment and for controls based in the Verizon Business network. The Terremark acquisition gives Verizon a strong position in "off network" delivery of security as a service to non-Verizon bandwidth customers.
• Verizon continues to invest in security services delivery capabilities and has strong recognition as an MSSP and security consultancy with focused security expertise.
• Verizon MSS receives positive reviews from Gartner customers for meeting expectations for security expertise and effective MSS delivery.

Cautions

• Verizon MSS customers should monitor service delivery and customer care activities to ensure continuity and support levels as these functions are transferred to the Terremark unit.
• Verizon/Terremark must be careful that Terremark's emphasis on cloud and infrastructure as a service does not diminish its capability to deliver discrete, stand-alone MSS.

Wipro

Wipro delivers MSS via four SOCs in the U.S. and additional SOCs around the world. Wipro's services portfolio includes a broad range of IT services, as well as security services. Wipro focuses its MSS on the financial services, retail, healthcare and energy vertical markets. Enterprises looking to augment IT services with MSS from a trusted incumbent provider should consider Wipro.

Strengths

• Wipro can augment its MSS with traditional outsourcing and staff support services where blended delivery of security management or monitoring services is required.
• Wipro IT services customers can add security management and monitoring from a service provider with which they are already familiar.

Cautions

• The Wipro MSS portal lags in functionality compared with those of competitors. Access to MSS information is presented via three portal interfaces. Prospective customers should ensure that the Wipro portal will meet their requirements for monitoring and reporting security and compliance posture.
• Wipro's security management and monitoring services receive mixed feedback from customers. Prospective MSS customers should develop selection criteria based on security expertise and ability to add value, delivery capability and security-specific SLAs.