Magic Quadrant for Global MSSPs
Managed security services is a mature market with offerings from established service providers. This Magic Quadrant presents enterprise buyers with advice on selecting MSS providers to support global service requirements.
For the purposes of this research, Gartner defines managed security services (MSSs) as "the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers (SOCs), not through personnel on-site." Therefore, MSSs do not include staff augmentation, nor any consulting or development and integration services.
MSSs broadly include:
- Monitored or managed firewalls or intrusion prevention systems (IPSs)
- Monitored or managed intrusion detection systems (IDSs)
- Distributed denial of service (DDoS) protection
- Managed secure messaging gateways
- Managed secure Web gateways
- Security information and event management (SIEM)
- Managed vulnerability scanning of networks, servers, databases or applications
- Security vulnerability or threat notification services
- Log management and analysis
- Reporting associated with monitored/managed devices and incident response
This Magic Quadrant evaluates monitored/managed firewall and intrusion detection and prevention (IDP) functions, as well as log management services, rather than other elements of the services we have listed. Firewall, IDP and log collection form the core of most MSS engagements. The vendors in the Magic Quadrant are evaluated on their ability to support customers with global service requirements.
Source: Gartner (February 2014)
Headquartered in Dallas, and with regional offices in Hong Kong and London, AT&T offers security monitoring and management services for customer-based and network-based security controls — including wireless — in addition to a wide range of other IT and telecommunications services. AT&T MSSs are based on commercial and self-developed technologies for alert and log collection, real-time correlation, reporting, and device management. Workflow is supported by the AT&T BusinessDirect portal. Query and browsing of log data are supported via commercial and self-developed technologies. AT&T offers log management via on-premises solutions. Log management and MSS functions must be accessed through separate portals. Integration of these functions into a single portal remains planned. AT&T's advanced threat offering is the Security Event and Threat Analysis (SETA) service, which includes correlation and analysis of data from customer devices and the AT&T network, with customer-specific configuration and response templates. Three SOCs are located in the U.S., two in Asia/Pacific and one in Europe, and multilingual support is available. Enterprises should consider AT&T if they require a global service provider with a broad range of service offerings and deployment capabilities that include premises-based and network-based options. Customers of other AT&T services that seek MSSs from an incumbent provider should also consider AT&T.
- AT&T has good visibility among Gartner customers, and is often included in competitive MSS evaluations.
- AT&T's network-based security controls are mature security management and monitoring offerings that are attractive to MSS customers with remote and branch office coverage requirements.
- AT&T is an established and stable service provider, with delivery capabilities in multiple geographic regions.
- The MSS portal continues to lack standardized asset reporting as well as the log browsing capabilities that are available in several competitors' portals.
- Log management functions must be accessed from a portal that is distinct from the MSS portal.
- The customization features of the MSS portal are not as extensive or self-service-capable as those in competitors' portals.
BT is headquartered in London and has offices across the globe, including a regional presence in Texas and Hong Kong. BT's MSS offerings include monitoring and management of customer premises deployed devices and network-based security controls as part of its larger portfolio of telecommunications and IT services. BT uses self-developed technology for log and event collection, correlation, query, reporting, and device management. Commercial technology supports workflow. In addition to its MSS, BT offers Assure Analytics, an extension that provides additional analysis and visualization capabilities. BT has two European SOCs and three Asia/Pacific SOCs staffed 24/7, with an additional nine SOCs worldwide. Capabilities to detect targeted attacks and provide advanced analytics are focused on larger customers and delivered via add-on services, including a social media monitoring service, Assure Analytics and consulting engagements. Customers of other BT services that are seeking MSS as well as additional analytics and visualization capabilities should consider BT.
- BT has a broad range of security offerings for MSS globally, as well as for security consulting, cybersecurity services, secure networking, business continuity, identity and access management, technology deployment, and integration.
- BT gets good marks from users for security expertise in support of its MSS delivery.
- BT continues to have much lower visibility among MSS buyers in North America and Asia/Pacific than in Europe.
- Customers use the BT Assure Threat Monitoring Web portal for searching, browsing and reporting security-relevant raw log data, and a premises-based appliance user interface to access non-security-relevant raw log data.
CenturyLink is based in Monroe, Louisiana, and has offices in Singapore, Hong Kong, London and throughout North America. It provides MSS as well as infrastructure as a service, software as a service (SaaS), Web hosting, colocation and network services. MSS customers have primarily been customers of CenturyLink's infrastructure services. MSS is delivered through a combination of commercial and self-developed technology for data collection, correlation and analysis, reporting, and log management. CenturyLink has three SOCs in North America, with an additional SOC in Europe and one in Asia/Pacific. Advanced analytics to detect targeted attacks are embedded within the MSS capabilities, and are based on monitoring third-party security technologies. CenturyLink's infrastructure and network services customers should consider the company for managed security.
- CenturyLink's enterprise and small or midsize business customers for network services can augment their relationships with CenturyLink via MSSs.
- CenturyLink's rationalization of security services across its lines of business has enabled a more focused and consistent delivery of MSSs.
- CenturyLink does not appear on Gartner customer shortlists for MSSs.
- The CenturyLink MSS portal lags competitors' portals in several areas, including customization, asset tracking, and correlation across data sources and user data.
CSC is headquartered in Falls Church, Virginia, with regional offices in Sydney, Singapore and the U.K. CSC delivers its MSS as a stand-alone service, and as a complement to its IT outsourcing and consulting services to enterprises and government agencies. CSC is in the process of standardizing its MSS delivery capabilities across all regions using commercial SIEM technology for data collection and correlation, real-time alert generation, and log management. The self-developed Pulse Portal provides access to alerts, reporting, ticketing and workflow. CSC has four SOCs in the U.S., two in Europe and three in Asia/Pacific. New offerings to address advanced targeted attacks are available and include network and payload analysis. Preliminary endpoint analysis and forensics are available via managed services, with more in-depth forensics available as a consulting engagement. CSC outsourcing customers and enterprises, especially those in the defense industrial base and financial services industries, should consider CSC for MSSs.
- CSC's efforts to standardize MSSs across regions now provide global event visibility to SOC analysts, and should result in enhanced effectiveness for multiregional customers.
- Customers give good marks for the security expertise of CSC's staff, as well as for their understanding of the customer environment.
- CSC's security expertise supports its strong presence in the U.S. federal government and the U.K. government, in financial services and in critical infrastructure markets.
- CSC does not fully market its stand-alone MSS. Also, CSC is rarely included on Gartner commercial customers' shortlists for stand-alone MSS deals.
- Organizations considering CSC for MSSs should evaluate the current state and progress toward the completion of global service standardization to ensure that the capabilities needed in all regions are available to meet deployment requirements.
Dell is headquartered in Texas, and Dell SecureWorks is headquartered in Atlanta, with five regional offices in the U.S. — plus Edinburgh, Scotland, London and Tokyo, with additional offices in Asia/Pacific and Europe. Dell SecureWorks offers MSSs as well as security consulting, incident response and threat intelligence services. MSS delivery is based on self-developed technology for log and alert collection, for real-time correlation and analysis, and for presentation/reporting via portal. Premises-based log retention and reporting are delivered via commercial SIEM technology. The Dell SecureWorks Counter Threat Unit provides threat intelligence, malware analysis and analytic support for MSS operations. Customers may buy threat intelligence services as part of an MSS subscription. Five SOCs are located in the U.S., with additional SOCs in the U.K., India, Mexico and Eastern Europe. Advanced attack detection is offered within existing MSSs and includes threat feeds, correlation, and analysis of historical events to identify anomalies. Midsize organizations that want to meet compliance requirements, and enterprises looking for full-featured MSSs, should consider Dell SecureWorks.
- Dell SecureWorks is very visible to Gartner customers and is typically included in competitive MSS deals.
- Gartner customers offer strong praise for Dell SecureWorks' MSS delivery, security expertise and relationship management. The security expertise available through the Counter Threat Unit is often cited as a differentiator.
- The MSS portal receives very good marks from customers.
- Dell's ownership changes offer less visibility into its business operations, including the positioning and emphasis placed on security products and services.
- Although reports of issues to Gartner have been minimal to date, customers should continue to monitor Dell SecureWorks' service delivery to ensure that MSS geographic expansion and any shift in Dell's business focus do not dilute its MSS delivery capabilities.
- Dell SecureWorks' cautious expansion beyond the Japanese market may result in prospects having limited references in the Asia/Pacific region, and not as much ready access to presales interaction.
HP is headquartered in Palo Alto, California, with MSS locations in Australia, London and Plano, Texas. HP has a broad security portfolio of professional and managed services; technologies for SIEM, application security and network security; and extensive offerings of additional IT products and services. HP's MSS is based on several self-developed and commercial technologies for data collection, correlation/alerting, query and reporting. Workflow and ticketing use HP technology, and tools for customer deployment provide workflow support. HP has two SOCs in the U.S., one in Latin America, three in Europe and two in Asia/Pacific. HP offers a portal for MSS and uses the HP ArcSight console for log management. HP offers a separate governance, risk and compliance-oriented portal for executive dashboards. The HP MSS portal provides role-based access, ticketing and security reporting features. Log management is delivered via HP ArcSight ESM and ArcSight Logger in hosted or on-premises deployments. Log management features are available via the HP ArcSight portal. HP's targeted attack detection and advanced analytics capabilities are embedded in its MSS offerings, and are supported with threat feeds, vulnerability information, the detection capabilities of HP ArcSight, and expert analysis. Enterprises and midsize companies with HP IT services or security technology services should consider HP for MSSs.
- HP is a large, stable provider of MSSs and other security services. It has a multiregional presence and delivery capabilities.
- HP's broad technology and service delivery options enable extensively customized MSS engagements, including technology bundling and hybrid delivery options.
- The HP MSS portal lacks the user correlation and asset and vulnerability reporting capabilities that are available in competitors' portals. Potential customers should validate that HP's current capabilities and enhancement plans meet their deployment and operations requirements.
- Gartner customers report challenges in differentiating and navigating among HP's security monitoring capabilities, which are available, in differing forms, from HP's product, outsourcing and discrete MSS delivery organizations.
- Prospective MSS customers should validate HP's coverage and monitor ongoing support when MSS engagement includes security technologies from HP's competitors.
IBM is headquartered in New York, with MSS offices in Atlanta and other geographies. MSSs and a full range of security consulting and integration services are available as stand-alone services, and as components of larger infrastructure outsourcing contracts. IBM uses self-developed technology for data collection, correlation, log query and reporting, and ticketing/workflow. Log management is offered as a hosted service, and with premises-based IBM QRadar and other SIEM technologies. IBM has four North American SOCs, two in Europe, two in Asia/Pacific and two more in other regions. IBM's advanced analytics and targeted attack detection capabilities are embedded in its MSS and hosted SIEM offerings, and they are supported by IBM technology and third-party technology deployed by customers. Enterprises with global service delivery requirements, and those with strategic relationships with IBM, should consider IBM for MSSs.
- Gartner customers often include IBM in competitive MSS evaluations, and IBM has high visibility in North American, Asia/Pacific and European markets.
- IBM's MSS capabilities include support for customer-deployed SIEM (from IBM and other vendors) that is integrated into its standard MSS offerings.
- IBM is a large, stable provider of security and IT services and products, and it has global delivery capabilities.
- Gartner customers report overall improvements and lingering challenges for IBM MSSs in sales, deployment and customer care.
- Although IBM's MSS supports multiple security technologies — including many from IBM's competitors in the IPS and SIEM markets — MSS customers should monitor planned and actual MSS support for the security technologies deployed in their environments.
NTT, which is based in Tokyo, and with London and New York offices, acquired Solutionary in 2013, adding to prior acquisitions of MSS capabilities in the NTT companies (such as NTT Com Security — formerly Integralis — and Dimension Data's earthwave). NTT is included in this Magic Quadrant on the basis of the combined offerings and scale of the various MSS entities, which it is in the process of rationalizing. NTT uses a variety of self-developed and commercial technologies to support MSS delivery across the three organizations. There are multiple SOCs in Asia/Pacific, Europe and North America. Targeted attack protection is embedded in the MSS offering of each delivery group, and it differs among the groups, although cross-group data sharing for threat information is now being done. NTT customers and enterprises seeking a large global service provider with specific regional strengths should consider NTT for MSSs.
- Individual NTT MSS groups get good feedback from Gartner customers regarding MSS delivery.
- Across the NTT MSS offerings, the capabilities of NTT Com Security, Solutionary, Dimension Data's earthwave and NTT Data are well-known in Europe, North America, the Middle East/Africa and Asia/Pacific, respectively, and they appear in MSS deals in those regions.
- NTT has a global presence as well as a broad range of security service offerings and delivery options, in addition to broader telecommunications and IT infrastructure service offerings.
- MSS operations across the regions are not yet fully integrated. Current MSS customers must monitor NTT's plans to rationalize its MSS delivery capabilities to ensure that any changes result in equal or better service delivery levels and options.
- Potential MSS buyers should get binding assurances from NTT regarding the capabilities they will receive globally and within regions to ensure that NTT's current and planned MSS capabilities will meet customers' region-specific and global requirements.
Orange Business Services
Headquartered in Paris, with offices in Atlanta and Singapore, Orange offers a broad range of telecommunications and cloud-based IT infrastructure services, security consulting and integration services, and MSSs. Orange MSSs are based on commercial SIEM technology for data collection, correlation and analysis, reporting, and log management, with self-developed technology for workflow. Three MSS SOCs are located in Europe, two in Asia/Pacific, one in North America and two in the Middle East/Africa regions. Advanced threat detection is provided by proprietary technologies as well as by commercial SIEM and network security products, with additional capabilities planned for 2014. Orange service customers and organizations seeking a large, global and stable Europe-focused and Asia/Pacific-focused MSS provider (MSSP) should consider Orange.
- Orange offers a broad range of network and IT services that can be bundled with MSSs.
- Orange is a large, stable service provider with long-standing MSS and security consulting experience.
- Orange has lagged several MSS competitors in the introduction of advanced attack detection and analytics offerings.
- Orange rarely appears on Gartner customer shortlists for MSS procurement, and in North America, Orange has very limited market visibility.
- MSS customers in North America often express a preference for a SOC in-region. Although Orange has a North American SOC, it is not staffed 24/7.
Symantec is headquartered in Mountain View, California, with MSS offices in Virginia, Singapore and Reading, U.K. Symantec offerings include security monitoring, security intelligence, messaging security services and a range of security products. Symantec's MSS architecture is based on self-developed technology for event and log collection, with a combination of self-developed and commercial technology for correlation, analytics and reporting. Ticketing/workflow and device management are based on commercial technology. Log query and browsing are enabled via self-developed technology. Symantec has one SOC in the U.S., one in the U.K. and two in Asia/Pacific, plus a new SOC in Japan. Log management services are delivered via Symantec log collection platform, are stored in Symantec SOCs and are available to customers via the MSS portal. A distinct service level offers advanced attack detection analytics. Enterprises seeking an established MSSP should consider using Symantec.
- Symantec has strong visibility in the MSS market. Gartner customers very often consider Symantec's MSS offerings in competitive evaluations.
- Symantec's Gartner customers generally offer positive reviews of Symantec's MSS delivery, and of the quality of their interactions with Symantec's SOC analysts.
- MSS customers indicate that the DeepSight threat feeds and intelligence reports are differentiators of Symantec's services.
- Prospective buyers should evaluate Symantec's optional enterprisewide pricing with realistic assumptions of the number of monitoring/log sources they can expect to incorporate into the scope of MSSs. Customer delays in bringing event sources into coverage will result in buyers paying for coverage that they are unable to receive.
- Symantec is rebuilding its security consulting capability. Prospective MSS customers should carefully evaluate whether Symantec's security consulting services will meet their needs, and whether they must engage with partner-led security services for service initiation and for ongoing project work throughout the course of the MSS relationship.
Trustwave is based in Chicago, with offices in London and Sydney. Trustwave has several security technologies — including SIEM, unified threat management (UTM), network access control, application security, Web application firewall (WAF) and Web security — and builds MSSs around those as well as third-party products. MSSs are based on Trustwave's SIEM technology for data collection, correlation, alerting and workflow. Security intelligence capabilities are provided by the Trustwave SpiderLabs group. Trustwave has three U.S.-based SOCs, one in Europe and one in Asia/Pacific. Targeted attack detection and advanced analytics capabilities are standard components of Trustwave MSSs, and they are delivered via three Trustwave activities: network monitoring, endpoint monitoring and managed WAF. Companies in the retail, healthcare and banking vertical industries — and others that are subject to PCI compliance — should consider Trustwave for MSSs.
- Trustwave has an extensive portfolio of security products and associated managed services that can be packaged as subscription-based solutions for customers with limited capital budgets and security resources.
- Trustwave remains a well-recognized provider of services and technologies to support PCI Data Security Standard (DSS) compliance.
- The Trustwave MSS portal provides extensive language support.
- Current customers and potential MSS buyers should continue to monitor Trustwave's ability to meet delivery and road map commitments as it navigates a possible initial public offering.
- Potential MSS customers should evaluate whether the split of compliance reporting capabilities between the MSS portal and the log management portal meets their operational requirements.
- The Trustwave MSS portal lags several competitors' portals in providing correlation of user activities with infrastructure events.
- Except for PCI monitoring engagements, Trustwave very rarely appears in MSS deals among Gartner customers.
Verizon is headquartered in Basking Ridge, New Jersey, with offices throughout the U.S., Europe, Latin America and Asia. Verizon offers MSSs and security consulting, as well as a broad range of telecommunications and infrastructure services. Verizon's MSS architecture is based on self-developed technologies for event collection, correlation and alerting, with commercial technologies for reporting and workflow. Log management services are based on a combination of self-developed and commercial technologies. Two SOCs are located in the U.S., two in Europe and two in Asia/Pacific. Verizon's Research, Investigations, Solutions, Knowledge (RISK) Team provides threat intelligence and malware detection signatures that support MSSs, and Verizon's breach response services inform MSS monitoring efforts. Targeted threat detection services are incorporated into the standard MSS delivery. They are based on commercial technologies, on Verizon's self-developed correlation and threat intelligence capabilities, and on network monitoring. A distinct advanced analytics service is available in the U.S. to governments and enterprises facing specific targeted threats. Enterprises should consider Verizon if they are looking for an established service provider that is capable of delivering a broad range of security services in multiple regions.
- Verizon's network-based capabilities enable MSS configuration that includes network-based and premises-based controls.
- Gartner customers often include Verizon in competitive MSS evaluations.
- Verizon's MSS receives generally positive reviews from Gartner customers for meeting their expectations for security expertise, and for effective security monitoring and alerting. Customers also indicate that Verizon's security expertise is a differentiator for MSSs.
- Verizon's MSS portal lacks the user activity correlation capabilities that are available from several competitors.
- Verizon's log management services currently lag those of its competitors. New capabilities are planned for 1Q14.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
NTT was added to this Magic Quadrant based on its acquisition of Solutionary, and on the prior acquisitions of Integralis (now NTT Com Security) and Dimension Data's earthwave. NTT's capabilities across these organizations meet the criteria for inclusion in the Magic Quadrant.
Orange Business Systems was added because it also meets the inclusion criteria.
Allstream, Bell Canada, CGI, Clone Systems, Nuspire Networks and Perimeter E-Security (now named SilverSky) were dropped from this Magic Quadrant because they do not meet the inclusion criteria for network devices and customers monitored/managed in Europe and Asia/Pacific.
Wipro was dropped because it does not meet the inclusion criteria for customers in Asia/Pacific or North America.
HCL Technologies was dropped because it is in the process of realigning its MSS capabilities and currently does not meet the inclusion criteria for this research.
SAIC was dropped because of its split into two companies, SAIC and Leidos, and because the MSS business of Leidos does not meet the inclusion criteria for customers in Asia/Pacific and Europe.
This Magic Quadrant expands the coverage from MSSPs in North America to include delivery capabilities in North America, Europe and Asia/Pacific. As a remote service, MSSs can be delivered via network connectivity to and from any locations with sufficient connectivity, and certainly MSSPs that have operations in one geographic region can support customers in other regions. Gartner sees a distinct preference among customers seeking MSSs to first consider MSSPs with a presence in their region. Among global enterprises, that includes a presence in multiple regions where the enterprises operate, in order to provide more "local" support — and also includes the MSSP's ability to keep some data in specific regions, provide local business hours, provide access to advanced support, and provide local language support, among other concerns. In addition, compliance with data residency and privacy regulations can be addressed in many cases with local operations centers.
This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS revenue.
The criteria include a threshold for the number of firewalls or IDP devices under monitoring or management, and a threshold for the number of MSS customers — both distributed across multiple regions. MSSs refer to remote management and monitoring of security technologies. Several large infrastructure outsourcing vendors offer other service delivery options (such as staff augmentation) in addition to MSSs, but we don't evaluate these other delivery options. Also excluded from this analysis are service providers that offer MSSs only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for third-party technologies.
Vendors must have:
- The ability to remotely monitor and/or manage firewalls, IDP devices from multiple vendors via discrete service offerings, and shared service delivery resources
- Firewalls/IDP devices under remote management or monitoring for external customers
- External customers with those devices under management or monitoring
- Reference accounts that are relevant to Gartner customers in the appropriate geographic regions
- A threshold of the number of customers as well as the number of firewalls and IDS/IPS devices in multiple geographies
- A threshold for MSS revenue of $20 million in 2012
- A SOC presence in multiple geographic regions
Inclusion thresholds for firewalls/IDP devices under MSSs are 225 in Asia/Pacific, 1,500 in Europe, 2,250 in North America and 25 in the rest of the world (ROW), in the following possible combinations:
- Asia/Pacific + Europe
- North America + ROW
- Asia/Pacific + North America
- Europe + North America
Inclusion thresholds for MSS clients are 45 in Asia/Pacific, 75 in Europe, 225 in North America and 10 in ROW, in the following possible combinations:
- Asia/Pacific + Europe
- North America + ROW
- Asia/Pacific + North America
- Europe + North America
- Service offerings that are available only to end users that buy other non-MSS services
- Services that monitor or manage only their own technology
- Services delivered by their own resources and dedicated to a single customer
Product or service refers to the service capabilities in areas such as event management and alerting, information and log management, incident management, workflow, reporting, and service levels.
Overall viability includes the organization's financial health, the financial and practical success of the overall company, and the likelihood that the business unit will continue to invest in the MSS offering.
Sales execution/pricing includes the service provider's success in the MSSP market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.
Market responsiveness/record evaluates the match of the MSS offering to the functional requirements stated by buyers at acquisition time. It also evaluates the MSSP's track record in delivering new functions when the market needs them.
Marketing execution is an evaluation of the service provider's ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.
Customer experience is an evaluation of the service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by conducting qualitative interviews of vendor-provided reference customers, as well as by feedback from Gartner customers that are using the MSSP's services, or have completed competitive evaluations of the MSSP's offerings.
Operations includes the MSSP's service delivery resources, such as infrastructure, staffing and operations reviews or certifications.
Source: Gartner (February 2014)
Market understanding involves the MSSP's ability to understand buyers' needs and to translate them into services. MSSPs that show the highest degree of market understanding are adapting to customer requirements for specific functional areas and service delivery options.
Marketing strategy refers to a clear, differentiated set of messages that is consistently communicated throughout the organization; is externalized through the website, advertising, customer programs and positioning statements; and is tailored to the specific client drivers and market conditions in the MSS market.
Sales strategy relates to the vendor's use of direct and indirect sales, marketing, service, and communications affiliates to extend the scope and depth of market reach.
Offering (product) strategy is the vendor's approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated.
Business model includes the process and success rate for developing features, innovations and service delivery capabilities.
Vertical/industry strategy and geographic strategy include the ability and commitment to service geographies and vertical markets.
Innovation refers to the service provider's strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements.
Source: Gartner (February 2014)
Each of the service providers in the Leaders quadrant has significant mind share among enterprises looking to buy an MSS as a discrete offering. These providers typically receive very positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring frequent interaction with the MSSP for analyst expertise and advice, for portal-based correlation and workflow support, and for flexible reporting options.
In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider's other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, it offers a "path of least resistance" to enterprises that need an MSSP and use the vendor's main services.
Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require frequent interaction with MSS analysts, flexible service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less market coverage and fewer resources or service options compared with vendors in the Leaders quadrant.
Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve.
Prospective MSS buyers with threat management use cases should highly weight MSSPs' threat research and security intelligence capabilities.
Current and prospective MSS users should require a proof of concept, or a demonstration of MSS offerings for advanced analytics and big data, to validate effectiveness and value.
Current and prospective MSS users should validate MSSPs' services that are related to monitoring or management of third-party technologies or their own technologies to address advanced attacks.
The MSS market is mature, and prospective customers have numerous options among MSSPs and the types of services offered. The primary drivers for MSSs have been consistent for several years: 24/7 threat management and meeting compliance requirements. These may be complemented by related drivers, such as the desire to redirect existing resources to other security areas, or the need to engage deeper or broader expertise than is available in-house. An emerging driver is support for the protection from and detection of targeted attacks through MSSP knowledge of the external threat environment, through insight gained from monitoring events from a broad and global customer base, through MSSP-based advanced analytics, or through MSSP monitoring of customer-deployed next-generation protection and detection capabilities.
The 2013-2014 Magic Quadrant for Global MSSPs reflects multiregional delivery requirements, and the MSSPs included in the evaluation meet the minimum thresholds for MSS business in two or more regions. MSSPs with multiregional business typically have a sufficient understanding of region-specific customer requirements, as well as sufficient service delivery capabilities that can scale to support global service delivery. Customers with a mix of global delivery requirements and local regulatory requirements related to, for example, data privacy, may require customized services.
MSSPs that do not meet the customer or device thresholds for inclusion in this Magic Quadrant may still deliver high-quality services within a region, and can typically deliver in multiple regions. When considering MSSs, Gartner customers should develop evaluation criteria that meet their specific requirements.
Gartner expects that growing enterprise experience with cloud-based infrastructure and applications delivered as a service, as well as accommodating the access of consumer technology to corporate systems, will result in greater acceptance of, and reliance on, cloud-based security-as-a-service offerings.
In 2013, the global market for security outsourcing was $12 billion, with a forecast compound annual growth rate of 15.4% through 2017.
Growth in enterprise demand for MSSs is driven primarily by four factors:
- Security staffing and budget constraints: Gartner sees continued expectations to reduce operational costs and capital expenditures, and to avoid staffing increases related to the monitoring and management of mature security technologies, such as IDSs and firewalls. At the same time, increased monitoring of infrastructure logs, as well as privileged and application user activity and next-generation technologies, requires tool and analytical expertise that will be difficult for many organizations to supply in-house.
- Evolving compliance reporting requirements: This involves the evolution of existing compliance requirements, and of corporate governance policies that create a secondary effect of stronger requirements for incident monitoring, identification, and response internally and among business partners. As formal compliance regimes evolve or audit/enforcement activity increases, organizations consider external service providers to reduce the costs of meeting compliance requirements. PCI DSS remains an important driver; also, Gartner is starting to see the U.S. Federal Information Security Management Act's (FISMA's) continuous monitoring requirements become an increasing factor for U.S. government agencies, for commercial firms that sell to the U.S. government, and for organizations funded by government grants, such as universities.
- Adoption of security technologies and analytic tools focused on advanced attacks: As enterprises gain experience with technologies to analyze networks, payloads and endpoints for advanced attacks, they will look for opportunities to focus internal resources on prevention and response activities, and to augment those activities with external expertise to monitor and manage the technologies.
- Increased availability and adoption of cloud-based IT services: Increasing use of cloud-based IT services will drive security controls into those services, and will also lead to greater acceptance and adoption of cloud-based security services for controls that are best suited for cloud-based delivery. Gartner expects significant security outsourcing growth in areas adjacent to MSSs, such as secure Web gateways, email security, and identity and access management.
MSS growth can also be constrained by a few factors:
- Enterprise deployment of SIEM technology to provide in-house alerting and log analysis: MSSPs typically lack deep insight into the customer IT and business environment; thus, they are less able to determine whether events involving users, administrators, internal applications and data are inappropriate or unacceptable. Wherever enterprises want close monitoring of internal activities, they may opt to do it themselves. Some organizations monitor internal activities and also use an MSSP for external/perimeter monitoring. Such an arrangement still constrains the growth of MSSs in those organizations.
- Core competency: Organizations that provide security technology or services, or position their technology or services as secure, are likely to forgo outsourced security monitoring. Where security is a value proposition and a core competence, outsourcing security may not be an effective option.
- Change in strategy to reduce outsourcing: At the enterprise level or within the security organization, a change in strategy regarding the use of external services can mean that MSSs are not considered effective options.
The services that are core to MSS offerings involve the monitoring of perimeter network security technologies:
- Multifunction firewalls/UTM services
- Next-generation firewalls
In addition to monitoring, many MSSPs have management services for those technologies. It is increasingly common for MSSPs to also provide monitoring and log collection from IT infrastructure such as servers, user directories and applications.
Among organizations that have deployed SIEM technology, Gartner sees increasing interest for services to monitor or run the SIEM. Several MSSPs have offerings to support customer-deployed SIEM.
MSSPs may also provide cloud or SaaS-based services, including:
- DDoS protection
- Email security
- Web filtering
- Vulnerability scanning
- Network-based firewall/IDP
MSSPs offer cloud services directly or via partnerships with other service providers. The degree of integration of partner-delivered services with MSSP services varies from little more than purchasing convenience to integration of partner data and management functionality into the MSSP's portal. Deeper integration can provide operational and vendor management advantages, but may reduce the ability to "swap out" one cloud-based service for another.
Buyers should take into consideration the degree of integration of any partner-delivered services with the MSSP's offering, as well as the potential for affecting training, operational efficiency and end-of-contract switching costs.
Several MSSPs have created research groups to improve their understanding of the threat landscape — that is, the identities, motives, targets and techniques of attackers. MSSPs use their findings to support their security operations analysts; they may also provide customers with subscription-based access to this research, or offer customers project-based access to the group for analysis/reverse engineering of malware. Potential customers of threat intelligence feeds from MSSPs should require proof-of-concept access to evaluate the relevance of the information, as well as their ability to consume and act on it.
Many MSSPs claim capabilities to assist their customers in addressing advanced targeted attacks. These capabilities may be visible as discrete service offerings or options, or as features embedded in existing offerings. They may include, for example:
- Correlation of alerts with IP reputation or known bad addresses
- Comparison of alerts, activity patterns or state (such as device configuration, registry and so on) to those of known attacks
- Analysis of activity patterns (across an MSS customer base as well as within the customer environment) to identify outliers, exceptions or deviations from baselines
These offerings are now primarily based on the security events monitored by the MSSPs; however, we expect that several MSSPs will introduce distinct service offerings to acquire, retain and analyze large volumes of customer data — so called "security big data" — from IT infrastructure and other sources. Gartner recommends that customers require a limited pilot or proof of concept to identify specific areas where relevant, actionable intelligence results from the collection and analysis of the data, and to identify the service levels required. Based on feedback from Gartner customers, early adopters should plan for the inclusion of relevant domain experts who are typically outside the security group, such as line-of-business owners and application owners.
Most MSSPs also offer incident response capabilities to assist customers with investigation and remediation activities in the event of a breach. These services are typically available on a consulting basis. Prospective customers should confirm with MSS candidates how much response support is available within the context of the standard monitoring services, and when a consulting engagement is required. If the MSSP offers packaged or prepaid hours for incident response activities, then customers should ensure that those hours are available for other security services if they are not needed for incident response.
The typical pricing model for MSSs is based on the type and size of the security technology to be monitored for customer-premises-equipment-based devices, or on the bandwidth or number of users/endpoints for network-based controls. Log collection is typically priced by the number and types of sources, or on events per time period (device count pricing includes implicit expectations of event volumes). There is typically a clear distinction between technology that is monitored in real time, and subject to alerting service-level agreements (SLAs), and technology that is not — that is, where logs are collected and subject to reporting or querying, but not to real-time correlation and analyst review. Device management pricing is typically based on the number of configuration changes to be performed within a period of time.
During 2014, Gartner expects the trend for common services, such as firewall and IDP monitoring and management, to decline slightly. Price pressure is coming from new sources for these services, such as from the technology providers themselves, from other MSSPs and from continued corporate efforts to reduce IT budgets. In response, MSSPs have introduced new services to monitor and manage advanced threat detection technologies. MSSPs will continue trying to expand the number of devices and data sources to monitor, and will differentiate monitoring based on the availability of additional external intelligence feeds and analysis (such as reputation data, blacklists, behavioral data and cross-customer activity) that can be correlated with data from customers' monitored devices.
The basic makeup of the MSSP vendor space has not changed fundamentally. There are three major types of MSSPs:
- Pure plays: These are generally smaller, privately held MSSPs that are completely focused on security services. As seen in 2013, pure-play MSSPs will continue to be acquired by larger service or IT infrastructure firms that seek to provide MSSs. New pure-play security service providers often focus on specific vertical markets or regulatory requirements, or on specific analytic services (such as user activity) or advanced threat detection technologies.
- System integrators/business process outsourcers: These are broad IT service providers that typically manage security devices as part of larger outsourcing deals. Where the integrator or outsourcer acquired a pure-play MSSP and maintained a discrete MSS delivery capability, these providers often compete for MSS-only deals.
- Carriers and network service providers: These are bandwidth and connectivity providers that manage network security products. They often provide remote monitoring, premises-based technologies and cloud-based services through their Internet connections.
This Magic Quadrant reflects the requirements of customers that seek MSSPs with a global presence and global delivery capabilities. The vendors that meet those requirements fall into the latter two types of MSSPs.
In general, the MSS portfolios of these providers look broadly similar. Customer satisfaction with services can be strongly related to customer expectations. Customers occasionally report dissatisfaction related to objectively poor performance, including missed SLAs. However, it is more common for dissatisfied customers to express disappointment related to subjective criteria that may never have been made explicit to prospective providers, or to the MSSP selected.
Gartner customers using MSSPs express differing expectations regarding their type of relationship with MSSPs. Expectations may range from frequent interactions and knowledge sharing among the customer security staff and MSSP staff, to almost no interactions beyond the provision of periodic reports of monitoring activity. Gartner recommends that prospective MSS buyers develop explicit requirements for service delivery. MSSPs' responses to these requirements (including via demonstrations, proofs of concept and the like) will enable customers to discern distinct differences among the MSSPs.
Buyers should define expectations for the degree and quality of interaction with the MSSP's SOC analysts, the features of the MSSP's portal that will support the customer's use cases, reporting for operational and management reporting, the depth of threat and security intelligence offerings, support for specific compliance requirements, and the MSSP's professional services capabilities. Prospective buyers that evaluate MSSPs within the context of specific requirements will find that the providers that best fit those requirements may come from any segment of the Magic Quadrant.
Not included in this Magic Quadrant analysis are smaller, regional or subregional providers, which can include small pure plays and larger providers that do not have enough MSS business in multiple regions to meet the inclusion criteria. Also excluded from this analysis are service providers that provide MSSs only for their own technology, and that do not deliver services for commercial technology.
The adoption of managed security services in Asia/Pacific continues to grow, with most global vendors in the 2014 MSSP Magic Quadrant facing strong competition from regional MSSPs. Depth and breadth of services and language support vary widely, giving clients choice from many services and prices.
This document was revised on 2 September 2014. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
The managed security service (MSS) market is estimated to be $13.8 billion globally and $3.6 billion for Asia/Pacific in 2014, which is 26% of the global market. As a result, this particular service offering is one of the more heavily contested IT services in the market today. Depth and breadth of services, along with country and language support, vary widely within the large Asia/Pacific (APAC) region, giving clients a range of services and prices from which to choose.
The APAC region is highly diverse in terms of geography, culture and economics. This diversity has led to considerable opportunities for regional MSS providers (MSSPs) that have invested in coverage and offerings leveraging these variables to differentiate their services. Global MSSPs based outside of APAC are using their scale and brand awareness to compete in this market off the backs of existing global clients that have an APAC presence. As a result, an increasing number of both regional and global providers are continuing to develop and invest in the MSSP market in APAC.
Due to the increasing importance of enterprise information security to businesses, Gartner anticipates a steady growth and continuing maturity of the MSS market in APAC.
At a high level, there are two "classes" of MSSPs in the context of this report:
- MSSPs with a primarily APAC-focused staff and client base
- Global MSSPs targeting the APAC market, but with a small base of existing local customers
Clients in Asia/Pacific continue to express a preference for providers with a security operations center (SOC) and "feet on the street" in the region. This preference has aided the growth of local providers with a more tailored approach that takes into account regional nuances. In response, multinational providers have invested in the region — building SOCs and acquiring personnel — which is diluting geography as a competitive differentiator. Migrating from internal management of security infrastructure to an MSSP model is a complex process. The hurdles encountered often have nothing to do with technology, but much to do with industry vertical considerations (for example, data sovereignty perceptions and legislative mandates), IT organization preferences, and internal social or political issues.
Gartner clients indicate that they choose MSSP providers, based on a combination of general requirements, and are influenced by local presence. In particular, APAC clients are focusing on the following:
- SOC location within APAC
- SOC staffing levels with in-region availability
- Vendor market perception and sales visibility in APAC
- Existing relationship with the vendor
- Customer service within local time zones
- Ability to deliver ancillary services with qualified local personnel
Vendors included in this Magic Quadrant Perspective have customers that are successfully using their products and services. Selections are based on analyst opinion and references that validate IT provider claims; however, this is not an exhaustive list or analysis of vendors in this market. Use this perspective as a resource for evaluations, but explore the market further to gauge the ability of each vendor to address your unique business problems and technical concerns. Consider this research as part of your due diligence and in conjunction with discussions with Gartner analysts and other resources.
AT&T has a smaller MSSP presence in APAC, compared with its market share in Europe and the U.S. The majority of AT&T's devices under management are with multinational corporations headquartered outside of the region and needing consistent MSSP delivery and a single-vendor relationship. AT&T also leverages its overall range of telecommunications services, such as voice, video, data, ISP and distributed denial of service (DDoS), where MSSP is but one option in its portfolio for a client to consider.
AT&T can be considered by clients that are already using its carrier and other services, or have a large distributed office network globally or in APAC.
AT&T has eight SOCs: three in the U.S., one in Malaysia, two in India, one in South America, and one in Eastern Europe. In total, AT&T has 2,000 employees in SOC engineering, sales and other roles globally.
BT takes its MSS to market with the name "BT Assure." It has an APAC footprint via its two dedicated SOCs, two customer-specific SOCs and its regionally focused specialist sales staff. BT's local offerings include monitoring and management of on-premises devices, as well as network controls as part of larger telecommunications and service offerings. BT is increasing its security business unit sales and presales teams to provide better coverage in the region. BT's APAC footprint lags behind that of EMEA and the U.S.
It has also invested in a heavily customized back-end "data pond" that is based on Hadoop. This allows for its attractive client portal to be an effective tool for end users. Additionally, it enables BT security analysts to develop sophisticated correlation rules that can operate over significant datasets.
BT Assure can be considered by large and smaller organizations alike due to its experience as an MSSP and the ease of use of its client portal.
BT Assure has four SOCs: one in Australia, one in Singapore and two in India. In total, BT has 235 employees in SOC engineering, sales and other roles in APAC.
Dell SecureWorks has continued to show growth in its global MSSP business and services offered since its acquisition in 2011. Dell's acquisitions of SecureWorks and SonicWALL clearly show its intention to compete and win share in the security market. SecureWorks offers a large range of MSSP and complementary specialist security services centered around intelligence, consulting, compliance and incident response.
A majority of its back end is based on internally developed technology for log and alert collection, correlation and analysis. On-premises-based log retention and reporting are delivered via commercial technology. SecureWorks has not had the same levels of market penetration in the APAC geography that it has seen with its U.S. and European operations, to date. This is likely due to less brand recognition, lack of a specific APAC focus, and strong competition from other global and regional MSSPs.
Dell SecureWorks should be considered by global organizations with a footprint in APAC and by organizations that value expertise in threat research and intelligence.
Dell SecureWorks has nine SOCs in the U.S., Scotland, Romania, India and Mexico. In total, Dell SecureWorks has 240 employees in SOC engineering, sales and other roles in APAC.
e-Cop is headquartered in Singapore with other regional offices. It has a leading amount of SOCs and other processing facilities in the APAC, dwarfing the footprint of the majority of global MSSPs that operate in the APAC geography. e-Cop's ability to deliver SOCs in multiple countries has made it an attractive alternative for clients such as regional governments and finance and health verticals, where local staff and data sovereignty are both perceived and legislative imperatives for clients. Its clients have historically been loyal and consistently rate e-Cop's services as good to excellent (see "MarketScope for Managed Security Services in Asia/Pacific, 2012").
Due to its extensive geographical coverage, range of security services and competitive pricing, e-Cop should be considered for any APAC-centered midsize enterprise.
e-Cop has eight SOCs in Singapore, Malaysia, Hong Kong, Thailand and India. In total, e-Cop has more than 200 employees in SOC engineering, sales and other roles in APAC.
Headquartered in India, HCL offers a large range of MSS offerings and a broad range of IT consulting, system integration and outsourcing services. HCL has expanded its customer portfolio outside of its historical client base in India. However, based on a recent inquiry, few end-user organizations in Southeast Asia or Australia indicate they include HCL on their shortlists for MSS. The company has sales personnel throughout APAC and is now in 31 countries with over 90,000 employees. Previous client reviews of HCL are generally good.
HCL should be considered by APAC-centric businesses, large and small, with a broad range of consulting and infrastructure management requirements, including risk and security management.
HCL did not provide details on SOC locations and staffing for this research.
HP is a large provider of a broad range of security consulting and traditional and on-premises-based MSS offerings. HP continues to build out a pure-play MSS as well as a large enterprise outsourcing business that can both manage and monitor security technology. The HP MSS is growing but should not be confused with its outsourcing business. HP MSS is part of the HP Enterprise Security practice and leverages specialized security personnel for regional go-to-market execution.
HP has good APAC coverage, in addition to a new SOC opening in Sydney, Australia, and an attractive client portal. HP should be considered by large organizations that seek a mix of infrastructure, outsourcing and software, and need a sizable strategic IT partner.
HP has eight SOCs globally, and is in three APAC locations in Australia, Malaysia and India. HP did not disclose its MSS APAC staffing levels.
IBM acquired, via Internet Security Systems (ISS), a market-leading APAC MSSP business. It offers a full range of MSSP services, along with extensive consulting and integration services that can be consumed as stand-alone or as part of a larger outsourcing arrangement. IBM uses internally developed technology for data collection, correlation, log query and reporting. The Q1 Labs acquisition further extends IBM's ability to provide on-premises security information and event management (SIEM), as well as its traditional hosted log management solution.
IBM should be considered for its MSSP services where the enterprise has global service delivery requirements; large outsourcing deals; strategic relationships with IBM; and finally, a preference for APAC-located SOC delivery capabilities.
IBM has three SOCs in Australia, Japan and India. IBM did not disclose its MSS APAC staffing levels.
Network Box is a Hong Kong-headquartered MSSP that operates a franchise business model. The company licenses independently owned and operated SOCs that are primarily based in APAC, and has a significant number of customers and devices under management. Network Box takes a vertically integrated approach featuring patented push technology. It provides a standardized hardware or virtual appliance, and develops and controls software and services to deliver its MSS offering without using third-party security technology, with the exception being an OEM arrangement with Kaspersky Lab for malware detection. This is a relatively unique approach in the MSSP market — a franchise model that implements a vertically integrated offering. It does not offer a broad range of managed security services, however — for example, no log management and limited vulnerability assessment are available. Network Box is primarily focused on managing its own technology at this time. In addition, customers that need unified monitoring across franchised SOCs will receive that service via event forwarding to and problem management from the Hong Kong SOC.
Network Box can be considered by small to midsize enterprises throughout APAC where having branded security appliances is not a primary buying factor, and where the enterprise is looking to address gateway network security as the MSS use case.
Network Box owns and operates the primary SOCs in Hong Kong, and franchise licensees own and operate 16 SOCs in the U.S., the U.K., Germany, Dubai, Thailand, Taiwan, China, Singapore, South Korea, Japan, Malaysia, Indonesia, Australia and New Zealand. There are also unstaffed processing locations in the same geographies. In total, Network Box directly employs 60 people in SOC engineering, sales and other roles in Hong Kong. Franchisees staff their own SOCs.
NTT has, through acquisitions, three MSSP businesses servicing APAC: Integralis (now called NTT Com Security), Solutionary and earthwave (via Dimension Data, itself an acquisition of NTT). All three of these MSSP acquisitions were well-regarded and competitive in their own right in different geographies. NTT now has three MSSP "brands" all offering the same "service" in the APAC market. Individually, all three are credible MSSPs with sizable numbers of clients and devices under management. At this time, they are separate MSS offerings that will be merged partially (MSS back-end processing, for example) or fully at some point in the future.
Clients with a majority of offices in the U.S. looking for APAC MSS coverage should consider NTT's U.S. offering (Solutionary). Meanwhile, clients that are based primarily in Europe with APAC branches or have a Japan-specific footprint should consider NTT Com Security (formerly Integralis).
All other APAC-centric clients should focus on Dimension Data, as this is the largest of NTT's security practices in the region. Dimension Data's client portal is currently a leader in the APAC market. It also has a significant system integration business covering consulting, cloud, integration, outsourcing and maintenance that is leveraged to cross-sell its well-regarded MSSP service.
NTT has nine SOCs in Australia, New Zealand, Singapore, Malaysia, India and Japan — and seven unstaffed processing locations in Japan, Hong Kong, Singapore, Thailand, Malaysia and Australia. In total, NTT has 420 employees in SOC engineering, sales and other roles in APAC.
Paladion is a pure-play service provider in the APAC region, headquartered from India, with footprints in the U.S., Europe and the Middle East. Paladion offers a wide range of IT governance, analytics, fraud management, security and compliance assessment, data protection, identity and access management (IAM), and cloud and mobile security services, in addition to its MSSP offering. With three SOCs in the region, it also offers the ability to build SOCs for clients, as well as deliver traditional MSSP offerings. Historically, Paladion customers have rated its services as good to excellent, and it is a steadily growing business unit within Paladion, growing at double digits.
For organizations that have a large footprint in India and stretch out into APAC, Paladion can offer a range of services at very competitive price points.
Paladion has four SOCs: two in India, one in Malaysia and one in Vietnam. It also has two unstaffed processing locations in the U.S. and United Arab Emirates. In total, Paladion has 295 employees in SOC engineering, sales and other roles in APAC.
Symantec has local APAC language availability, a visually attractive client portal, mature staffing and training models, and a global reach.
Some APAC clients may find this offering suboptimal, because all data resides in the U.S., and some technology management capabilities like firewalls are being depreciated in favor of analytics. While its APAC business is growing, there is a delta in the size of Symantec's devices under management in North America versus APAC that is behind the market average.
Symantec appears regularly on shortlists and can be considered by large APAC organizations or global organizations with a footprint in APAC. Symantec has three SOCs in India, Australia and Japan. In total, Symantec has 395 employees in SOC engineering, sales and other roles in APAC.
Tata Communications is a large telecommunications provider that is headquartered out of India, has a global presence and offers a good range of services in the market. These include on-premises DDoS, proxy, clean pipe, secure extranet, authentication, SIEM, next-generation firewall (NGFW), unified threat management (UTM), intrusion prevention system (IPS), Web application firewall (WAF) and data loss prevention (DLP). While its MSS is a direct offering, it is also taken to market as an adjunct to its primary offerings around hosting, data and voice products.
Tata Communications is rarely seen on Gartner shortlists outside of India, and competitors also infrequently list Tata Communications as a competitor. At this time, its primary client base is APAC only. It offers a competitive range of services that includes some cloud coverage for virtual firewalls or UTM, and a competitive and useful client access portal. Its MSS is also supplemented by professional security services.
Tata Communications can be considered by clients who have an existing relationship with Tata Communications, are headquartered in India with an APAC focus, or have price sensitivity as a primary driver in their MSS requirements.
Tata Communications has two staffed SOCs: India and Singapore. It also has four unstaffed processing locations in India, Hong Kong and Singapore. In total, Tata Communications has 40 employees in SOC engineering, sales and other roles in APAC.
Telstra is Australia's largest telecommunications provider that offers a large number of adjacent services to its core offerings, including MSS. It previously had a partnership with IBM to deliver some MSS and is now slowly transitioning these clients over to its own internal business unit. It also offers consulting services to complement its offerings.
Being the largest telecommunications provider in Australia, it also has a strong DDoS offering, which complements its strength as an ISP. Compared with other APAC-centric MSSPs, Telstra has a credible number of clients and devices under management — however, its clients are almost exclusively within the Australian market. Telstra has also announced its intention to expand throughout the region, including its security practice, of which MSS is a part.
Telstra should primarily be considered for Australia-centric businesses that are using Telstra's services already, or for businesses that are primarily based in Australia.
Telstra does not regularly appear on shortlists of Gartner's APAC clients. Telstra has two SOCs in Australia. In total, Telstra has 395 employees in SOC engineering, sales and other roles in APAC.
Verizon's APAC business does not have the same level of penetration as its U.S. and EMEA operations have achieved. It offers the capability to support management of on-premises SIEM, as well as traditional MSSP "off-premises" management via a very functional client Web portal. Verizon has a respected research and investigation team that complements its MSSP operation. Clients benefit from this by receiving Verizon threat intelligence data. Additionally, Verizon can offer DDoS services to its ISP clients.
Organizations that require global coverage, a range of MSS offerings and strong specialist security services like incident response should consider Verizon. In addition to four security processing locations in North America and Europe, Verizon has one SOC in APAC located in Canberra, Australia. In total, Verizon has more than 500 employees in SOC engineering, sales and other roles in APAC.
Wipro delivers a broad range of IT services around the globe. Its APAC MSSP client base and number of devices under management, while substantial, are smaller than its client bases in the U.S. and EMEA, respectively. Customers have rated Wipro's services as very good. Wipro regularly appears on shortlists throughout the region, especially in the Indian subcontinent. Wipro's strength in system integration and consulting has produced a sound project-managed onboarding process.
An ideal client for Wipro is an organization that requires a broad range of consulting, system integration and project management services either in a single country or throughout larger geographies.
Wipro has eight SOCs: two in the U.S., one in Europe, four in India and one in Malaysia. It also has five unstaffed processing locations in Germany, and two each in the U.S. and India. In total, Wipro has 500 employees in SOC engineering, sales and other roles in APAC.
Note: This perspective was added to this Magic Quadrant on 25 July 2014 as a planned enhancement to the reading experience. The perspective was originally published on 2 July 2014 as a separate document. This content contains no new information from when it was originally published.
National champions, niche players and regional operations of global providers characterize the European market. The ability to fulfill local data residency requirements is the main factor that differentiates them.
The managed security service (MSS) market in Europe is stable, but complex. Different types of providers compete, and are often compared against one another on customer shortlists:
- Global providers emphasize their broad geographic reach, which sometimes encompasses merely several countries rather than the globe, and their footprint in Europe varies.
- In the largest countries — Germany, France, the U.K. and Spain — providers that dominate the telecommunications market also push their security service offerings. This is most successful for network-based services.
- Some markets — in particular, Germany — consist of a large number of midsize companies in sectors like manufacturing. Although many of them are world leaders in their particular markets, they are still often run as private or even family businesses where trust, long-term commitment and established relationships are important. This nourishes an ecosystem of IT vendors and providers, including providers of MSS.
- A few providers have carved out a niche with a particular type of security service — mostly around vulnerability scanning, penetration testing, threat intelligence and forensics — and offer this service across multiple European countries.
Recent and ongoing headlines about the U.S. National Security Agency and the potential use of governmental investigational powers under the USA Patriot Act have reinforced the data protection concerns of European MSS clients. These concerns tend to inhibit adoption among customers considering MSS offerings from U.S. companies. Even if the security information does not directly include confidential corporate information, it is considered sensitive enough to trigger an additional risk analysis — thus playing in favor of providers from Europe, with a detailed understanding of European data residency requirements and with European data centers.
The market for MSS in Europe is mature — in 2014, Gartner predicts a revenue growth of about 14%. However, this revenue growth comes largely from an existing client base. Most vendors in the European market for MSS experienced only a small growth in the number of customers in 2013, while some reported a net loss of customers.
The motivation to use an MSS provider (MSSP) and the specific functional requirements of large European customers are not much different from those of North American customers. It's usually a lack of internal resources, a gap in security skills, or simply the company's strategy to focus on core business functions that drive European companies to engage an MSSP. In recent years, companies are also concerned about their inability to address external attacks and undetected corporate espionage, manage an ever-larger amount of security log information, and show the value of costly security services to business management. This is reflected in the choice of security services — such as external security monitoring, vulnerability scanning, penetration testing and threat intelligence — in addition to the classic network security services.
Concerns about not being able to defend against corporate espionage are common in Europe but so also is the fear that engaging a foreign provider creates additional potential for information leakage. This has somewhat inhibited growth in Europe and driven potential customers to carefully evaluate capabilities of providers that focus on Europe in terms of data residency, meeting privacy requirements and complying with local government standards (see also "The Snowden Effect: Data Location Matters").
Three major elements differentiate the market in Europe from the market in the U.S. (and to some extent, the Asia/Pacific market):
- Trust — Above and beyond functional capabilities, support for new and innovative technology, efficient operations of currently deployed technology, and a competitive price, the relationship with the provider is what determines the outcome of a prospective deal. This plays in favor of providers with a local presence, small providers with an existing relationship, or established vendors that also offer telecommunications or outsourcing services, in conjunction with reputation and brand name.
- Language — Most IT departments will be satisfied with English language portals and operational support in English. However, creating and maintaining a trust relationship with business stakeholders and decision makers is most effective if the provider staff can communicate in the local language, understand regulatory concerns and address relationship issues directly. Some European customers, especially governments or local authorities, may even stipulate localized language support as a requirement.
- Residency — Requirements vary by country and industry, and concerns raised during an RFP do not always translate into extra spending for local storage. European customers are aware that global threat visibility requires global data sharing. The solution is often to filter or aggregate sensitive data in-country or on-premises. Details are explained in the descriptions of many providers in the section below.
For additional considerations on technology and service selection, see the corresponding sections in "Magic Quadrant for Global MSSPs."
Vendors included in this Magic Quadrant Perspective have customers that are successfully using their products and services. Selections are based on analyst opinion and references that validate IT provider claims; however, this is not an exhaustive list or analysis of vendors in this market. Use this perspective as a resource for evaluations, but explore the market further to gauge the ability of each vendor to address your unique business problems and technical concerns. Consider this research as part of your due diligence and in conjunction with discussions with Gartner analysts and other resources.
Gartner is aware of more than 70 providers of security services in Europe. Many of them thrive in a particular niche, such as an industry segment, country or region, or they offer a subset of security services:
- Atos is a global provider of MSS with a strong presence in Europe, being born out of a merger with Siemens IT Solutions and Services. It operates three global security operations centers (SOCs) in North America, Europe and Asia/Pacific, supported by more than 10 regional SOCs in Europe. Atos offers strong security consulting and system integration services as well.
- Telefónica, headquartered in Spain, offers an almost complete portfolio of security services in Europe, with a focus on network security services and log management. It has SOCs in Spain and in the U.K., and additional security capabilities in Germany.
- T-Systems is the IT services subsidiary of Deutsche Telekom. It offers a full range of MSS from seven shared or dedicated SOCs in Germany, Hungary and Slovakia, as well as identity and access management (IAM), often integrated with IT services and communications services.
- HCL Technologies and Wipro are India-headquartered global IT services companies that serve the European market in multiple countries with a mix of on-site staff and offshore SOCs, providing security services integrated with IT outsourcing.
- Open Systems AG is based in Switzerland, but has international SOCs and offerings. It provides a variety of managed services, including network device management and monitoring, and managed IAM.
- Mnemonic from Norway offers standard MSS and security monitoring, combined with threat intelligence delivered from its own platform.
- Above Security, headquartered in Canada, acquired SecureIT, a security firm based in Switzerland. Services include incident response management, intrusion prevention, log and event monitoring and correlation, and vulnerability assessments. Its emphasis on risk management resonates with a business-level audience.
- Unisys is a provider with customers and SOCs in all regions, including Europe, offering MSS as well as stealth VPNs.
- Accumuli Security in the U.K., formerly known as Boxing Orange, offers network security, log management and security analytics. Other U.K. MSSPs are Caretower, ITC Secure Networking, SecureData, BAE Systems Applied Intelligence and Khipu Networks.
- MSS GmbH is an MSSP from Germany with customers in Europe and beyond. Computacenter is active in Germany as well as in the U.K., providing IT infrastructure and security management. Other providers from Germany are Electronic Service Center (ESC) and SSP Europe.
- Kahuna and Onsight are two providers that serve the Dutch market with managed security services and solutions.
There are many more providers in Europe, usually with a geographic or topical focus, such as the following groups:
- MSSPs with a national focus are Sentor (Sweden), United Security Providers (Switzerland), S2 Grupo (Spain) and the French telecommunications operator SFR Business Team.
- European providers that offer MSS in conjunction with IT or communications services are Level 3 Communications, Network Box, Getronics and Steria.
- Several providers offer a range of security services, often including MSS, with an industry sector expertise that differentiates them from the rest of the market — for example, QinetiQ, Cassidian, Thales (all defense security), Sogeti (a Capgemini subsidiary — process control network security) and Kudelski Security (media and broadcasting security, expanding into other industries).
- The following European providers offer a specific subset of security services: Fox-IT (Netherlands — threat detection and intelligence, and forensic response), Outpost24 (Sweden — vulnerability management), Integrity (Portugal — persistent penetration testing called Keep-It-Secure-24), Spamina (Spain — email security), Secucloud (Germany — cloud security systems), Retarus (Germany — email security) and Nixu Software (Finland — vulnerability management).
The following providers were all rated in the global MSSP Magic Quadrant. This means they also have a substantial client base in Europe, which was part of the Magic Quadrant's inclusion criteria.
AT&T deploys a globally consistent delivery model in North America, Europe and elsewhere, regardless of which country the services are provided in or from. There are no regional differences outside of legal requirements for delivery in certain countries (where AT&T subcontracts with a local integrator to implement changes if necessary). AT&T delivers security services that are mostly network-based, such as firewall management, intrusion detection and Web application firewalls, although AT&T supports premises-based business as well.
BT has a strong business in Europe, where two-thirds of its customers are based — typically, enterprises. It operates eight SOCs in Europe alone, including satellite SOCs in major European cities, staffed to varying degrees. BT covers the whole range of security services as defined in the Magic Quadrant. The U.K. and France BT Assure Threat Monitoring instances are separate from the U.S. or global instances for servicing customers who are subject to EMEA data protection regulations. BT has security showcase and demonstration facilities at the BT Centre in London and is looking for new local talent with its U.K. Cyber Security Challenge. BT provides comprehensive MSS to U.K. government entities up to and including Business Impact Level 6 (IL6).
CSC has dozens of customers across Europe, predominantly in the U.K., Ireland and Scandinavia. Services in Europe focus on monitoring firewalls and operating log management solutions. Its two European SOCs are in the U.K., and one of them supports government clients.
CSC's strategy is to have a global logical SOC with multiple connected SOCs in most world regions. Security incidents discovered anywhere in the world are immediately made available to all SOCs. However, global threat information is carefully examined to ensure it is in compliance with regulatory and legislative mandates before it is shared with other SOCs. This may create a local instance that is kept only in a geography where intelligence sharing outside of that boundary is prohibited by law. For instance, IP addresses in Germany are kept in that locale.
Dell SecureWorks is active in all regions of Europe, including the U.K., Ireland, France, Germany, Nordics, Benelux and the Middle East, offering a nearly complete portfolio of security services. One of seven global SOCs is located in the U.K. Dell SecureWorks maintains a separate MSS delivery platform in Europe for customers requiring local data storage. However, according to Dell SecureWorks, a majority of its European customers find it acceptable to use the U.S. delivery platform, which means its infrastructure is remotely managed with data storage in the U.S. Also, a Hadoop cluster that stores all log results and enables fast correlation and full search is a global capability, although it does support variations in event collection policies to support local data privacy mandates, removing sensitive data from the log streams.
Dell SecureWorks uses a direct sales model for its primary markets; however, Dell SecureWorks leverages its Dell counterparts and its channel partners to provide additional coverage in Europe.
HP is a global provider of IT and security services with significant growth in Europe, supported by its enterprisewide (rather than infrastructure-focused) approach to risk management. It offers a whole range of security services, with a focus on endpoint protection, data loss prevention, vulnerability scanning, network security devices, and security information and event management (SIEM).
HP is able to monitor and manage security infrastructure across all world regions, with global visibility and yet a localized response. This is implemented with a two-tier SOC strategy, where regional or sector-specific SOCs (which are operational in the U.K., Spain and Bulgaria and planned for Germany) address areas with high regulation or compliance requirements, heavily concentrated user demand, and high-threat areas requiring a rapid response.
IBM is a global MSSP that has strengthened its European delivery teams to meet local market requirements. IBM has its SOC in Belgium and has now added an SOC in Poland and a partnership in Riyadh, Saudi Arabia. It focuses on IT transformation projects, data center transformation, mobility, data residency concerns and cloud as general acceptance for outsourcing continues to grow. European staff members work as liaisons with the worldwide delivery and SOC teams.
In several industries such as financial services, retail and healthcare, IBM focuses on France, Germany, Italy and the U.K. The MSS customer portal is fully localized in French, German, Italian, Portuguese and Spanish. In Europe, IBM has long-standing partnerships with BT and Sita. In terms of number of customers, EMEA is the third-most-important region for IBM.
As part of NTT, which also includes Dimension Data and Solutionary, NTT Com Security is a global provider of MSS under its WideAngle brand and is the largest of NTT's security practices in the European region. NTT Com Security was formed from a number of Europe-based acquisitions in recent years, including Integralis and Secode, and operates SOCs in Norway, Sweden, the U.K. and Germany, with a specific European customer focus on the U.K., Ireland, German-speaking countries, Nordics and France.
The portfolio in Europe includes managed and professional services for firewalls, unified threat management (UTM) and network intrusion prevention — as well as endpoint protection, SIEM and log management, Web and message gateways, and vulnerability scanning. Data is stored in regional data centers, which are multitenanted. Data is captured on-site and is then centralized for customer and engineer reporting and management.
Orange Business Services (OBS) is a large MSSP in Europe, based on the number of customers and revenue. In France, the number of midsize and small business customers is slightly higher than in the rest of Europe. It delivers security services on firewalls, intrusion prevention systems, multifunction security devices and secure Web gateways, as well as SIEM and log management. The customer portal is available in English and French. In France, OBS pioneered a new type of security and privacy service. Anonymization as a service (called Flux Vision) enables the use and analysis of large amounts of sensitive telecommunications data in compliance with strict local privacy regulations.
OBS emphasizes its CyberSOC and analytics capacity in Western Europe. Many customers request to store data (logs and events) in one of the three European data centers, even for non-European clients. This helps win business against U.S.-based providers. As an incumbent telecommunications company, OBS is also well-positioned to deliver services in compliance with local regulations on critical infrastructure protection.
Symantec is a global MSSP that combines global visibility with attention to regional differences. Device, application and log data is aggregated, analyzed and stored within the North American data center. The SOC in India serves as a global resource, supporting all regional SOCs outside regional business hours. The European SOC is located in the U.K., providing services to Europe, the Middle East and Africa. Analysts provide personalized care to review customer security event information. The European SOC maintains attestation to industry security standards by external third parties. In addition, assets can be tagged with various compliance policy restrictions, including those that contain personal data, enabling faster filtering of the related assets to a required report. Sales teams use local-language fluency wherever possible, to communicate with the greatest clarity in order to establish Symantec as a trusted security advisor.
Trustwave is a global provider of MSS, with a globally consistent strategy. Ninety percent of Trustwave's customers are in North America. Half of Trustwave's European customers are in the U.K. and Ireland, while the other half are more or less equally distributed across all other major European countries. The European SOC is located in Poland. Trustwave works with local partners throughout EMEA, including the U.K. and Germany. Trustwave's security service focus is on threat management and event monitoring, network protection and access control, application security, content security, and anti-malware. The portal is also available in Spanish, while scanning and compliance sections are also available in German, French and many other European languages.
Trustwave's hybrid on-premises and cloud SIEM architecture was created to support in-country or on-premises data storage requirements, especially for EMEA countries with data privacy and location sensitivity (for example, Germany). Trustwave also offers data-location-sensitive customers a full on-premises technology stack to meet local data privacy requirements.
Verizon has a substantial customer base in Europe — largely, enterprise customers. Demand is driven by managed WAN deals with security services tied to them, as well as by industrial control system security requirements in the manufacturing sector. Moreover, Verizon operates an SOC in Luxembourg to address country requirements in the financial sector and clients with European data sovereignty requirements. For additional charges, Verizon can provide systems and storage that are not multitenant (using commercial SIEM instead of Verizon's MSS platform). Verizon also operates regional denial of service (DoS) mitigation centers and maintains Hadoop nodes per region as part of large-scale security analytics launched in 2014. Verizon also has a partnership with Swisscom.
Note: This perspective was added to this Magic Quadrant on 25 July 2014 as a planned enhancement to the reading experience. The perspective was originally published on 22 July 2014 as a separate document. This content contains no new information from when it was originally published.
- Gartner customer inquiries and information sharing related to MSSPs
- Analyst interactions with Gartner customers via inquiries and meetings
- Survey of MSSPs
- Survey of MSS reference customers
Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.