Magic Quadrant for Global MSSPs
Managed security services is a mature market with offerings from established service providers. This Magic Quadrant presents enterprise buyers with advice on selecting MSS providers to support global service requirements.
For the purposes of this research, Gartner defines managed security services (MSSs) as "the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers (SOCs), not through personnel on-site." Therefore, MSSs do not include staff augmentation, nor any consulting or development and integration services.
MSSs broadly include:
- Monitored or managed firewalls or intrusion prevention systems (IPSs)
- Monitored or managed intrusion detection systems (IDSs)
- Distributed denial of service (DDoS) protection
- Managed secure messaging gateways
- Managed secure Web gateways
- Security information and event management (SIEM)
- Managed vulnerability scanning of networks, servers, databases or applications
- Security vulnerability or threat notification services
- Log management and analysis
- Reporting associated with monitored/managed devices and incident response
This Magic Quadrant evaluates monitored/managed firewall and intrusion detection and prevention (IDP) functions, as well as log management services, rather than other elements of the services we have listed. Firewall, IDP and log collection form the core of most MSS engagements. The vendors in the Magic Quadrant are evaluated on their ability to support customers with global service requirements.
Source: Gartner (February 2014)
Headquartered in Dallas, and with regional offices in Hong Kong and London, AT&T offers security monitoring and management services for customer-based and network-based security controls — including wireless — in addition to a wide range of other IT and telecommunications services. AT&T MSSs are based on commercial and self-developed technologies for alert and log collection, real-time correlation, reporting, and device management. Workflow is supported by the AT&T BusinessDirect portal. Query and browsing of log data are supported via commercial and self-developed technologies. AT&T offers log management via on-premises solutions. Log management and MSS functions must be accessed through separate portals. Integration of these functions into a single portal remains planned. AT&T's advanced threat offering is the Security Event and Threat Analysis (SETA) service, which includes correlation and analysis of data from customer devices and the AT&T network, with customer-specific configuration and response templates. Three SOCs are located in the U.S., two in Asia/Pacific and one in Europe, and multilingual support is available. Enterprises should consider AT&T if they require a global service provider with a broad range of service offerings and deployment capabilities that include premises-based and network-based options. Customers of other AT&T services that seek MSSs from an incumbent provider should also consider AT&T.
- AT&T has good visibility among Gartner customers, and is often included in competitive MSS evaluations.
- AT&T's network-based security controls are mature security management and monitoring offerings that are attractive to MSS customers with remote and branch office coverage requirements.
- AT&T is an established and stable service provider, with delivery capabilities in multiple geographic regions.
- The MSS portal continues to lack standardized asset reporting as well as the log browsing capabilities that are available in several competitors' portals.
- Log management functions must be accessed from a portal that is distinct from the MSS portal.
- The customization features of the MSS portal are not as extensive or self-service-capable as those in competitors' portals.
BT is headquartered in London and has offices across the globe, including a regional presence in Texas and Hong Kong. BT's MSS offerings include monitoring and management of customer premises deployed devices and network-based security controls as part of its larger portfolio of telecommunications and IT services. BT uses self-developed technology for log and event collection, correlation, query, reporting, and device management. Commercial technology supports workflow. In addition to its MSS, BT offers Assure Analytics, an extension that provides additional analysis and visualization capabilities. BT has two European SOCs and three Asia/Pacific SOCs staffed 24/7, with an additional nine SOCs worldwide. Capabilities to detect targeted attacks and provide advanced analytics are focused on larger customers and delivered via add-on services, including a social media monitoring service, Assure Analytics and consulting engagements. Customers of other BT services that are seeking MSS as well as additional analytics and visualization capabilities should consider BT.
- BT has a broad range of security offerings for MSS globally, as well as for security consulting, cybersecurity services, secure networking, business continuity, identity and access management, technology deployment, and integration.
- BT gets good marks from users for security expertise in support of its MSS delivery.
- BT continues to have much lower visibility among MSS buyers in North America and Asia/Pacific than in Europe.
- Customers use the BT Assure Threat Monitoring Web portal for searching, browsing and reporting security-relevant raw log data, and a premises-based appliance user interface to access non-security-relevant raw log data.
CenturyLink is based in Monroe, Louisiana, and has offices in Singapore, Hong Kong, London and throughout North America. It provides MSS as well as infrastructure as a service, software as a service (SaaS), Web hosting, colocation and network services. MSS customers have primarily been customers of CenturyLink's infrastructure services. MSS is delivered through a combination of commercial and self-developed technology for data collection, correlation and analysis, reporting, and log management. CenturyLink has three SOCs in North America, with an additional SOC in Europe and one in Asia/Pacific. Advanced analytics to detect targeted attacks are embedded within the MSS capabilities, and are based on monitoring third-party security technologies. CenturyLink's infrastructure and network services customers should consider the company for managed security.
- CenturyLink's enterprise and small or midsize business customers for network services can augment their relationships with CenturyLink via MSSs.
- CenturyLink's rationalization of security services across its lines of business has enabled a more focused and consistent delivery of MSSs.
- CenturyLink does not appear on Gartner customer shortlists for MSSs.
- The CenturyLink MSS portal lags competitors' portals in several areas, including customization, asset tracking, and correlation across data sources and user data.
CSC is headquartered in Falls Church, Virginia, with regional offices in Sydney, Singapore and the U.K. CSC delivers its MSS as a stand-alone service, and as a complement to its IT outsourcing and consulting services to enterprises and government agencies. CSC is in the process of standardizing its MSS delivery capabilities across all regions using commercial SIEM technology for data collection and correlation, real-time alert generation, and log management. The self-developed Pulse Portal provides access to alerts, reporting, ticketing and workflow. CSC has four SOCs in the U.S., two in Europe and three in Asia/Pacific. New offerings to address advanced targeted attacks are available and include network and payload analysis. Preliminary endpoint analysis and forensics are available via managed services, with more in-depth forensics available as a consulting engagement. CSC outsourcing customers and enterprises, especially those in the defense industrial base and financial services industries, should consider CSC for MSSs.
- CSC's efforts to standardize MSSs across regions now provide global event visibility to SOC analysts, and should result in enhanced effectiveness for multiregional customers.
- Customers give good marks for the security expertise of CSC's staff, as well as for their understanding of the customer environment.
- CSC's security expertise supports its strong presence in the U.S. federal government and the U.K. government, in financial services and in critical infrastructure markets.
- CSC does not fully market its stand-alone MSS. Also, CSC is rarely included on Gartner commercial customers' shortlists for stand-alone MSS deals.
- Organizations considering CSC for MSSs should evaluate the current state and progress toward the completion of global service standardization to ensure that the capabilities needed in all regions are available to meet deployment requirements.
Dell is headquartered in Texas, and Dell SecureWorks is headquartered in Atlanta, with five regional offices in the U.S. — plus Edinburgh, Scotland, London and Tokyo, with additional offices in Asia/Pacific and Europe. Dell SecureWorks offers MSSs as well as security consulting, incident response and threat intelligence services. MSS delivery is based on self-developed technology for log and alert collection, for real-time correlation and analysis, and for presentation/reporting via portal. Premises-based log retention and reporting are delivered via commercial SIEM technology. The Dell SecureWorks Counter Threat Unit provides threat intelligence, malware analysis and analytic support for MSS operations. Customers may buy threat intelligence services as part of an MSS subscription. Five SOCs are located in the U.S., with additional SOCs in the U.K., India, Mexico and Eastern Europe. Advanced attack detection is offered within existing MSSs and includes threat feeds, correlation, and analysis of historical events to identify anomalies. Midsize organizations that want to meet compliance requirements, and enterprises looking for full-featured MSSs, should consider Dell SecureWorks.
- Dell SecureWorks is very visible to Gartner customers and is typically included in competitive MSS deals.
- Gartner customers offer strong praise for Dell SecureWorks' MSS delivery, security expertise and relationship management. The security expertise available through the Counter Threat Unit is often cited as a differentiator.
- The MSS portal receives very good marks from customers.
- Dell's ownership changes offer less visibility into its business operations, including the positioning and emphasis placed on security products and services.
- Although reports of issues to Gartner have been minimal to date, customers should continue to monitor Dell SecureWorks' service delivery to ensure that MSS geographic expansion and any shift in Dell's business focus do not dilute its MSS delivery capabilities.
- Dell SecureWorks' cautious expansion beyond the Japanese market may result in prospects having limited references in the Asia/Pacific region, and not as much ready access to presales interaction.
HP is headquartered in Palo Alto, California, with MSS locations in Australia, London and Plano, Texas. HP has a broad security portfolio of professional and managed services; technologies for SIEM, application security and network security; and extensive offerings of additional IT products and services. HP's MSS is based on several self-developed and commercial technologies for data collection, correlation/alerting, query and reporting. Workflow and ticketing use HP technology, and tools for customer deployment provide workflow support. HP has two SOCs in the U.S., one in Latin America, three in Europe and two in Asia/Pacific. HP offers a portal for MSS and uses the HP ArcSight console for log management. HP offers a separate governance, risk and compliance-oriented portal for executive dashboards. The HP MSS portal provides role-based access, ticketing and security reporting features. Log management is delivered via HP ArcSight ESM and ArcSight Logger in hosted or on-premises deployments. Log management features are available via the HP ArcSight portal. HP's targeted attack detection and advanced analytics capabilities are embedded in its MSS offerings, and are supported with threat feeds, vulnerability information, the detection capabilities of HP ArcSight, and expert analysis. Enterprises and midsize companies with HP IT services or security technology services should consider HP for MSSs.
- HP is a large, stable provider of MSSs and other security services. It has a multiregional presence and delivery capabilities.
- HP's broad technology and service delivery options enable extensively customized MSS engagements, including technology bundling and hybrid delivery options.
- The HP MSS portal lacks the user correlation and asset and vulnerability reporting capabilities that are available in competitors' portals. Potential customers should validate that HP's current capabilities and enhancement plans meet their deployment and operations requirements.
- Gartner customers report challenges in differentiating and navigating among HP's security monitoring capabilities, which are available, in differing forms, from HP's product, outsourcing and discrete MSS delivery organizations.
- Prospective MSS customers should validate HP's coverage and monitor ongoing support when MSS engagement includes security technologies from HP's competitors.
IBM is headquartered in New York, with MSS offices in Atlanta and other geographies. MSSs and a full range of security consulting and integration services are available as stand-alone services, and as components of larger infrastructure outsourcing contracts. IBM uses self-developed technology for data collection, correlation, log query and reporting, and ticketing/workflow. Log management is offered as a hosted service, and with premises-based IBM QRadar and other SIEM technologies. IBM has four North American SOCs, two in Europe, two in Asia/Pacific and two more in other regions. IBM's advanced analytics and targeted attack detection capabilities are embedded in its MSS and hosted SIEM offerings, and they are supported by IBM technology and third-party technology deployed by customers. Enterprises with global service delivery requirements, and those with strategic relationships with IBM, should consider IBM for MSSs.
- Gartner customers often include IBM in competitive MSS evaluations, and IBM has high visibility in North American, Asia/Pacific and European markets.
- IBM's MSS capabilities include support for customer-deployed SIEM (from IBM and other vendors) that is integrated into its standard MSS offerings.
- IBM is a large, stable provider of security and IT services and products, and it has global delivery capabilities.
- Gartner customers report overall improvements and lingering challenges for IBM MSSs in sales, deployment and customer care.
- Although IBM's MSS supports multiple security technologies — including many from IBM's competitors in the IPS and SIEM markets — MSS customers should monitor planned and actual MSS support for the security technologies deployed in their environments.
NTT, which is based in Tokyo, and with London and New York offices, acquired Solutionary in 2013, adding to prior acquisitions of MSS capabilities in the NTT companies (such as NTT Com Security — formerly Integralis — and Dimension Data's earthwave). NTT is included in this Magic Quadrant on the basis of the combined offerings and scale of the various MSS entities, which it is in the process of rationalizing. NTT uses a variety of self-developed and commercial technologies to support MSS delivery across the three organizations. There are multiple SOCs in Asia/Pacific, Europe and North America. Targeted attack protection is embedded in the MSS offering of each delivery group, and it differs among the groups, although cross-group data sharing for threat information is now being done. NTT customers and enterprises seeking a large global service provider with specific regional strengths should consider NTT for MSSs.
- Individual NTT MSS groups get good feedback from Gartner customers regarding MSS delivery.
- Across the NTT MSS offerings, the capabilities of NTT Com Security, Solutionary, Dimension Data's earthwave and NTT Data are well-known in Europe, North America, the Middle East/Africa and Asia/Pacific, respectively, and they appear in MSS deals in those regions.
- NTT has a global presence as well as a broad range of security service offerings and delivery options, in addition to broader telecommunications and IT infrastructure service offerings.
- MSS operations across the regions are not yet fully integrated. Current MSS customers must monitor NTT's plans to rationalize its MSS delivery capabilities to ensure that any changes result in equal or better service delivery levels and options.
- Potential MSS buyers should get binding assurances from NTT regarding the capabilities they will receive globally and within regions to ensure that NTT's current and planned MSS capabilities will meet customers' region-specific and global requirements.
Orange Business Services
Headquartered in Paris, with offices in Atlanta and Singapore, Orange offers a broad range of telecommunications and cloud-based IT infrastructure services, security consulting and integration services, and MSSs. Orange MSSs are based on commercial SIEM technology for data collection, correlation and analysis, reporting, and log management, with self-developed technology for workflow. Three MSS SOCs are located in Europe, two in Asia/Pacific, one in North America and two in the Middle East/Africa regions. Advanced threat detection is provided by proprietary technologies as well as by commercial SIEM and network security products, with additional capabilities planned for 2014. Orange service customers and organizations seeking a large, global and stable Europe-focused and Asia/Pacific-focused MSS provider (MSSP) should consider Orange.
- Orange offers a broad range of network and IT services that can be bundled with MSSs.
- Orange is a large, stable service provider with long-standing MSS and security consulting experience.
- Orange has lagged several MSS competitors in the introduction of advanced attack detection and analytics offerings.
- Orange rarely appears on Gartner customer shortlists for MSS procurement, and in North America, Orange has very limited market visibility.
- MSS customers in North America often express a preference for a SOC in-region. Although Orange has a North American SOC, it is not staffed 24/7.
Symantec is headquartered in Mountain View, California, with MSS offices in Virginia, Singapore and Reading, U.K. Symantec offerings include security monitoring, security intelligence, messaging security services and a range of security products. Symantec's MSS architecture is based on self-developed technology for event and log collection, with a combination of self-developed and commercial technology for correlation, analytics and reporting. Ticketing/workflow and device management are based on commercial technology. Log query and browsing are enabled via self-developed technology. Symantec has one SOC in the U.S., one in the U.K. and two in Asia/Pacific, plus a new SOC in Japan. Log management services are delivered via Symantec log collection platform, are stored in Symantec SOCs and are available to customers via the MSS portal. A distinct service level offers advanced attack detection analytics. Enterprises seeking an established MSSP should consider using Symantec.
- Symantec has strong visibility in the MSS market. Gartner customers very often consider Symantec's MSS offerings in competitive evaluations.
- Symantec's Gartner customers generally offer positive reviews of Symantec's MSS delivery, and of the quality of their interactions with Symantec's SOC analysts.
- MSS customers indicate that the DeepSight threat feeds and intelligence reports are differentiators of Symantec's services.
- Prospective buyers should evaluate Symantec's optional enterprisewide pricing with realistic assumptions of the number of monitoring/log sources they can expect to incorporate into the scope of MSSs. Customer delays in bringing event sources into coverage will result in buyers paying for coverage that they are unable to receive.
- Symantec is rebuilding its security consulting capability. Prospective MSS customers should carefully evaluate whether Symantec's security consulting services will meet their needs, and whether they must engage with partner-led security services for service initiation and for ongoing project work throughout the course of the MSS relationship.
Trustwave is based in Chicago, with offices in London and Sydney. Trustwave has several security technologies — including SIEM, unified threat management (UTM), network access control, application security, Web application firewall (WAF) and Web security — and builds MSSs around those as well as third-party products. MSSs are based on Trustwave's SIEM technology for data collection, correlation, alerting and workflow. Security intelligence capabilities are provided by the Trustwave SpiderLabs group. Trustwave has three U.S.-based SOCs, one in Europe and one in Asia/Pacific. Targeted attack detection and advanced analytics capabilities are standard components of Trustwave MSSs, and they are delivered via three Trustwave activities: network monitoring, endpoint monitoring and managed WAF. Companies in the retail, healthcare and banking vertical industries — and others that are subject to PCI compliance — should consider Trustwave for MSSs.
- Trustwave has an extensive portfolio of security products and associated managed services that can be packaged as subscription-based solutions for customers with limited capital budgets and security resources.
- Trustwave remains a well-recognized provider of services and technologies to support PCI Data Security Standard (DSS) compliance.
- The Trustwave MSS portal provides extensive language support.
- Current customers and potential MSS buyers should continue to monitor Trustwave's ability to meet delivery and road map commitments as it navigates a possible initial public offering.
- Potential MSS customers should evaluate whether the split of compliance reporting capabilities between the MSS portal and the log management portal meets their operational requirements.
- The Trustwave MSS portal lags several competitors' portals in providing correlation of user activities with infrastructure events.
- Except for PCI monitoring engagements, Trustwave very rarely appears in MSS deals among Gartner customers.
Verizon is headquartered in Basking Ridge, New Jersey, with offices throughout the U.S., Europe, Latin America and Asia. Verizon offers MSSs and security consulting, as well as a broad range of telecommunications and infrastructure services. Verizon's MSS architecture is based on self-developed technologies for event collection, correlation and alerting, with commercial technologies for reporting and workflow. Log management services are based on a combination of self-developed and commercial technologies. Two SOCs are located in the U.S., two in Europe and two in Asia/Pacific. Verizon's Research, Investigations, Solutions, Knowledge (RISK) Team provides threat intelligence and malware detection signatures that support MSSs, and Verizon's breach response services inform MSS monitoring efforts. Targeted threat detection services are incorporated into the standard MSS delivery. They are based on commercial technologies, on Verizon's self-developed correlation and threat intelligence capabilities, and on network monitoring. A distinct advanced analytics service is available in the U.S. to governments and enterprises facing specific targeted threats. Enterprises should consider Verizon if they are looking for an established service provider that is capable of delivering a broad range of security services in multiple regions.
- Verizon's network-based capabilities enable MSS configuration that includes network-based and premises-based controls.
- Gartner customers often include Verizon in competitive MSS evaluations.
- Verizon's MSS receives generally positive reviews from Gartner customers for meeting their expectations for security expertise, and for effective security monitoring and alerting. Customers also indicate that Verizon's security expertise is a differentiator for MSSs.
- Verizon's MSS portal lacks the user activity correlation capabilities that are available from several competitors.
- Verizon's log management services currently lag those of its competitors. New capabilities are planned for 1Q14.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
NTT was added to this Magic Quadrant based on its acquisition of Solutionary, and on the prior acquisitions of Integralis (now NTT Com Security) and Dimension Data's earthwave. NTT's capabilities across these organizations meet the criteria for inclusion in the Magic Quadrant.
Orange Business Systems was added because it also meets the inclusion criteria.
Allstream, Bell Canada, CGI, Clone Systems, Nuspire Networks and Perimeter E-Security (now named SilverSky) were dropped from this Magic Quadrant because they do not meet the inclusion criteria for network devices and customers monitored/managed in Europe and Asia/Pacific.
Wipro was dropped because it does not meet the inclusion criteria for customers in Asia/Pacific or North America.
HCL Technologies was dropped because it is in the process of realigning its MSS capabilities and currently does not meet the inclusion criteria for this research.
SAIC was dropped because of its split into two companies, SAIC and Leidos, and because the MSS business of Leidos does not meet the inclusion criteria for customers in Asia/Pacific and Europe.
This Magic Quadrant expands the coverage from MSSPs in North America to include delivery capabilities in North America, Europe and Asia/Pacific. As a remote service, MSSs can be delivered via network connectivity to and from any locations with sufficient connectivity, and certainly MSSPs that have operations in one geographic region can support customers in other regions. Gartner sees a distinct preference among customers seeking MSSs to first consider MSSPs with a presence in their region. Among global enterprises, that includes a presence in multiple regions where the enterprises operate, in order to provide more "local" support — and also includes the MSSP's ability to keep some data in specific regions, provide local business hours, provide access to advanced support, and provide local language support, among other concerns. In addition, compliance with data residency and privacy regulations can be addressed in many cases with local operations centers.
This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS revenue.
The criteria include a threshold for the number of firewalls or IDP devices under monitoring or management, and a threshold for the number of MSS customers — both distributed across multiple regions. MSSs refer to remote management and monitoring of security technologies. Several large infrastructure outsourcing vendors offer other service delivery options (such as staff augmentation) in addition to MSSs, but we don't evaluate these other delivery options. Also excluded from this analysis are service providers that offer MSSs only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for third-party technologies.
Vendors must have:
- The ability to remotely monitor and/or manage firewalls, IDP devices from multiple vendors via discrete service offerings, and shared service delivery resources
- Firewalls/IDP devices under remote management or monitoring for external customers
- External customers with those devices under management or monitoring
- Reference accounts that are relevant to Gartner customers in the appropriate geographic regions
- A threshold of the number of customers as well as the number of firewalls and IDS/IPS devices in multiple geographies
- A threshold for MSS revenue of $20 million in 2012
- A SOC presence in multiple geographic regions
Inclusion thresholds for firewalls/IDP devices under MSSs are 225 in Asia/Pacific, 1,500 in Europe, 2,250 in North America and 25 in the rest of the world (ROW), in the following possible combinations:
- Asia/Pacific + Europe
- North America + ROW
- Asia/Pacific + North America
- Europe + North America
Inclusion thresholds for MSS clients are 45 in Asia/Pacific, 75 in Europe, 225 in North America and 10 in ROW, in the following possible combinations:
- Asia/Pacific + Europe
- North America + ROW
- Asia/Pacific + North America
- Europe + North America
- Service offerings that are available only to end users that buy other non-MSS services
- Services that monitor or manage only their own technology
- Services delivered by their own resources and dedicated to a single customer
Product or service refers to the service capabilities in areas such as event management and alerting, information and log management, incident management, workflow, reporting, and service levels.
Overall viability includes the organization's financial health, the financial and practical success of the overall company, and the likelihood that the business unit will continue to invest in the MSS offering.
Sales execution/pricing includes the service provider's success in the MSSP market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.
Market responsiveness/record evaluates the match of the MSS offering to the functional requirements stated by buyers at acquisition time. It also evaluates the MSSP's track record in delivering new functions when the market needs them.
Marketing execution is an evaluation of the service provider's ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.
Customer experience is an evaluation of the service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by conducting qualitative interviews of vendor-provided reference customers, as well as by feedback from Gartner customers that are using the MSSP's services, or have completed competitive evaluations of the MSSP's offerings.
Operations includes the MSSP's service delivery resources, such as infrastructure, staffing and operations reviews or certifications.
Source: Gartner (February 2014)
Market understanding involves the MSSP's ability to understand buyers' needs and to translate them into services. MSSPs that show the highest degree of market understanding are adapting to customer requirements for specific functional areas and service delivery options.
Marketing strategy refers to a clear, differentiated set of messages that is consistently communicated throughout the organization; is externalized through the website, advertising, customer programs and positioning statements; and is tailored to the specific client drivers and market conditions in the MSS market.
Sales strategy relates to the vendor's use of direct and indirect sales, marketing, service, and communications affiliates to extend the scope and depth of market reach.
Offering (product) strategy is the vendor's approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated.
Business model includes the process and success rate for developing features, innovations and service delivery capabilities.
Vertical/industry strategy and geographic strategy include the ability and commitment to service geographies and vertical markets.
Innovation refers to the service provider's strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements.
Source: Gartner (February 2014)
Each of the service providers in the Leaders quadrant has significant mind share among enterprises looking to buy an MSS as a discrete offering. These providers typically receive very positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring frequent interaction with the MSSP for analyst expertise and advice, for portal-based correlation and workflow support, and for flexible reporting options.
In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider's other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, it offers a "path of least resistance" to enterprises that need an MSSP and use the vendor's main services.
Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require frequent interaction with MSS analysts, flexible service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less market coverage and fewer resources or service options compared with vendors in the Leaders quadrant.
Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve.
Prospective MSS buyers with threat management use cases should highly weight MSSPs' threat research and security intelligence capabilities.
Current and prospective MSS users should require a proof of concept, or a demonstration of MSS offerings for advanced analytics and big data, to validate effectiveness and value.
Current and prospective MSS users should validate MSSPs' services that are related to monitoring or management of third-party technologies or their own technologies to address advanced attacks.
The MSS market is mature, and prospective customers have numerous options among MSSPs and the types of services offered. The primary drivers for MSSs have been consistent for several years: 24/7 threat management and meeting compliance requirements. These may be complemented by related drivers, such as the desire to redirect existing resources to other security areas, or the need to engage deeper or broader expertise than is available in-house. An emerging driver is support for the protection from and detection of targeted attacks through MSSP knowledge of the external threat environment, through insight gained from monitoring events from a broad and global customer base, through MSSP-based advanced analytics, or through MSSP monitoring of customer-deployed next-generation protection and detection capabilities.
The 2013-2014 Magic Quadrant for Global MSSPs reflects multiregional delivery requirements, and the MSSPs included in the evaluation meet the minimum thresholds for MSS business in two or more regions. MSSPs with multiregional business typically have a sufficient understanding of region-specific customer requirements, as well as sufficient service delivery capabilities that can scale to support global service delivery. Customers with a mix of global delivery requirements and local regulatory requirements related to, for example, data privacy, may require customized services.
MSSPs that do not meet the customer or device thresholds for inclusion in this Magic Quadrant may still deliver high-quality services within a region, and can typically deliver in multiple regions. When considering MSSs, Gartner customers should develop evaluation criteria that meet their specific requirements.
Gartner expects that growing enterprise experience with cloud-based infrastructure and applications delivered as a service, as well as accommodating the access of consumer technology to corporate systems, will result in greater acceptance of, and reliance on, cloud-based security-as-a-service offerings.
In 2013, the global market for security outsourcing was $12 billion, with a forecast compound annual growth rate of 15.4% through 2017.
Growth in enterprise demand for MSSs is driven primarily by four factors:
- Security staffing and budget constraints: Gartner sees continued expectations to reduce operational costs and capital expenditures, and to avoid staffing increases related to the monitoring and management of mature security technologies, such as IDSs and firewalls. At the same time, increased monitoring of infrastructure logs, as well as privileged and application user activity and next-generation technologies, requires tool and analytical expertise that will be difficult for many organizations to supply in-house.
- Evolving compliance reporting requirements: This involves the evolution of existing compliance requirements, and of corporate governance policies that create a secondary effect of stronger requirements for incident monitoring, identification, and response internally and among business partners. As formal compliance regimes evolve or audit/enforcement activity increases, organizations consider external service providers to reduce the costs of meeting compliance requirements. PCI DSS remains an important driver; also, Gartner is starting to see the U.S. Federal Information Security Management Act's (FISMA's) continuous monitoring requirements become an increasing factor for U.S. government agencies, for commercial firms that sell to the U.S. government, and for organizations funded by government grants, such as universities.
- Adoption of security technologies and analytic tools focused on advanced attacks: As enterprises gain experience with technologies to analyze networks, payloads and endpoints for advanced attacks, they will look for opportunities to focus internal resources on prevention and response activities, and to augment those activities with external expertise to monitor and manage the technologies.
- Increased availability and adoption of cloud-based IT services: Increasing use of cloud-based IT services will drive security controls into those services, and will also lead to greater acceptance and adoption of cloud-based security services for controls that are best suited for cloud-based delivery. Gartner expects significant security outsourcing growth in areas adjacent to MSSs, such as secure Web gateways, email security, and identity and access management.
MSS growth can also be constrained by a few factors:
- Enterprise deployment of SIEM technology to provide in-house alerting and log analysis: MSSPs typically lack deep insight into the customer IT and business environment; thus, they are less able to determine whether events involving users, administrators, internal applications and data are inappropriate or unacceptable. Wherever enterprises want close monitoring of internal activities, they may opt to do it themselves. Some organizations monitor internal activities and also use an MSSP for external/perimeter monitoring. Such an arrangement still constrains the growth of MSSs in those organizations.
- Core competency: Organizations that provide security technology or services, or position their technology or services as secure, are likely to forgo outsourced security monitoring. Where security is a value proposition and a core competence, outsourcing security may not be an effective option.
- Change in strategy to reduce outsourcing: At the enterprise level or within the security organization, a change in strategy regarding the use of external services can mean that MSSs are not considered effective options.
The services that are core to MSS offerings involve the monitoring of perimeter network security technologies:
- Multifunction firewalls/UTM services
- Next-generation firewalls
In addition to monitoring, many MSSPs have management services for those technologies. It is increasingly common for MSSPs to also provide monitoring and log collection from IT infrastructure such as servers, user directories and applications.
Among organizations that have deployed SIEM technology, Gartner sees increasing interest for services to monitor or run the SIEM. Several MSSPs have offerings to support customer-deployed SIEM.
MSSPs may also provide cloud or SaaS-based services, including:
- DDoS protection
- Email security
- Web filtering
- Vulnerability scanning
- Network-based firewall/IDP
MSSPs offer cloud services directly or via partnerships with other service providers. The degree of integration of partner-delivered services with MSSP services varies from little more than purchasing convenience to integration of partner data and management functionality into the MSSP's portal. Deeper integration can provide operational and vendor management advantages, but may reduce the ability to "swap out" one cloud-based service for another.
Buyers should take into consideration the degree of integration of any partner-delivered services with the MSSP's offering, as well as the potential for affecting training, operational efficiency and end-of-contract switching costs.
Several MSSPs have created research groups to improve their understanding of the threat landscape — that is, the identities, motives, targets and techniques of attackers. MSSPs use their findings to support their security operations analysts; they may also provide customers with subscription-based access to this research, or offer customers project-based access to the group for analysis/reverse engineering of malware. Potential customers of threat intelligence feeds from MSSPs should require proof-of-concept access to evaluate the relevance of the information, as well as their ability to consume and act on it.
Many MSSPs claim capabilities to assist their customers in addressing advanced targeted attacks. These capabilities may be visible as discrete service offerings or options, or as features embedded in existing offerings. They may include, for example:
- Correlation of alerts with IP reputation or known bad addresses
- Comparison of alerts, activity patterns or state (such as device configuration, registry and so on) to those of known attacks
- Analysis of activity patterns (across an MSS customer base as well as within the customer environment) to identify outliers, exceptions or deviations from baselines
These offerings are now primarily based on the security events monitored by the MSSPs; however, we expect that several MSSPs will introduce distinct service offerings to acquire, retain and analyze large volumes of customer data — so called "security big data" — from IT infrastructure and other sources. Gartner recommends that customers require a limited pilot or proof of concept to identify specific areas where relevant, actionable intelligence results from the collection and analysis of the data, and to identify the service levels required. Based on feedback from Gartner customers, early adopters should plan for the inclusion of relevant domain experts who are typically outside the security group, such as line-of-business owners and application owners.
Most MSSPs also offer incident response capabilities to assist customers with investigation and remediation activities in the event of a breach. These services are typically available on a consulting basis. Prospective customers should confirm with MSS candidates how much response support is available within the context of the standard monitoring services, and when a consulting engagement is required. If the MSSP offers packaged or prepaid hours for incident response activities, then customers should ensure that those hours are available for other security services if they are not needed for incident response.
The typical pricing model for MSSs is based on the type and size of the security technology to be monitored for customer-premises-equipment-based devices, or on the bandwidth or number of users/endpoints for network-based controls. Log collection is typically priced by the number and types of sources, or on events per time period (device count pricing includes implicit expectations of event volumes). There is typically a clear distinction between technology that is monitored in real time, and subject to alerting service-level agreements (SLAs), and technology that is not — that is, where logs are collected and subject to reporting or querying, but not to real-time correlation and analyst review. Device management pricing is typically based on the number of configuration changes to be performed within a period of time.
During 2014, Gartner expects the trend for common services, such as firewall and IDP monitoring and management, to decline slightly. Price pressure is coming from new sources for these services, such as from the technology providers themselves, from other MSSPs and from continued corporate efforts to reduce IT budgets. In response, MSSPs have introduced new services to monitor and manage advanced threat detection technologies. MSSPs will continue trying to expand the number of devices and data sources to monitor, and will differentiate monitoring based on the availability of additional external intelligence feeds and analysis (such as reputation data, blacklists, behavioral data and cross-customer activity) that can be correlated with data from customers' monitored devices.
The basic makeup of the MSSP vendor space has not changed fundamentally. There are three major types of MSSPs:
- Pure plays: These are generally smaller, privately held MSSPs that are completely focused on security services. As seen in 2013, pure-play MSSPs will continue to be acquired by larger service or IT infrastructure firms that seek to provide MSSs. New pure-play security service providers often focus on specific vertical markets or regulatory requirements, or on specific analytic services (such as user activity) or advanced threat detection technologies.
- System integrators/business process outsourcers: These are broad IT service providers that typically manage security devices as part of larger outsourcing deals. Where the integrator or outsourcer acquired a pure-play MSSP and maintained a discrete MSS delivery capability, these providers often compete for MSS-only deals.
- Carriers and network service providers: These are bandwidth and connectivity providers that manage network security products. They often provide remote monitoring, premises-based technologies and cloud-based services through their Internet connections.
This Magic Quadrant reflects the requirements of customers that seek MSSPs with a global presence and global delivery capabilities. The vendors that meet those requirements fall into the latter two types of MSSPs.
In general, the MSS portfolios of these providers look broadly similar. Customer satisfaction with services can be strongly related to customer expectations. Customers occasionally report dissatisfaction related to objectively poor performance, including missed SLAs. However, it is more common for dissatisfied customers to express disappointment related to subjective criteria that may never have been made explicit to prospective providers, or to the MSSP selected.
Gartner customers using MSSPs express differing expectations regarding their type of relationship with MSSPs. Expectations may range from frequent interactions and knowledge sharing among the customer security staff and MSSP staff, to almost no interactions beyond the provision of periodic reports of monitoring activity. Gartner recommends that prospective MSS buyers develop explicit requirements for service delivery. MSSPs' responses to these requirements (including via demonstrations, proofs of concept and the like) will enable customers to discern distinct differences among the MSSPs.
Buyers should define expectations for the degree and quality of interaction with the MSSP's SOC analysts, the features of the MSSP's portal that will support the customer's use cases, reporting for operational and management reporting, the depth of threat and security intelligence offerings, support for specific compliance requirements, and the MSSP's professional services capabilities. Prospective buyers that evaluate MSSPs within the context of specific requirements will find that the providers that best fit those requirements may come from any segment of the Magic Quadrant.
Not included in this Magic Quadrant analysis are smaller, regional or subregional providers, which can include small pure plays and larger providers that do not have enough MSS business in multiple regions to meet the inclusion criteria. Also excluded from this analysis are service providers that provide MSSs only for their own technology, and that do not deliver services for commercial technology.
- Gartner customer inquiries and information sharing related to MSSPs
- Analyst interactions with Gartner customers via inquiries and meetings
- Survey of MSSPs
- Survey of MSS reference customers
Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.