Detection and response capabilities influence MSS offerings


A recent survey conducted with information security professionals by 451 Research, a part of S&P Global Market Intelligence, examines the overall usage and plans to use MSS, including the types of services employed, the primary reasons driving services adoption, the key pain points experienced by security leaders in that usage, and characteristics of those services.

The take

Managed detection and response (MDR) service offerings have historically been distinguished from traditional MSS not by the monitoring component, which both share, but by their emphasis on follow-up: active threat hunting and responding to indicators of compromise. While only 9% of MSS offerings are classified by their users as the more specialized MDR services (most MSS offerings are part of a broader offering from a general IT service provider), the move to MDR has pushed all managed security offerings further toward response.

One measure this survey uses to explore the role of MSS in response is how many enterprises with an MSS in place had a major security incident that their MSS provider helped detect or respond to: 48%, up from 33% in 2023. Of those where an MSS was involved, 49% noted their MSS both detected and responded to the incident. Forty-five percent said their MSS discovered the incident but handed response operations over to the internal security team. Rounding out the responses, 4% said their MSS found indicators of compromise but the internal team shouldered most of the investigation and response, and 2% noted their MSS performed the full forensic investigation.

Summary of findings

Forty-four percent of enterprise respondents report having an MSS relationship in place, but the market spans a wide spectrum of offerings, typically tied to the size of the customer company targeted. The most common consumption model for MSS offerings is as part of a larger IT services agreement. That arrangement is most common in enterprises with fewer than 1,000 employees (24%). For enterprises with more than 1,000 employees, the most common arrangement is more specifically targeted at security, with traditional MSS offerings (21%) such as alert monitoring. Firewall management is by far the most common service offering for smaller organizations (44%). Security information and event management is also more common at enterprises with fewer than 1,000 employees, as is identity management. Vulnerability assessment is a much more common service for larger enterprises.

As noted in our recent blog post, 65% of enterprises have a security operations center (SOC) in place, but not all of them are 24/7/365 operations, which are a challenge to maintain. Forty-six percent of enterprise SOCs are characterized as staffed mostly by in-house resources; however, depending on office locations, a “follow the sun” model can be difficult to sustain. Those who attack enterprise IT systems do not confine their activity to the nine-to-five working hours of an enterprise’s security operations team, however globally dispersed it is, so it is perhaps unsurprising that the most common reason cited for implementing MSS is ensuring 24/7/365 security monitoring coverage, at 28% of respondent citations.

Additional drivers for leveraging MSS include addressing skills gap issues (the difficulty of maintaining certain specialist security skillsets in-house, cited by 26% of respondents) and investigative capabilities (22%). Nineteen percent cite the ability of MSS vendors to achieve economies of scale by serving multiple clients from the same common pool of security capabilities as a primary driver for employing their services. And 16% note they implement MSS capabilities as part of a cyber-insurance requirement.

Many of the complaints, or expressed pain points, about MSS offerings also mark key points of differentiation between service offerings. As the graphic below shows, the most common issue (21% of respondents) is that dashboards provide insufficient or nonactionable information, closely tied to the related complaint of alert fatigue and a lack of effective prioritization and investigation support (18%). Two related complaints, that it is unclear whether the MSS is delivering the services contracted for (14%) and an inability to audit the capabilities of an MSS (12%), are increasingly being addressed by the 80% of users who independently validate the monitoring capabilities of their MSS through active testing.


This content may be AI-assisted and is composed, reviewed, edited and approved by S&P Global in accordance with our Terms of Service.