{{Short description|Outsourced network security service}} {{multiple issues | {{more citations needed|date=December 2010}} {{original research|date=December 2010}} }}
In computing, '''managed security services''' ('''MSS''') are network security services that have been outsourced to a service provider. A company providing such a service is a '''managed security service provider''' ('''MSSP''').<ref name=Kairab>{{cite book|title=A Practical Guide to Security Assessments|author=Sudhanshu Kairab|pages=220–222|publisher=CRC Press|year=2004|isbn=9780849317064}}</ref> The roots of MSSPs are in the Internet service providers (ISPs) in the mid to late 1990s. Initially, ISPs would sell customers a firewall appliance, as customer premises equipment (CPE), and for an additional fee would manage the customer-owned firewall over a dial-up connection.<ref>{{cite news |title=Outsourcing Options |author=Denise Pappalardo |publisher=Network World | date=1997-03-17}}</ref>
According to recent industry research, most organizations (74%) manage IT security in-house, but 82% of IT professionals said they have either already partnered with, or plan to partner with, a managed security service provider.<ref>[http://www.out-law.com/articles/2014/february/pressure-to-deliver-new-it-projects-despite-security-concerns-felt-by-80-of-it-professionals/] Pressure to deliver new IT projects despite security concerns felt by 80% of IT professionals</ref>
Businesses turn to managed security services providers<ref>{{Cite news |last=Marak |first=Sylvia |date=March 10, 2025 |title=Top 10 Managed Security Service Providers (MSSPs) |url=https://www.intelligenceinsights.net/security/top-10-managed-security-service-providers/|access-date=November 13, 2024}}</ref> to alleviate the pressures they face daily related to information security such as targeted malware, customer data theft, skills shortages and resource constraints.<ref>{{cite web|title=5 Pitfalls to Avoid When Choosing a Managed Security Service Provider|url=https://www.mosaic451.com/outsourcing-cybersecurity-5-pitfalls-avoid/|accessdate=29 July 2016|archive-url=https://web.archive.org/web/20160821175855/https://www.mosaic451.com/outsourcing-cybersecurity-5-pitfalls-avoid/|archive-date=21 August 2016|url-status=dead}}</ref><ref>{{cite web|url=http://www.csoonline.com/article/2134337/employee-protection/study-shows-those-responsible-for-security-face-mounting-pressures.html| date=February 11, 2014|title=CSO Magazine: Study shows those responsible for security face mounting pressures}}</ref>
Managed security services (MSS) are also considered the systematic approach to managing an organization's security needs. The services may be conducted in-house or outsourced to a service provider that oversees other companies' network and information system security. Functions of a managed security service include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies. There are products available from a number of vendors to help organize and guide the procedures involved. This diverts the burden of performing the chores manually, which can be considerable, away from administrators.
The industry research firm Forrester Research identified the 14 most significant vendors in the global market in 2018 with its 23-criteria evaluation of managed security service providers (MSSPs), naming Accenture, IBM, Dell SecureWorks, Trustwave, AT&T, Verizon, Deloitte, Wipro and others as the leaders in the MSSP market.<ref>[https://www.forrester.com/report/The+Forrester+Wave+Global+Managed+Security+Services+Providers+MSSPs+Q3+2018/-/E-RES141654] The Forrester Wave™: Global Managed Security Services Providers (MSSPs), Q3 2018</ref> Newcomers to the market include a number of smaller providers used to protect homes, small businesses, and high-net-worth clients.
The IT partner intelligence source compuBase has identified more than 35,000 MSSPs worldwide (without Asia),<ref>[https://en.compubase.net/MSSP-Managed-Security-Service-Providers_a422.html]</ref> and this number continues to grow as more VARs become MSPs and more MSPs offer Managed Security Services.
==Early history==
An early example of an outsourced and off-site MSSP service is US West !NTERACT Internet Security. The security service did not require the customer to purchase any equipment, and no security equipment was installed at the customer's premises.<ref name=NW1>{{cite news |title=RBOC or ISP? |author=Tim Greene |publisher=Network World | date=1997-03-17}}</ref> The service is considered an MSSP offering in that US West retained ownership of the firewall equipment and the firewalls were operated from their own Internet Point of Presence (PoP).<ref name=PR1>{{cite web|title=Security Services for the Internet Release |url=http://www.uswest.com/com/atwork/interprise/031297_security.html/ |accessdate=24 November 2014 |url-status=dead |archiveurl=https://web.archive.org/web/19970516211801/http://www.uswest.com/com/atwork/interprise/031297_security.html/ |archivedate=May 16, 1997 }}</ref> The service was based on Check Point Firewall-1 equipment.<ref>{{cite web|title=Check Point Software Technologies ISP Market Initiative Partner Quote Sheet|url=http://www.checkpoint.com/press/1997/isp3quote.html/|accessdate=24 November 2014}}</ref> Following a beta introduction period of over a year, the service was generally available by early 1997.<ref name=NW1 /><ref name=PR1 /> The service also offered managed Virtual Private Networking (VPN) encryption security at launch.<ref name=PR1 />
==Industry terms==
*'''Asset''': A resource valuable to a company worthy of protection.
*'''Incident''': An assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an asset.
*'''Alert''': Identified information, i.e. fact, used to correlate an incident.
==Six categories of managed security services==
===On-site consulting===
This is customized assistance in the assessment of business risks, key business requirements for security and the development of security policies and processes. It may include comprehensive security architecture assessments and design (including technology, business risks, technical risks and procedures). Consulting may also include security product integration and on-site mitigation support after an intrusion has occurred, including emergency incident response and forensic analysis.<ref name=Kairab /><ref name=PLSC>{{cite book|title=Physical and Logical Security Convergence|url=https://archive.org/details/physicallogicals00cont_034|url-access=limited|author1=Brian T. Contos |author2=William P. Crowell |author3=Colby Derodeff |author4=Dan Dunkel |author5=Eric Cole |name-list-style=amp |pages=[https://archive.org/details/physicallogicals00cont_034/page/n166 140]|publisher=Syngress|year=2007|isbn=9781597491228}}</ref>
===Perimeter management of the client's network===
This service involves installing, upgrading, and managing the firewall, Virtual Private Network (VPN) and/or intrusion detection hardware and software, electronic mail, and commonly performing configuration changes on behalf of the customer. Management includes monitoring, maintaining the firewall's traffic routing rules, and generating regular traffic and management reports to the customer.<ref name=Kairab /> Intrusion detection management, either at the network level or at the individual host level, involves providing intrusion alerts to a customer, keeping up to date with new defenses against intrusion, and regularly reporting on intrusion attempts and activity. Content filtering services, such as email filtering and other data traffic filtering, may also be provided.<ref name=PLSC />
===Product resale===
Clearly not a managed service by itself, product resale is a major revenue generator for many MSS providers. This category provides value-added hardware and software for a variety of security-related tasks. One such service that may be provided is archival of customer data.<ref name=PLSC />
===Managed security monitoring===
This is the day-to-day monitoring and interpretation of important system events throughout the network—including unauthorized behavior, malicious hacks, denial of service (DoS), anomalies, and trend analysis. It is the first step in an incident response process.
===Penetration testing and vulnerability assessments===
This includes one-time or periodic software scans or hacking attempts in order to find vulnerabilities in a technical and logical perimeter. It generally does not assess security throughout the network, nor does it accurately reflect personnel-related exposures due to disgruntled employees, social engineering, etc. Reports are given to the client regularly.<ref name=Kairab /><ref name=PLSC />
===Compliance monitoring===
Compliance monitoring supports change management by monitoring event logs to identify changes to a system that violate a formal security policy. For example, if an impersonator grants himself or herself too much administrative access to a system, it would be easily identifiable through compliance monitoring.<ref>{{Cite web |url=https://www.itb.com.sa/D71DF2D6.html#:~:text=Compliance%20monitoring&text=This%20service%20will%20identify%20changes,to%20a%20technical%20risk%20model. |title=Managed Services |access-date=2020-11-15 |website=www.itb.com.sa |archive-date=2020-11-16 |archive-url=https://web.archive.org/web/20201116134421/https://www.itb.com.sa/D71DF2D6.html#:~:text=Compliance%20monitoring&text=This%20service%20will%20identify%20changes,to%20a%20technical%20risk%20model. |url-status=dead }}</ref>
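The check described above can be illustrated with a short script. This is an added example, not taken from any cited source or product: the log format, field names, group names and change-ticket identifiers are all constructed assumptions. It flags privileged group grants that are self-granted or that lack an approved change ticket.

```python
import re
from dataclasses import dataclass

# Constructed sample event log (hypothetical key=value format, not a real product's).
SAMPLE_LOG = """\
2024-05-01T02:14:07Z host=db01 event=group_add actor=svc_deploy target=svc_deploy group=sudo ticket=-
2024-05-01T09:30:12Z host=db01 event=group_add actor=alice target=bob group=dba ticket=CHG-1042
2024-05-01T09:41:55Z host=web02 event=group_add actor=carol target=dave group=wheel ticket=CHG-9999
2024-05-01T10:02:31Z host=web02 event=login actor=dave target=dave group=- ticket=-
2024-05-01T11:15:00Z host=web02 event=group_add actor=erin target=frank group=staff ticket=-
"""

# Assumed formal policy: which groups are administrative, which changes were approved.
POLICY = {
    "privileged_groups": {"sudo", "wheel", "dba"},
    "approved_tickets": {"CHG-1042"},
}

FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass
class Violation:
    timestamp: str
    host: str
    actor: str
    target: str
    group: str
    reasons: tuple


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict of fields."""
    timestamp, _, rest = line.partition(" ")
    record = dict(FIELD.findall(rest))
    record["timestamp"] = timestamp
    return record


def find_violations(log_text, policy):
    """Return privileged-group grants that break the policy."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only membership changes to administrative groups are in scope.
        if rec.get("event") != "group_add":
            continue
        if rec.get("group") not in policy["privileged_groups"]:
            continue
        reasons = []
        if rec.get("actor") == rec.get("target"):
            reasons.append("self-granted privilege")
        if rec.get("ticket") not in policy["approved_tickets"]:
            reasons.append("no approved change ticket")
        if reasons:
            violations.append(Violation(rec["timestamp"], rec.get("host", "?"),
                                        rec.get("actor", "?"), rec.get("target", "?"),
                                        rec["group"], tuple(reasons)))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG, POLICY):
        print(f"{v.timestamp} {v.host}: {v.actor} -> {v.target} in {v.group}: "
              + "; ".join(v.reasons))
```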
=== Managed Detection and Response (MDR) ===
Unlike traditional MSS, which focuses on perimeter management and alert triage (sending notifications for the client to handle), managed detection and response focuses on rapid threat detection, analysis, investigation and response<ref>{{Cite web |title=Best Managed Detection and Response Reviews 2026 {{!}} Gartner Peer Insights |url=https://www.gartner.com/reviews/market/managed-detection-and-response |access-date=2026-02-24 |website=www.gartner.com |language=en}}</ref> (the provider actually takes steps to contain the threat).
==Engaging an MSSP==
The decision criteria for engaging the services of an MSSP are much the same as those for any other form of outsourcing: cost-effectiveness compared to in-house solutions, focus upon core competencies, need for round-the-clock service, and ease of remaining up-to-date. An important factor, specific to MSS, is that outsourcing network security hands over critical control of the company's infrastructure to an outside party, the MSSP, whilst not relieving the ultimate responsibility for errors. The client of an MSSP still has the ultimate responsibility for its own security, and as such must be prepared to manage and monitor the MSSP, and hold it accountable for the services for which it is contracted. The relationship between MSSP and client is not a turnkey one.<ref name=Kairab />
Although the organization remains responsible for defending its network against information security and related business risks, working with an MSSP allows the organization to focus on its core activities while remaining protected against network vulnerabilities.
Business risks can result when information assets upon which the business depends are not securely configured and managed (resulting in asset compromise due to violations of confidentiality, availability, and integrity). Compliance with specific government-defined security requirements can be achieved by using managed security services.<ref>{{Cite web |date=2003-01-15 |title=Outsourcing Managed Security Services |url=https://insights.sei.cmu.edu/library/outsourcing-managed-security-services/ |access-date=2025-06-12 |website=insights.sei.cmu.edu |language=en}}</ref>
==Managed security services for mid-sized and smaller businesses==
The business model behind managed security services is commonplace among large enterprise companies with their IT security experts. The model was later adapted to fit medium-sized and smaller companies (SMBs - organizations up to 500 employees, or with no more than 100 employees at any one site) by the value-added reseller (VAR) community, either specializing in managed security or offering it as an extension to their managed IT service solutions. SMBs are increasingly turning to managed security services because they face a dangerous gap in coverage and capability. A primary driver is the "always-on" nature of modern threats; for instance, 91% of ransomware attacks occur outside regular business hours,<ref name=":0">{{Cite web |title=Addressing the cybersecurity skills shortage in SMBs |url=https://www.sophos.com/blog/addressing-the-cybersecurity-skills-shortage-in-smbs |access-date=2026-02-24 |website=Sophos |language=en-us}}</ref> a window during which most SMBs lack active monitoring. This vulnerability is compounded by internal resource gaps; SMBs perceive a lack of in-house expertise as their second biggest single cybersecurity risk, trailing only the threats themselves.<ref name=":0" />
Whereas larger organizations typically employ an IT specialist or department, organizations at a smaller scale such as distributed location businesses, medical or dental offices, attorneys, professional services providers or retailers do not typically employ full-time security specialists, although they frequently employ IT staff or external IT consultants. Of these organizations, many are constrained by budget limitations. To address the combined issues of lack of expertise, lack of time and limited financial resources, an emerging category of managed security service provider for the SMB has arisen.
Many organizations have begun adopting managed security services instead of relying solely on in-house IT security teams. In this model, companies outsource aspects of their information security operations to specialized service providers. This approach can allow organizations to reduce operational costs and focus on other business activities while maintaining continuous monitoring and management of their IT security systems. The growth of managed security services has been supported by the increasing involvement of major information technology companies and service providers.<ref>{{Cite web|url=http://www.sigmamarketresearch.com/managed-security-services-mss-an-opportunistic-it-security-segment-globally/|title=Managed Security Services (MSS): An Opportunistic IT Security Segment, Globally|date=17 December 2015}}</ref>
Service providers in this category tend to offer comprehensive IT security services delivered on remotely managed appliances or devices that are simple to install and run for the most part in the background. Fees are normally highly affordable to reflect financial constraints, and are charged every month at a flat rate to ensure predictability of costs. Service providers deliver daily, weekly, monthly or exception-based reporting depending on the client's requirements.<ref>[http://www.itworld.com/article/2774665/small-business/security-for-small-business---how-to-make-the-most-of-managed-security-services.html] How to make the most of managed security services</ref>
Information technology security addresses threats such as cyberattacks, malware, and email spoofing. Managed Security Service Providers (MSSPs) offer services related to these security issues. Vendors develop and maintain security solutions and service portfolios. Global data protection regulations set requirements for data security.
Key sectors engaging managed security services include financial services, telecommunications, and information technology. MSS vendors develop and maintain technology offerings for client deployment. Service models include cost management and integration of tools. Service creation and product integration are part of these systems. The MSS market is present in regions including North America, Europe, Asia–Pacific, Latin America, the Middle East, and Africa.<ref>{{Cite web|url=http://www.ifsecglobal.com/global-managed-security-services-market-grow-16-2020/|title = Cloud-based Managed Security Services to Overtake On-Premise Deployment within 12 Months|date = 14 August 2015}}</ref>
== Regulatory compliance drivers ==
Organizations increasingly engage managed security service providers (MSSPs) to meet regulatory requirements that demand continuous security monitoring and specialized expertise. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to implement procedures for monitoring log-in attempts, reporting discrepancies (45 CFR 164.308(a)(5)(ii)(C)), and regularly reviewing records of information system activity (45 CFR 164.308(a)(1)(ii)(D)).<ref>{{cite web |title=45 CFR § 164.308 - Administrative safeguards |url=https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C |publisher=Legal Information Institute |access-date=April 1, 2026}}</ref> The December 2024 HIPAA Security Rule NPRM proposed requiring continuous monitoring capabilities and 24-hour notification timelines for security incidents, requirements that many healthcare organizations rely on MSSPs to fulfill.<ref>{{cite web |title=HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information |url=https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information |publisher=Federal Register |date=January 6, 2025 |access-date=April 1, 2026}}</ref> Under HIPAA, MSSPs that access electronic protected health information are classified as business associates and must enter into business associate agreements with covered entities (45 CFR 164.308(b)).
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires daily review of security events and continuous monitoring of critical systems (Requirements 10.4 and 10.6), driving demand for managed security services among organizations processing payment card data.<ref>{{cite web |title=PCI DSS v4.0 |url=https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf |publisher=PCI Security Standards Council |date=March 2022 |access-date=April 1, 2026}}</ref> NIST Special Publication 800-53 addresses outsourced security services through the SA-9 (External System Services) control, which requires organizations to ensure that external service providers comply with applicable security requirements.<ref>{{cite web |title=NIST SP 800-53 Rev. 5: Security and Privacy Controls |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final |publisher=National Institute of Standards and Technology |date=September 2020 |access-date=April 1, 2026}}</ref>
==See also==
* Information security operations center
* Security as a service
* Managed detection and response
==References==
{{reflist|2}}
==Further reading==
* {{cite book|title=Surviving Security|author=Amanda Andress|chapter=Managed Security Services|pages=353–358|publisher=CRC Press|year=2003|isbn=9780849320422}}
* {{cite book|title=Network Security|author1=Roberta Bragg |author2=Mark Rhodes-Ousley |author3=Keith Strassberg |name-list-style=amp |chapter=Managed Security Services|pages=110–113|publisher=McGraw-Hill Professional|year=2004|isbn=9780072226973}}
* {{cite book|title=Outsourcing Information Security|author=C. Warren Axelrod|publisher=Artech House|year=2004|isbn=9781580535311}}
{{DEFAULTSORT:Managed Security Service}}
Category:Computer network security
Category:Outsourcing