Gartner.mq.Global.mssp.2014

8/9/2019 Gartner.mq.Global.mssp.2014

1/23

Magic Quadrant for Global MSSPs

Analyst(s): Kelly M. Kavanagh

Managed security services is a mature market with offerings from established service providers. This

Magic Quadrant presents enterprise buyers with advice on selecting MSS providers to support global

service requirements.

Market Definition/Description

For the purposes of this research, Gartner defines managed security services (MSSs) as "the remote

monitoring or management of IT security functions delivered via shared services from remote

security operations centers (SOCs), not through personnel on-site." Therefore, MSSs do not include

staff augmentation, nor any consulting or development and integration services.

MSSs broadly include:

This Magic Quadrant evaluates monitored/managed firewall and intrusion detection and prevention

Evidence

Ability to Execute

26 February 2014ID:G00247003

VIEW SUMMARY

Monitored or managed firewalls or intrusion prevention systems (IPSs) Monitored or managed intrusion detection systems (IDSs)

Distributed denial of service (DDoS) protection

Managed secure messaging gateways

Managed secure Web gateways

Security information and event management (SIEM)

Managed vulnerability scanning of networks, servers, databases or applications

Security vulnerability or threat notification services

Log management and analysis Reporting associated with monitored/managed devices and incident response

Gartner customer inquiries and information sharing

related to MSSPs

Analyst interactions with Gartner customers via

inquiries and meetings

Survey of MSSPs

Survey of MSS reference customers

Evaluation Criteria Definitions

Product/Service: Core goods and services offered by

the vendor for the defined market. This includes current

product/service capabilities, quality, feature sets, skills

and so on, whether offered natively or through OEM

agreements/partnerships as defined in the market

definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of

the overall organization's financial health, the financial

and practical success of the business unit, and the

likelihood that the individual business unit will continue

investing in the product, will continue offering the

product and will advance the state of the art within the

organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in

all presales activities and the structure that supports

them. This includes deal management, pricing and

negotiation, presales support, and the overall

effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond,

change direction, be flexible and achieve competitive

success as opportunities develop, competitors act,

customer needs evolve and market dynamics change.

This criterion also considers the vendor's history of

responsiveness.

Marketing Execution: The clarity, quality, creativity
http://www.gartner.com/technology/contact/bac/


2/23

(IDP) functions, as well as log management services, rather than other elements of the services we

have listed. Firewall, IDP and log collection form the core of most MSS engagements. The vendors in

the Magic Quadrant are evaluated on their ability to support customers with global service

requirements.

Magic Quadrant

Completeness of Vision

Return to Top

Figure 1.Magic Quadrant for Global MSSPs

and efficacy of programs designed to deliver the

organization's message to influence the market,

promote the brand and business, increase awareness of

the products, and establish a positive identification with

the product/brand and organization in the minds of

buyers. This "mind share" can be driven by a

combination of publicity, promotional initiatives, thought

leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and

services/programs that enable clients to be successful

with the products evaluated. Specifically, this includesthe ways customers receive technical support or account

support. This can also include ancillary tools, customer

support programs (and the quality thereof), availability

of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its

goals and commitments. Factors include the quality of

the organizational structure, including skills,

experiences, programs, systems and other vehicles that

enable the organization to operate effectively and

efficiently on an ongoing basis.

Market Understanding: Ability of the vendor to

understand buyers' wants and needs and to translate

those into products and services. Vendors that show the

highest degree of vision listen to and understand

buyers' wants and needs, and can shape or enhance

those with their added vision.

Marketing Strategy: A clear, differentiated set of

messages consistently communicated throughout the

organization and externalized through the website,

advertising, customer programs and positioning

statements.

Sales Strategy: The strategy for selling products that

uses the appropriate network of direct and indirect

sales, marketing, service, and communication affiliates

that extend the scope and depth of market reach, skills,

expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach

to product development and delivery that emphasizes

differentiation, functionality, methodology and feature

sets as they map to current and future requirements.

Business Model: The soundness and logic of the

vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to

direct resources, skills and offerings to meet the specific

needs of individual market segments, including vertical


3/23

Source: Gartner (February 2014)

AT&T

Headquartered in Dallas, and with regional offices in Hong Kong and London, AT&T offers security

monitoring and management services for customer-based and network-based security controls

including wireless in addition to a wide range of other IT and telecommunications services. AT&T

MSSs are based on commercial and self-developed technologies for alert and log collection, real-time

correlation, reporting, and device management. Workflow is supported by the AT&T BusinessDirect

portal. Query and browsing of log data are supported via commercial and self-developed

technologies. AT&T offers log management via on-premises solutions. Log management and MSS

functions must be accessed through separate portals. Integration of these functions into a single

portal remains planned. AT&T's advanced threat offering is the Security Event and Threat Analysis

(SETA) service, which includes correlation and analysis of data from customer devices and the AT&T

network, with customer-specific configuration and response templates. Three SOCs are located in the

U.S., two in Asia/Pacific and one in Europe, and multilingual support is available. Enterprises should

consider AT&T if they require a global service provider with a broad range of service offerings anddeployment capabilities that include premises-based and network-based options. Customers of other

AT&T services that seek MSSs from an incumbent provider should also consider AT&T.

Return to Top

Vendor Strengths and Cautions

Strengths

AT&T has good visibility among Gartner customers, and is often included in competitive MSS

evaluations.

AT&T's network-based security controls are mature security management and monitoring

offerings that are attractive to MSS customers with remote and branch office coverage

requirements.

AT&T is an established and stable service provider, with delivery capabilities in multiple

geographic regions.

Cautions

The MSS portal continues to lack standardized asset reporting as well as the log browsing

capabilities that are available in several competitors' portals.

Log management functions must be accessed from a portal that is distinct from the MSS portal.

The customization features of the MSS portal are not as extensive or self-service-capable as

those in competitors' portals.

Return to Top

markets.

Innovation: Direct, related, complementary and

synergistic layouts of resources, expertise or capital for

investment, consolidation, defensive or pre-emptive

purposes.

Geographic Strategy: The vendor's strategy to direct

resources, skills and offerings to meet the specific needs

of geographies outside the "home" or native geography,

either directly or through partners, channels and

subsidiaries as appropriate for that geography and

market.


4/23

BT

BT is headquartered in London and has offices across the globe, including a regional presence in

Texas and Hong Kong. BT's MSS offerings include monitoring and management of customer premises

deployed devices and network-based security controls as part of its larger portfolio of

telecommunications and IT services. BT uses self-developed technology for log and event collection,

correlation, query, reporting, and device management. Commercial technology supports workflow. In

addition to its MSS, BT offers Assure Analytics, an extension that provides additional analysis and

visualization capabilities. BT has two European SOCs and three Asia/Pacific SOCs staffed 24/7, with

an additional nine SOCs worldwide. Capabilities to detect targeted attacks and provide advanced

analytics are focused on larger customers and delivered via add-on services, including a social mediamonitoring service, Assure Analytics and consulting engagements. Customers of other BT services

that are seeking MSS as well as additional analytics and visualization capabilities should consider BT.

CenturyLinkCenturyLink is based in Monroe, Louisiana, and has offices in Singapore, Hong Kong, London and

throughout North America. It provides MSS as well as infrastructure as a service, software as a

service (SaaS), Web hosting, colocation and network services. MSS customers have primarily been

customers of CenturyLink's infrastructure services. MSS is delivered through a combination of

commercial and self-developed technology for data collection, correlation and analysis, reporting,

and log management. CenturyLink has three SOCs in North America, with an additional SOC in

Europe and one in Asia/Pacific. Advanced analytics to detect targeted attacks are embedded within

the MSS capabilities, and are based on monitoring third-party security technologies. CenturyLink's

infrastructure and network services customers should consider the company for managed security.

Strengths

BT has a broad range of security offerings for MSS globally, as well as for security consulting,

cybersecurity services, secure networking, business continuity, identity and access

management, technology deployment, and integration.

BT gets good marks from users for security expertise in support of its MSS delivery.

Cautions

BT continues to have much lower visibility among MSS buyers in North America and Asia/Pacific

than in Europe.

Customers use the BT Assure Threat Monitoring Web portal for searching, browsing and

reporting security-relevant raw log data, and a premises-based appliance user interface to

access non-security-relevant raw log data.

Return to Top

Strengths

CenturyLink's enterprise and small or midsize business customers for network services can

augment their relationships with CenturyLink via MSSs.


5/23

CSC

CSC is headquartered in Falls Church, Virginia, with regional offices in Sydney, Singapore and the U.

K. CSC delivers its MSS as a stand-alone service, and as a complement to its IT outsourcing and

consulting services to enterprises and government agencies. CSC is in the process of standardizing

its MSS delivery capabilities across all regions using commercial SIEM technology for data collection

and correlation, real-time alert generation, and log management. The self-developed Pulse Portal

provides access to alerts, reporting, ticketing and workflow. CSC has four SOCs in the U.S., two in

Europe and three in Asia/Pacific. New offerings to address advanced targeted attacks are available

and include network and payload analysis. Preliminary endpoint analysis and forensics are available

via managed services, with more in-depth forensics available as a consulting engagement. CSC

outsourcing customers and enterprises, especially those in the defense industrial base and financial

services industries, should consider CSC for MSSs.

CenturyLink's rationalization of security services across its lines of business has enabled a more

focused and consistent delivery of MSSs.

Cautions

CenturyLink does not appear on Gartner customer shortlists for MSSs.

The CenturyLink MSS portal lags competitors' portals in several areas, including customization,

asset tracking, and correlation across data sources and user data.

Return to Top

Strengths

CSC's efforts to standardize MSSs across regions now provide global event visibility to SOC

analysts, and should result in enhanced effectiveness for multiregional customers.

Customers give good marks for the security expertise of CSC's staff, as well as for their

understanding of the customer environment.

CSC's security expertise supports its strong presence in the U.S. federal government and the U.

K. government, in financial services and in critical infrastructure markets.

Cautions

CSC does not fully market its stand-alone MSS. Also, CSC is rarely included on Gartner

commercial customers' shortlists for stand-alone MSS deals.

Organizations considering CSC for MSSs should evaluate the current state and progress toward

the completion of global service standardization to ensure that the capabilities needed in all

regions are available to meet deployment requirements.

Return to Top


6/23

Dell SecureWorks

Dell is headquartered in Texas, and Dell SecureWorks is headquartered in Atlanta, with five regional

offices in the U.S. plus Edinburgh, Scotland, London and Tokyo, with additional offices in Asia/

Pacific and Europe. Dell SecureWorks offers MSSs as well as security consulting, incident response

and threat intelligence services. MSS delivery is based on self-developed technology for log and alert

collection, for real-time correlation and analysis, and for presentation/reporting via portal. Premises-

based log retention and reporting are delivered via commercial SIEM technology. The Dell

SecureWorks Counter Threat Unit provides threat intelligence, malware analysis and analytic support

for MSS operations. Customers may buy threat intelligence services as part of an MSS subscription.

Five SOCs are located in the U.S., with additional SOCs in the U.K., India, Mexico and EasternEurope. Advanced attack detection is offered within existing MSSs and includes threat feeds,

correlation, and analysis of historical events to identify anomalies. Midsize organizations that want to

meet compliance requirements, and enterprises looking for full-featured MSSs, should consider Dell

SecureWorks.

HP

HP is headquartered in Palo Alto, California, with MSS locations in Australia, London and Plano,

Texas. HP has a broad security portfolio of professional and managed services; technologies for

SIEM, application security and network security; and extensive offerings of additional IT products

and services. HP's MSS is based on several self-developed and commercial technologies for data

collection, correlation/alerting, query and reporting. Workflow and ticketing use HP technology, and

Strengths

Dell SecureWorks is very visible to Gartner customers and is typically included in competitive

MSS deals.

Gartner customers offer strong praise for Dell SecureWorks' MSS delivery, security expertise

and relationship management. The security expertise available through the Counter Threat Unit

is often cited as a differentiator.

The MSS portal receives very good marks from customers.

Cautions

Dell's ownership changes offer less visibility into its business operations, including the

positioning and emphasis placed on security products and services.

Although reports of issues to Gartner have been minimal to date, customers should continue to

monitor Dell SecureWorks' service delivery to ensure that MSS geographic expansion and any

shift in Dell's business focus do not dilute its MSS delivery capabilities.

Dell SecureWorks' cautious expansion beyond the Japanese market may result in prospects

having limited references in the Asia/Pacific region, and not as much ready access to presales

interaction.

Return to Top


7/23

tools for customer deployment provide workflow support. HP has two SOCs in the U.S., one in Latin

America, three in Europe and two in Asia/Pacific. HP offers a portal for MSS and uses the HP ArcSight

console for log management. HP offers a separate governance, risk and compliance-oriented portal

for executive dashboards. The HP MSS portal provides role-based access, ticketing and security

reporting features. Log management is delivered via HP ArcSight ESM and ArcSight Logger in hosted

or on-premises deployments. Log management features are available via the HP ArcSight portal.

HP's targeted attack detection and advanced analytics capabilities are embedded in its MSS offerings,

and are supported with threat feeds, vulnerability information, the detection capabilities of HP

ArcSight, and expert analysis. Enterprises and midsize companies with HP IT services or security

technology services should consider HP for MSSs.

IBM

IBM is headquartered in New York, with MSS offices in Atlanta and other geographies. MSSs and a

full range of security consulting and integration services are available as stand-alone services, and as

components of larger infrastructure outsourcing contracts. IBM uses self-developed technology for

data collection, correlation, log query and reporting, and ticketing/workflow. Log management is

offered as a hosted service, and with premises-based IBM QRadar and other SIEM technologies. IBM

has four North American SOCs, two in Europe, two in Asia/Pacific and two more in other regions.

IBM's advanced analytics and targeted attack detection capabilities are embedded in its MSS and

hosted SIEM offerings, and they are supported by IBM technology and third-party technology

deployed by customers. Enterprises with global service delivery requirements, and those withstrategic relationships with IBM, should consider IBM for MSSs.

Strengths

HP is a large, stable provider of MSSs and other security services. It has a multiregional

presence and delivery capabilities.

HP's broad technology and service delivery options enable extensively customized MSS

engagements, including technology bundling and hybrid delivery options.

Cautions

The HP MSS portal lacks the user correlation and asset and vulnerability reporting capabilities

that are available in competitors' portals. Potential customers should validate that HP's current

capabilities and enhancement plans meet their deployment and operations requirements.

Gartner customers report challenges in differentiating and navigating among HP's security

monitoring capabilities, which are available, in differing forms, from HP's product, outsourcing

and discrete MSS delivery organizations.

Prospective MSS customers should validate HP's coverage and monitor ongoing support when

MSS engagement includes security technologies from HP's competitors.

Return to Top

Strengths


8/23

NTT

NTT, which is based in Tokyo, and with London and New York offices, acquired Solutionary in 2013,

adding to prior acquisitions of MSS capabilities in the NTT companies (such as NTT Com Security

formerly Integralis and Dimension Data's earthwave). NTT is included in this Magic Quadrant on

the basis of the combined offerings and scale of the various MSS entities, which it is in the process of

rationalizing. NTT uses a variety of self-developed and commercial technologies to support MSS

delivery across the three organizations. There are multiple SOCs in Asia/Pacific, Europe and North

America. Targeted attack protection is embedded in the MSS offering of each delivery group, and it

differs among the groups, although cross-group data sharing for threat information is now being

done. NTT customers and enterprises seeking a large global service provider with specific regional

strengths should consider NTT for MSSs.

Gartner customers often include IBM in competitive MSS evaluations, and IBM has high visibility

in North American, Asia/Pacific and European markets.

IBM's MSS capabilities include support for customer-deployed SIEM (from IBM and other

vendors) that is integrated into its standard MSS offerings.

IBM is a large, stable provider of security and IT services and products, and it has global

delivery capabilities.

Cautions

Gartner customers report overall improvements and lingering challenges for IBM MSSs in sales,deployment and customer care.

Although IBM's MSS supports multiple security technologies including many from IBM's

competitors in the IPS and SIEM markets MSS customers should monitor planned and actual

MSS support for the security technologies deployed in their environments.

Return to Top

Strengths

Individual NTT MSS groups get good feedback from Gartner customers regarding MSS delivery.

Across the NTT MSS offerings, the capabilities of NTT Com Security, Solutionary, Dimension

Data's earthwave and NTT Data are well-known in Europe, North America, the Middle East/

Africa and Asia/Pacific, respectively, and they appear in MSS deals in those regions.

NTT has a global presence as well as a broad range of security service offerings and delivery

options, in addition to broader telecommunications and IT infrastructure service offerings.

Cautions

MSS operations across the regions are not yet fully integrated. Current MSS customers must

monitor NTT's plans to rationalize its MSS delivery capabilities to ensure that any changes

result in equal or better service delivery levels and options.


9/23

Orange Business Services

Headquartered in Paris, with offices in Atlanta and Singapore, Orange offers a broad range of

telecommunications and cloud-based IT infrastructure services, security consulting and integration

services, and MSSs. Orange MSSs are based on commercial SIEM technology for data collection,

correlation and analysis, reporting, and log management, with self-developed technology for

workflow. Three MSS SOCs are located in Europe, two in Asia/Pacific, one in North America and two

in the Middle East/Africa regions. Advanced threat detection is provided by proprietary technologies

as well as by commercial SIEM and network security products, with additional capabilities planned for

2014. Orange service customers and organizations seeking a large, global and stable Europe-focused

and Asia/Pacific-focused MSS provider (MSSP) should consider Orange.

Symantec

Symantec is headquartered in Mountain View, California, with MSS offices in Virginia, Singapore and

Reading, U.K. Symantec offerings include security monitoring, security intelligence, messaging

security services and a range of security products. Symantec's MSS architecture is based on self-

developed technology for event and log collection, with a combination of self-developed and

commercial technology for correlation, analytics and reporting. Ticketing/workflow and device

management are based on commercial technology. Log query and browsing are enabled via self-

developed technology. Symantec has one SOC in the U.S., one in the U.K. and two in Asia/Pacific,

plus a new SOC in Japan. Log management services are delivered via Symantec log collection

Potential MSS buyers should get binding assurances from NTT regarding the capabilities they

will receive globally and within regions to ensure that NTT's current and planned MSS

capabilities will meet customers' region-specific and global requirements.

Return to Top

Strengths

Orange offers a broad range of network and IT services that can be bundled with MSSs.

Orange is a large, stable service provider with long-standing MSS and security consulting

experience.

Cautions

Orange has lagged several MSS competitors in the introduction of advanced attack detection

and analytics offerings.

Orange rarely appears on Gartner customer shortlists for MSS procurement, and in North

America, Orange has very limited market visibility.

MSS customers in North America often express a preference for a SOC in-region. Although

Orange has a North American SOC, it is not staffed 24/7.

Return to Top


10/23

platform, are stored in Symantec SOCs and are available to customers via the MSS portal. A distinct

service level offers advanced attack detection analytics. Enterprises seeking an established MSSP

should consider using Symantec.

Trustwave

Trustwave is based in Chicago, with offices in London and Sydney. Trustwave has several security

technologiesincluding SIEM, unified threat management (UTM), network access control,

application security, Web application firewall (WAF) and Web security and builds MSSs around

those as well as third-party products. MSSs are based on Trustwave's SIEM technology for data

collection, correlation, alerting and workflow. Security intelligence capabilities are provided by the

Trustwave SpiderLabs group. Trustwave has three U.S.-based SOCs, one in Europe and one in Asia/

Pacific. Targeted attack detection and advanced analytics capabilities are standard components of

Trustwave MSSs, and they are delivered via three Trustwave activities: network monitoring, endpoint

monitoring and managed WAF. Companies in the retail, healthcare and banking vertical industries

and others that are subject to PCI compliance should consider Trustwave for MSSs.

Strengths

Symantec has strong visibility in the MSS market. Gartner customers very often consider

Symantec's MSS offerings in competitive evaluations.

Symantec's Gartner customers generally offer positive reviews of Symantec's MSS delivery, and

of the quality of their interactions with Symantec's SOC analysts.

MSS customers indicate that the DeepSight threat feeds and intelligence reports are

differentiators of Symantec's services.

Cautions

Prospective buyers should evaluate Symantec's optional enterprisewide pricing with realistic

assumptions of the number of monitoring/log sources they can expect to incorporate into the

scope of MSSs. Customer delays in bringing event sources into coverage will result in buyers

paying for coverage that they are unable to receive.

Symantec is rebuilding its security consulting capability. Prospective MSS customers should

carefully evaluate whether Symantec's security consulting services will meet their needs, andwhether they must engage with partner-led security services for service initiation and for

ongoing project work throughout the course of the MSS relationship.

Return to Top

Strengths

Trustwave has an extensive portfolio of security products and associated managed services that

can be packaged as subscription-based solutions for customers with limited capital budgets andsecurity resources.

Trustwave remains a well-recognized provider of services and technologies to support PCI Data


11/23

Verizon

Verizon is headquartered in Basking Ridge, New Jersey, with offices throughout the U.S., Europe,

Latin America and Asia. Verizon offers MSSs and security consulting, as well as a broad range of

telecommunications and infrastructure services. Verizon's MSS architecture is based on self-

developed technologies for event collection, correlation and alerting, with commercial technologies

for reporting and workflow. Log management services are based on a combination of self-developed

and commercial technologies. Two SOCs are located in the U.S., two in Europe and two in Asia/

Pacific. Verizon's Research, Investigations, Solutions, Knowledge (RISK) Team provides threat

intelligence and malware detection signatures that support MSSs, and Verizon's breach response

services inform MSS monitoring efforts. Targeted threat detection services are incorporated into the

standard MSS delivery. They are based on commercial technologies, on Verizon's self-developed

correlation and threat intelligence capabilities, and on network monitoring. A distinct advanced

analytics service is available in the U.S. to governments and enterprises facing specific targeted

threats. Enterprises should consider Verizon if they are looking for an established service provider

that is capable of delivering a broad range of security services in multiple regions.

Security Standard (DSS) compliance.

The Trustwave MSS portal provides extensive language support.

Cautions

Current customers and potential MSS buyers should continue to monitor Trustwave's ability to

meet delivery and road map commitments as it navigates a possible initial public offering.

Potential MSS customers should evaluate whether the split of compliance reporting capabilities

between the MSS portal and the log management portal meets their operational requirements.

The Trustwave MSS portal lags several competitors' portals in providing correlation of useractivities with infrastructure events.

Except for PCI monitoring engagements, Trustwave very rarely appears in MSS deals among

Gartner customers.

Return to Top

Strengths

Verizon's network-based capabilities enable MSS configuration that includes network-based and

premises-based controls.

Gartner customers often include Verizon in competitive MSS evaluations.

Verizon's MSS receives generally positive reviews from Gartner customers for meeting their

expectations for security expertise, and for effective security monitoring and alerting.

Customers also indicate that Verizon's security expertise is a differentiator for MSSs.

Cautions


12/23

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as marketschange. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope

may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not

the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a

reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of

focus by that vendor.

NTT was added to this Magic Quadrant based on its acquisition of Solutionary, and on the prioracquisitions of Integralis (now NTT Com Security) and Dimension Data's earthwave. NTT's

capabilities across these organizations meet the criteria for inclusion in the Magic Quadrant.

Orange Business Systems was added because it also meets the inclusion criteria.

Allstream, Bell Canada, CGI, Clone Systems, Nuspire Networks and Perimeter E-Security (now

named SilverSky) were dropped from this Magic Quadrant because they do not meet the inclusioncriteria for network devices and customers monitored/managed in Europe and Asia/Pacific.

Wipro was dropped because it does not meet the inclusion criteria for customers in Asia/Pacific or

North America.

HCL Technologies was dropped because it is in the process of realigning its MSS capabilities and

currently does not meet the inclusion criteria for this research.

SAIC was dropped because of its split into two companies, SAIC and Leidos, and because the MSS

business of Leidos does not meet the inclusion criteria for customers in Asia/Pacific and Europe.

Verizon's MSS portal lacks the user activity correlation capabilities that are available from

several competitors.

Verizon's log management services currently lag those of its competitors. New capabilities are

planned for 1Q14.

Return to Top

Vendors Added and Dropped

Return to Top

Added

Return to Top

Dropped

Return to Top


13/23

Inclusion and Exclusion Criteria

This Magic Quadrant expands the coverage from MSSPs in North America to include delivery

capabilities in North America, Europe and Asia/Pacific. As a remote service, MSSs can be delivered

via network connectivity to and from any locations with sufficient connectivity, and certainly MSSPs

that have operations in one geographic region can support customers in other regions. Gartner sees

a distinct preference among customers seeking MSSs to first consider MSSPs with a presence in their

region. Among global enterprises, that includes a presence in multiple regions where the enterprises

operate, in order to provide more "local" support and also includes the MSSP's ability to keep

some data in specific regions, provide local business hours, provide access to advanced support, and

provide local language support, among other concerns. In addition, compliance with data residency

and privacy regulations can be addressed in many cases with local operations centers.

This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices

supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS

revenue.

The criteria include a threshold for the number of firewalls or IDP devices under monitoring or

management, and a threshold for the number of MSS customers both distributed across multiple

regions. MSSs refer to remote management and monitoring of security technologies. Several large

infrastructure outsourcing vendors offer other service delivery options (such as staff augmentation)in addition to MSSs, but we don't evaluate these other delivery options. Also excluded from this

analysis are service providers that offer MSSs only as a component of another service offering (such

as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for

third-party technologies.

Vendors must have:

Return to Top

2013-2014 Global MSSP Magic Quadrant Inclusion Criteria

The ability to remotely monitor and/or manage firewalls, IDP devices from multiple vendors via

discrete service offerings, and shared service delivery resources

Firewalls/IDP devices under remote management or monitoring for external customers

External customers with those devices under management or monitoring

Reference accounts that are relevant to Gartner customers in the appropriate geographic

regions

A threshold of the number of customers as well as the number of firewalls and IDS/IPS devices

in multiple geographies

A threshold for MSS revenue of $20 million in 2012

A SOC presence in multiple geographic regions


14/23

Inclusion thresholds for firewalls/IDP devices under MSSs are 225 in Asia/Pacific, 1,500 in Europe,

2,250 in North America and 25 in the rest of the world (ROW), in the following possible

combinations:

Inclusion thresholds for MSS clients are 45 in Asia/Pacific, 75 in Europe, 225 in North America and 10

in ROW, in the following possible combinations:

Vendors have:

Evaluation Criteria

Asia/Pacific + Europe

North America + ROW

Asia/Pacific + North America

Europe + North America

Asia/Pacific + Europe

North America + ROW

Asia/Pacific + North America

Europe + North America

Return to Top

2013-2014 Global MSSP Magic Quadrant Exclusion Criteria

Service offerings that are available only to end users that buy other non-MSS services

Services that monitor or manage only their own technology

Services delivered by their own resources and dedicated to a single customer

Return to Top

Ability to Execute

Product or servicerefers to the service capabilities in areas such as event management and

alerting, information and log management, incident management, workflow, reporting, and service

levels.

Overall viabilityincludes the organization's financial health, the financial and practical success of

the overall company, and the likelihood that the business unit will continue to invest in the MSS

offering.

Sales execution/pricingincludes the service provider's success in the MSSP market and its

bili i i l i i i hi l i l d SS i i d h ll


15/23


capabilities in presales activities. This also includes MSS revenue, pricing and the overall

effectiveness of the sales channel. The level of interest from Gartner clients is also considered.

Market responsiveness/recordevaluates the match of the MSS offering to the functional

requirements stated by buyers at acquisition time. It also evaluates the MSSP's track record in

delivering new functions when the market needs them.

Marketing executionis an evaluation of the service provider's ability to effectively communicate

the value and competitive differentiation of its MSS offering to its target buyer.

Customer experienceis an evaluation of the service delivery to customers. The evaluation includesease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and

problem resolution. This criterion is assessed by conducting qualitative interviews of vendor-provided

reference customers, as well as by feedback from Gartner customers that are using the MSSP's

services, or have completed competitive evaluations of the MSSP's offerings.

Operationsincludes the MSSP's service delivery resources, such as infrastructure, staffing and

operations reviews or certifications.

Return to Top

Completeness of Vision

Market understandinginvolves the MSSP's ability to understand buyers' needs and to translatethem into services. MSSPs that show the highest degree of market understanding are adapting to

customer requirements for specific functional areas and service delivery options.

Table 1.Ability to Execute Evaluation

Criteria

Evaluation Criteria Weighting

Product or Service High

Overall Viability High

Sales Execution/Pricing Medium

Market Responsiveness/Record Medium

Marketing Execution Medium

Customer Experience High

Operations Medium

k i f l d ff d f h l


16/23


Marketing strategyrefers to a clear, differentiated set of messages that is consistently

communicated throughout the organization; is externalized through the website, advertising,

customer programs and positioning statements; and is tailored to the specific client drivers and

market conditions in the MSS market.

Sales strategyrelates to the vendor's use of direct and indirect sales, marketing, service, and

communications affiliates to extend the scope and depth of market reach.

Offering (product) strategyis the vendor's approach to product development and delivery that

emphasizes functionality and delivery options as they map to current and emerging requirements for

MSSs. Development plans are also evaluated.

Business modelincludes the process and success rate for developing features, innovations and

service delivery capabilities.

Vertical/industry strategyand geographic strategyinclude the ability and commitment to

service geographies and vertical markets.

Innovationrefers to the service provider's strategy and ability to develop new MSS capabilities and

delivery models to uniquely meet critical customer requirements.

Return to Top

Quadrant Descriptions

Table 2.Completeness of Vision

Evaluation Criteria

Evaluation Criteria Weighting

Market Understanding High

Marketing Strategy Medium

Sales Strategy Medium

Offering (Product) Strategy High

Business Model Low

Vertical/Industry Strategy Medium

Innovation High

Geographic Strategy Medium

Leaders


17/23

Each of the service providers in the Leaders quadrant has significant mind share among enterprises

looking to buy an MSS as a discrete offering. These providers typically receive very positive reports

on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically

appropriate options for enterprises requiring frequent interaction with the MSSP for analyst expertise

and advice, for portal-based correlation and workflow support, and for flexible reporting options.

In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered

as components of an IT or network service provider's other telecommunications, outsourcing or

consulting services. Although an MSS is not a leading service offering for this type of vendor, it offers

a "path of least resistance" to enterprises that need an MSSP and use the vendor's main services.

Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on

managed security into high-quality service offerings for the MSS market. These service providers are

often strong contenders for enterprises that require frequent interaction with MSS analysts, flexible

service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less

market coverage and fewer resources or service options compared with vendors in the Leaders

quadrant.

Niche Players are characterized by service offerings that are available primarily in specific market

segments, or primarily as part of other service offerings. These service providers often tailor MSS

offerings to specific requirements of the markets they serve.

Context

Prospective MSS buyers with threat management use cases should highly weight MSSPs' threat

research and security intelligence capabilities.

Current and prospective MSS users should require a proof of concept, or a demonstration of MSS

offerings for advanced analytics and big data, to validate effectiveness and value.

Current and prospective MSS users should validate MSSPs' services that are related to monitoring or

Leaders

Return to Top

Challengers

Return to Top

Visionaries

Return to Top

Niche Players

Return to Top

management of third party technologies or their own technologies to address advanced attacks


18/23

management of third-party technologies or their own technologies to address advanced attacks.

Market Overview

The MSS market is mature, and prospective customers have numerous options among MSSPs and

the types of services offered. The primary drivers for MSSs have been consistent for several years:

24/7 threat management and meeting compliance requirements. These may be complemented by

related drivers, such as the desire to redirect existing resources to other security areas, or the need

to engage deeper or broader expertise than is available in-house. An emerging driver is support for

the protection from and detection of targeted attacks through MSSP knowledge of the external threat

environment, through insight gained from monitoring events from a broad and global customer base,

through MSSP-based advanced analytics, or through MSSP monitoring of customer-deployed next-

generation protection and detection capabilities.

The 2013-2014 Magic Quadrant for Global MSSPs reflects multiregional delivery requirements, and

the MSSPs included in the evaluation meet the minimum thresholds for MSS business in two or more

regions. MSSPs with multiregional business typically have a sufficient understanding of region-

specific customer requirements, as well as sufficient service delivery capabilities that can scale to

support global service delivery. Customers with a mix of global delivery requirements and localregulatory requirements related to, for example, data privacy, may require customized services.

MSSPs that do not meet the customer or device thresholds for inclusion in this Magic Quadrant may

still deliver high-quality services within a region, and can typically deliver in multiple regions. When

considering MSSs, Gartner customers should develop evaluation criteria that meet their specific

requirements.

Gartner expects that growing enterprise experience with cloud-based infrastructure and applications

delivered as a service, as well as accommodating the access of consumer technology to corporate

systems, will result in greater acceptance of, and reliance on, cloud-based security-as-a-service

offerings.

In 2013, the global market for security outsourcing was $12 billion, with a forecast compound annual

growth rate of 15.4% through 2017.

Growth in enterprise demand for MSSs is driven primarily by four factors:

Return to Top

Security staffing and budget constraints:Gartner sees continued expectations to reduce

operational costs and capital expenditures, and to avoid staffing increases related to the

monitoring and management of mature security technologies, such as IDSs and firewalls. At the

same time, increased monitoring of infrastructure logs, as well as privileged and application

user activity and next-generation technologies, requires tool and analytical expertise that will

be difficult for many organizations to supply in-house.

Evolving compliance reporting requirements:This involves the evolution of existing

compliance requirements and of corporate governance policies that create a secondary effect


19/23

MSS growth can also be constrained by a few factors:

The services that are core to MSS offerings involve the monitoring of perimeter network security

technologies:

Return to Top

MSS Portfolio

compliance requirements, and of corporate governance policies that create a secondary effect

of stronger requirements for incident monitoring, identification, and response internally and

among business partners. As formal compliance regimes evolve or audit/enforcement activity

increases, organizations consider external service providers to reduce the costs of meeting

compliance requirements. PCI DSS remains an important driver; also, Gartner is starting to see

the U.S. Federal Information Security Management Act's (FISMA's) continuous monitoring

requirements become an increasing factor for U.S. government agencies, for commercial firms

that sell to the U.S. government, and for organizations funded by government grants, such as

universities.

Adoption of security technologies and analytic tools focused on advanced attacks:As

enterprises gain experience with technologies to analyze networks, payloads and endpoints for

advanced attacks, they will look for opportunities to focus internal resources on prevention and

response activities, and to augment those activities with external expertise to monitor and

manage the technologies.

Increased availability and adoption of cloud-based IT services:Increasing use of cloud-

based IT services will drive security controls into those services, and will also lead to greater

acceptance and adoption of cloud-based security services for controls that are best suited for

cloud-based delivery. Gartner expects significant security outsourcing growth in areas adjacent

to MSSs, such as secure Web gateways, email security, and identity and access management.

Enterprise deployment of SIEM technology to provide in-house alerting and log

analysis:MSSPs typically lack deep insight into the customer IT and business environment;

thus, they are less able to determine whether events involving users, administrators, internal

applications and data are inappropriate or unacceptable. Wherever enterprises want close

monitoring of internal activities, they may opt to do it themselves. Some organizations monitor

internal activities and also use an MSSP for external/perimeter monitoring. Such an

arrangement still constrains the growth of MSSs in those organizations.

Core competency:Organizations that provide security technology or services, or position their

technology or services as secure, are likely to forgo outsourced security monitoring. Where

security is a value proposition and a core competence, outsourcing security may not be an

effective option.

Change in strategy to reduce outsourcing:At the enterprise level or within the security

organization, a change in strategy regarding the use of external services can mean that MSSs

are not considered effective options.


20/23

In addition to monitoring, many MSSPs have management services for those technologies. It is

increasingly common for MSSPs to also provide monitoring and log collection from IT infrastructure

such as servers, user directories and applications.

Among organizations that have deployed SIEM technology, Gartner sees increasing interest for

services to monitor or run the SIEM. Several MSSPs have offerings to support customer-deployed

SIEM.

MSSPs may also provide cloud or SaaS-based services, including:

MSSPs offer cloud services directly or via partnerships with other service providers. The degree of

integration of partner-delivered services with MSSP services varies from little more than purchasing

convenience to integration of partner data and management functionality into the MSSP's portal.

Deeper integration can provide operational and vendor management advantages, but may reduce

the ability to "swap out" one cloud-based service for another.

Buyers should take into consideration the degree of integration of any partner-delivered services

with the MSSP's offering, as well as the potential for affecting training, operational efficiency and end-

of-contract switching costs.

Several MSSPs have created research groups to improve their understanding of the threat landscape

that is, the identities, motives, targets and techniques of attackers. MSSPs use their findings to

support their security operations analysts; they may also provide customers with subscription-based

access to this research, or offer customers project-based access to the group for analysis/reverse

engineering of malware. Potential customers of threat intelligence feeds from MSSPs should require

Firewalls

IDSs/IPSs

Multifunction firewalls/UTM services

Next-generation firewalls

WAFs

DDoS protection

Email security

Web filtering

Vulnerability scanning

Network-based firewall/IDP

Return to Top

Threat Intelligence and Advanced Analytics

proof-of-concept access to evaluate the relevance of the information as well as their ability to


21/23

proof of concept access to evaluate the relevance of the information, as well as their ability to

consume and act on it.

Many MSSPs claim capabilities to assist their customers in addressing advanced targeted attacks.

These capabilities may be visible as discrete service offerings or options, or as features embedded in

existing offerings. They may include, for example:

These offerings are now primarily based on the security events monitored by the MSSPs; however,

we expect that several MSSPs will introduce distinct service offerings to acquire, retain and analyze

large volumes of customer data so called "security big data" from IT infrastructure and other

sources. Gartner recommends that customers require a limited pilot or proof of concept to identify

specific areas where relevant, actionable intelligence results from the collection and analysis of the

data, and to identify the service levels required. Based on feedback from Gartner customers, early

adopters should plan for the inclusion of relevant domain experts who are typically outside the

security group, such as line-of-business owners and application owners.

Most MSSPs also offer incident response capabilities to assist customers with investigation and

remediation activities in the event of a breach. These services are typically available on a consulting

basis. Prospective customers should confirm with MSS candidates how much response support is

available within the context of the standard monitoring services, and when a consulting engagement

is required. If the MSSP offers packaged or prepaid hours for incident response activities, then

customers should ensure that those hours are available for other security services if they are not

needed for incident response.

The typical pricing model for MSSs is based on the type and size of the security technology to be

monitored for customer-premises-equipment-based devices, or on the bandwidth or number of users/

endpoints for network-based controls. Log collection is typically priced by the number and types of

sources, or on events per time period (device count pricing includes implicit expectations of event

volumes). There is typically a clear distinction between technology that is monitored in real time, and

subject to alerting service-level agreements (SLAs), and technology that is not that is, where logs

are collected and subject to reporting or querying, but not to real-time correlation and analyst

review. Device management pricing is typically based on the number of configuration changes to be

performed within a period of time.

Correlation of alerts with IP reputation or known bad addresses

Comparison of alerts, activity patterns or state (such as device configuration, registry and so

on) to those of known attacks

Analysis of activity patterns (across an MSS customer base as well as within the customer

environment) to identify outliers, exceptions or deviations from baselines

Return to Top

Pricing Models

During 2014, Gartner expects the trend for common services, such as firewall and IDP monitoring


22/23

During 2014, Gartner expects the trend for common services, such as firewall and IDP monitoring

and management, to decline slightly. Price pressure is coming from new sources for these services,

such as from the technology providers themselves, from other MSSPs and from continued corporate

efforts to reduce IT budgets. In response, MSSPs have introduced new services to monitor and

manage advanced threat detection technologies. MSSPs will continue trying to expand the number of

devices and data sources to monitor, and will differentiate monitoring based on the availability of

additional external intelligence feeds and analysis (such as reputation data, blacklists, behavioral

data and cross-customer activity) that can be correlated with data from customers' monitored

devices.

The basic makeup of the MSSP vendor space has not changed fundamentally. There are three major

types of MSSPs:

This Magic Quadrant reflects the requirements of customers that seek MSSPs with a global presence

and global delivery capabilities. The vendors that meet those requirements fall into the latter two

types of MSSPs.

In general, the MSS portfolios of these providers look broadly similar. Customer satisfaction with

services can be strongly related to customer expectations. Customers occasionally report

dissatisfaction related to objectively poor performance, including missed SLAs. However, it is more

common for dissatisfied customers to express disappointment related to subjective criteria that may

never have been made explicit to prospective providers, or to the MSSP selected.

Gartner customers using MSSPs express differing expectations regarding their type of relationship

with MSSPs. Expectations may range from frequent interactions and knowledge sharing among the

customer security staff and MSSP staff, to almost no interactions beyond the provision of periodic

reports of monitoring activity. Gartner recommends that prospective MSS buyers develop explicit

Return to Top

MSSP Landscape

Pure plays:These are generally smaller, privately held MSSPs that are completely focused on

security services. As seen in 2013, pure-play MSSPs will continue to be acquired by larger

service or IT infrastructure firms that seek to provide MSSs. New pure-play security service

providers often focus on specific vertical markets or regulatory requirements, or on specificanalytic services (such as user activity) or advanced threat detection technologies.

System integrators/business process outsourcers:These are broad IT service providers

that typically manage security devices as part of larger outsourcing deals. Where the integrator

or outsourcer acquired a pure-play MSSP and maintained a discrete MSS delivery capability,

these providers often compete for MSS-only deals.

Carriers and network service providers:These are bandwidth and connectivity providers

that manage network security products. They often provide remote monitoring, premises-based

technologies and cloud-based services through their Internet connections.


23/23

Gartner.mq.Global.mssp.2014

Documents

Transcript of Gartner.mq.Global.mssp.2014