OF ALL THE CHALLENGES we face in our MSP practices, managing security vendor sprawl might be the hardest. We want to offer the best possible response to every threat, of course, but who wants to manage a dozen or more different vendor relationships and consoles, dashboards, and as many “single” panes of glass? After all, too much sprawl will bring your operations to a crawl.
How do we balance the concerns of product and vendor management, along with the challenges of managing industry change, integrating information, and more? It starts with operational maturity. Are you just getting started, or are you well down the growth path of a larger firm? And how much tolerance for single-provider risk can you muster? The answers to these questions will help you form your strategy.
Let’s start with the “easy” stuff, the vendors.
Managing Vendors
The first hurdle to clear is establishing and maintaining the various relationships you’ll need to develop and nurture with different vendors. We can stipulate that nearly all of us will need a wide variety of security providers, including firewall, EDR/MDR, MFA, SOC/SIEM, and the suite of protection and backup for M365 “endpoints.”
No matter how well you manage all of this, juggling these relationships adds complexity, and reduces your leverage with any given vendor. Complexity will also limit your scalability, weaken your vendor relationships, and ultimately constrain your profitability. And with too many different vendor data “silos” at play, you’ll miss out on potential synergies that a limited vendor stack provides.
If you are managing thousands of seats, you will surely have the breadth of staff and skill sets to manage multiple providers for each of these offerings, and more. And we all know that a varied provider ecosystem can help protect against a single vendor outage or compromise taking you or your sites down, or worse. And with that much scale, you can afford to “share the love” across multiple providers of any given solution and still develop solid relationships with many vendors.
But what about those of us with hundreds, not thousands, of seats? How do we develop strong vendor relationships, keep it simple, and still manage to grow and scale while remaining profitable? The simple answer is to keep the answer simple.
As I’ve built out my stack at Net Sciences, I have kept in mind that managing vendors is quite a bit like managing staff, and that realistically, about half a dozen variables are the most I can effectively handle. That means one firewall vendor, one EDR/MDR vendor, and so on. Where this starts to fray for my practice is bringing together the various MDR, firewall, and M365 log response vendors out there.
This means that changing out one part of my security stack requires careful attention to all the other layers and overlaps. I’ve tried to limit myself to vendors that can offer three or more solutions, and rarely (but not never) select “point” solution vendors. Players such as Solutions Granted that provide EDR/MDR, M365 alerting, and more stand out for me right now. And as I continue to further refine my security stack, I always look for ways to reduce the number of vendors. That makes players like SOCSoter and others that can offer very broad security portfolios even more interesting.
Managing Change
On a flight one time, I sat next to a neurosurgeon and we compared notes on who had “the harder job.” He was making life and death decisions and I was “just” protecting businesses, but then I asked him, “What if the neural systems of your patients changed every few months, with new diseases developed every day?” We went back to debating safer stuff, like politics… My point is, there really is nothing more complicated or faster changing than our industry—and it is only accelerating. It’s not just new technologies and “better” adversaries, but we also face endless mergers and acquisitions, policy and pricing changes, and more. The more vendors we engage with, the more management is required, and this takes time.
Managing Information Silos
Earlier I alluded to another issue that having multiple vendors creates: managing multiple dashboards. We have MDR, vulnerability scanning, log reading and response, anti-phishing, Microsoft 365, firewall logs, and more. Vendors are improving their integration, often by using our PSA and RMM products as the “middleware” that glues their alerting and reporting capabilities to our existing management stack. But even the best of these integrations cannot address the inherent lack of incident and alert integration created by these separate “information silos.” Different layers also bring feature overlap. For example, how long might it take to figure out what layer of our stack has generated a false positive that is blocking legitimate activities?
Addressing the information silo issue is the single best argument for finding an integrated security provider that can consolidate as much of the security provisioning as possible. Having EDR/MDR, edge security, traffic tunneling, and comprehensive log reading and response in the hands of a single provider does feel like a lot of eggs in one basket, but the eggs do get to share information that way. On the other side of this is the “fragile ecosystem” argument in which a single vendor’s compromise (or just a temporary service failure) can lead to widespread outages or much worse. In our own case, I have decided against a single provider for all security needs. I still work with separate firewall/UTM, BDCR and SaaS backup, EDR/MDR/M365 monitoring, and SOC/SIEM providers, among others.
The Final Analysis
If you are well along in your evolution as a service provider, you already have a solid security stack, including EDR/MDR, SOC/SIEM, and more. And once you consider secure remote access, M365 protections, and backup, you probably have six or more vendors to manage. And you’ve probably done some work to integrate alerts and reporting into your other systems and processes as well. Looking for incremental ways to simplify and improve your management is probably your next step. As you build out and update your security stack, always remember to do so with an eye to limiting vendor and data silo count, and the concomitant challenges that brings to management, efficiency, and your ability to scale your size and profitability.
Finding a way to manage the sprawl of security providers will always be a challenge. Some “point solutions” are just too good to pass up (we use Dark Cubed for firewall monitoring and response, and TruGrid for proxied RDS, for example). In the long run, though, reducing vendor count and “alert silos” and simplifying management will take precedence as we all mature and scale as providers.
JOSHUA LIBERMAN is president of Net Sciences, founded in 1995. A 27-year ASCII Group member, former rock climber and martial artist, and lifelong photographer, Liberman has visited five continents and speaks many languages. He also writes and speaks in the IT field and raises Siberian Huskies with his wife, Heidi, who calls him the Most Interesting Geek in the World.