Premium margins for premium services

Some large figures are being bandied about, but this is a cautionary tale: to earn these margins you need to do it properly.

If done properly, the potential margins on managed security services are enormous. But don’t ignore that caveat: if done properly. (inbay 22.10.18)

Margins for managed security services began to climb sharply in 2011, and are now reaching a gross margin of 53.9 percent.

Computer Reseller News 20.08.18

If you’re an IT managed service provider, there’s a tremendous opportunity to help your clients save money by providing high-value endpoint security services while you receive a high margin of return in exchange.

Security Intelligence 19.09.18

Security and cloud applications (SaaS) are the top-selling and fastest-growing products in the managed services portfolio

Barracuda July 2017

Good quality security monitoring and threat detection is a niche activity, which puts it beyond the reach of most mid-size and smaller organisations. It makes far more sense to have a third party do it instead, and it is probably cheaper, because the provider has scale.

The trend is moving away from larger IT company providers who have historically provided a very light touch service, simply producing a report each week. Customers are asking their service providers for a much greater level of transparency and in some cases want access to a live portal so they can see activity and results for themselves.


Delivering a good service at an attractive price

If repeatable processes are the best way to control the cost of delivering a service, then building a new process for each customer is the greatest risk of cost overrun. This is certainly true if you’re offering the service at a fixed price.

Service variations are the enemy of cost control and healthy margins.

The managed services business is highly competitive and relies on predictable costs and volume business. If a service provider is tempted to respond to individual customer requirements they need to ask themselves “who is picking up the extra cost of designing and delivering a tailored service?”

  • The cost of consulting with the customer as to what they want, documenting requirements etc.
  • The additional on-boarding costs for bespoke correlation rules, reports etc.
  • The ongoing additional resource costs and overheads of running a SOC where different customers have different services.
  • The additional costs of drawing up bespoke SLAs and commercial contracts.

Just like building a new house, the affordable one is pre-designed and packaged, while the architected one is wonderfully unique but twice the price.

A fixed price service needs a robust service definition and processes


Setting up a managed security service - where to start

Many people start the journey to Managed Security Services (MSS) by looking at the supporting technology, specifically SIEM solutions, reasoning that they will craft a service around the functionality available. By starting with the technology you risk building a complex service at an unattractive price.

By starting with the Service Definition you can build a set of Use Cases that meet the needs of the target customers at a price they are willing to pay. Using this approach the Service Definition drives a commercially viable service offering and prevents the technology “bells and whistles” leading to an expensive one with little take-up.

At the heart of the service definition are use cases, for example:

Boundary Monitoring for
  • Detection of suspicious outbound activity
  • Detection of denial of service attacks
  • Detection of an unauthorised device introduced to the network

User Monitoring to
  • Track remote user authentication
  • Detect unusual print volumes, out-of-hours printing etc.
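To show what two of the user-monitoring use cases above look like once they become correlation rules, here is an added example (not Huntsman code and not the page's own) that runs an out-of-hours printing rule, a per-user daily print volume rule and a remote-authentication failure-burst rule over a handful of constructed log lines. The log format, the business-hours window, the 500-page threshold and the five-failures-in-60-seconds threshold are all assumptions made for the illustration; a real service definition would fix these per use case.

```python
"""Use-case rules over constructed log lines: out-of-hours printing, unusual print
volume, and a burst of failed remote logins followed by a success.
Added example; thresholds and the log format are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs in the form "timestamp|source|user|event|key=value"
SAMPLE_LOGS = """\
2024-03-04T09:12:00|printsrv|alice|print|pages=3
2024-03-04T09:30:00|printsrv|alice|print|pages=5
2024-03-04T23:41:00|printsrv|bob|print|pages=420
2024-03-04T23:55:00|printsrv|bob|print|pages=380
2024-03-04T08:00:00|vpn|carol|auth_fail|src=203.0.113.7
2024-03-04T08:00:05|vpn|carol|auth_fail|src=203.0.113.7
2024-03-04T08:00:09|vpn|carol|auth_fail|src=203.0.113.7
2024-03-04T08:00:14|vpn|carol|auth_fail|src=203.0.113.7
2024-03-04T08:00:20|vpn|carol|auth_fail|src=203.0.113.7
2024-03-04T08:00:31|vpn|carol|auth_ok|src=203.0.113.7
2024-03-04T10:15:00|vpn|dave|auth_ok|src=198.51.100.9
"""

BUSINESS_HOURS = (8, 18)    # assumption: 08:00-18:00 local is "in hours"
PRINT_PAGES_PER_DAY = 500   # assumption: per-user daily page threshold
FAILED_AUTH_THRESHOLD = 5   # assumption: failures per source in the window
FAILED_AUTH_WINDOW_S = 60   # assumption: window length in seconds


def parse(log_text):
    """Turn each constructed log line into a dict; key=value pairs become fields."""
    events = []
    for line in log_text.splitlines():
        ts, source, user, event, detail = line.split("|")
        fields = dict(p.split("=", 1) for p in detail.split(",") if p)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "event": event, **fields})
    return events


def print_rules(events):
    """Out-of-hours printing, plus per-user daily page volume above threshold."""
    alerts = []
    pages_per_user_day = Counter()
    for e in events:
        if e["event"] != "print":
            continue
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append(("out_of_hours_print", e["user"], e["ts"].isoformat()))
        pages_per_user_day[(e["user"], e["ts"].date())] += int(e["pages"])
    for (user, day), pages in pages_per_user_day.items():
        if pages > PRINT_PAGES_PER_DAY:
            alerts.append(("high_print_volume", user, f"{day}:{pages}"))
    return alerts


def remote_auth_rules(events):
    """Burst of failed remote logins from one source; flag whether a success followed."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["source"] == "vpn":
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = sorted(e["ts"] for e in evs if e["event"] == "auth_fail")
        for start in fails:
            window = [t for t in fails
                      if 0 <= (t - start).total_seconds() <= FAILED_AUTH_WINDOW_S]
            if len(window) >= FAILED_AUTH_THRESHOLD:
                later_ok = any(e["event"] == "auth_ok" and e["ts"] > window[-1] for e in evs)
                kind = "auth_failure_burst" + ("_then_success" if later_ok else "")
                alerts.append((kind, src, start.isoformat()))
                break  # one alert per source is enough; do not flood the analyst
    return alerts


def run_all(log_text):
    events = parse(log_text)
    return print_rules(events) + remote_auth_rules(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOGS):
        print(alert)
```

On the constructed input this produces two out-of-hours print alerts and one volume alert for bob, and one failure-burst-then-success alert for 203.0.113.7; alice and dave generate nothing. The `break` in the authentication rule is the kind of detail a service definition should settle up front, since it decides how many alerts one noisy source can push onto the analyst.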

The Service Definition will drive the technology required, the amount of resource required and the skill set of the SOC resources. A clear Service Definition also helps the sales team explain the new offering.

Where to start - business/services, not technology


Customer portals & SOC dashboards

Customer Portals are the future of managed security services. The age of customers being satisfied with a weekly report from their service provider is over. Cyber security has made its way into the operational risk consciousness of organisations, so simply outsourcing it isn’t satisfactory. Customers want to know that risks are being managed effectively.

Customer Portal Dashboard

Our research has found that customers want to see:

  • The number of open incidents
  • Average alert response time
  • Number of alerts pending investigation
  • Ageing incidents by priority

SOC Manager Dashboard

The SOC Manager wants to be able to see the status of all the MSS customers at a glance. A single screen showing a summary of the security posture letting them know if the operation is going well or needs intervention.


A day in the life of a SOC analyst

At a superficial glance the SOC analyst workflow below looks straightforward but if the volume of security alerts starts to exceed the resource available to deal with them you quickly get a bottleneck.

The SOC is where machine generated information meets a human interface. Be careful how much you open the valve!


  1. The SIEM solution generates alerts once the conditions in the correlation engine have been triggered.
  2. The SOC analyst triages the alerts and can investigate them, discard them as benign or assign them to someone else, for example the network team.
  3. Investigation can be the most time-consuming activity for a SOC analyst.

Incident management and reporting

When the analyst finds an issue or breach they need to switch to incident management mode where they collate the relevant information supporting the incident and build a case for remediation and reporting.

SOC Analyst Workflow

What to look for

The ability to customise your own playbooks/workflow to match the service offering, its SLAs and the resource allocation, and an incident management system that lets multiple people from different teams or different shifts see and work on all open incidents.

What to avoid

Too many use cases will trigger too many alerts, which means your SOC analysts can very quickly become overwhelmed. Bottlenecks occur and SLAs are missed.


Multi-tenancy for MSSP = one SIEM and a single console for 20+ customers

Change the ratio of multiple SOC analysts per customer to multiple customers per analyst.

The SIEM market is relatively mature, with many available solutions being 10+ years old. Most SIEM solutions were designed for on-premise deployment for a single customer. As such they are expected to be set-up and configured once only.

By contrast an MSSP needs the minimum overhead when onboarding each new customer and to be able to manage many customers from a single SIEM via a single console. The answer is multi-tenancy.

True multi-tenancy is where the events and alerts for each customer reside in a single central database together with ALL configurations. This means you can view all customers and complete all investigations from a single console. Because the data is shared, the platform has to enforce tenant separation itself: every customer-facing query and portal view must be scoped to that customer, so one customer can never see another's events or alerts.

Huntsman multi-tenancy SIEM

Imagine having to manage 20 customers on 20 separate consoles. Logistically it’s quite a challenge and the time lost moving between consoles to check for alerts is annoying and unproductive.

SIEM solution for managed security services - a single SOC platform that houses up to 30 customers


Some SIEM vendors seek to solve the problem of multiple standalone SIEMs by way of a federated model. A federated SIEM is where the alerts are forwarded to a single central console but the events that caused the alerts to occur remain in the individual customer SIEMs. In order to investigate an alert you need access to the SIEM it was generated in.

This also means that you cannot cross correlate for suspicious activities across your customer portfolio.
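The two properties argued for above, tenant separation within one shared store and portfolio-wide correlation that a federated model cannot do, plus the single-screen SOC Manager summary described under the dashboards section, as an added example rather than Huntsman code. It uses an in-memory SQLite database with a `tenant_id` column as the isolation key; the table layout, the constructed events and incidents, and the tenant names are all assumptions made for the illustration.

```python
"""One shared store for all customers, scoped per tenant for customer access but
queryable across the whole portfolio by the SOC. Added example; schema and data
are constructed assumptions, not a vendor's actual model."""
import sqlite3

SCHEMA = """
CREATE TABLE events (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    ts TEXT NOT NULL,
    src_ip TEXT,
    event TEXT NOT NULL
);
CREATE TABLE incidents (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    priority TEXT NOT NULL,
    opened_at TEXT NOT NULL,
    closed_at TEXT
);
CREATE INDEX ix_events_tenant ON events (tenant_id, ts);
"""

# Constructed sample data for three tenants (acme, beta, gamma)
EVENTS = [
    ("acme", "2024-03-04T08:00:00", "203.0.113.7", "auth_fail"),
    ("acme", "2024-03-04T08:00:10", "203.0.113.7", "auth_fail"),
    ("beta", "2024-03-04T08:05:00", "203.0.113.7", "auth_fail"),
    ("gamma", "2024-03-04T08:09:00", "203.0.113.7", "auth_fail"),
    ("beta", "2024-03-04T09:00:00", "198.51.100.9", "auth_ok"),
]
INCIDENTS = [
    ("acme", "P1", "2024-03-01T10:00:00", None),
    ("acme", "P3", "2024-03-03T10:00:00", "2024-03-03T12:00:00"),
    ("beta", "P2", "2024-03-02T10:00:00", None),
    ("gamma", "P1", "2024-03-04T07:00:00", None),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO events (tenant_id, ts, src_ip, event) VALUES (?,?,?,?)", EVENTS)
    db.executemany("INSERT INTO incidents (tenant_id, priority, opened_at, closed_at) "
                   "VALUES (?,?,?,?)", INCIDENTS)
    return db


def tenant_events(db, tenant_id, event=None):
    """Customer-portal access path. tenant_id is bound server-side from the caller's
    session, never taken from user-supplied query text, so the filter cannot be dropped."""
    sql = "SELECT ts, src_ip, event FROM events WHERE tenant_id = ?"
    params = [tenant_id]
    if event is not None:
        sql += " AND event = ?"
        params.append(event)
    return db.execute(sql + " ORDER BY ts", params).fetchall()


def cross_tenant_sources(db, event="auth_fail", min_tenants=2):
    """Portfolio-wide correlation: a source seen doing the same thing against several
    customers. A federated model, with events left in each customer's SIEM, cannot run this."""
    return db.execute("""
        SELECT src_ip, COUNT(DISTINCT tenant_id) AS tenants
        FROM events
        WHERE event = ?
        GROUP BY src_ip
        HAVING tenants >= ?
        ORDER BY tenants DESC""", (event, min_tenants)).fetchall()


def soc_manager_summary(db, now="2024-03-04T12:00:00"):
    """One row per tenant: open incidents, highest open priority (P1 sorts first),
    and age in hours of the oldest open incident, for the at-a-glance screen."""
    return db.execute("""
        SELECT tenant_id,
               SUM(closed_at IS NULL) AS open_incidents,
               MIN(CASE WHEN closed_at IS NULL THEN priority END) AS top_open_priority,
               ROUND(MAX(CASE WHEN closed_at IS NULL
                              THEN (julianday(?) - julianday(opened_at)) * 24 END), 1)
                   AS oldest_open_hours
        FROM incidents
        GROUP BY tenant_id
        ORDER BY tenant_id""", (now,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("beta portal view:", tenant_events(db, "beta"))
    print("sources hitting several tenants:", cross_tenant_sources(db))
    print("SOC manager summary:", soc_manager_summary(db))
```

With the constructed data the beta portal sees only its own two events, the cross-tenant query reports 203.0.113.7 as failing authentication against all three tenants, and the summary shows acme's P1 incident as the oldest open at 74 hours. The index on `(tenant_id, ts)` is what keeps per-tenant queries cheap as the number of customers on the platform grows.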

See next section where we look at the overhead of onboarding new customers to stand alone SIEM solutions.


Adding multiple customers - the hidden cost of SIEM

The repeated set-up and configuration of SIEM software is the hidden cost of SIEM technologies that are non multi-tenanted

With a standalone or even a federated solution, onboarding each new customer is like starting from scratch: you need to deploy the software and configure rules, alerts, dashboards, reports etc.

With a true multi-tenancy solution you only have to set the solution up once, for the first customer. All the additional customers use the configuration already in place and you can house 20-30 plus customers on a single platform giving lots of additional savings and the ability to grow revenue faster.

Let’s compare the two SIEM models

1st Customer

Standalone SIEM
  1. Deploy platform/software
  2. Deploy log collectors
  3. Configure correlation rules & alerts
  4. Configure dashboards
  5. Configure reports

Multi-tenanted SIEM
  1. Deploy platform/software
  2. Deploy log collectors
  3. Configure correlation rules & alerts
  4. Configure dashboards
  5. Configure reports

2nd - 10th + Customers

Standalone SIEM (effort: man days / weeks per customer)
  1. Deploy platform/software
  2. Deploy log collectors
  3. Configure correlation rules & alerts
  4. Configure dashboards
  5. Configure reports

Multi-tenanted SIEM (effort: man hours per customer)
  1. Deploy log collectors
  2. Add new customer to customer list
  3. Tick boxes to add pre-existing correlation rules, dashboards and reports

Software licence cost + set-up cost doubles the onboarding cost if the SIEM is NOT multi-tenanted.

Closing Remarks

A pre-defined service simplifies the sales process. The focus of the sales conversation is on the scope of the service and the benefits it offers rather than what each customer thinks they may want. It is also possible that the customers may not be sure of what they want which risks a protracted pre-sales consultation period.

One of the main reasons a customer looks for a managed security service is that they do not have the in-house expertise or capacity. A well-considered service offering at an affordable price should please everyone.


3 minute Illustration – adding security monitoring to your managed services business