18 April 2025

Key Differentiators: What an MSSP will and won’t do


What an MSSP does 

Let’s set the stage: your organisation is running Splunk ES, Sentinel, or Google Security Operations, and you’ve got an MSSP covering the SecOps tasks:

  • Security Engineering – Building detective use cases, setting up log ingestion. 
  • SOC analytics – Monitoring and triaging alerts.  
  • Reporting – Maintaining and building dashboards. 

However, the pathway to success and demonstrable value from SIEM is far deeper than just strong SecOps. 

 

Common Misconceptions 

Businesses often assume their MSSP is handling more than it actually is. MSSPs do not tend to take care of the wider processes required to keep the platform and its data healthy.

“You can have the best use-cases in the world, but that’s irrelevant unless the data is coming in and the platform is working” – Operate Client

Does your MSSP’s SoW include platform management and data management? If not, you may have false confidence and blind spots in your security coverage.

Find out more about these blind spots in our latest video:

 

Where the Gaps Show Up in Real Terms 

Ever found yourself asking why your licence costs are rising, why you might be getting false negatives, or why your platform is misbehaving? 

Most likely, little attention has been paid to the underlying platform that drives the SOC. The SIEM is misconfigured or mismanaged and has deteriorated over time. This work has fallen through the gaps, outside the MSSP’s responsibility, and yet it reflects badly on both the MSSP and the platform.

A quick case study: 

An Apto Operate client onboarded with confidence in their Splunk ES deployment; they had an MSSP triaging alerts and managing dashboards.

Whilst the MSSP delivered SOC functionality by piping alerts out to their own tooling, they were never logging on to the Splunk platform itself. Platform health had spiralled and was affecting the security insights being delivered.

Once Operate was onboarded, we found a litany of missing data streams, and data quality issues in the streams that were online. We even found compliance breaches, and correlation searches that weren’t running because the scheduler was bottlenecked.

All of this meant the alerts being triaged by the MSSP were not accurate and didn’t reflect the expected security posture. 

The Role of Operate in Closing the Loop

By collecting telemetry data 24/7, Apto Operate bridges the gap between an MSSP running SecOps and true SIEM performance.  

We provide proactive technical assurance on the quality of your platform and its insights, along with unfettered support across the five pillars of SIEM health:

Platform: The underlying infrastructure needs to be reliable and up-to-date. 

Data: The platform is not just receiving data but receiving the right data consistently and in-full. 

Performance: Study the wider computational behaviours of the environment – throttling is the enemy! 

Analysis: Maintaining accurate notifications and analytics with strong scheduling. 

Reporting: We must close the loop with accurate data, validating and auditing dashboard health and ensuring reports can be relied on.

Read more about the criticalities of these here: https://www.aptosolutions.co.uk/blog/the-cost-of-not-having-a-siem-operating-model/  
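The Data and Analysis pillars above translate directly into checks you can run against scheduler and ingestion telemetry. The following is an added example, not Apto’s or any vendor’s code: it runs over constructed sample telemetry (stream names, last-seen times, and scheduled/skipped counts are all made up) and flags data streams that have gone silent and correlation searches that are being skipped, the two failure modes the case study describes.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not from any real deployment: when each data
# stream last delivered an event and how often it is expected to report.
NOW = datetime(2025, 4, 18, 12, 0)
STREAMS = {
    "firewall:syslog":  {"last_seen": NOW - timedelta(minutes=3), "expected_every": timedelta(minutes=5)},
    "windows:security": {"last_seen": NOW - timedelta(hours=6),   "expected_every": timedelta(minutes=15)},
    "aws:cloudtrail":   {"last_seen": None,                        "expected_every": timedelta(minutes=30)},
}
# Constructed scheduler history for correlation searches over the last 24h:
# how many runs were scheduled and how many were skipped (e.g. under load).
SEARCHES = {
    "corr_bruteforce_auth":      {"scheduled": 96, "skipped": 0},
    "corr_privilege_escalation": {"scheduled": 96, "skipped": 40},
}


def silent_streams(streams, now, grace=3):
    """Streams that never reported, or are overdue by more than `grace` expected intervals."""
    silent = []
    for name, s in streams.items():
        if s["last_seen"] is None or now - s["last_seen"] > grace * s["expected_every"]:
            silent.append(name)
    return sorted(silent)


def starved_searches(searches, max_skip_ratio=0.05):
    """Correlation searches whose skipped-run ratio exceeds the tolerated fraction."""
    starved = []
    for name, h in searches.items():
        if h["scheduled"] and h["skipped"] / h["scheduled"] > max_skip_ratio:
            starved.append(name)
    return sorted(starved)


def siem_health_report(streams, searches, now):
    """Combine the Data and Analysis checks; the platform is healthy only if both are clean."""
    silent = silent_streams(streams, now)
    starved = starved_searches(searches)
    return {"silent_streams": silent, "starved_searches": starved,
            "healthy": not silent and not starved}


if __name__ == "__main__":
    for key, value in siem_health_report(STREAMS, SEARCHES, NOW).items():
        print(f"{key}: {value}")
```

An MSSP triaging only the alerts that do arrive would never see either finding; these checks belong with whoever owns the platform.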

How MSSPs + Operate Work Together (Not Against Each Other) 

The two services are complementary, not competitive. 

  • MSSPs are great at SOC activities and compliance reporting. 
  • Operate ensures that the insights being generated are accurate and reflective. 
  • Our Operate model gives demonstrable process and cost control for the SIEM platform. 

Going back to our previous client: we are now managing a Splunk platform that is providing strong, accurate alerts to the MSSP. We’ve saved significant cost by removing the need for in-house staff to upkeep the platform, and we’ve also revived security by driving better functional monitoring and alerting.

What gaps does your MSSP have? 

Apto Operate is your hands-off MSP for platform management, while your MSSP handles the SecOps. If nobody manages the platform, cost spirals and those SOC insights cannot be relied upon.

If you’ve ever just assumed your MSSP is validating and maintaining the platform, you might be wrong. 

Contact us below to understand where your gaps are. 
