top of page


<<Buyer Beware – Own Your Tools and Security Event Data>>


Imagine for a moment that you have procured a Managed Security Service Provider (MSSP) that is designed to monitor your security event data (logs) and report to you if you are under attack and validate identified issues. You are happy because you found a managed security service which is much cheaper than trying to run a 24x7 security operation. Buyer beware - not all services are created equal.

Let me tell you a story…

A customer outsourced their managed security service to a large MSSP and the following challenges ensued. For a bit of background, the customer in this story is subject to regulatory requirements that require them to maintain security event data (logs) for several years. No worries, the MSSP is doing that for them. Right?

About six months passes by and the customer was growing more and more frustrated with the MSSP. They were just not getting the attention they need from the MSSP and started evaluating options for when the contract came up for renewal. At the time, Emagined Security was just working in an advisory role and was not directly involved. This allowed us to hear multiple sides of the story.

About two months before the end of the contract term, the customer notified the MSSP that they intended to not renew the contract. The current provider did not flinch a bit upon the termination notification. The customer was shocked and could not figure out why they did not seem to care. After all, it was a large contract.

Around the same time, the customer contracted with another provider for MSSP for the next year and started a project to replace the original MSSP. One of the first steps in the replacement process was to acquire the security event data (logs) for long term archival from the MSSP to meet their regulatory requirements. When they asked for the logs the MSSP told them that they are not entitled to them since the customer the logs were only available if they remained a client. Bewildered, the customer insisted that they acquire a copy of the logs since they have a long-term government requirement to preserve them.

One Million Dollars!!

The MSSP said they would allow the customer to pay a fee to deliver the logs to them. A few days later a quote was provided to the customer for ONE MILLION DOLLARS. The customer was stunned! How could this be… aren’t they entitled to the logs? At that time, the customer turned to the contract they signed. Surely, that couldn’t be right. No where in the contract did it say they are entitled to the logs, in fact, it said they are not entitled once they stop being a customer.

Below is a redacted version of a few relevant items from within the contract:

Log Retention duration during Services Term only

  • Online Raw Log Retention - 3 months

  • Additional 1 year Online Raw Log Retention - Optional

  • Offline Raw Log Retention - 12 months

  • Logs available for SOC Analyst inspection

  • Online logs may be queried by customer via a portal

I bolded the issue “during Services Term only.” If the customer cancels the contract, they lose all access rights to the logs. The MSSP knew they had the customer locked into renewing the contract or paying a huge fee. In fact, the MSSP stood to make more money by charging to provide the logs than the entire contract’s fees.

Was the MSSP being unreasonable?

Let us look at that ONE MILLION DOLLAR fee. It sounded outrageous but we were briefed by the MSSP into what it was going to take to provide the logs to the customer you will understand why they wanted a fee.

1. The MSSP’s SIEM license was in the MSSP’s name and not the end customer so the logs where owned by them and not the customer.

  • The MSSP was able to save cost by used a Managed Services contract with the SIEM vendor and broking apart the license into a large number of customers.

  • Backup tapes where not created on a per customer basis – each tape contained multiple customers.

  • Backup tape were shipped offsite for long term storage after 3 months.

2. The MSSP estimated that they would need a team of engineers working on pulling out the logs for months having never anticipated the request they received.

  • Only three months of logs where online for retrieval.

  • Nine months of logs were archived offsite on tape backups and needed to be restored.

  • A year of ALL backup tapes needed to restored and parsed.

  • It was more work to parse the archived logs then performing all the task in the MSSPs contract.

Sadly, the MSSP never displayed any remorse for the way they wrote their contract or architected their solution, instead stating that it gave them a higher valuation. Their business model was to lock in customers regardless of good or bad service and if a customer left, the customers were forced to start from ground zero.

Back to the story…

The customer needed to figure out what to do next so they approached the regulators to see what would happen if they did not have access to the logs for preservation purposes. The regulators were not happy about the situation at all. The regulators believed the customer should have foreseen this issue and warned them that they could be subject to a multi-million dollar fine if they could not preserve the logs.

As an example regulation (not the real one applying to this situation), you can see the Federal Energy Regulatory Commission requires logs to be preserved:

This regulation requires IT Management data to be retained almost indefinitely.

Some logs were required to be kept available for up to 25 years. Do you think your MSSP keeps your logs for that amount of time? I can’t image trying to find and restore 25-year-old data without preplanning and preparation.

The customer was being held hostage between the MSSP and the regulatory authority. Should they pay ONE MILLION DOLLARS to the MSSP or potentially be subject to a multi-million dollar fine. Neither option sounded good. I wish I could tell you fully how the story ended but once it hit the customer’s legal department for review, they stopped sharing information. Last thing I heard was that a lawsuit was filed.

So, why did I just tell you this story…

When Emagined Security designed and built our MSSP offerings, we kept this story and many other like it in mind. We designed our solutions using true partnership between us and our customers to deliver what industry really needs. And, every year we enhance our solutions, our ability to collaborate, and partnership approaches with our customers. Today, Emagined Security’s customers consider us as their Managed Security Service Partner; not just a Managed Security Service Provider.

How does Emagined Security achieve the level of integration to be considered a partner? Glad you asked.

  • You own the security tools and Emagined Security bring the analysis and threat context

  • You have the same access to the tools as our team

  • You own the security event data (logs) and it is stored on your systems or cloud services

  • No sensitive data leaves your security boundary

  • Emagined Security gets alerts that require us to pivot into your environment and perform our duties

  • We work together to analyze potential issues

  • We can even take action to stop issues from proliferating, if in scope

This is just a few of Emagined Security’s differentiators and approaches to partnership. Emagined Security’s MSSP offerings are designed to be either outsourced continuously or transitioned back to the customer with little or no impact to operations – that how partnership works.

Why has not every MSSP adopted the partnership principal? Maybe, it is because they want to hold you hostage rather than provide great services and entice you to stay a customer by exceeding your expectations. Whether or not you look at Emagined Security for outsourcing elements of your security practice, make sure you own the right to fire your provider and retain ownership of the tools and the security event data (logs)! Of course, we would love to chat with you and tell you more.

Feel free to reach out to us at

bottom of page