Incident Response Retainer: Getting Your Money’s Worth

What is an Incident Response Retainer Service?

An Incident Response Retainer (IRR) is a service agreement that allows organizations to get external help with cybersecurity incidents.

IRRs are provided by data forensics and incident response (DFIR) specialists and service providers, and also by vendors offering incident response tools, who also have in-house incident response teams. When purchasing a service from a tool vendor, you will typically receive access to their technology as well as incident response services.

There are two main types of retainers:

• No-cost retainer—an on-demand agreement with a vendor or service provider that specifies how they will help the organization respond to an incident, if and when an incident occurs. The agreement specifies a service level agreement (SLA), nature of services provided, a procedure for declaring incidents, and a cost per incident, which is paid only if the service provider actually renders services.
• Prepaid retainer—an incident response agreement in which the organization pre-pays the service provider for a certain number of hours, typically per month or per quarter, which can be used to respond to cyber incidents, with an agreed SLA. If the hours are not used in full, the service provider will typically offer other valuable security services, such as penetration testing or security education for the organization’s staff.

What is Included in an Incident Response and Data Forensics Service?

A DFIR service provider or tool vendor will typically provide the following elements in an IRR service:

• Incident response preparation—reviewing the organization’s network, IT systems and existing security tools, gaining access to data, and establishing quick procedures for investigating and triaging incidents.
• Incident response planning—defining a plan, together with the organization’s IT or security teams, for jointly responding to common types of security incidents.
• Incident triage and classification—having a security analyst on call at the service provider to receive details of the incident, triage it, and help determine if it is a real security incident and its severity.
• Initial response—response will typically follow a framework like the SANS incident response process: after the incident has been identified, the service provider will perform containment, eradication of the threat, recovery of affected systems, and lessons learned.
• SLA—the agreement will provide an agreed level of access to the service provider’s incident responders. Most services are offered 24/7, with a specified time period, ranging from minutes to several hours, allowed to transpire until the incident response process begins.

Incident Response Team: Build or Buy?

Many organizations are considering whether to build in-house incident response capabilities, or rely on external services. There are two aspects to this question:

• People—the individuals who respond to incidents are DFIR experts, who can perform in-depth data forensics, identify and triage incidents, mitigate threats and recover systems.
• Technology—there are multiple layers of security tools that can assist with incident response, including tools for network and traffic analysis, vulnerability scanning, security information and event management (SIEM), endpoint detection and response (EDR), and security orchestration, automation and response (SOAR).

Build vs buy is not a black-and-white decision—most organizations will choose to build some in-house incident response capability and also rely on external services, at least for severe or high-profile incidents.

We recommend, at a minimum, building the following capabilities in-house:

• At least one DFIR expert in-house—they can help the organization prepare for incidents, and actively hunt for threats even when there is no visible sign of an attack.
• Basic tooling for tracking and alerting on security events—you’ll need an infrastructure that can collect logs from IT systems, endpoints and security tools, and raises alerts on suspicious activity. IRR services will not build this for you.
• Automated incident response—put in place an automated incident response system, which activate security playbooks in response to common attack scenarios. This can help respond to many day-to-day incidents without the expense and overhead of activating your external IRR service.

Cynet’s 24/7 Incident Response Team

Cynet offers a holistic security solution that analyses network and endpoint data, raises alerts, and protects against a wide range of known and zero-day threats. Cynet provides an outsourced incident response team that can provide organizations with professional security staff who can execute a fast, effective incident response process.

The Cynet team can deploy the Cynet security platform in a matter of minutes across hundreds to thousands of endpoints. They can then scan, analyse, identify and remediate threats before damage is done. Our incident response service includes:

• 24/7 incident response—including identification, containment, eradication and recovery
• Deep forensic investigations—collecting data to identify the scope of an attack and who is responsible
• Threat hunting—exploring security data to proactively discover advanced threats
• Malware analysis—analyzing malware in a sandbox to determine its characteristics and how to remediate it

Contact us for immediate help

For emergency assistance from our security experts, call us at US 1-(347)-474-0048, International +44-203-290-9051