© 2020 Content Security Pty Ltd.


Incident Response: Should you develop it in-house or buy it?

When disaster strikes, you’ve got to be prepared. The clock is counting down, and every second could mean more damages incurred. In terms of incident response, you’ve got a few options to consider that’ll enhance your capabilities and minimise impacts. The question is: should you build in-house or buy?

Firstly, what is incident response?

The term ‘incident response’ (IR) refers to the methodology or framework an organisation follows in order to effectively identify, contain, and remediate a cyberattack. A business’ IR capabilities refer to a myriad of elements, including the existence of an IR team, plans and playbooks, as well as incident response retainers (we’ll cover this later in the blog).

Secondly, why is incident response necessary?

There are many elements that need to be coordinated in order to respond to a security breach swiftly and effectively. Any time wasted in containing the incident means a longer attacker dwell time and ultimately, this means more severe impacts. Incident response is a crucial part of any business’ security strategy because it involves organising these elements to avoid any confusion, miscommunication and moreover, downtime.

Should you DIY or buy your incident response?

Many organisations are undecided on whether to develop IR capabilities in-house or to outsource incident response to an external provider. When deciding whether to build or buy, take the following into account:

Do you have the manpower?

You need to consider your people – e.g. can you band together a team of individuals who can respond to an incident? If not, do you have the budget to invest in Digital Forensics and Incident Response (DFIR) expertise?

What is the extent of your technological capabilities?

You need to review the security tools you have in place for incident response and also consider whether you’re willing to devote a substantial part of your budget towards these. There’s a myriad of security tools to draw on in the IR process – those for network and traffic analysis, vulnerability scanning, endpoint detection and response (EDR), etc. For some businesses, it might not be feasible (nor cost-efficient) to obtain and operate all of these.

So, where does that leave you?

Keep in mind that IR, like a lot of situations in cybersecurity, is not a black and white subject. If your business does not have the capacity to take on the entirety of the IR process, it might be worth taking the hybrid route.

In fact, developing some basic incident response plans and processes in-house is the key to proactively protecting your assets and reducing response times. In addition, it’ll help minimise the impact of security incidents, and improve your security posture.

Essentially, you shouldn’t put all your eggs in one basket. The most realistic, and arguably the most secure way to approach incident response is to do both – build in-house and buy. Think about partnering with an IR service provider who will complement your existing capabilities as well as uplift them.

Wondering where to start with building your in-house capabilities?

1. Invest in the right tools

Your organisation will need some basic security controls in place that will identify, monitor and alert on suspicious or malicious activity. These controls are important as they generate event logs that can be used during a digital forensic investigation.

2. Create a plan

Having a clear, organised and up-to-date incident response plan in place is one of the most valuable, cost-saving things an organisation can develop. According to IBM’s Cost of a Data Breach Report 2020, incident response preparedness was the highest cost saver for businesses:

“The average total cost of a data breach for companies with an IR team that also tested an IR plan using table-top exercises or simulations was $3.29 million (USD), compared to $5.29 million (USD) for companies with neither an IR team nor tests of the IR plan” (pg.12)

3. Increase end-user awareness

While the technical or IT security team will take the lead in IR, it is important that all users know their roles in the event of an attack. Further, they should know the signs of suspicious or anomalous activity, and how to report it. This begins with clearly explaining to staff what is normal and expected within your business environment.

4. Hire the right staff

This is, of course, subject to your staffing budgets and requirements. If you are able to, consider bringing a DFIR specialist on board. They hold extensive knowledge of the entire IR process and can take the lead on handling breach investigations.

5. Stress test your plan

Developing and testing IR playbooks helps optimise your ability to respond quickly and effectively to attacks. This can in turn reduce the cost of security incidents. In fact, extensive testing of incident response plans is the highest cost mitigating factor for breaches, decreasing the average cost by approximately $381 000 AUD. (IBM, Cost of a Data Breach Report 2020, pg.42)

Looking to outsource your Incident Response instead?

If you’re looking to partner with an experienced cyber security specialist to enhance your IR capabilities, you can either take the ad-hoc incident response route, or secure an incident response retainer.

What is an Incident Response Retainer?

IR retainers are essentially pre-arranged and pre-paid incident response contracts, ensuring that you have an expert team on standby to reduce response times and minimise impacts. For organisations that lack in-house security expertise, this is key.

At Content Security, we act as a seamless extension of your team, helping you avoid the extensive costs of training and maintaining in-house incident responders.

Our incident response retainers:
  • Provide the necessary guidance, certainty and expertise when disaster strikes;
  • Give you greater visibility over your environment and uplift your security posture; and
  • Protect your brand, reputation and customers.

The great thing about IR retainers is that there are no prerequisite capabilities or technology required on your part. With multiple tiers to choose from, our retainers provide you with the necessary DFIR expertise, right when you need it.

For more information please contact our cybersecurity professionals today.
