I frequently help Forrester clients come up with shortlists for incident response services selection. Navigating the vendor landscape can be overwhelming; every vendor that has consulting services has moved or is moving into the space. This has been the case for many years; you are probably familiar with the saying “when there is blood in the water.” I take many incident response services briefings, and vendors don’t do the best job of differentiating themselves; the messages are so indistinguishable that you could just swap logos on all the presentations.

Early next year, after the RSA Conference, I’m going to start a Forrester Wave on Incident Response services. Instead of waiting for that research to publish, I thought I’d share a few suggestions for differentiating IR providers.

  1. What is their hourly rate? This is typically my first question; I use it as a litmus test to figure out where the vendor sits in the landscape. If the rate is around $200, you are typically dealing with a lower-tier provider. Incident response is an area where you get what you pay for. You don’t want to have to bring in a second firm to properly scope and respond to your adversaries.
  2. How many cases have they worked in the previous year? You want to hire an experienced firm; you don’t want to work with a consultancy that is using your intrusion to build out the framework for their immature offering. While volume alone shouldn’t be the key decision point, it does give you an objective way to differentiate potential providers.
  3. Of the cases they have worked, how many of them are from companies that share a similar threat model? This is a critical question; you don’t want to select a vendor that doesn’t have experience working with threat actors operating against your vertical. It is important to know how a candidate’s experience aligns with your threat model. A firm that focuses on cyber criminals might not be the best provider if your vertical has a history of being targeted by nation-state actors.
  4. Are they willing to provide reference accounts? I highly recommend you conduct some reference interviews that would ideally be with organizations that share a similar threat model. Vendors can arrange blind interviews where you don’t know what company is on the other line.
  5. What is the background of the typical consultant? What is the skillset and history of the typical consultant? Will you get the same caliber of onsite consultant that was proposed in the scope of work? Responders with experience dealing with adversaries who target your vertical are ideal. It is also important to get the background for the individual who is going to manage the overall engagement. This individual will be interfacing with your leadership and will essentially be the face of the investigation, so it is important to vet them as well. Finally, you need to understand the process framework that enables the vendor’s consultants. Do they have a mature process for conducting incident response services?
  6. Do they provide other blue team services? When I say blue team, I am referring to defender activities including security program assessments, response readiness assessments, and tabletop exercise development.
  7. Do they provide red team services? When I say red team, I am referring to offensive activities including penetration testing and red teaming. A valid case can be made to use different vendors to separate blue and red team service engagements; that way you avoid a “fox guarding the chicken coop” scenario.
  8. Do they offer a retainer? Retainers give peace of mind: when you need emergency assistance, you have a guaranteed response lined up and available. You want to avoid a “when seconds count, the police are minutes away” scenario. If a retainer isn’t used for IR services, then some of the services from suggestions 6 or 7 could be used. The downside of retainers, for IR firms at least, is that they have to maintain availability on their consulting bench to deliver that retainer work. Depending on their volume of business and how the IR firm manages its delivery queue, having analysts waiting and not billing can be an expensive proposition. Some vendors elect to not offer retainers as a result. Before an intrusion occurs, plan for failure and complete master services agreements with your top two IR firms. That way, in the event you don’t use a retainer or for some reason an IR firm cannot deliver on a retainer, you already have a backup firm on deck.
  9. What does their technology stack consist of? I purposely put technology at the end of the list since it doesn’t matter how good the technology stack is if the people and process aren’t proven. That being said, understanding the technology used for collection, detection and response is important. Do they have both endpoint and network visibility? What threat intelligence is incorporated? Do they use proprietary solutions? Is their technology managed on premises or in the cloud? Here are two questions that you should ask yourself. How would you deploy their agents? Which ingress/egress points will you perform passive network monitoring on? It may be cost and time prohibitive to deploy sensors across all your ingress/egress points. You need a prioritized list of Internet and 3rd-party business connections.
  10. Do they offer follow-on managed services? Does the vendor offer the ability to leave their technology stack in place and transition to a managed service model? Can you partner with the vendor for “managed hunting” of your environment? The same technology that was used for a consulting engagement is then used in a managed service offering. This is a fairly popular post-eradication/recovery option since most organizations don’t have the resources for proactively hunting their environments.