Incident Response Retainer: Getting Your Money’s Worth
January 14, 2020
Last Updated: November 27, 2024
When disaster strikes it’s best to be prepared. An incident response retainer is like an insurance policy—it gives you additional resources to deal with a devastating cyber attack. You can hire an outsourced incident response service provider, and have their experts on call, to help you respond to a cyber incident with a guaranteed Service Level Agreement (SLA).
Read on to understand what you should expect to get in an IR retainer, including the option of a no-cost retainer, and whether it makes sense to build an in-house incident response operation.
Need an incident response retainer?
Cynet is a trusted partner that analyses network and endpoint data, raises alerts, and protects against a wide range of known and zero-day threats. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.
Learn more about Cynet incident response services.
What is an Incident Response Retainer Service?
An Incident Response Retainer (IRR) is a service agreement that allows organizations to get external help with cybersecurity incidents.
IRRs are offered by digital forensics and incident response (DFIR) specialists and service providers, and also by vendors of incident response tooling that maintain in-house incident response teams. When you buy a retainer from a tool vendor, you typically get access to their technology as well as their incident response services.
There are two main types of retainers:
No-cost retainer—an on-demand agreement with a vendor or service provider that specifies how they will help the organization respond to an incident, if and when an incident occurs. The agreement specifies a service level agreement (SLA), nature of services provided, a procedure for declaring incidents, and a cost per incident, which is paid only if the service provider actually renders services.
Prepaid retainer—an incident response agreement in which the organization pre-pays the service provider for a fixed number of hours, typically per month or per quarter, which can be drawn on to respond to cyber incidents under an agreed SLA. If the hours are not used in full, the service provider will typically let them be converted into other security services, such as penetration testing or security training for the organization’s staff.
What is Included in an Incident Response and Digital Forensics Service?
A DFIR service provider or tool vendor will typically provide the following elements in an IRR service:
Incident response preparation—reviewing the organization’s network, IT systems and existing security tools, arranging access to logs and telemetry in advance, and establishing quick procedures for investigating and triaging incidents.
Incident response planning—defining a plan, together with the organization’s IT or security teams, for jointly responding to common types of security incidents.
Incident triage and classification—having a security analyst on call at the service provider to receive details of the incident, triage it, and help determine if it is a real security incident and its severity.
Response—the engagement typically follows a framework such as the SANS incident handling process (preparation, identification, containment, eradication, recovery, lessons learned): once the incident has been identified, the service provider contains it, eradicates the threat, recovers affected systems, and runs a lessons-learned review.
SLA—the agreement defines the level of access you get to the service provider’s incident responders. Most services are offered 24/7, with a maximum response time, ranging from minutes to several hours, before a responder engages. Check whether that clock starts when you declare the incident or when the provider acknowledges it, and whether the commitment covers remote engagement only or also on-site arrival.
Incident Response Team: Build or Buy?
Many organizations are considering whether to build in-house incident response capabilities, or rely on external services. There are two aspects to this question:
People—the individuals who respond to incidents are DFIR experts who can perform in-depth digital forensics, identify and triage incidents, mitigate threats and recover systems.
Technology—there are multiple layers of security tools that can assist with incident response, including tools for network and traffic analysis, vulnerability scanning, security information and event management (SIEM), endpoint detection and response (EDR), and security orchestration, automation and response (SOAR).
Build vs buy is not a black-and-white decision—most organizations will choose to build some in-house incident response capability and also rely on external services, at least for severe or high-profile incidents.
We recommend, at a minimum, building the following capabilities in-house:
At least one DFIR expert in-house—they can help the organization prepare for incidents, and actively hunt for threats even when there is no visible sign of an attack.
Basic tooling for tracking and alerting on security events—you’ll need an infrastructure that collects logs from IT systems, endpoints and security tools, and raises alerts on suspicious activity. IRR services will not build this for you.
Automated incident response—put in place an automated incident response system that activates security playbooks in response to common attack scenarios. This lets you handle many day-to-day incidents without the expense and overhead of activating your external IRR service, and reserve the retainer for incidents that exceed in-house scope.
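The division of labour described in this section, as an added example that is not Cynet’s code or part of the original page: a minimal in-house pipeline that collects events, raises alerts, runs an automated playbook for common scenarios (brute force, a logon following a brute-force burst, an EDR hit), and escalates only high and critical alerts to the external retainer with an SLA deadline computed from the time the incident is declared. The log lines, thresholds and retainer SLA tiers are constructed for illustration; a real deployment would take events from a SIEM or EDR and call the firewall, IAM and EDR APIs instead of recording strings.

```python
"""
Added example (not the page's or Cynet's code): in-house alerting plus an
automated playbook, with escalation to an IR retainer only above a severity
threshold. Sample logs, thresholds and SLA terms below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample log lines: "<iso-time> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2024-03-01T09:00:01 web-01 auth_fail user=admin src=203.0.113.7
2024-03-01T09:00:02 web-01 auth_fail user=admin src=203.0.113.7
2024-03-01T09:00:03 web-01 auth_fail user=admin src=203.0.113.7
2024-03-01T09:00:04 web-01 auth_fail user=admin src=203.0.113.7
2024-03-01T09:00:05 web-01 auth_fail user=admin src=203.0.113.7
2024-03-01T09:00:09 web-01 auth_ok user=admin src=203.0.113.7
2024-03-01T09:02:00 fs-02 auth_ok user=jdoe src=10.0.0.21
2024-03-01T09:05:30 fs-02 edr_alert user=jdoe src=10.0.0.21 detail=ransomware_behaviour
"""

# Assumed (hypothetical) retainer terms: critical incidents get a 1-hour
# response SLA, high a 4-hour SLA; lower severities stay in-house only.
RETAINER_SLA = {"critical": timedelta(hours=1), "high": timedelta(hours=4)}
BRUTE_FORCE_THRESHOLD = 5               # failed logons per source in the window
BRUTE_FORCE_WINDOW = timedelta(minutes=1)


@dataclass
class Alert:
    ts: datetime
    host: str
    severity: str                        # low / medium / high / critical
    reason: str
    src: str
    actions: List[str] = field(default_factory=list)   # playbook steps taken
    escalate_to_retainer: bool = False
    sla_deadline: Optional[datetime] = None


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a flat dict of fields."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def detect(events: List[dict]) -> List[Alert]:
    """Correlate raw events into alerts (the 'raise alerts' layer)."""
    alerts: List[Alert] = []
    fails = defaultdict(list)            # src -> timestamps of recent auth_fail
    brute_forced = set()                 # sources already flagged for brute force
    for e in events:
        if e["event"] == "auth_fail":
            window = [t for t in fails[e["src"]] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            window.append(e["ts"])
            fails[e["src"]] = window
            if len(window) >= BRUTE_FORCE_THRESHOLD and e["src"] not in brute_forced:
                brute_forced.add(e["src"])
                alerts.append(Alert(e["ts"], e["host"], "medium", "brute_force", e["src"]))
        elif e["event"] == "auth_ok" and e["src"] in brute_forced:
            # A success right after a burst of failures is a likely compromise.
            alerts.append(Alert(e["ts"], e["host"], "high", "brute_force_success", e["src"]))
        elif e["event"] == "edr_alert":
            alerts.append(Alert(e["ts"], e["host"], "critical", e.get("detail", "edr"), e["src"]))
    return alerts


def run_playbook(alert: Alert) -> Alert:
    """Automated first response; escalate to the retainer only above the threshold."""
    if alert.reason == "brute_force":
        alert.actions.append(f"firewall: block {alert.src} for 1h")
    elif alert.reason == "brute_force_success":
        alert.actions += [f"firewall: block {alert.src}",
                          "iam: disable account and revoke sessions"]
    elif alert.reason == "ransomware_behaviour":
        alert.actions.append(f"edr: isolate {alert.host} from the network")
    sla = RETAINER_SLA.get(alert.severity)
    if sla is not None:
        # Declare the incident to the retainer; the SLA clock starts at declaration.
        alert.escalate_to_retainer = True
        alert.sla_deadline = alert.ts + sla
        alert.actions.append("retainer: declare incident per agreed procedure")
    return alert


def triage(log_text: str) -> List[Alert]:
    """Collect -> detect -> respond, returning the alerts with actions taken."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [run_playbook(a) for a in detect(events)]


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(a.ts, a.host, a.severity, a.reason, a.actions,
              "escalate" if a.escalate_to_retainer else "in-house", a.sla_deadline)
```

On the constructed input this yields three alerts: a medium brute-force alert handled entirely in-house, a high alert for the successful logon that followed it (contained in-house, then escalated with a 4-hour deadline), and a critical EDR alert that isolates the host and escalates with a 1-hour deadline. The point is the routing: day-to-day noise never reaches the retainer, and when something does, the declaration time and SLA deadline are recorded so you can hold the provider to the agreement.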
Tips From the Expert
In my experience, here are tips that can help you better leverage incident response retainers:
Leverage the retainer for proactive services: Utilize unused hours in prepaid retainers for proactive services like threat hunting or red-teaming, which can reveal gaps in your defenses before an attack occurs.
Integrate response playbooks with the IR provider: Share your organization’s internal incident response playbooks with the retainer provider to ensure they align with your operational processes and reduce friction during a real incident.
Negotiate incident categorization and SLA tiers: When establishing SLAs, clarify what constitutes “critical” vs. “non-critical” incidents to avoid delays. Negotiate response times based on severity to ensure your high-priority issues get swift attention.
Request continuous knowledge transfer: Ensure your in-house team receives ongoing knowledge transfer from the IR team in post-incident reviews. This will improve internal capabilities and empower your team for future incidents.
Opt for retainer providers with post-incident analytics: Choose providers that offer post-incident analytics and trend analysis. This insight helps you identify recurring vulnerabilities and assess the evolving threat landscape specific to your environment.
These tips will help ensure your incident response retainer is a strategic asset rather than just a reactive tool.
Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security and has been recognized in Google’s security Hall of Fame.
Cynet’s 24/7 Incident Response Team
Cynet offers a holistic security solution that analyzes network and endpoint data, raises alerts, and protects against a wide range of known and zero-day threats. Cynet provides an outsourced incident response team that gives organizations professional security staff who can execute a fast, effective incident response process.
The Cynet team can deploy the Cynet security platform in a matter of minutes across hundreds to thousands of endpoints. They can then scan, analyze, identify and remediate threats before damage is done. Our incident response service includes:
24/7 incident response—including identification, containment, eradication and recovery
Deep forensic investigations—collecting data to identify the scope of an attack and who is responsible
Threat hunting—exploring security data to proactively discover advanced threats
Malware analysis—analyzing malware in a sandbox to determine its characteristics and how to remediate it
Contact us for immediate help
For emergency assistance from our security experts, call us at US 1-(347)-474-0048, International +44-203-290-9051