Incident response is a critical component of enterprise security. Knowing how to deal with unplanned and potentially disruptive events that affect the security and integrity of an organization's IT infrastructure can mean the difference between survival and going out of business.
In order to successfully handle incident response, it is important to have the proper tools in place. Today, many organizations may also employ incident response service providers to offload the task.
Let's look at how to decide between in-house or outsourced incident response, considerations to make in each scenario and lists of leading software and service providers.
Incident response: In-house or outsourced?
No single all-in-one platform covers incident response. It requires a mix of tools and technologies, ranging from endpoint products, to network security platforms, to specialized malware analysis tools, to software with automation capabilities. Most organizations already run the majority of these tools, including SIEMs, vulnerability scanners, endpoint detection and response (EDR), antimalware and firewalls. More recently, user behavior analytics (UBA); security orchestration, automation and response (SOAR); and extended detection and response (XDR) have joined the fold. An organization that already operates these tools is better positioned to handle its own incident response.
Deciding between in-house or outsourced incident response may also come down to the nature and complexity of the threats an organization faces. Use risk analyses and business impact analyses to identify the types of situations for which incident response may be needed, and build an incident response plan from them. An in-house approach may be the easiest way to complete this planning, but if the risk and business impact analyses point to potentially serious events, consider outsourcing the planning process to a service provider. Organizations with multiple locations may also be better suited to outsourcing, because each location may face different risks, threats and vulnerabilities, and the plan may need restructuring to address each locale's needs.
Also consider staffing. Does the organization have staff with the expertise needed to complete the steps in the incident response lifecycle? Does it have the budget?
How to choose incident response software
After using risk and business impact analyses to identify the security events most likely to affect the organization, consider which tools will be needed to handle them. Many companies already have the necessary tools in house; if not, assess which additional tools are required. As with any activity, funding is an important factor.
When building an incident response toolkit, consider how -- and if -- the tools can work together. Integrations are important to ensure proper analytics, investigation and response. More than one technology is often available from a single vendor, while sometimes tools from separate vendors connect to share information and work on incident response together.
Incident response software should also support established incident response standards and frameworks, such as the lifecycle described in NIST SP 800-61 and technique mapping to Mitre ATT&CK. This is important from both compliance and audit perspectives.
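The integration point above, normalizing alerts from tools with different schemas into one record, tagging them with ATT&CK technique IDs and ranking them for the response queue, is the kind of glue an in-house team ends up writing whether or not a SOAR product sits in the middle. The following is an added example and not code from any product named on this page. The two input formats are constructed stand-ins for an EDR alert export and a SIEM correlation event, and the rule-to-technique table is a hypothetical analyst-maintained mapping; real products use their own schemas and field names.

```python
"""Normalize alerts from two tools into one record, map them to MITRE ATT&CK
technique IDs and rank hosts for the incident response queue.

Added example. Input formats and the rule mapping are constructed for
illustration, not taken from any vendor's API.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class NormalizedAlert:
    source: str          # tool that produced the alert
    host: str
    user: str
    technique: str       # ATT&CK technique ID such as T1059.001, or "unmapped"
    severity: int        # 1 (low) to 4 (critical), normalized across tools
    observed: datetime
    raw: dict = field(repr=False)


# Constructed EDR export: severity as a word, technique already present.
EDR_ALERTS = [
    {"hostname": "ws-042", "username": "JDoe", "severity": "High",
     "mitre_technique": "T1059.001", "timestamp": "2024-03-01T10:15:00Z",
     "description": "Encoded PowerShell command line"},
    {"hostname": "WS-042", "username": "jdoe", "severity": "Medium",
     "mitre_technique": "T1059.001", "timestamp": "2024-03-01T10:15:30Z",
     "description": "PowerShell spawned from winword.exe"},
]

# Constructed SIEM correlation output: numeric risk score 0-100 and a rule
# name instead of a technique; the analyst supplies the mapping below.
SIEM_EVENTS = [
    {"host": "WS-042", "user": "jdoe", "risk_score": 70,
     "rule": "multiple_failed_logons_then_success", "ts": "2024-03-01T10:05:00Z"},
    {"host": "SRV-DB01", "user": "svc_backup", "risk_score": 30,
     "rule": "new_scheduled_task", "ts": "2024-03-01T09:00:00Z"},
]

# Hypothetical analyst-maintained mapping from SIEM rule names to ATT&CK IDs
# (T1110 is Brute Force, T1053.005 is Scheduled Task; both are real IDs).
RULE_TO_TECHNIQUE = {
    "multiple_failed_logons_then_success": "T1110",
    "new_scheduled_task": "T1053.005",
}

EDR_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _parse_ts(value: str) -> datetime:
    # fromisoformat() in Python < 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_edr(alert: dict) -> NormalizedAlert:
    return NormalizedAlert(
        source="edr",
        host=alert["hostname"].upper(),      # case-fold so the same host groups
        user=alert["username"].lower(),
        technique=alert["mitre_technique"],
        severity=EDR_SEVERITY[alert["severity"].lower()],
        observed=_parse_ts(alert["timestamp"]),
        raw=alert,
    )


def normalize_siem(event: dict) -> NormalizedAlert:
    score = event["risk_score"]
    severity = 4 if score >= 90 else 3 if score >= 60 else 2 if score >= 30 else 1
    return NormalizedAlert(
        source="siem",
        host=event["host"].upper(),
        user=event["user"].lower(),
        technique=RULE_TO_TECHNIQUE.get(event["rule"], "unmapped"),
        severity=severity,
        observed=_parse_ts(event["ts"]),
        raw=event,
    )


def build_cases(alerts):
    """Group alerts per host into one case. Score is the highest severity seen
    plus one point per additional distinct technique, so a host showing several
    ATT&CK techniques from several tools outranks a single loud alert."""
    cases = {}
    for a in alerts:
        c = cases.setdefault(a.host, {"host": a.host, "alerts": [], "techniques": set()})
        c["alerts"].append(a)
        c["techniques"].add(a.technique)
    for c in cases.values():
        c["score"] = max(a.severity for a in c["alerts"]) + len(c["techniques"]) - 1
        c["first_seen"] = min(a.observed for a in c["alerts"])
        c["sources"] = sorted({a.source for a in c["alerts"]})
    # Highest score first; ties broken by earliest activity.
    return sorted(cases.values(), key=lambda c: (-c["score"], c["first_seen"]))


def triage_queue():
    alerts = [normalize_edr(a) for a in EDR_ALERTS] + [normalize_siem(e) for e in SIEM_EVENTS]
    return build_cases(alerts)


if __name__ == "__main__":
    for case in triage_queue():
        print(f"{case['host']:8} score={case['score']} sources={case['sources']} "
              f"techniques={sorted(case['techniques'])} first_seen={case['first_seen'].isoformat()}")
```

With the constructed input, WS-042 rises to the top of the queue because EDR and SIEM independently report two different techniques on it, even though no single alert on it is critical; SRV-DB01 stays lower with one medium-severity event. The case-folding of host and user names is deliberate: without it, the two EDR alerts would not group with the SIEM event and the host would be scored three times.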
How to choose an incident response service provider
Organizations that find it more effective to work with a trusted third party should ask if their current managed security or risk management service providers or cloud service providers offer incident response capabilities. Using services from an existing provider can make the incident response service selection process easier.
If no existing vendors fit the bill, the following steps can help identify a suitable service provider:
- Determine the specific incident response requirements of your organization. This could include threat detection, alert notifications and detailed step-by-step procedures for incident handling.
- Research the market for incident response service providers and review their offerings.
- Prepare and present a business case to management for approval and funding.
- Prepare a request for proposal or request for quotation to secure pricing and other elements, such as installation, training, warranties, support for service-level agreements, maintenance costs, testing capabilities, documentation and technical support and assistance.
- Select a vendor, have contracts reviewed and approved, secure organization funding and schedule deployment and training.
- Complete installation and deployment, then test the system. If possible, fold this into existing business continuity, disaster recovery and cybersecurity testing.
- Set up maintenance, performance review and testing schedules.
As with any new technology or process, prepare or update policies and procedures for incident response activities.
Leading incident response vendor platforms
Organizations that plan and manage incident response in house need the right incident response tools. As mentioned, the incident response lifecycle requires a mix of tools. The following are 10 leading incident response software options to consider adding to an organization's arsenal.
1. AT&T USM Anywhere
Unified Security Management (USM) Anywhere from AT&T offers automated threat detection based on threat intelligence from AT&T Alien Labs. USM has discovery capabilities that include network asset and cloud asset discovery; analysis that includes SIEM event correlation and user activity monitoring; detection that includes cloud intrusion detection and EDR; response; assessments that include vulnerability scanning and dark web monitoring; and reporting.
USM Anywhere is a SaaS product. Essentials, Standard and Premium plans are available; list pricing starts at $1,075 to $2,595 per month depending on tier. Contact the company for further pricing.
2. CrowdStrike Falcon Insight
CrowdStrike Falcon Insight is an XDR and EDR platform with continuous logging, threat detection, threat hunting, situational awareness, response and streamlined notifications and threat prioritization. Integration with CrowdStrike's SOAR platform, Falcon Fusion, enables automated response capabilities. Alerts are mapped to the Mitre ATT&CK framework.
The cloud-based product is available as part of the Falcon Elite pricing, with the subscription licensed per endpoint. Contact the company for pricing.
3. Cynet 360 AutoXDR Platform
The Cynet 360 AutoXDR Platform integrates threat detection and prevention, log analysis and data correlation, and incident response and automation into a single platform. Features include EDR, UBA, network detection and response (NDR), deception technology, sandboxing and threat intelligence, as well as SaaS security posture management and cloud security posture management.
This product is available for SaaS, hybrid or on-premises deployment. CyOps, the vendor's 24/7 managed detection and response (MDR), is included at no additional cost. Contact the company for pricing.
4. Datadog Cloud SIEM
Platform provider Datadog offers a cloud-based SIEM with an automated incident management integration. Combining observability and security investigations, Cloud SIEM maps to the Mitre ATT&CK framework and has a custom rules editor to help teams detect and respond to threats across applications, networks, workloads and infrastructure.
Pricing starts at $0.20 per GB of analyzed logs per month. Contact the company for further pricing.
5. Exabeam Fusion
Exabeam Fusion is a cloud-delivered product that combines SIEM and XDR; the company markets it as a "New-Scale SIEM." It features threat detection, investigation and response; log management; and analytics. Also included are logging, UBA, the company's Common Information Model for normalizing log data, alert prioritization, and reporting and dashboards. The optional Incident Responder add-on orchestrates and automates responses.
Exabeam Threat Intelligence Service, the company's threat intelligence feed, is included at no additional cost. Contact the company for pricing.
6. IBM QRadar
IBM's QRadar suite of security products for incident response includes QRadar SIEM, which integrates with QRadar NDR, EDR, SOAR and Randori Recon, an external attack surface management tool. QRadar SIEM also works with QRadar Vulnerability Manager, QRadar Network Insights, QRadar XDR Connect and Cloud Pak for Security.
QRadar SIEM uses security and behavioral analytics to detect anomalies, offers prioritized alerting and aligns with the Mitre ATT&CK framework. It is available as on-premises software, a cloud deployment or SaaS via QRadar on Cloud.
Pricing is based on events per second or flows per minute, or as an unlimited server-based license. Contact the company for pricing.
7. KnowBe4 PhishER
PhishER, from security awareness training and simulated phishing platform vendor KnowBe4, is a cloud-based platform designed to help incident response teams detect and respond to phishing-related security incidents. Described by the company as a lightweight SOAR platform for email, it analyzes incoming messages, filters based on threat level and automatically prioritizes potential threats. Its PhishRIP feature quarantines potential threats across all employee mailboxes.
The SaaS product is priced on a per-seat basis. Contact the company for pricing.
8. LogRhythm SIEM
LogRhythm's SIEM platform combines log management, analytics, UBA, network traffic analysis, SOAR and endpoint monitoring to help security teams increase visibility, prevent exposure, and detect and respond to threats quickly and efficiently.
It is available for deployment on-premises, in the cloud, via a managed security service provider or as a SaaS. Contact the company for pricing.
9. Splunk Enterprise Security
Splunk Enterprise Security is the vendor's SIEM offering that sits on top of the Splunk Platform. Available as a cloud, on-premises or hybrid deployment, Splunk Enterprise Security features risk-based alerting, threat detection, and analytics and response. Automated responses called adaptive response actions are included; for further automation, Splunk SOAR is available. Other integrations include Splunk UBA; Splunk On-Call, an alerting and messaging incident response tool; and IT Service Intelligence, a monitoring and visibility plugin. Splunk Enterprise Security maps to the Mitre ATT&CK framework, NIST, the Center for Internet Security's Critical Security Controls and the Cyber Kill Chain.
Workload and ingest pricing are available; contact the company for details.
10. xMatters
Part of software company Everbridge, xMatters is a service reliability platform that enables automated incident management. It features analytics and collaboration capabilities for incident response. Though geared toward DevOps and operations teams and engineers, the SaaS product can also be used to coordinate cybersecurity incident response.
Free, Essentials, Standard and Advanced pricing are available, though not all incident response capabilities are included in each tier. Contact the company for pricing.
Leading incident response service providers
The following is a list of 10 of the leading incident response service providers, as opposed to software providers. Most provide an array of managed security and related services, including consulting. Some software providers listed above also offer hosted incident response services.
1. AT&T Managed Threat Detection and Response
Still the dominant telecommunications provider in the U.S., AT&T is uniquely positioned in the incident response services market with its inline internet and WAN monitoring services. Using its globally distributed security operations centers (SOCs), AT&T offers managed threat detection and response through its USM platform. Services cover endpoint, cloud security, firewall and secure remote access. Customers can also access the AT&T Alien Labs Open Threat Exchange (OTX), a community threat intelligence platform where researchers worldwide share indicators, analysis and reporting on emerging threats.
2. BAE Systems Incident Response
Founded in 1999, BAE Systems is one of the original cyber incident response vendors in the world. The U.K.-based company offers preemptive threat prevention services, including custom threat intelligence tools, penetration testing and attack preparation tools. If an attack or breach occurs, BAE Systems uses one of three support centers in the U.K., the U.S. or Australia to base incident response. If needed, BAE deploys its experts to the customer's location. The company can also assist with PR management.
3. Cyderes Enterprise MDR
Headquartered in Toronto, Cyderes offers digital forensics and incident response services that can be used on an emergency basis or by retainer. With six SOCs worldwide, the company provides 24/7 root cause identification, forensics and analysis, incident containment and post-incident review. Retainer services include planning, consultation and advisory services, and tabletop exercises. Cyderes was formed in 2022 when Herjavec Group merged with security services provider Fishtech Group.
4. Cynet CyOps
Cynet, headquartered in Boston, offers CyOps, a 24/7 SaaS-based MDR service. The company has offices in the U.S. and Israel, as well as a contact number in the EU. The MDR provider offers detection, investigation and response services; on-demand and live advice; and regular reporting, including newsletters, technique and malware reports.
5. Mandiant Incident Response
Part of Google Cloud, Mandiant offers 24/7 incident response and security services. The provider has incident responders in more than 30 countries worldwide that offer investigation, crisis management, containment and recovery. Mandiant offers incident response retainer services in two models: a no-cost retainer or prepaid hours.
6. NTT Limited MDR
Tokyo-based NTT is a global telecommunications and technology integrator. The company offers telecom, cloud, networking and data center services, along with several technology consulting specialties. Specialized services include security and incident response managed out of the parent company's NTT Security division. Customers with retainer services use NTT security experts for incident response services, digital forensics, preemptive planning and compliance assessment reviews. NTT Security also offers threat intelligence and endpoint management services.
7. Secureworks Incident Response
Operating out of five globally dispersed SOCs, Secureworks offers a range of security incident response services. The company's proprietary Counter Threat Platform provides advanced security analytics through a customizable portal. Secureworks Taegis ManagedXDR provides endpoint, network and cloud support and threat hunting. Customers with retainers can take advantage of Secureworks professionals remotely or on site. The company also offers proactive security services, including incident preparedness, security assessments and application security testing.
8. Sygnia Incident Response
Headquartered in Israel with offices in New York, Singapore and London, Sygnia offers incident response services, incident response readiness services, digital forensics, threat hunting and advanced monitoring, as well as managed XDR. It also offers an incident response retainer and litigation support. Proactive defense and adversarial security services are also available.
9. Trustwave MDR
U.S.-based Trustwave offers online and on-site incident response support retainers globally. The company partners with various telecommunication and service providers in strategic locations to provide more localized support and faster incident response. Customers that purchase retainer services receive remote and on-site incident support and can use the company's proprietary threat intelligence services and in-house cybersecurity experts, known as the SpiderLabs team.
10. Verizon Incident Response & Investigation
Global telecom giant Verizon operates nine SOCs and six digital forensics centers worldwide. The company offers incident response planning and investigation services, as well as post-incident support. Customers purchasing rapid response retainer services can negotiate service contracts, receive 24/7 support and work with a designated investigative liaison. Add-ons include dark web hunting and network and endpoint telemetry analysis.