Incident response is a critical component of enterprise security. Being prepared for unplanned and potentially disruptive events that affect the security and integrity of an organization's IT infrastructure can mean the difference between survival and going out of business.
To successfully handle incident response, organizations need to equip their teams with the best tools or employ incident response service providers.
Let's look at deciding between in-house or outsourced incident response, considerations to find the best option for your organization, and lists of leading software and service providers.
Incident response: In-house or outsourced?
Incident response cannot be completed by a single all-in-one platform. It requires a mix of tools and technologies, including endpoint products, network security platforms, specialized malware analysis tools and software with automation capabilities. Most organizations already have some of these tools in their arsenal, including SIEM systems, vulnerability scanners, endpoint detection and response (EDR), antimalware and firewalls. More recently, user behavior analytics (UBA); security orchestration, automation and response (SOAR); and extended detection and response (XDR) have joined the fold. A company that already has these tools in place is better positioned to handle its own incident response tasks.
Deciding between in-house or outsourced incident response can also come down to the nature and complexity of the threats the organization faces. Use risk analyses and business impact analyses to identify the types of situations for which incident response might be needed, and build an incident response plan from them. For many organizations, an in-house approach is the simplest way to do this. If the analyses point to potentially more serious events, however, consider outsourcing the planning process to a service provider. Organizations with multiple locations might also be better off outsourcing, because each location can have different risks, threats and vulnerabilities, and each might require its own version of the plan to address its unique needs.
Also, consider staffing. Does the organization have staff with the expertise needed to complete the steps in the incident response lifecycle? Does it have the budget?
How to choose incident response software
After using risk and business impact analyses to identify the security events most likely to affect the organization, consider which tools are needed. Many companies already have the tools they need in-house; those that do not should assess which additional tools to acquire. As with any activity, funding is an important factor.
When building an incident response toolkit, consider how -- and whether -- the tools can work together. Integrations are important to ensure proper analytics, investigation and response. A single vendor often supplies more than one of the required technologies; in other cases, tools from separate vendors connect to share information and coordinate incident response work.
Incident response software should also account for incident response standards and frameworks. This is important from both compliance and audit perspectives.
How to choose an incident response service provider
Organizations that find it more effective to work with a trusted third party should ask if their current managed security or risk management service providers or cloud service providers offer incident response capabilities. Using services from an existing provider can make the incident response service selection process easier.
If no existing vendors fit the bill, the following steps can help identify a suitable service provider:
- Determine the specific incident response requirements of your organization. This could include threat detection, alert notifications and detailed step-by-step procedures for incident handling.
- Research the market for incident response service providers, and review their offerings.
- Prepare and present a business case to management for approval and funding.
- Prepare a request for proposal or request for quotation to secure pricing and other elements, such as installation, training, warranties, support for service-level agreements, maintenance costs, testing capabilities, documentation and technical support.
- Select a vendor, review and approve contracts, secure organization funding, and schedule deployment and training.
- Complete installation and deployment, and then test the system. If possible, test along with business continuity, disaster recovery and cybersecurity testing.
- Set up maintenance, performance review and testing schedules.
As with any new technology or process, prepare or update policies and procedures for incident response activities.
Leading incident response vendor platforms
When handling incident response planning and management in-house, choose the right incident response tools. As mentioned, the incident response lifecycle requires a mix of tools. The following are 10 leading incident response software options to consider adding to an organization's arsenal.
1. AT&T USM Anywhere
Unified Security Management (USM) Anywhere from AT&T offers automated threat detection based on threat intelligence from the AT&T Alien Labs security team and AT&T Alien Labs Open Threat Exchange. USM has discovery capabilities that include network asset and cloud asset discovery; analysis that includes SIEM event correlation and user activity monitoring; detection that includes cloud intrusion detection and EDR; response; assessments that include vulnerability scanning and dark web monitoring; and reporting.
USM Anywhere is a SaaS product, available in Essentials, Standard and Premium plans, with starting prices ranging from $1,075 to $2,595 per month depending on the plan. Contact the company for further pricing.
2. CrowdStrike Falcon Insight
CrowdStrike Falcon Insight is an XDR and EDR platform with continuous logging, AI-powered threat detection, threat hunting, situational awareness, response, streamlined notifications and threat prioritization. Integration with CrowdStrike's SOAR platform, Falcon Fusion, enables automated response capabilities. Alerts are mapped to the Mitre ATT&CK framework.
The cloud-based product is available as part of the Falcon Enterprise and Elite packages, with the subscription licensed per endpoint. Contact the company for pricing.
3. Cynet 360 AutoXDR Platform
The Cynet 360 AutoXDR Platform integrates threat detection and prevention, log analysis and data correlation, and incident response and automation into a single platform. Features include EDR, UBA, network detection and response (NDR), deception technology, sandboxing and threat intelligence, as well as SaaS security posture management and cloud security posture management.
This product is available for SaaS, hybrid or on-premises deployment. CyOps, Cynet's 24/7 managed detection and response (MDR), is included at no additional cost. Contact the company for pricing.
4. Datadog Cloud SIEM
Platform provider Datadog offers cloud-based SIEM with an automated incident management integration. Combining observability and security investigations, Cloud SIEM maps to the Mitre ATT&CK framework and has a custom rules editor to help teams detect and respond to threats across applications, networks, workloads and infrastructure.
Pricing starts at $5 monthly per million events analyzed, billed annually, with automated workflows billed separately. On-demand pricing is also available. Contact the company for further pricing.
5. Exabeam Fusion
Exabeam calls Fusion, its cloud-delivered product combining SIEM and XDR, "New-Scale SIEM." It features threat detection, investigation and response; log management; and analytics. It includes UBA, the company's Common Information Model, alert prioritization, and reporting and dashboards. The optional Incident Responder add-on helps orchestrate and automate responses.
Exabeam Threat Intelligence Service, the company's threat intelligence feed, is included at no additional cost. Contact the company for pricing.
6. IBM Security QRadar
IBM Security's QRadar Suite of security products for incident response includes the following:
- QRadar EDR, featuring attack visibility, AI-powered alert management and ransomware prevention.
- QRadar Log Insights, offering visibility, observability, AI-powered risk prioritization and automated threat investigation.
- QRadar SIEM, featuring NDR, UBA and threat intelligence.
- QRadar SOAR, offering automated breach response and workflows, as well as customizable playbooks.
QRadar SIEM uses security and behavioral analytics to detect anomalies, offers prioritized alerting and aligns with the Mitre ATT&CK framework. It is available as on-premises software, a cloud deployment or SaaS via QRadar on Cloud.
Pricing is based on events per second or flows per minute and is offered either as a perpetual server-based license or as a subscription. Contact the company for pricing.
7. KnowBe4 PhishER
PhishER, from security awareness training and simulated phishing platform vendor KnowBe4, is a cloud-based platform designed to help incident response teams detect and respond to phishing-related security incidents. Described by the company as a lightweight SOAR platform for email, it analyzes incoming messages, filters based on threat level and automatically prioritizes potential threats. Its PhishRIP feature quarantines potential threats across all employee mailboxes.
The SaaS product is priced on a per-seat basis. Contact the company for pricing.
8. LogRhythm SIEM
LogRhythm's SIEM platform combines log management, analytics, UBA, network traffic analysis, SOAR and endpoint monitoring to help security teams increase visibility, prevent exposure, and detect and respond to threats quickly and efficiently. It integrates with the company's Threat Intelligence Service, as well as third-party threat feeds.
It is available for deployment on premises, in the cloud, through a managed security service provider or as SaaS via the company's Axon platform. Contact the company for pricing.
9. Splunk Enterprise Security
Splunk Enterprise Security is the vendor's SIEM offering that sits on top of the Splunk platform. Available as a cloud, on-premises or hybrid deployment, Splunk Enterprise Security features risk-based alerting, threat detection, and analytics and response. Automated responses called "adaptive response actions" are included; for further automation, Splunk SOAR is available. Other integrations include Splunk UBA; Splunk On-Call, an alerting and messaging incident response tool; and IT Service Intelligence, a monitoring and visibility plugin. Splunk Enterprise Security maps to the Mitre ATT&CK framework, NIST, the Center for Internet Security's Critical Security Controls and the Cyber Kill Chain.
Workload, predictive and ingest pricing are available; contact the company for details.
10. Everbridge xMatters
Part of software company Everbridge, xMatters is a service reliability platform that enables automated incident management. It features analytics, collaboration and reporting capabilities for incident response. Though geared toward DevOps and operations teams and engineers, the SaaS product can also help address IT events as part of cybersecurity incident response.
Free, Essentials, Standard and Advanced pricing are available, though not all incident response capabilities are included in each tier. Contact the company for pricing.
Leading incident response service providers
The following is a list of 10 leading incident response service providers, as opposed to software providers. Most feature an array of managed security and related services, including consulting. Some software providers listed above also offer hosted incident response services.
1. AT&T Managed Threat Detection and Response
One of the largest telecommunications providers in the U.S., AT&T is uniquely positioned in the incident response services market with its inline internet and WAN monitoring services. Using its globally distributed security operations centers (SOCs), AT&T offers 24/7 managed threat detection and response through its USM platform. Services include EDR, cloud security, firewall and secure remote access. Customers can also access AT&T Alien Labs Open Threat Exchange, which provides insight into the actions a global community of cybersecurity experts is taking regarding threat identification, actionable insights and reporting.
2. BAE Systems Incident Response
Founded in 1999, BAE Systems is one of the original cyber incident response vendors in the world. The U.K.-based company offers preemptive threat prevention services, including custom threat intelligence tools, penetration testing and attack preparation tools. If an attack or breach occurs, BAE Systems coordinates incident response from one of three support centers, in the U.K., the U.S. or Australia. If needed, BAE Systems deploys its experts to the customer's location. The company can also assist with evidence acquisition, reverse-engineering, technical and executive response, and PR management.
3. Cyderes Enterprise MDR
Headquartered in Toronto, Cyderes offers digital forensics and incident response (DFIR) services that can be used on an emergency basis or by retainer. With six SOCs worldwide, the company provides 24/7 root cause identification, forensics and analysis, incident containment and post-incident review. Retainer services include planning, consultation and advisory services, and tabletop exercises. Cyderes was created in 2022 when Herjavec Group merged with security services provider Fishtech Group.
4. Cynet CyOps
Cynet, headquartered in Boston, offers CyOps, a 24/7 MDR service. The company has offices in the U.S. and Israel, as well as a contact number in the EU. The MDR provider offers detection, investigation and response services; on-demand and live advice; and regular reporting, including newsletters, technique and malware reports.
5. Mandiant Incident Response
Part of Google Cloud, Mandiant offers 24/7 incident response and security services. The provider has incident responders in more than 30 countries who offer investigation, crisis management, containment and recovery. Mandiant also offers incident response retainer services in two models: a no-cost retainer or prepaid hours.
6. NTT Data MDR
Tokyo-based NTT is a global telecommunications and technology integrator. Its Security Services division's MDR offers a cloud-native security analytics and response platform that features DFIR, threat hunting, continuous monitoring and remote isolation, backed with 24/7 technical guidance. NTT Data also offers cloud security; application security; endpoint management; and governance, risk and compliance services.
7. Secureworks Emergency Incident Response
Operating out of five globally dispersed SOCs, the Secureworks Counter Threat Unit research team offers assessment, testing and exercise services for incident prevention, detection and response. Its Emergency Incident Response services feature remote or on-site technical and advisory services, including forensics and threat analysis, containment, system recovery and post-incident recommendations for improvement. The company also has a 24/7 emergency hotline number in eight countries.
8. Sygnia Incident Response
Headquartered in Israel with offices in New York, Singapore and London, Sygnia offers incident response services, incident response readiness services, digital forensics, threat hunting, advanced monitoring and litigation support, as well as managed XDR. It also offers an incident response retainer. Proactive defense and adversarial security services are also available.
9. Trustwave MDR
With eight global SOCs, U.S.-based Trustwave offers MDR featuring 24/7 threat monitoring, threat hunting, incident response and containment, and vulnerability and pen testing services. The company partners with various telecommunication and service providers to provide localized support and faster incident response. Customers that purchase its DFIR retainer services receive remote and on-site incident support and access to Trustwave's in-house SpiderLabs team of cybersecurity experts.
10. Verizon Incident Response & Investigation
Global telecom giant Verizon operates nine SOCs and six digital forensics centers worldwide. The company offers incident response planning and investigation services, as well as post-incident support. Customers purchasing rapid response retainer services can negotiate service contracts, receive 24/7 support and work with a designated investigative liaison. Add-ons include dark web hunting, network and endpoint telemetry analysis, data recovery and malware reverse-engineering.
Editor's note: This unranked list is based on a combination of market reports and vendor rankings from Gartner, G2 and SoftwareTestingHelp, plus additional research by TechTarget editors.
Paul Kirvan is an independent consultant, IT auditor, and technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.