Booz Allen Hamilton
News coverage related to the latest cybersecurity attacks is no longer restricted to the technology-related channels that IT and cybersecurity practitioners peruse. The costs to a business’ bottom line, to a country’s critical infrastructure, or to an individual’s ability to obtain life-saving treatment in a hospital due to the proliferation of ransomware and other cyberattacks are becoming huge wake-up calls. These calls are getting the attention of newsrooms, boardrooms, and regulatory bodies across the globe.
Cybersecurity evangelists and analysts historically have debated the merits of where to invest the monetary resources and time needed to combat threats. There are those who make the argument that preventing attacks is paramount, and to a certain extent, they are correct. No one disputes the need to invest in preventing attacks. However, despite ever-increasing amounts of time and money that have been invested in preventing attacks, the cybercriminal gangs and their nation-state supporters prove their resilience in overcoming the defenses. The vicious cycle of attacks landing and ransoms being paid has led to a realization that organizations need to diversify their cybersecurity investments by gaining expertise in responding to the sort of advanced attacks like ransomware that they are likely to see in their environment.
Now it is time to diversify and channel investments into being prepared to respond when attacks land. Organizations need to work with providers that understand the value proposition of shifting to a proactive mindset from a reactive one. The launch or expansion of incident readiness programs symbolizes the logical next step required to elevate a cybersecurity program. The underlying theme for all incident readiness programs is the ability to prepare — and this is the key phrase here — in advance — to make intelligent decisions in a crisis situation to minimize the damage and duration of a cyberattack.
Arguably one of the top tools in a CISO’s toolbox is the use of an incident response retainer. The primary use of a retainer is to give security leaders peace of mind. They know that if they have an incident response situation, they do not go to the back of the line. Conversely, they can engage with an incident response provider on an expedited basis to handle the situation.
IDC has noted that incident response providers are formalizing the use of these funds to serve dual purposes. One is providing access to the exact types of services that can help minimize the need for or duration of future incident response engagements. The second is funding anticipated incident response engagements.
IDC conducted a survey in June 2021 to survey the customers of the providers that are part of this study. Respondents were surveyed on a variety of topics relating to their consumption of incident readiness services.
Recognizing that there will be a day when a full-blown incident response team will be required to respond to a ransomware or similar devastating sort of attack, CISOs are starting to make the monetary and time investments in a variety of incident readiness capabilities. In this worldwide IDC MarketScape, IDC researched the various incident readiness services that can enable organizations to be proactive in their capabilities to detect, respond to, and limit the damage from the advanced cyberattacks that too often are making the news headlines.
The meaning of incident readiness varies by world area, size of organization, and industry. Buyers should discuss their understanding of incident readiness with providers to be sure all parties are on the same page. IDC’s Global Incident Readiness Survey reveals the top 8 definitions of incident readiness.
Further, when asked what incident readiness means to survey participants, the responses make it clear that simply having an incident response retainer in place, having a CISO, or employing security by design is not enough for an organization to consider itself incident ready. Before buyers evaluate providers and services, they should clarify internally what incident readiness means to their organizations. A clear picture of expectations and requirements will help buyers ask the right questions and speed understanding of provider capabilities.
Organizations continue to ramp up spending on a variety of incident readiness activities. Some clear choices are emerging. Two of the top 3 and three of the top 5 categories forecast to see increases in IDC’s Incident Readiness Survey include assessments, while the second most likely category to see a boost in spending is security and strategy consulting.
What do all three categories share?
A special call out needs to be made to firms that recognize the need for media and communications training. Increased regulatory requirements related to what can and should be shared versus kept in-house are raising awareness of the need to train the voices that share crucial information during crises. Attacks such as the Kaseya ransomware attacks in July 2021 impact not only the original company that was attacked but also companies that are users of its software. Miscommunication or a lack of transparency during an attack can result in delayed reactions and increased costs not only for the “patient-zero” company but also for customers and vendors.
In addition, the sections that follow present insights into aspects of incident readiness — tabletop exercises, consulting services, assessments, exercises and testing services, training services, and complementary services — that provide a valuable decision-making context.
Tabletop exercises are deserving of special attention by buyers of incident readiness services. While Figure 4 does not indicate a spike in increased spending for tabletop exercises, the reader should not misconstrue this to mean they are any less as effective or that they are declining in usage. Tabletop exercises are of value to organizations with relatively low cybersecurity maturity, and they continue to see usage for organizations at the top of the cybersecurity maturity rankings.
Numerous potential attack scenarios can be walked through in a tabletop exercise, as shown in Figure 5. Figure 5 illustrates the attack scenarios that the customers of providers in this IDC MarketScape utilized in their most recent tabletop exercises. While all of these scenarios are worthy of attention, the elephant in the room that is grabbing attention is ransomware. The providers in this study were quick to highlight their capabilities in preparing their clients for the possibility of this nightmare situation.
(% of respondents)
n = 309
Base = respondents who indicated organization has done tabletop exercises incident readiness activity since beginning of pandemic/next 12–18 months
Data is managed by IDC’s Quantitative Research Group. Multiple responses were allowed.
Source: IDC’s Global Incident Readiness Survey, June 2021
The potential damage that a ransomware attack can inflict is deep and severe. Because of the potential ramifications of any response to a ransomware situation, a large number of departments need to be brought into some of the exercises that an incident readiness provider facilitates. Tabletop exercises are one of the most common incident readiness exercises in which organizations participate. They typically range from one half day to a full day, and participants can be technical, nontechnical, or a mix. The goal is to walk through a scenario, such as a ransomware situation, and simulate the sort of activities, discussions, and decisions that likely would occur. Consider the range of voices that might need to be represented in a ransomware tabletop exercise:
The strategies and tactics that organizations utilize to increase their incident readiness maturity often require the use of providers that can give them the guidance and knowledge that they may not readily possess:
Assessments are a way of sizing up the risks, threats, and capabilities that an organization faces. When incident readiness providers conduct assessments, the providers gain greater insider knowledge of an organization’s cybersecurity posture. This helps give their guidance contextual perspective as incident readiness plans are developed and matured:
Testing activities offered by incident readiness providers help gauge the capabilities of an organization’s systems, processes, and people to withstand attacks from various potential vectors. Just as important, these exercises can put technical and line-of-business associates in a frame of mind that allows them to immerse themselves in simulations. They can play out the activities they might need to carry out during an incident response situation:
For well over a decade, the common theme of security evangelists has been the lack of trained bodies to fill roles. One of the antidotes to this issue is the need for current cybersecurity practitioners to gain deeper, best practices knowledge of their craft while enticing other industry domains to widen their scope of knowledge to include cybersecurity capabilities.
Figure 7 illustrates the training services and future planned training needs that incident readiness firms are likely to fill. The rising importance of clear communications to internal and external stakeholders and the media highlights the top tier that media and communications training has entered.
Plans to gain training in crisis management are due in part to the high stress levels endured by organizations during a ransomware situation. It is imperative that key employees develop the soft skills that crisis management training can provide during a ransomware or other high stress cyberevent prior to these skills actually being used during a live-fire incident.
Buyers should look for incident readiness providers that have off-the-shelf training that can be tailored to their unique needs. IDC noted during this study that ad hoc training occurs while consuming incident readiness services, but a formal training program for the personas involved in incident response situations is a logical next step in elevating an organization’s overall incident readiness capabilities.
Base = all respondents
Data is managed by IDC’s Quantitative Research Group. Multiple responses were allowed.
Source: IDC’s Global Incident Readiness Survey, June 2021
Other capabilities that incident readiness providers are likely to deliver can raise the overall incident readiness capabilities of organizations:
Mandiant is positioned in the Leaders category in the 2021 IDC MarketScape for worldwide incident readiness services.
The evaluation of Mandiant was done prior to the June 3, 2021, announcement of the separation of the Mandiant offerings from FireEye.
Mandiant organizes its incident readiness solutions into four pillars: assess, transform, defend, and train.
The assess pillar evaluates clients’ ability to prevent, detect, and respond to cyberthreats. Services include a compromise assessment, red team, purple team, penetration testing, tabletop exercises, cloud architecture assessment, remote security assessment, ransomware defense assessment, and response readiness assessments.
Transform actions center on helping clients design, build, or improve key functions such as threat detection, containment, and remediation capabilities. The company provides hands-on support to implement critical changes and best practices for functional/staff readiness.
Mandiant’s threat intelligence capabilities as well as the company’s managed detection and response service are key pieces of its defend pillar.
Train pillar offerings teach clients how to execute the right processes and technologies through instructor-led learnings and hands-on scenario gameplay based on real-world investigations, not theoretical scenarios. Courses include enterprise incident response, malware analysis, network investigations, and forensic analysis. All courses can be delivered remotely.
The ThreatSpace cyber-range is an immersive, virtual environment that enables Mandiant to test a security team’s ability to protect, detect, and respond. Participants are coached to apply proven capabilities, processes, and procedures to improve overall security effectiveness and capabilities.
Using the IDC MarketScape model, IDC studied 14 organizations that offer incident readiness services across the globe. Evaluated vendors provide global capabilities, and while there are many service providers providing managed security services (MSS) globally, specific services and criteria were required to qualify for this vendor assessment:
IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor’s characteristics, behavior, and capability.
Incident readiness services help organizations prepare to act in the case of a security breach or attack by putting in place organized procedures to manage the effect of a breach in the event of such a security incident. Incident readiness services include consulting, training, assessments, exercise and testing engagements, and other complementary services.
The objective is to limit the damage of any potential security incident and to reduce recovery time and costs through the prompt identification, isolation, and eradication of the problem.
IDC recognizes that there are five buckets of services of incident readiness services that providers generally offer. The following list of incident readiness services is not an exhaustive list, but it does lay out the primary list of capabilities that IDC sees in the market, and the definitions are largely based on industry standards as well as the knowledge that IDC has gained doing the research in this study: