Renewed Focus on Incident Response Brings New Competitors and Partnerships

Incident response is shifting from a service that organizations hope they never need to a capability that every business aims to have, and a variety of companies — from consulting firms to insurance companies to cloud providers — are preparing to take advantage of the trend.

In late March, Microsoft announced that the company would focus its generative AI offering, Copilot, on helping companies triage and respond to incidents, with an aim toward bolstering organizations' incident-response capabilities. The company also announced that it would start offering incident response services and consulting on cybersecurity posture as a retainer to companies upon request.

The announcement marks a significant change at Microsoft. In 2019, Microsoft labeled its incident response team — known then as the Detection and Response Team (DART) — as the "cybersecurity team we hope you never meet." Now the team hopes to meet clients on a regular basis.

The moves are about offering the right services to improve incident response capabilities across the board, says Ping Look, director of the Microsoft Incident Response Team.

"We intend to build our customer base and give our customers more flexibility," she says. "Really, I think it's a growth inflection point."

Building IR Relationships

Microsoft is not alone. Incident response services have taken off, and the companies that offer them are looking to build relationships rather than one-off engagements. Google bought incident response bellwether Mandiant in 2022, adding to its other incident response-focused acquisitions of Siemplify and Chronicle and its security advisory services. Consulting firms Deloitte, Booz Allen, Kroll, and PricewaterhouseCoopers have long offered incident response, while managed service firms such as CrowdStrike and Secureworks have focused expertise. Large business-technology and service firms — such as IBM, AT&T, Verizon, and Palo Alto Networks — have also long been players in the incident response space.

Even with the extensive list of players, however, the demand for services continues to skyrocket, says Jurgen Kutscher, executive vice president for services at Mandiant.

"The demand always seems to outpace the supply, so I do believe there's plenty of work for all of these organizations because the threats keep changing," he says. "The organizations that are being targeted, especially when you look at much more opportunistic attacks, like ransomware and similar types of attacks — anybody could be a target."

Incidents Extend into the Cloud

Microsoft and Google are well-positioned because more attacks are impacting assets in the cloud — in an area where both companies have significant expertise — in part because business infrastructure and data have sprawled out into the cloud, or usually multiple clouds.

A few years ago, for example, a quarter of the attacks investigated by Palo Alto Networks, a network security and incident response provider, involved cloud assets; now, approximately half are cloud-related, says Sam Rubin, vice president of Palo Alto Networks' Unit 42 threat intelligence and incident response group. The company collects more than 500 billion security events per day from endpoint agents, network appliances, and cloud telemetry, he says.

Rubin does not expect that trend to slow, which can make incident response a challenge.

"It's very hard for organizations to only live and operate in one cloud environment, and even if most of your workloads are in the cloud, there are still systems at headquarters, there's still users with endpoints," he says. "We believe that having somebody who can cut across the entire environment, the headquarters, the remote users, and the cloud — whatever the case may be — that is going to remain an important strategy for securing the enterprise."

While Microsoft and other companies aim to use generative AI to process incidents faster and present incident responders with analyses in near real time, the efforts are largely aspirational at this point. Handling that data with large language models (LLMs) and other forms of advanced machine learning will require a great deal of development and learning, says Pete Shoard, vice president at business intelligence firm Gartner.

"Automated response for complex security incidents is absolutely a long, long way out," he says. "Where AI will help greatly is in that area of task-based automation, finding the right kind of information quickly, and providing a lot more information for the humans to be able to do their job more efficiently and effectively."

Insurance and Legal Remain Driving Forces

Corporate legal requirements and cyber-insurance policies have an outsized impact on incident response. Often, the first call for an engagement comes not from a company executive, but from an outside counsel hired to handle the crisis (often because attorney-client privilege shields a company from legal discovery). In other cases, an insurance company would bring in incident responders to help reduce the cost of recovering from a breach and to assess the security of a policyholder.

Legal counsel and insurance firms will likely continue to push for incident response retainers as a way to make sure that companies are doing a base level of training and preparation every year. That can create a net benefit, says Jess Burn, a security analyst with Forrester Research.

"Insurance firms are asking if you're doing incident readiness and incident preparedness exercises as part of your application or policy," she says. "Those same incident response firms can do assessments and tabletop exercises at the technical and executive level — and all of those things can help them, and you, really understand your environment."

Overall, companies that have incident response team and a tested incident-response plan save an average of 58% of the costs of mitigating a data breach, or about $2.6 million for large companies, compared with companies that have neither a team nor a well-tested plan, according to IBM's "2022 Cost of a Data Breach" report.

In the end, everyone can save when the incident response firm and the clients have an ongoing relationship, says Mandiant's Kutscher.

"Having organizations consulting with business partners and with cyber-insurance companies so that they don't just put out the fire, but then working with the organization to reduce the risk of having a similar event happen again, is very, very critical," he says. "That's something that the cyber-insurance industry is definitely driving toward."

The Future Is Pre-Crime (Pre-Incident, That Is)

Another benefit from the ongoing relationship with an incident response vendor is that companies will know what they need to have in place for effective incident response. With ongoing advice and expertise from incident response firms, when an attack happens, the incident response firm will know the company has retained the right data, which helps immeasurably in the investigation.

"When they do need us for incident response, we are not coming in cold and coming up to speed in a live-fire situation," Palo Alto's Rubin says.

Even companies with their own security operations center, which would not have qualified for Microsoft's DART services, will now be able to put the incident response group on a retainer, says Microsoft's Look.

"We want to be able to take care of our customers, even if they're not using our Microsoft security staff," she says. "Because that's where we primarily deliver our investigations from, using telemetry that comes in through that. But we're expanding well beyond that too — not as fast as I would like, but we're getting there."