Incident response (IR) retainers have been a staple for security teams for years. You pay an upfront fee to an IR firm to be "on call" if an incident occurs. The basic idea is that IR experts are ready to parachute in when disaster strikes.

There are several good reasons why IR retainers have been broadly used for so long. Retainers offer a framework to call in experts when an incident occurs. The retained team comes in to apply their expertise, helping understand what happened and guide containment, remediation, and recovery using prepaid hours for services.

While retainers proved effective for years when organizations were primarily working in on-prem environments, they deliver minimal value for today's cloud-centric enterprises. When minutes count, retained responders still take days or even weeks to ramp up. By then, substantial breach damage may already be done.

Let's explore why retainers fall short for modern organizations, and what capabilities they need to possess to support incident response across cloud and SaaS (Software as a Service).

Five Challenges of IR Retainers for Cloud

IR retainers are predicated on the promise that expert help is just a phone call away. However, when retained responders arrive after a breach to your cloud or SaaS environments, precious time is often wasted getting up to speed on your business, environments, security stack, and processes. This ramp-up time burns valuable investigation hours as responders try grasping your unique environment and challenges. With sophisticated threats, delayed response enables adversaries to move deeper, inflicting graver damage. Beyond this ramp up challenge, the old “time and materials” retainer model is cloud-deficient for a number of other reasons including:

1.    Lack of Contextual Understanding: The time and materials approach doesn't usually account for the initial discovery required to understand the unique context of each customer's environment. This knowledge is essential in a crisis, but under a time and materials model, this first "getting to know you" stage can use up significant amounts of the allocated hours, delaying the actual response.

2.    Delayed Access to Data: In the cloud, data is often dispersed across various platforms and systems—including IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) from multiple providers. By default, data isn't readily available to be investigated. This can further slowdown the response time and result in hours being used inefficiently. In certain cases, there are even challenges with the data being retrieved at all.

3.    Lack of Ongoing Relationship: Traditional retainer agreements often lack an ongoing relationship that enables the vendor to understand the customer's environment continuously. This leads to inefficiencies when an incident occurs, as the vendor needs to spend critical time to re-familiarize themselves with the customer's systems.

4.    Misaligned Motivations: When vendors are paid by the hour, there's no inherent motivation for efficiency. They might not be incentivized to reduce the time it takes to respond to an incident or to develop more efficient tools and processes. This can lead to longer response times and higher costs for the organization.

5.    Rapid Change in Cloud Environments: Cloud and SaaS environments are inherently dynamic, and a one-time preparation may not be sufficient for future incidents. A retainer service that doesn't constantly update its understanding of the customer's environment is likely to find itself unprepared when an incident occurs.

Fundamentally, IR retainers falter in cloud environments because organizations don't own the data needed for investigation, slowing organizational response or hampering investigations entirely.

A Better Approach for Modern Incident Response  

With rigorous preparation and cloud-native technologies, a modern approach to IR can shrink incident response time dramatically. It minimizes business disruption while responders neutralize threats—elevating organizational resilience. By preparing proactively and continually, enterprises decrease investigation delays. In fact, it’s now possible to shrink the gap between detection and response to mere minutes.

Forward-looking companies are evolving their models to enable rapid, effective incident response across their cloud and SaaS environments by ensure they focus on a number of critical cloud IR capabilities including:

  • Proactive preparation guided by real-world attack intelligence and best practices
  • Ongoing threat monitoring tuned specifically to their cloud and SaaS environments
  • Ensuring ready access to cloud and SaaS platform logs and event data
  • Ability to ingest and analyze cloud telemetry
  • Contextual understanding of cloud-related environments and processes, built over time
  • Streamlined workflows or automation to accelerate response timelines
  • Leveraging a platform with tools to empower self-service investigation

Oftentimes enterprises don't yet possess these capabilities in house, even if they are part of their eventual road map. The right partnerships are being leveraged with cloud-specific IR providers to fill those gaps.  

Don't Let the Next Incident Expose Your Cloud IR Shortcomings

With cloud incidents rising in number and severity, having a modern solution that covers all your cloud and SaaS environments has become table stakes for effectively managing risk and enabling business. Don't let the next crisis expose gaps in your cloud IR program. With the right strategy and partners, your organization can thrive through any incident. The time to rethink cloud IR is now.

Retainers look backwards. Focus forward on what cloud IR really needs: preparation, visibility, expertise, and speed.

Rethinking your IR? Dig deeper here.

LAST UPDATED:

April 23, 2024

Don't miss these stories:

How Missing Logs Impact Cloud Security

Microsoft experienced an issue with internal monitoring agents, resulting in incomplete logs for some services. Get more details and recommended next steps.

Streamline Cloud and SaaS CDR with Mitiga and Torq

Learn about the partnership between Mitiga and Torq that closes the gap in SecOps tools and expertise around handling cloud and SaaS threats.

National Cybersecurity Awareness Month Recommendations

Explore strategies and examples of how to handle cloud security incidents when prevention isn’t enough.

Why Cloud Threats in Healthcare are Surging and How to Combat Them

The healthcare industry is having an increasingly challenging time when it comes to cyber security.

What the Wiz Acquisition of Gem Security Means for the Future of Cloud Threat Detection, Investigation, and Response

It’s official: Gem Security is joining CNAPP decacorn Wiz. Acquisitions in tech do not happen by accident, but rather because giants in the industry recognize the gaps they need to fill as rapidly as possible. In this blog, I will explain what this acquisition means for the future of cloud security so you understand where the industry is headed and what questions you should be thinking about as you selectively choose cloud security vendors.

6 Keys to Resiliency in the Cloud: Advice for CISOs

Enterprise success relies on operational resilience. When you fall, you have to be able to get back up—and quickly. That ability to spring back after a setback requires more than nimbleness.