Incident response (IR) retainers have been a staple for security teams for years. You pay an upfront fee to an IR firm to be "on call" if an incident occurs. The basic idea is that IR experts are ready to parachute in when disaster strikes.

There are several good reasons why IR retainers have been broadly used for so long. Retainers offer a framework to call in experts when an incident occurs. The retained team comes in to apply their expertise, helping understand what happened and guide containment, remediation, and recovery using prepaid hours for services.

While retainers proved effective for years when organizations were primarily working in on-prem environments, they deliver minimal value for today's cloud-centric enterprises. When minutes count, retained responders still take days or even weeks to ramp up. By then, substantial breach damage may already be done.

Let's explore why retainers fall short for modern organizations, and what capabilities they need to possess to support incident response across cloud and SaaS (Software as a Service).

Five Challenges of IR Retainers for Cloud

IR retainers are predicated on the promise that expert help is just a phone call away. However, when retained responders arrive after a breach to your cloud or SaaS environments, precious time is often wasted getting up to speed on your business, environments, security stack, and processes. This ramp-up time burns valuable investigation hours as responders try to grasp your unique environment and challenges. With sophisticated threats, delayed response enables adversaries to move deeper, inflicting graver damage. Beyond this ramp-up challenge, the old “time and materials” retainer model is cloud-deficient for a number of other reasons, including:

1. Lack of Contextual Understanding: The time and materials approach doesn't usually account for the initial discovery required to understand the unique context of each customer's environment. This knowledge is essential in a crisis, but under a time and materials model, this first "getting to know you" stage can use up significant amounts of the allocated hours, delaying the actual response.

2. Delayed Access to Data: In the cloud, data is often dispersed across various platforms and systems—including IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) from multiple providers. By default, data isn't readily available to be investigated. This can further slow down the response and result in hours being used inefficiently. In certain cases, there are even challenges with retrieving the data at all.

3. Lack of Ongoing Relationship: Traditional retainer agreements often lack an ongoing relationship that enables the vendor to understand the customer's environment continuously. This leads to inefficiencies when an incident occurs, as the vendor needs to spend critical time re-familiarizing themselves with the customer's systems.

4. Misaligned Motivations: When vendors are paid by the hour, there's no inherent motivation for efficiency. They might not be incentivized to reduce the time it takes to respond to an incident or to develop more efficient tools and processes. This can lead to longer response times and higher costs for the organization.

5. Rapid Change in Cloud Environments: Cloud and SaaS environments are inherently dynamic, and a one-time preparation may not be sufficient for future incidents. A retainer service that doesn't constantly update its understanding of the customer's environment is likely to find itself unprepared when an incident occurs.

Fundamentally, IR retainers falter in cloud environments because organizations don't own the data needed for investigation, slowing organizational response or hampering investigations entirely.

A Better Approach for Modern Incident Response  

With rigorous preparation and cloud-native technologies, a modern approach to IR can shrink incident response time dramatically. It minimizes business disruption while responders neutralize threats—elevating organizational resilience. By preparing proactively and continually, enterprises decrease investigation delays. In fact, it’s now possible to shrink the gap between detection and response to mere minutes.

Forward-looking companies are evolving their models to enable rapid, effective incident response across their cloud and SaaS environments by ensuring they focus on a number of critical cloud IR capabilities, including:

  • Proactive preparation guided by real-world attack intelligence and best practices
  • Ongoing threat monitoring tuned specifically to their cloud and SaaS environments
  • Ensuring ready access to cloud and SaaS platform logs and event data
  • Ability to ingest and analyze cloud telemetry
  • Contextual understanding of cloud-related environments and processes, built over time
  • Streamlined workflows or automation to accelerate response timelines
  • Leveraging a platform with tools to empower self-service investigation

Oftentimes enterprises don't yet possess these capabilities in house, even if they are part of their eventual road map. Partnerships with cloud-specific IR providers are being used to fill those gaps.

Don't Let the Next Incident Expose Your Cloud IR Shortcomings

With cloud incidents rising in number and severity, having a modern solution that covers all your cloud and SaaS environments has become table stakes for effectively managing risk and enabling business. Don't let the next crisis expose gaps in your cloud IR program. With the right strategy and partners, your organization can thrive through any incident. The time to rethink cloud IR is now.

Retainers look backwards. Focus forward on what cloud IR really needs: preparation, visibility, expertise, and speed.


LAST UPDATED: January 23, 2025
