There have been so many major security incidents in the last year that it’s no wonder the incident response market has taken off.
Of the 5,000 data breaches detailed in the Verizon Data Breach Investigations Report (DBIR), phishing was the top avenue of incursion used in breaches (more than 30% of incidents). Next came web application attacks (25%) and system intrusions (20%).
The sheer number of attacks is obviously a major driver of growing interest in incident response (IR) tools and services. But the severity of those attacks has been even more noteworthy. The one with the biggest impact on the channel was the Kaseya attack, which combined two of the more dangerous attack vectors and techniques, the software supply chain and ransomware.
“The incident response market is driven by the rise in frequency and sophistication of cyberattacks, the financial impact of a successful breach, and the regulatory requirements for different governments and industries,” said Mike Hanauer, Vice President of Managed XDR Sales at Barracuda. “These, coupled with the rapid digital transformation caused by the pandemic, significantly increase businesses’ digital footprint, expanding their attack surfaces and risks to cyberattacks.”
All those factors have the roughly $30 billion IR market growing at a torrid 20% annualized rate, according to estimates.
Ransomware Drives the IR Market
Not all incidents have the same level of impact. The DBIR noted that 61% of incidents involved credentials and 13% contained ransomware. About 10% of the reported ransomware attacks cost organizations an average of about $1 million each (that includes cash, remediation, and lost revenue). It is the looming threat of ransomware, more than any other factor, that has caused organizations to consider adding or augmenting existing IR tools and services.
Maureen Perrelli, Chief Channel Officer, Secureworks, said ransomware is the biggest driver of the incident response market right now, along with the cyber insurance industry’s attempts to better prepare for a ransomware breach.
“Incident response (IR) capabilities are needed at scale and are becoming increasingly more focused on being proactive,” said Perrelli.
Security Staffing Shortage
Another big driver of incident response is the ongoing personnel scarcity. Layoffs at the start of the pandemic lost a lot of security personnel to the world of IT. Now the Great Resignation is worsening the issue. As the ransomware scourge hasn’t been with us too long, the number of people trained in detection and remediation is relatively small.
Those with deep pockets can afford to hire those experts. But even they must be on guard, as head hunters are keen to lure them away for even larger salaries.
“There is a global shortage of security experts, and those with deeper expertise in areas of incident response and threat hunting are even harder to employ and retain,” said Perrelli.
Hanauer agrees. He noted that if large companies are feeling the pressure on personnel, small-and-medium-sized businesses (SMBs) must be suffering even more.
“IT teams just don’t have the time to manage incident response as well as ensure their network is always performing optimally and available,” he said. “This is especially true for SMBs that may not even have a security department or a well-staffed IT department, if any. With hackers using multiple attack vectors, integration is even more important for effective incident response.”
Even SOCs Want Help
With personnel being such a problem, Perrelli has observed that even organizations that have a more mature security operations center (SOC) are looking to partner with experts for their IR and threat hunting services.
“This is an opportunity for MSPs to help organizations respond to that skills gap,” said Perrelli. “MSPs are unlikely to be successful in the IR field if they attempt to go it alone and build their capabilities from scratch.”
But it is the SMBs that represent the largest potential market.
“The question is no longer if, but when an SMB will experience a breach, and what their recovery plan should be in the event of an attack,” said Hanauer. “There’s no emergency infrastructure for businesses to call if they’ve been compromised. In the absence of a police response or dealing with the exorbitant costs of an enterprise-focused vendor, MSPs have had to step in and address the SMBs’ need for a dedicated security team, to not only protect them and take preventative measures to avoid cybersecurity incidents but to respond to incidents that do happen most effectively to reduce the financial impact of the attack on their business.”
Chris Cline, Product Manager at security awareness vendor KnowBe4, said that organizations are realizing more and more that the problem of phishing is not getting solved. There are many endpoint protection services, and most companies have adopted one. However, they all allow a certain amount of unwanted data through. Regardless of their presence, the total count of incidents continues to rise. He recommended that organizations find a repeatable way to accurately respond in a timely manner.
“After you’ve managed to make your responses repeatable and accurate, then your next step is to start learning from your responses,” said Klein.
Good questions to ask include: What is the lay of the land? Are you getting more incidents? Are there commonalities? Are there ways to be able to shift from reactive to proactive responses?
MSPs Should Start Small and Partner
The breadth of potential services that fall under the IR umbrella is too wide for an MSP to attempt to offer everything. Klein suggested that MSPs choose a specific area of incident response. Get to know that and then grow it out.
“Choosing a focus area will let you secure an area of the market and learn how to manage a growing headcount,” said Klein. “Then you can use that headcount to start learning new areas.”
Be aware that there are already many well established players in IR that bring decades of human experience, automation, tooling, and threat intelligence. MSPs are advised, therefore, to take the safe route. Instead of attempting to develop their own tools, it is faster, easier, and cheaper to evaluate options for licensing an IR platform like those from Secureworks, Barracuda, or others to prevent, detect, and respond to threats early.
Incident response will become a necessary value-added service for MSPs, and it is forecasted to grow to over $33 billion by 2023, said Hanauer.
“Adopting an incident response service early on will give MSPs a competitive edge and help speed up their learning curve as cyberattacks become more sophisticated,” he said.
Unlike many other areas of the market, demand for MSP IR services is more likely to be driven by difficulties. Those in the midst of an incident and wrestling with a ransomware demand or other malware issue are most likely to come calling.
“Businesses will call MSPs with incident response capabilities when they’re in crisis,” said Hanauer. “Helping clients identify and address their security gaps, one of the biggest struggles they are facing, is more beneficial than any marketing campaign.”
MSPs Need to Be Ready
Demand for incident response services, then, is likely to be high and sudden. The first port of call in any organization tends to be its existing service providers. If clients have a good relationship with their current MSP for backup, disaster recovery, remote desktop or other services, they are likely to reach out and ask if you can also provide security and IR services.
“MSPs will be asked to step in to address cyber problems, whether or not they are equipped to do so,” said Hanauer.
The best approach is to be prepared. Find a trusted service provider that already has IR capabilities. In many cases, they will allow you to rebrand the service as your own, plus provide tier 2 support for problems that go beyond local capabilities.