I frequently help Forrester clients come up with shortlists for incident response services selection. Navigating the vendor landscape can be overwhelming, every vendor that has consultant services has moved or is moving into the space. This has been the case for many years, you are probably familiar with the saying: "when there is blood in the water." I take many incident response services briefings and vendors don't do the best job of differentiating themselves, the messages are so indistinguishable you could just swap logos on all the presentations.
Early next year, after the RSA Conference, I'm going to start a Forrester Wave on Incident Response services. Instead of waiting for that research to publish, I thought I'd share a few suggestions for differentiating IR providers.
What is their hourly rate? This is typically my first question; I use it as a litmus test to figure out where the vendor sits in the landscape. If the rate is around $200 you are typically dealing with a lower tier provider. Incident response is an area where you get what you pay for. You don't want to have to bring in a second firm to properly scope and respond to your adversaries.
How many cases have they worked in the previous year? You want to hire an experienced firm; you don't want to work with a consultancy that is using your intrusion to build out the framework for their immature offering. While volume alone shouldn't be the key decision point, it does give you an objective way to differentiate potential providers.
Facebook made headlines last Friday with its announcement that it had been the victim of a sophisticated security attack. All major news publications picked up the story, citing widespread concern about the implications of the breach.
The breach itself, however, was largely a nonevent from a security standpoint.
Facebook identified the security breach before it infiltrated too deeply into company systems, remediated all compromised machines, informed law enforcement, and reported the Java exploit to its parent owner Oracle – acting quickly and appropriately. Most importantly, Facebook made it clear that the breach did not expose any of its users’ data.