Small and mid-sized businesses (SMBs) these days must worry about what horrors await them each day as they log into their networks.
Unfortunately, hackers are targeting the basic applications that many SMBs rely on, making third-party risk, ransomware and the latest bugs like Apache Log4j all risks that small businesses have had to become a lot more familiar with.
“At the beginning of 2020, office documents accounted for only 20% of all malware downloads and have increased to 40% in 2021,” said Ray Canzanese, director at Netskope Threat Labs. “By the end of 2022 malicious office documents will account for more than 50% of all malware downloads as attackers continue to find new ways to abuse the file format and evade detection.
“This trend will continue due to the pervasive nature of office documents in the enterprise and the many different ways they can be abused, making them an ideal malware delivery vector.”
What is Driving the Incident Response Market?
Organizations are realizing that the problem of phishing is not getting solved and is not going away. Existing endpoint protection services allow a certain amount of unwanted data through.
“The incident response market is driven by the rise in frequency and sophistication of cyberattacks, the financial impact of a successful breach, and the regulatory requirements for different governments and industries,” said Mike Hanauer, vice president of Managed XDR Sales at Barracuda. “These, coupled with the rapid digital transformation caused by the pandemic, significantly increase businesses’ digital footprints, expanding their attack surfaces and risks to cyberattacks.”
Ransomware, of course, is one of the big drivers, and one of the most damaging. It is creating havoc across the digital landscape. Incident response capabilities are needed at scale and are becoming increasingly more focused on being proactive. But a global shortage of security experts with deep expertise in areas of incident response and threat hunting make it challenging for SMBs to hire staffers who are well-versed in this area. As a result, even those organizations that have a more mature security operations center are looking to partner with experts for their IR and threat hunting services.
“Organizations need a repeatable way to accurately respond in a timely manner,” said Chris Cline, product manager at KnowBe4. “After you’ve managed to make your responses repeatable and accurate, then your next step is to start learning from your responses.
“What is the lay of the land? Are you getting more incidents? Are there commonalities? Are there ways to be able to shift from reactive to proactive responses? Because of these needs, we see a rise in trend reporting.”
Fortunately, the incident response market is quite mature. There are many well established players that bring decades of human experience, automation, tooling, and threat intelligence. SMBs, therefore, have plenty of options for licensing incident response tools to prevent, detect, and respond to threats early.
Other managed security services to consider:
- Top 15 Managed Security Service Providers (MSSPs) of 2022
- Best Ransomware Backup Services
- Best Managed Detection and Response (MDR) Services for SMBs
Top Incident Response Services
We evaluated a great many incident response services before arriving at the ones we thought were the best; which one is best for your organization will depend on your use cases and budget.
Jump ahead to:
Here are our top picks in no particular order:
Secureworks
Secureworks uses its threat prevention, detection, and response platform, Taegis XDR, as an incident response tool. Key features include a single pane of glass view for telemetry and logs from 50+ different types of event sources (this includes endpoint detection and response, or EDR, agents for streaming as well as scan-based telemetry, cloud telemetry, endpoint events, and network devices). Broad and deep threat detection is powered by machine learning and security expertise, enabling the platform to detect threats and dynamically prioritize those with greatest risk to the organization.
Key Differentiators
- Automated application of threat intelligence (TI)
- Detects Kerberoasting, business email compromise activity, and successful password brute-forcing attacks
- Events are retained for 12 months, allowing responders to look back at historical activity to establish root cause, past attacker actions, etc.
- Responders can isolate endpoints, disrupt running processes (to terminate malware execution), force password resets for active directory (AD) accounts, and disable AD accounts
- Does not lock customers into a specific EDR agent or other sources of telemetry
- Depth of detections powered by machine learning and timely expertise from security experts who are actively engaged in IR engagements, adversarial testing, and monitoring 300+ threat groups
- Built for collaboration, with ability to chat within the tool with security experts to get responses in under 60 seconds to assist in a detection or investigation
- Emergency IR requests can be made through chat
Barracuda MSP
Barracuda MSP currently offers two incident response tools, Barracuda Forensics & Incident Response and Barracuda SKOUT Managed XDR. Barracuda Forensics & Incident Response for MSPs provides an automated process that empowers MSPs to more effectively detect, respond, and remediate email attacks targeting customers’ Microsoft 365 environments. With Barracuda SKOUT Managed XDR, MSPs can offer 24/7/365 monitoring and incident response to their clients without investing additional resources. Managed XDR is backed by AI-powered solutions with a fully staffed security operations center to make sure that not only the latest threats in the channel are taken care of but that proactive steps are taken to protect MSP partners and their customers from emerging threats. While Barracuda mainly aims its services at MSPs, it provides a list of partners for businesses looking to use the services.
Key Differentiators
- Detects which users receive and take action on malicious email by searching mailboxes by sender and subject. It also notifies the impacted users automatically with instructions to change their passwords and other necessary remediation actions
- A reporting feature is available for users to report suspicious emails
- Barracuda Insights (an analysis solution) gathers, consolidates, and analyzes data automatically; automatically identifies anomalies within delivered mail; and uncovers instances of phishing attacks
- Automatically removes emails that contain malicious URLs or attachments directly from users’ inboxes and places them in their junk folders
- Reviews users who clicked on the links and use Barracuda Insights to identify anomalies in delivered emails. The solution, then, creates an alert notifying users of the incident
- An automated workflow feature allows MSPs to create custom workflows to further automate their response across a variety of security solutions
- MSPs can integrate Barracuda incident response data into their current SIEM/SOAR/XDR solutions to streamline their data analysis efforts
- The Managed XDR platform covers a range of attack surfaces, including email and endpoint protection, log and network security monitoring, and Office 365 security monitoring as well as hundreds of integrations with major security vendors and ticketing systems to make MSPs’ lives easier
- Detects and correlates threats from across multiple vectors, detects lateral movements between threat actors, and sends alerts when it detects signs of privilege escalation or command-and-control communication
- Combines extended detection and response with a SOC-as-a-Service approach to offer a more holistic view of a partner’s environment across end users
PhishER
KnowBe4’s PhishER is a simple and easy-to-use web-based platform with critical workstream functionality that serves as a phishing emergency room to identify and respond to user-reported messages. It helps prioritize and analyze what messages are legitimate and what messages are not. With PhishER, teams can quickly prioritize, analyze, and manage a large volume of email messages. The goal is to help incident response teams prioritize as many messages as possible automatically, with an opportunity to review PhishER’s recommended focus points and take desired actions.
Key Differentiators
- PhishER blends incident response with a lightweight SOAR (security orchestration automation response) platform to allow organizations to focus directly on the problems that need to be managed
- Can be used by MSPs by rolling multiple organizations into one PhishER instance
- Automatic prioritization for emails
- Automate the workstream of the 90% of reported emails that are not threats
- Easy-to-use web-based platform to respond to user-reported messages
- Analyze what messages are legitimate and what messages are not
- Automated email response templates
- PhishRIP is an email quarantine feature that integrates with Microsoft 365 and
G Suite to help you remove, inoculate, and protect against email threats, so you can shut down active phishing attacks fast - PhishFlip is a feature that automatically turns user-reported phishing attacks into safe, simulated phishing campaigns
Sophos
Sophos Rapid Response provides fast assistance, identifying and neutralizing active threats against organizations. Whether it is an infection, compromise, or unauthorized access attempting to circumvent security controls, this service offers 24/7 remote incident response, threat analysis, and threat hunting.
Key Differentiators
- Onboarding starts within hours
- Triaging is accomplished within 48 hours in most cases
- Available to existing Sophos customers as well as non-Sophos customers
- Ejects adversaries to prevent further damage
- 24/7 monitoring for 45 days
- Work with a dedicated contact and response lead
- Post-incident analysis to detail the threat and actions taken
- Fixed cost with no hidden fees
Kaspersky
Kaspersky Lab’s global expertise can be brought to bear on the resolution of security incidents. It helps to limit the resultant damage and to prevent an attack from spreading. The full weight of Kaspersky services cover the entire incident investigation cycle to eliminate the threat.
Key Differentiators
- Identification of additional indications of compromise, preparing a remediation plan, and eliminating the threat
- Preventing the attack from spreading
- Analyzing evidence and reconstructing the incident’s chronology and logic
- Analyzing the malware used in the attack
- Uncovering the sources of the attack and other potentially compromised systems
- Conducting tool-aided scans of the IT infrastructure to reveal possible signs of compromise
- Analyzing outgoing connections between the network and external resources to detect anything suspicious (such as possible command and control servers)
- Recommending further remedial actions to take
Rapid7
Rapid7 Incident Response services give access to the experience and technical expertise needed to accelerate incident investigation, containment, and recovery. Its teams work closely with in-house and outsourced teams through every stage of incident response, from analysis to scoping through containment, remediation, and cleanup.
Key Differentiators
- Rapid7’s incident responders have conducted hundreds of investigations and have decades of experience responding to compromises of all sizes and severity
- Expertise in threat analysis, forensics, and malware analysis is complemented with knowledge of multiple technology platforms for rapid analysis and incident scoping
- Single point of contact
- In the event of a compromise, retainer customers alert the Rapid7 team, who will respond within one hour to plan an approach
Proofpoint
Proofpoint Threat Response is a threat management platform to orchestrate and automate incident response. The platform surrounds security alerts with contextual data to help security teams prioritize response actions. It confirms system infections and enforces protections automatically. And by collecting and analyzing security event context, forensics, and intelligence, it closes the gap between detection and response, multiplying the abilities of in-house incident response staff.
Key Differentiators
- Automate collection of forensic data from potentially compromised systems
- Save time confirming infections by comparing system PC data with detection forensics
- Reduce manual collection of data from external devices and intelligence sources
- Monitor incidents and processed threats with a visual interface that lets you see what’s happening at a glance
- Accelerate response decisions with integrated views of threat activity
- Quarantine and contain threats automatically or at the push of a button for fast protection
- Automatically manage users, hosts, IPs, and URLs on enforcement devices throughout the attack lifecycle to free up staff for other tasks
Cynet
Cynet’s Incident Response service combines security analysis experience together with Cynet360 investigative and security technology to achieve fast, accurate results. Cynet’s 24/7 security team acts as an extended team that leads any required analysis, ensuring that nothing is overlooked.
Key Differentiators
- You can decide to keep Cynet360 post-resolution to protect systems against future attacks
- Cynet’s proprietary IR tech looks at alerts and information coming from endpoints, users, and networks
- No need to involve manual tools as it is easy to deploy, allowing for speed and scale across endpoints
- Dedicated IR project manager and point of contact
- Reports ranging from executive summaries to detailed IoCs (indicators of compromise) that can be exported to CSV for consumption by other systems or to manually update systems across the environment