Incident Response Teams: In-House vs Outsourced
How prepared is your organization for a security breach?
That gap in time between finding out you’ve been breached and selecting and onboarding an incident response (IR) team can cost your organization time, money, and brand reputation.
You can improve your security posture, protect your assets, reduce incident response time, and minimize breach impact by adding an IR team as part of your security operations.
What Is an IR Team?
An IR team, also referred to as a computer security incident response team (CSIRT), is a cross-functional team that responds to and mitigates incidents on behalf of an organization.
There is some overlap between the Security Operations Center (SOC) and IR teams, but IR teams are typically more focused on incident management and response duties.
What to Consider When Commissioning an IR Team
Organizing an IR team means determining who will be on the team, what skills you need in those individuals, their roles and responsibilities, what tools, training, and facilities you need to support them, which functions to outsource, and where your team members will be located.
As you begin to implement your strategy, you reach a crossroads: is it better to build an in-house IR team, to outsource it, or to take a hybrid approach?
Before deciding how to structure your IR team, pause and begin with the basics: developing an IR plan built around the six-phase IR lifecycle described below.
The Incident Response Lifecycle
Preparation
This phase lays the foundation for all your IR planning, including:
- Ensuring your employees are properly trained regarding their roles and responsibilities;
- Running through IR scenarios via mock breaches to test your plan; and
- Ensuring proper funding of your IR plan, including training, tools, staff salaries, and more.
Identification
This phase determines whether or not you have been breached, answering key questions such as:
- When the incident occurred;
- How it was discovered and by whom;
- What areas were impacted;
- Scope of the breach;
- Impact on operations; and
- Source of entry.
Containment
Containing the breach reduces attacker dwell time and minimizes further damage. Issues to address as part of this phase include:
- Identifying short- and long-term fixes;
- Verifying that malware has been quarantined from the rest of your environment;
- Security patches;
- Updates; and
- Credential reviews.
Eradication
The eradication phase of the incident response lifecycle involves removing the cause of the breach along with patching and updating systems.
Recovery
The recovery phase involves:
- Getting your systems back up and running;
- Patching and testing systems;
- Implementing monitoring of systems; and
- Implementing tools to prevent similar attacks.
Lessons Learned
During the final “lessons learned” phase, your incident response team performs analytical tasks, such as:
- Analyzing and documenting key learnings from the incident;
- Determining what worked and what did not work; and
- Identifying what can be done to strengthen systems to prevent future attacks.
Specialized Skill Sets Required by Incident Response Teams
To build an effective incident response team, you need a diverse group of individuals with very specific skill sets to manage each of these phases.
You need a team with deep experience in forensics and investigative work (think: former FBI agents), in addition to deep reporting and technical expertise, such as the ability to reverse engineer malware.
For more sensitive investigations, you need legal, HR, compliance, and insider threat expertise including evidence seizure, chain-of-custody, secure storage, forensic imaging and analysis, investigative reporting, and courtroom testimony.
Finding individuals with these skill sets is an industry-wide problem, as most professionals’ experience does not go deep enough.
In-House Incident Response Teams Can Be Prohibitively Expensive
Beyond the talent shortage, the biggest hurdle in building an in-house IR team is cost.
Maintaining budgets for training, selecting and licensing the right tools and technology, and providing secure storage of evidence – on top of the high salaries you’ll need to pay as well as issues with retaining that talent – makes building an in-house team cost-prohibitive for most organizations.
Benefits of Outsourced Incident Response Services
Based on the very specific needs of an IR team, outsourcing should be a top consideration.
When outsourcing, you’re not only taking advantage of the expertise that resides within the service provider’s own talent pool. You’re also gaining expertise from specialists who are putting those skills to use every single day, creating a network effect of knowledge from which your organization can benefit.
The cost? Typically far less than you’ll pay for an in-house team.