Cybriant’s Incident Response and Incident Containment Services are vital services after your organization discovers a cybersecurity breach.
Incident Response and Incident Containment Services
Ransomware, Advanced Persistent Threats, Viruses, and Hackers have industrialized information theft across the Internet, corporate networks, and governments.
Does your organization understand how to contain and stop the attacks once they occur? With every antivirus vendor on the market claiming they stop all hacker or ransomware threats, it’s hard to break through the noise, especially when that noise has outsmarted your antivirus software and has a foothold in, or total control of, your infrastructure. Or perhaps you couldn’t get budget approved for a managed security services provider and are now paying the full price of risk exposure.
The answer to stopping the bleeding and fixing the problem is Cybriant’s Incident Containment Services (ICS). During an ICS engagement, Cybriant will advise your staff on immediate actions that must be taken in order to begin containment. The Plan of Action will include active blocking and termination via a “Scorched Earth” policy for malware present in the infrastructure.
Once containment has been initiated and shown to be effective, Cybriant will further analyze the infrastructure to determine the extent of the incident. The breach data discovered from the infrastructure analysis will also indicate what information may have been exfiltrated from the organization.
Finally, once an ICS engagement has finished, a full report of findings, action items for remediation, and advisements to avoid breaches in the future will be provided.
Rapid Containment of Threats
Log Analysis to Determine Extent of Breach
Active Analysis of Observed Active Threats
Gather Forensic data from Workstations
Discovery and Containment of Threats across all Hosts
Analysis of Forensic Data for Further Findings
Questions about Incident Response and Containment Services?
Incident Response and Incident Containment Services Frequently Asked Questions
What happens if I run out of hours during an incident?
In the event of an incident, Cybriant can prioritize which systems are targeted. If the customer runs out of retainer hours during the investigation, the customer will have the option to purchase additional hours to continue the investigation at a discounted negotiated rate (with the exception of Tier 1 Retainers). Should the customer choose, Cybriant can cease the investigation once all retainer hours have been utilized. If an investigation ends before the reporting stage, all evidence will be given to the customer.
Can I buy Incident Response and Containment Services without purchasing a retainer?
Yes, IR and ICS services can be purchased without a retainer. However, a retainer offers Cybriant’s ICS and IR services at a discounted rate. More importantly, once a breach occurs, time to response and containment are crucial factors in minimizing data exfiltration, reducing the spread of ransomware, and minimizing damage to an organization. A retainer provides a guaranteed SLA.
Additionally, by having a retainer you can prove to your insurance organization that you have a proactive cybersecurity posture, and you can assure your customers that you take the security of their data seriously.
I already have a next-gen antivirus platform and the most expensive firewall on the market. Why would I need an IR or ICS retainer?
Cybriant’s Security Engineers have seen hundreds of thousands of systems with various next-gen antivirus platforms, AI-based EDRs, HIDS-based detection technologies, and various other buzzwords. If any single system were foolproof and caught all of the bad guys, then it would have a monopoly over the market. Obviously, while many people are passionate (or zealous) about the technology they utilize, a monopolistic technology that keeps the bad guys out 100% of the time hasn’t been created.
As such, an IR or ICS retainer provides an additional perspective from seasoned Security Engineers utilizing industry best practices to contain and evict a threat once it has taken root. Our analysis involves significantly greater scrutiny than AI and next-gen machine-learned models can provide. As a result, our methodology often discovers things that technology can miss. When you’re trying to find a threat that doesn’t want to be found, you can’t leave any stone unturned.
It seems like you utilized Incident Response (IR) and Incident Containment (IC) interchangeably. Are they the same thing? Do I have to buy retainers for each individually?
While we often use IR and ICS interchangeably, they are two different things, but they are both covered under the same retainer. More specifically, Incident Containment is typically seen as a subset of Incident Response and should be part of any good Incident Response policy. IR involves policies, procedures, escalation contacts, and actions an organization should take in the event of a breach (even including contacting legal counsel). Incident Containment is part of the actions an organization should take to stop the bleeding, and ultimately to both contain and eventually evict the threat.
An organization may utilize retainer hours to have Cybriant build or assist in creating a full Incident Response program. Note: It is always recommended to have a buffer of retainer hours to cover a breach if the organization decides to utilize retainer hours for other consulting services.
I bought retainer hours, but used all of them up. Do I still get the discounted rate and guaranteed SLA?
If the retainer hours are fully utilized during an active investigation, then yes, you would be entitled to the negotiated discounted rate and SLA up to the end of the investigation. However, if hours are utilized and a new retainer is not purchased, then Cybriant cannot guarantee any SLA.
To avoid loss of coverage, Cybriant recommends opting to have the contract auto-renew once hours are fully utilized. This ensures that you will always have the guaranteed SLA coverage and negotiated discounted rate.