Solutionary helps prepare for the inevitable

Transcription

1 Solutionary helps prepare for the inevitable Analyst: Wendy Nather 22 May, 2013 There's FUD (fear, uncertainty and doubt), and there's reality. In some cases, the difference is only in how you point it out. With vendor-breach reports detailing the wide variety of enterprises that are being compromised (including SMBs), the public is beginning to understand just how high the risks are for everyone, not just the Fortune This realization is prompting the exhortation from security professionals to spend more budget on detection and response. Detecting is good, and so is response, but in order to do both effectively, you need to lay the groundwork ahead of time. Although it's been providing incident response services for a long time now, Solutionary has formally announced a discrete packaged offering called Critical Incident Response, which is intended to help enterprises in both areas. The 451 Take Two things stand out about Solutionary's Critical Incident Response offerings: one, that they're priced in digestible 40-hour chunks, at a price that won't scare the CFO, and two, that the proactive planning service comes with an opinion letter that the customer has taken all reasonable steps to make sure it can handle a breach. This last part is territory where few dare to tread, but we expect that it will become more common in the future as stakeholders and authorities lose patience with unsecured organizations. Will this be enough to differentiate Solutionary overall from everyone else that offers similar incident response services? It will have to contend with more focused vendors that already have more mindshare in this particular area. Copyright The 451 Group 1

2 Context From its headquarters in Omaha, Nebraska, Solutionary has been building out its presence in several locations including Pittsburgh, where it has a redundant security operations center (SOC), and Atlanta, where it has a large group of employees. The company says it has more than 1,300 accounts, with around one-third of those being in the financial services sector. Its next largest market presence is in healthcare, at roughly 20% of its client base, followed by utilities, security companies, entertainment and insurance. The majority of these customers are US-based, with some presence in other countries through partners or its multinational clients. Its largest single deal is $1.4m in first-year revenue, although the company says that it often works with larger entities as discrete divisions. Solutionary reported year-over-year growth of 38% in 2012, and it's hiring the MSSP is at roughly 300 employees, and plans to bring on as many as 80 more in Some of the growth is proactive; with a 120-day internal training requirement for each new hire, it's prudent to lay the groundwork for expanded initiatives. Services Solutionary's Security Engineering Response Team (SERT) is seeing an uptick in activity in 2013, particularly in DDoS attacks. It has been helping its own customers respond to attacks (particularly involving infrastructure that was not under Solutionary's management), and has been taking on new reactive 'OMG breach' clients, as well. From the many lessons the SERT staff has learned through these diagnostic and forensic engagements, it has created a proactive service, currently available only to its existing customers, to help them prepare better for any incidents later on. The preparation takes several steps. The Solutionary team assesses any incident response plan that the customer might currently have in place (even if it's one page in a three-ring binder in the break room), and performs a gap analysis with the customer's infrastructure, since that tends to grow more often than the response plan is updated. While helping to create or revise the plan, Solutionary makes sure that the customer's third-party partners and suppliers are included; it can also officially integrate SERT members into the designed workflows and processes, where appropriate. Finally, Solutionary helps to organize a test of the incident response procedures, which could be as simple as a tabletop exercise or as complex as a full-blown simulation. The result of all this work is a robust and vetted IR plan one that the customer can use to demonstrate that it has taken all reasonable steps to make sure that it can respond efficiently to a breach. Copyright The 451 Group 2

3 The two types of the Critical Incident Response service the proactive and the reactive come as similar fixed-rate blocks of hours. Solutionary has a streamlined statement of work ready for anyone who contacts it in a hurry, needing help with an ongoing breach investigation. The 'on demand' incident response and forensics service, which is available for noncustomers as well, is priced in 40-hour packages at $17,000 each. The proactive planning service, which right now is only available to current Solutionary customers, is priced at a discounted rate. For customers who end up using both services, the vendor will also offer a discount. Strategy Solutionary says that the pressure is growing on its customers to show this due diligence, and it's ready to help by offering a letter from the SERT team, modeled on the audit opinion letter, stating that the customer's incident response plan has been assessed and validated. It's rare that a consulting firm or a security vendor is willing to put written backing behind any kind of assurance that a security program is actually suitable for its intended purpose (in this case, responding to a breach). But it's just the kind of thing that auditors really like, and it helps the C-suite sleep better at night. A validated incident response plan is also something that a seller of cyber insurance would want to see. This is different from attestation that an enterprise has an incident response plan that is compliant with a particular standard or set of policies (such as PCI or ISO/IEC 27035:2011); these standards generally don't measure the effectiveness or completeness of the plan that is, its suitability for that particular organization implementing it. For example, a qualified security assessor would check to see that a merchant's incident response plan was tested regularly, and that it contained certain types of required data. But the QSA does not determine whether the plan is sufficient or effective. This is because part of the plan's design depends on risk analysis, which is different from compliance, and it's very hard to find evidence for what constitutes effectiveness in security. Competition Incident response and forensics services are not new in and of themselves; there's a whole market for them, as evidenced by the annual breach reports from vendors that provide them to a large population. Every MSSP has to investigate potential problems, whether it's on the vendor's own behalf or on behalf of a customer. Consultancies that focus heavily on incident response include Mandiant, SecureState, Guidance Software, VeriSign, AccessData, CounterStrike, CrowdStrike, Cylance, VisibleRisk and others. Many of the large security firms (IBM, RSA, McAfee, Symantec and Copyright The 451 Group 3

4 more), along with defense contractors, offer risk assessment and incident response services. One advantage that Solutionary has as an MSSP is that when it provides these proactive assessment services to a customer, it already has the historical logging and monitoring data, as well as other knowledge of its security configurations. Once a plan is validated and tested, it also has a greater chance of being correctly executed if a breach should occur. This is enormously better for the customer, as opposed to an organization that has to call an incident response vendor out of the blue that responder may walk in and discover that it can't even get the data it needs to figure out what happened ('What do you mean, you have logging turned on only for your domain controllers?'). Many of these vendors offer a retainer service, paid as an annual subscription, for those who want peace of mind and have enough dedicated budget for what is essentially insurance. Solutionary's version, which is an on-demand fixed-price engagement, may be easier to swallow for enterprises that aren't sure of their risk and don't want to commit money until they have proof that they need to. For very large organizations under frequent or constant attack, an open-ended engagement is more likely to offer the flexibility that they need, whether it's deploying a small army of cyber troops around the world or keeping some dedicated staff in their SOC. Buying a fixed package offers reassurance to the CIO and CFO that any incident response activities and costs will not get out of hand. SWOT Analysis Strengths Weaknesses Solutionary offers two incident response services one proactive and one 'on-demand' in an easily consumable fixed-price package that may be more attractive to customers with limited budgets. Its equivalent of an audit opinion letter for incident response programs is intended to give customer stakeholders the same level of assurance they would draw from nonsecurity audit areas. Opportunities Threats When executed well, on-demand incident response and forensics services can lead to a long-term monitoring contract. Solutionary could keep this on-ramp going, and possibly undercut dedicated consulting firms and other MSSPs, if it keeps the fixed costs low. The fixed-price nature of the incident response planning service makes it a one-time engagement by its nature. The problem is that good planning (whether for security incidents or business continuity) is an ongoing process that keeps up with the changing business requirements, and customers are not likely to keep buying the same package every year; they'll think they're 'done' after the first one. Incident response, and to some extent planning, is part of nearly everyone's services portfolio. On the surface, Solutionary's offerings may not be enough to differentiate it from its competition. Companies that make their name on incident response, such as Mandiant, have more mindshare in this area. Copyright The 451 Group 4

5 Reproduced by permission of The 451 Group; This report was originally published within 451 Research s Market Insight Service. For additional information on 451 Research or to apply for trial access, go to: Copyright The 451 Group 5