IDC

Region Focus: Worldwide

Worldwide Incident Readiness Services 2021 Vendor Assessment

November 2021 | us46741420
Craig Robinson, Program Director, Security Services
Christina Richmond, Program Vice President, Security Services

Product Type: IDC MarketScape
This Excerpt Features: Mandiant

IDC MarketScape: Worldwide Incident Readiness Services, 2021

[Graph: vendors plotted by current capabilities (y-axis) against strategies (x-axis); positioning tiers are Participants, Contenders, Major Players, and Leaders.]

Leaders: Accenture, Deloitte, Mandiant (featured vendor), IBM, KPMG, PwC, Cisco, Secureworks, Kroll

Major Players: Booz Allen Hamilton, CrowdStrike, EY, Wipro

Participants: Verizon


IDC Opinion

News coverage related to the latest cybersecurity attacks is no longer restricted to the technology-related channels that IT and cybersecurity practitioners peruse. The costs to a business’ bottom line, to a country’s critical infrastructure, or to an individual’s ability to obtain life-saving treatment in a hospital due to the proliferation of ransomware and other cyberattacks are becoming huge wake-up calls. These calls are getting the attention of newsrooms, boardrooms, and regulatory bodies across the globe.

Cybersecurity evangelists and analysts have long debated where to invest the money and time needed to combat threats. Some argue that preventing attacks is paramount, and to a certain extent they are correct; no one disputes the need to invest in prevention. However, despite ever-increasing investment in preventing attacks, cybercriminal gangs and their nation-state supporters keep proving their resilience in overcoming defenses. The vicious cycle of attacks landing and ransoms being paid has led to a realization that organizations need to diversify their cybersecurity investments by building expertise in responding to the advanced attacks, such as ransomware, that they are likely to see in their own environments.

Now it is time to diversify and channel investments into being prepared to respond when attacks land. Organizations need to work with providers that understand the value of shifting from a reactive mindset to a proactive one. Launching or expanding an incident readiness program is the logical next step in elevating a cybersecurity program. The underlying theme of every incident readiness program is preparing, in advance, to make intelligent decisions in a crisis so as to minimize the damage and duration of a cyberattack.

Arguably one of the top tools in a CISO's toolbox is an incident response retainer. The primary purpose of a retainer is to give security leaders peace of mind: if they face an incident, they do not go to the back of the line. Instead, they can engage their incident response provider on an expedited basis to handle the situation.

IDC has noted that incident response providers are formalizing the use of retainer funds to serve two purposes. One is providing access to exactly the kinds of readiness services that can reduce the need for, or the duration of, future incident response engagements. The other is funding the anticipated incident response engagements themselves.

In June 2021, IDC surveyed the customers of the providers that are part of this study. Respondents answered questions on a variety of topics relating to their consumption of incident readiness services.

Recognizing that there will be a day when a full-blown incident response team will be required to respond to a ransomware or similar devastating sort of attack, CISOs are starting to make the monetary and time investments in a variety of incident readiness capabilities. In this worldwide IDC MarketScape, IDC researched the various incident readiness services that can enable organizations to be proactive in their capabilities to detect, respond to, and limit the damage from the advanced cyberattacks that too often are making the news headlines.

Tech Buyer Advice

The meaning of incident readiness varies by world area, size of organization, and industry. Buyers should discuss their understanding of incident readiness with providers to be sure all parties are on the same page. IDC’s Global Incident Readiness Survey reveals the top 8 definitions of incident readiness. 

Further, when asked what incident readiness means to survey participants, the responses make it clear that simply having an incident response retainer in place, having a CISO, or employing security by design is not enough for an organization to consider itself incident ready. Before buyers evaluate providers and services, they should clarify internally what incident readiness means to their organizations. A clear picture of expectations and requirements will help buyers ask the right questions and speed understanding of provider capabilities.

Areas of Incident Readiness in Which Spending Has Increased

Organizations continue to ramp up spending on a variety of incident readiness activities, and some clear choices are emerging. In IDC's Incident Readiness Survey, two of the top 3 and three of the top 5 categories forecast to see spending increases are assessments, and the second most likely category to see a boost in spending is security and strategy consulting.

What do these categories share?

  • They reflect the rapid changes in the use of data and applications, as well as an expanded attack surface that needs to be defended. A common misconception is that data and applications have shifted wholesale to the cloud. While this is true for many organizations, a great deal of legacy data and many legacy applications still reside in "classic" on-premises networks. As a result, the attack surface for which CISOs need to prepare a response has grown, not shrunk. CISOs recognize they need to realign their security posture to handle the expanded number of vectors where a zero-day attack could land and spread, and they are engaging in the appropriate assessments and consulting to be resilient in the face of that expanded surface.

A special call-out goes to firms that recognize the need for media and communications training. Increased regulatory requirements about what can and should be shared versus kept in-house are raising awareness of the need to train the voices that share crucial information during a crisis. Attacks such as the July 2021 Kaseya ransomware attack affect not only the company originally attacked but also the companies that use its software. Miscommunication or a lack of transparency during an attack can result in delayed reactions and increased costs not only for the "patient-zero" company but also for its customers and vendors.

In addition, the sections that follow present insights into aspects of incident readiness — tabletop exercises, consulting services, assessments, exercises and testing services, training services, and complementary services — that provide a valuable decision-making context. 

Tabletop Exercises

Tabletop exercises deserve special attention from buyers of incident readiness services. While Figure 4 does not show a spike in spending on tabletop exercises, readers should not take this to mean they are any less effective or that their usage is declining. Tabletop exercises are valuable to organizations with relatively low cybersecurity maturity, and they continue to be used by organizations at the top of the cybersecurity maturity rankings.

Numerous potential attack scenarios can be walked through in a tabletop exercise, as shown in Figure 5. Figure 5 illustrates the attack scenarios that the customers of providers in this IDC MarketScape utilized in their most recent tabletop exercises. While all of these scenarios are worthy of attention, the elephant in the room that is grabbing attention is ransomware. The providers in this study were quick to highlight their capabilities in preparing their clients for the possibility of this nightmare situation. 

Figure 5: Attack Scenarios Utilized in the Most Recent Tabletop Exercises

Q. Which of the following attack scenarios did you run in your last tabletop exercise? (% of respondents; n = 309)

Base = respondents who indicated their organization has done tabletop exercises as an incident readiness activity since the beginning of the pandemic or plans to in the next 12–18 months

Notes: Data is managed by IDC's Quantitative Research Group. Multiple responses were allowed.

Source: IDC's Global Incident Readiness Survey, June 2021

The potential damage that a ransomware attack can inflict is deep and severe. Because of the potential ramifications of any response to a ransomware situation, a large number of departments need to be brought into some of the exercises that an incident readiness provider facilitates. Tabletop exercises are one of the most common incident readiness exercises in which organizations participate. They typically range from one half day to a full day, and participants can be technical, nontechnical, or a mix. The goal is to walk through a scenario, such as a ransomware situation, and simulate the sort of activities, discussions, and decisions that likely would occur. Consider the range of voices that might need to be represented in a ransomware tabletop exercise:

  • Chief legal counsel and/or other legal counselors are often engaged in ransomware situations. While not low-cost participants, legal counselors can offer advice in many areas related to the decisions and implications surrounding payment of a ransom. They also may assist with notifications to legal and regulatory bodies.
  • Human resources plays a role in employee communications. Internal communication systems could be impaired during a ransomware situation, and human resources representatives need to be prepared to communicate issues to employees using different communication methods than those they might normally use.
  • Line-of-business department heads, depending on the industry, need to think about what processes might need to be put into play during a ransomware situation. Think about situations that are in the news (e.g., hospitals trying to track down patient information when they do not have access to electronic patient records). Consider how warehouses can receive shipments when they do not have access to electronic manifests. 
  • The impact of good corporate public relations on a public ransomware situation cannot be overstated. A company’s high-profile situation can have an impact on a local or national economy, and a tabletop exercise is the perfect time to think about the materials that should be prepared in advance of a crisis situation.
  • IT teams often are the first human line of defense to be deployed. Their roles need to be properly defined to make sure that forensic evidence is not accidentally destroyed. They are also key players in response and remediation efforts needed to bring systems back to a normal status.
  • The C-suite and the board are involved in ransomware situations. While their participation may be difficult to obtain on a regular basis, their roles need to be defined and represented. When possible, these stakeholders need to be encouraged to participate in at least one tabletop exercise annually to stay current on their roles and responsibilities.

Consulting Services

The strategies and tactics that organizations utilize to increase their incident readiness maturity often require the use of providers that can give them the guidance and knowledge that they may not readily possess:

  • When the topic of ransomware is raised, a common follow-up topic is the possibility of transferring some of this risk through the purchase of cyberinsurance. The rise of the cyberinsurance market is certainly getting a boost by CISOs, chief risk officers, and other C-suite members who wish to mitigate the cost of a potential ransomware situation. Figure 6 shows that many organizations see a role for cyberinsurance to pay either all or part of the cost of a ransom, and/or forensic, remediation, and potential regulatory costs associated with the incident.
  • Data may be recovered through the payment of a ransom or through the use of backups. Regardless, it’s a wise decision to use an incident readiness provider to assist in the planning of a wholesale backup recovery option or to gauge the amount of coverage required in a cyberinsurance policy.
  • Assistance in the creation, ongoing testing, and updating of incident response playbooks and runbooks is a widely used service. Changing business conditions and strategies, as well as ever-evolving IT architectures, require regular document review and updating. Incident readiness providers can help organizations apply best practices to these important documents, and in "live-fire" situations, organizations can be more confident that the planning behind these scenario-based documents involved multiple sets of eyes. Consider using incident readiness providers that can take already-developed, industry-specific playbooks and tailor them to your organization's unique needs.

Assessments

Assessments are a way of sizing up the risks, threats, and capabilities that an organization faces. When incident readiness providers conduct assessments, the providers gain greater insider knowledge of an organization’s cybersecurity posture. This helps give their guidance contextual perspective as incident readiness plans are developed and matured:

  • The common theme of being prepared to tackle a potential ransomware situation continues, as providers recognize the need for organizations to walk through the steps needed to prevent and, as needed, limit the size and scope of a potential ransomware situation. Buyers should look for prepackaged ransomware readiness assessments and consider acquiring the valuable guidance that providers can add to their institutional knowledge.
  • Cybersecurity maturity assessments are often a first step in establishing a cybersecurity program. Potential gaps are identified, and realistic road maps are designed that are appropriate for an organization based on its size, industry, and risk tolerance. A maturity assessment is a great document to keep around for presentations to the board and other C-suite members to highlight a CISO’s long-term strategy for maturing a cybersecurity program. 
  • A compromise assessment is a good introduction to a relationship with an incident readiness provider. The holistic view of an organization’s current and historic incident history is invaluable. Consider looking for providers that combine this assessment with a review of current security controls, security architecture, and vulnerabilities.

Exercise and Testing Services

Testing activities offered by incident readiness providers help gauge the capabilities of an organization’s systems, processes, and people to withstand attacks from various potential vectors. Just as important, these exercises can put technical and line-of-business associates in a frame of mind that allows them to immerse themselves in simulations. They can play out the activities they might need to carry out during an incident response situation:

  • Red/blue/purple team exercises. Opinions differ on the order in which these exercises should occur in an organization's cybersecurity maturity journey. Some argue that running a purple team exercise first is more like an open-book exam, with the red and blue teams each providing visibility into the other's tactics. Others argue that classic red/blue team exercises should be run before diving into a purple team exercise. IDC does not state a preference for the order but instead argues that all of these exercises are valuable.
  • Cyber-range. A misperception exists that cyber-range exercises are the exclusive domain of the highly technical cybersecurity practitioners who inhabit security operations centers (SOCs). This is not necessarily true. Many incident readiness providers now incorporate scenarios into cyber-range exercises that help legal, communications, and other executive team members gain valuable insight from these immersive exercises. The collaborative capabilities of an organization's leadership team can also be observed and enhanced, so that if a true crisis plays out, the people involved will show greater confidence in critical decisions because they have been tested before. Buyers will want to make sure that providers include all relevant personnel in their cyber-range exercises.
  • Breach and attack. The use of point-in-time tests such as penetration testing or red team exercises to gauge an organization’s ability to detect and stop attacks is valuable. Unfortunately, these tests suffer from gaps in time between their use. Organizations that are looking for continuous testing capabilities to assess the efficacy of their security controls are increasingly utilizing breach and attack simulation tools. These tools are gaining traction with incident readiness providers as another service that can on a more regular basis quickly identify issues with their clients’ security capabilities.

Incident Readiness Training Services

For well over a decade, the common refrain of security evangelists has been the shortage of trained people to fill roles. One antidote is for current cybersecurity practitioners to gain deeper, best-practice knowledge of their craft while practitioners in other domains widen their scope to include cybersecurity capabilities.

Figure 7 illustrates the training services and future planned training needs that incident readiness firms are likely to fill. The rising importance of clear communication with internal and external stakeholders and the media is reflected in media and communications training reaching the top tier.

Plans to gain training in crisis management are due in part to the high stress levels endured by organizations during a ransomware situation. It is imperative that key employees develop the soft skills that crisis management training can provide during a ransomware or other high stress cyberevent prior to these skills actually being used during a live-fire incident. 

Buyers should look for incident readiness providers that have off-the-shelf training that can be tailored to their unique needs. IDC noted during this study that ad hoc training occurs while consuming incident readiness services, but a formal training program for the personas involved in incident response situations is a logical next step in elevating an organization’s overall incident readiness capabilities.

Figure 7: Top of Mind Training Services and Future Planned Training Needs

Base = all respondents

Notes: Data is managed by IDC's Quantitative Research Group. Multiple responses were allowed.

Source: IDC's Global Incident Readiness Survey, June 2021

Complementary Services

Other capabilities that incident readiness providers are likely to deliver can raise the overall incident readiness capabilities of organizations:

  • Asset discovery capabilities for IT, OT, IoT, and other devices help increase awareness of the actual assets that are potentially at risk of damage or destruction during an attack. Knowledge of what needs to be protected should precede the strategies to protect them.
  • Use of threat intelligence to match threat actors with the tactics, techniques, and procedures (TTPs) they use against organizations can be a game-changing capability. Knowing how the relevant threat actors normally operate gives CISOs the visibility and road map to deploy the defensive capabilities that raise their overall incident readiness maturity.
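One concrete way to turn the TTP matching described above into a road map is to compare the ATT&CK techniques attributed to the actors you track against the techniques your detections actually cover, then rank the uncovered techniques by how many of those actors use them. The script below is an added example and not IDC's or any vendor's code; the actor names, their technique lists and the detection inventory are constructed for illustration (the ATT&CK technique IDs are real, but the attribution here is made up), and it assumes that a rule tagged with a parent technique such as T1059 also covers its sub-techniques.

```python
"""Rank detection gaps by how many tracked threat actors use each
ATT&CK technique.

Added example, not IDC's or any vendor's code. Actor names, their
technique lists and the detection rules are constructed for
illustration; the technique IDs are real ATT&CK IDs but the
attribution to these actors is made up.
"""
from collections import defaultdict

# Constructed: techniques attributed to the actors a CISO cares about.
ACTOR_TTPS = {
    "ACTOR-A (ransomware affiliate)": {"T1566.001", "T1059.001", "T1003.001",
                                       "T1021.002", "T1490", "T1486"},
    "ACTOR-B (ransomware affiliate)": {"T1078", "T1059.001", "T1047",
                                       "T1021.002", "T1490", "T1486"},
    "ACTOR-C (initial access broker)": {"T1566.001", "T1078", "T1133"},
}

# Constructed: the detections the SOC has today, tagged with the technique
# each is meant to catch. Assumption: a rule tagged with a parent technique
# (e.g. T1059) covers all of its sub-techniques (T1059.001, ...).
DETECTIONS = {
    "EDR: script interpreter spawned by Office app": {"T1566.001"},
    "SIEM: encoded PowerShell command line": {"T1059"},
    "EDR: LSASS handle opened by non-system process": {"T1003.001"},
    "SIEM: vssadmin/wbadmin shadow-copy deletion": {"T1490"},
}


def _parent(tid: str) -> str:
    """'T1059.001' -> 'T1059'; a parent ID is returned unchanged."""
    return tid.split(".")[0]


def covered_techniques(detections):
    """Return a predicate telling whether a technique has a detection.

    Exact tags match themselves; a parent-level tag also matches every
    sub-technique beneath it.
    """
    exact, parents = set(), set()
    for tids in detections.values():
        for tid in tids:
            exact.add(tid)
            if "." not in tid:
                parents.add(tid)

    def is_covered(tid: str) -> bool:
        return tid in exact or _parent(tid) in parents

    return is_covered


def coverage_gaps(actor_ttps, detections):
    """Uncovered techniques, most widely used by tracked actors first.

    Each entry is (technique_id, number_of_actors, sorted actor names).
    Ties are broken by technique ID so the ranking is stable.
    """
    is_covered = covered_techniques(detections)
    users = defaultdict(list)
    for actor, tids in actor_ttps.items():
        for tid in tids:
            users[tid].append(actor)
    gaps = [(tid, len(a), sorted(a)) for tid, a in users.items()
            if not is_covered(tid)]
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return gaps


def coverage_ratio(actor_ttps, detections):
    """Fraction of distinct actor techniques with at least one detection."""
    is_covered = covered_techniques(detections)
    all_tids = set().union(*actor_ttps.values())
    return sum(is_covered(t) for t in all_tids) / len(all_tids)


if __name__ == "__main__":
    for tid, n, actors in coverage_gaps(ACTOR_TTPS, DETECTIONS):
        print(f"{tid:10} used by {n} actor(s): {', '.join(actors)}")
    print(f"coverage: {coverage_ratio(ACTOR_TTPS, DETECTIONS):.0%}")
```

With the constructed data, lateral movement over SMB (T1021.002), valid accounts (T1078) and data encryption for impact (T1486) come out on top because two of the three actors use them and nothing detects them, which is the kind of prioritized list a readiness road map needs. In practice, the actor technique sets come from a threat intelligence feed and the detection tags from the SIEM or EDR rule inventory; the same ranking logic applies.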

Featured Vendor

Mandiant

Mandiant is positioned in the Leaders category in the 2021 IDC MarketScape for worldwide incident readiness services.

The evaluation of Mandiant was done prior to the June 3, 2021, announcement of the separation of the Mandiant offerings from FireEye. 

Mandiant organizes its incident readiness solutions into four pillars: assess, transform, defend, and train.

The assess pillar evaluates clients’ ability to prevent, detect, and respond to cyberthreats. Services include a compromise assessment, red team, purple team, penetration testing, tabletop exercises, cloud architecture assessment, remote security assessment, ransomware defense assessment, and response readiness assessments.

Transform actions center on helping clients design, build, or improve key functions such as threat detection, containment, and remediation capabilities. The company provides hands-on support to implement critical changes and best practices for functional/staff readiness.

Mandiant’s threat intelligence capabilities as well as the company’s managed detection and response service are key pieces of its defend pillar. 

The train pillar's offerings teach clients how to execute the right processes and technologies through instructor-led learning and hands-on scenario gameplay based on real-world investigations rather than theoretical scenarios. Courses include enterprise incident response, malware analysis, network investigations, and forensic analysis. All courses can be delivered remotely.

The ThreatSpace cyber-range is an immersive, virtual environment that enables Mandiant to test a security team’s ability to protect, detect, and respond. Participants are coached to apply proven capabilities, processes, and procedures to improve overall security effectiveness and capabilities. 

Strengths

  • Mandiant Threat Intelligence provides proactive guidance that helps clients understand the current threat landscape and its potential impacts. 
  • One client noted that after completing a tabletop exercise, it was obvious that the Mandiant team had “done the homework, was fully prepared, and understood the mission.”

Challenges

  • A client commented that sign-in to the website brings up all Mandiant portals and navigating among them is confusing unless one spends a lot of time in the system.
  • Because of limited vendor agnosticism, the company works with clients by relying extensively on client tools.

Consider Mandiant When

  • Organizations looking for a provider with a global footprint, threat intelligence, assessment capabilities, and the ability to strengthen client capabilities through training should consider Mandiant.

Methodology

IDC MarketScape Vendor Inclusion Criteria

Using the IDC MarketScape model, IDC studied 14 organizations that offer incident readiness services across the globe. Evaluated vendors provide global capabilities, and while there are many service providers providing managed security services (MSS) globally, specific services and criteria were required to qualify for this vendor assessment:

  • Revenue: Vendors with minimum of $25 million in a combination of incident readiness and incident response revenue for 2020 were considered.
  • Geographic presence: Each vendor was required to have incident readiness capabilities in the North America (NA), EMEA, and APAC regions.
  • Time frame: The time period studied was 2020–2021 with research ending toward the middle of 2021. It is possible that service providers have enhanced services since that time. 
  • Current capabilities include:
    • Tabletop exercises
    • Cyber-range
    • Vulnerability management
    • Red/blue teams
    • Incident plan and playbook development
    • Technical runbook development
    • Incident response

Reading an IDC MarketScape Graph

  • For the purposes of this analysis, IDC divided potential key measures for success into two primary categories: capabilities and strategies. 
  • Positioning on the y-axis reflects the vendor’s current capabilities and menu of services and how well aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the company and product today, here and now. Under this category, IDC analysts will look at how well a vendor is building/delivering capabilities that enable it to execute its chosen strategy in the market.
  • Positioning on the x-axis, or strategies axis, indicates how well the vendor’s future strategy aligns with what customers will require in three to five years. The strategies category focuses on high-level decisions and underlying assumptions about offerings, customer segments, and business and go-to-market plans for the next three to five years.
  • The size of the individual vendor markers in the IDC MarketScape represents the market share of each individual vendor within the specific market segment being assessed. 

IDC MarketScape Methodology

IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor’s characteristics, behavior, and capability.

Market Definition

Incident readiness services help organizations prepare to act in the case of a security breach or attack by putting in place organized procedures to manage the effect of a breach in the event of such a security incident. Incident readiness services include consulting, training, assessments, exercise and testing engagements, and other complementary services.

The objective is to limit the damage of any potential security incident and to reduce recovery time and costs through the prompt identification, isolation, and eradication of the problem.

Definitions of Incident Readiness Services

IDC recognizes five buckets of incident readiness services that providers generally offer. The following list is not exhaustive, but it lays out the primary capabilities that IDC sees in the market; the definitions are largely based on industry standards as well as the knowledge IDC gained doing the research for this study:

  • Consulting:
    • Risk mitigation. The prioritization, evaluation, and implementation of the appropriate risk-reducing controls/countermeasures recommended from the risk management process
    • Security strategy. A strategy that is determined after completion of activities such as asset discovery and risk classification, review of existing security controls, and evaluation of new/additional controls and security team capabilities (The strategy is a living document that describes the steps an organization should follow to identify, remediate, and manage risks while remaining compliant with applicable regulations.)
    • Business continuity and disaster recovery. Business continuity that focuses on what organizations need to do to keep their businesses running in case of a crisis and return to normal state; disaster recovery that focuses on restoring IT systems and operations as quickly as possible following a disaster to minimize downtime
    • Creation of incident response playbooks. Playbook documents that outline actionable steps an organization can follow to successfully recover from a cyberevent
    • Creation of runbooks. The establishment of predefined procedures to achieve a specific outcome
    • Cyberinsurance. Guidance and negotiation related to purchasing cyberinsurance
    • Ransomware C-suite. Advice and counsel given to the C-suite related to specific ramifications that a ransomware attack entails
  • Assessments:
    • Risk. The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact
    • Maturity. A review of the existing cybersecurity program to determine preparedness for sophisticated attacks and examination of relevant internal documentation; sometimes includes in-person meetings with an organization to understand how the security program works in practice; often includes a heatmap to demonstrate gaps and road map to maturity
    • Network architecture. An evaluation of network architecture and network operations designed to identify vulnerabilities related to device configuration, controls, and policies; typically includes recommendations (ideally prioritized) to address vulnerabilities
    • Cloud architecture. An assessment of cloud service providers’ security controls, policies, standards, and documentation and comparison to an organization’s requirements; typically identifies gaps and provides recommendations to address security vulnerabilities
    • Edge architecture. An assessment of the security of physical or virtual components, software, and processes used in edge computing (When appropriate, regulatory compliance should be a consideration.)
    • Vulnerability. Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation
    • Compromise. A high-level review of an organization to determine if it has been or currently is compromised
    • Proactive threat hunting. The proactive and iterative search for threats that have evaded detection by automated detection systems
    • Threat modeling. A form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment
    • Ransomware readiness. Checks an organization’s ability to defend against an actor’s techniques, detect ransomware threats, respond effectively in case of attack, and recover rapidly based on knowledge of assets, locations, and restoration procedures
  • Exercise/testing:
    • Penetration testing. A form of ethical hacking that involves simulating a cyberattack on an organization’s network and other systems such as web applications to discover vulnerabilities and test security controls
    • Cyber range. An interactive, virtual learning/training environment in which attacks on IT infrastructure, software platforms, networks, and applications can be simulated
    • Tabletop exercises. A discussion-based exercise in which team members gather around a table to discuss their roles and responsibilities related to a cybersecurity event (Exercises, which can be customized scenarios, examine current state and identify improvements.)
    • Incident response plan testing. Methods such as tabletop exercises, simulated attacks, and communications strategy testing that verify whether incident response playbooks and processes work as expected
    • Red team exercises. Exercises in which a red team tests the effectiveness of a security program (This is accomplished by emulating the behaviors and techniques of likely attackers in the most realistic way possible. The practice is similar, but not identical, to penetration testing, and it involves the pursuit of one or more objectives.)
    • Blue team exercises. Exercises for blue teams, the internal security teams that defend against both real attackers and red teams (Blue teams should be distinguished from standard security teams, as most security operations teams do not have a mentality of constant vigilance against attack — the mission and perspective of a true blue team.)
    • Purple team exercises. Exercises run by groups that exist to ensure and maximize the effectiveness of the red and blue teams (They do this by integrating the defensive tactics and controls from the blue team with the threats and vulnerabilities found by the red team into a single narrative that ensures the efforts of each are utilized to their maximum.)
    • Breach and attack simulation (BAS). An evaluation of security postures in a continuous, automated, and repeatable way by simulating cyberattacks against an organization’s infrastructure from within and outside (BAS is used to complement traditional red/blue or purple team exercises, or penetration testing exercises.)
  • Training:
    • Media and communications. Learning activities centered on an organization’s security incident communication strategy, which covers internal communications, media communications, and issues related to compliance
    • Crisis management. Learning activities focused on the process and steps an organization performs to respond to and manage a crisis that has the potential to harm the business or stakeholders
    • Ransomware recovery for IT/security. Training focused on the processes and procedures used to recover from a ransomware attack (Depending on the type of attack, adherence to digital forensics procedures may be essential.)
    • First responder. Education, and potential certification, of individuals who are an organization’s first line of defense against cyberattacks (Topics may include how to analyze threats, how to design secure network environments, and how to investigate security incidents.)
    • Red team. Training sessions designed to teach an internal group to test the effectiveness of a security program (The team plays an adversarial role by running simulated cyberattacks, including penetration testing and vulnerability assessments. Attacks are designed to determine how well people, networks, applications, and physical security controls can detect, alert, and respond to an attack.)
    • Blue team. Education of a group that assesses network security for purposes of identifying vulnerabilities and strengthening incident response (Knowledge of tactics, techniques, and procedures is essential. A blue team defends against red team attacks and uses methods such as security audits and reverse engineering.)
    • Purple team. The education of a “bridge” team that works between red and blue teams to facilitate information sharing and real-time collaboration to improve organizational security (The purple team can be a separate group or a methodology that red and blue teams can implement.)
    • Cybersecurity end-user awareness. Employee education focused on identification of suspicious attachments, social engineering, and scams (In addition, employees are taught what to do when they encounter suspected malicious attacks and how to report them.)
    • Cyberthreat intelligence. Education of individuals who are tasked with using threat intelligence to identify, analyze, block, and remediate potential and actual threats
    • Framework (e.g., MITRE ATT&CK). Sessions designed to teach individuals about one or more security frameworks and how to use them in their cybersecurity analyst roles
  • Complementary:
    • Forensics imaging/analysis during red, blue, or purple team exercises or other simulation exercises. The analysis of relevant data from digital images using the latest image analysis techniques (This may involve metadata, GPS data, and other analysis to determine image origin and content, generally undertaken in legal investigations.)
    • Threat intelligence. Data (and sometimes advice) about cyberattackers, including tactics, techniques, and procedures, that is supplied to experts who can enrich, correlate, and analyze it to improve an organization’s cyberdefense
    • Big data and analytics (also known as anomaly detection or user behavior analytics). The use of machine learning to identify unusual patterns, events, and atypical behaviors that may indicate malicious activity
    • Backup as a service (BaaS). A cloud-based service that provides offsite data storage and regular backup to help protect against data loss (The provider assumes responsibility for maintenance and management because backups are no longer performed on premises.)
    • Disaster recovery as a service (DRaaS). A cloud-based service that backs up an organization’s data and IT infrastructure and enables restoration after a disaster or outage
    • Threat hunting (by monitoring structured and unstructured data, email, and chats on the dark web versus compromise assessments). Threat hunting performed by cybersecurity experts who search networks, endpoints, and files looking for malicious, suspicious, or risky attackers or activities that aren’t discovered by cybersecurity tools or controls (Reactive threat hunters seek to eradicate the identified malware, and then search for other possible incursions by the attacker and the associated malware. Targeted threat hunts occur around the high-value assets of an organization. Proactive threat hunting is the hypothetical analysis of the tactics, techniques, and procedures of a likely adversary and hunting around a likely area of compromise.)
    • IT asset discovery. An inventory of IT assets used in an organization (Typically, discovery includes hardware devices, device configuration, and software.)
    • Internet of Things (IoT) asset discovery. The detection of Internet of Things devices in networks, including a determination of their connection status, for purposes of building an asset database (Details about device attributes and entitlements contribute to identity and access management decisions.)
    • Operational technology (OT) asset discovery. An inventory of operational technology industrial assets, physical or virtual, including location, make and model, hardware/software configuration, and any known vulnerabilities
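The "big data and analytics" and "threat hunting" entries above describe what these services deliver, not how a baseline is turned into a finding. The following added example is not part of the IDC report and is not any assessed vendor's code; it illustrates the principle on a constructed authentication log. It builds a per-user daily baseline of failed logins, scores the day under review with a robust z-score (median and median absolute deviation, so a few noisy baseline days do not distort the result), and adds a second hunting signal for source addresses the user has never authenticated from during the baseline. The log format, user names, addresses, dates and threshold are all constructed assumptions.

```python
"""Baseline-and-deviation anomaly detection over authentication events (added example)."""
import re
import statistics
from collections import defaultdict

# Assumed, constructed log format: "<ISO timestamp> auth user=<u> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def build_sample_log():
    """Construct a synthetic log: seven quiet days, then a noisy day for one user.

    Users, addresses and dates are invented for the example; 203.0.113.9 is a
    documentation (TEST-NET-3) address standing in for a previously unseen source.
    """
    lines = []
    users = {"alice": "10.0.1.15", "bob": "10.0.1.22", "carol": "10.0.1.31"}
    for day in range(1, 8):
        for user, src in users.items():
            for _ in range(5):  # routine successes
                lines.append(f"2021-11-{day:02d}T09:00:00Z auth user={user} src={src} result=success")
            for _ in range(day % 3):  # a typo or two: 0-2 failures per day
                lines.append(f"2021-11-{day:02d}T09:05:00Z auth user={user} src={src} result=failure")
    # Day 8: a burst of failures for alice from an address never seen in the baseline.
    for _ in range(40):
        lines.append("2021-11-08T03:14:00Z auth user=alice src=203.0.113.9 result=failure")
    for user, src in users.items():
        lines.append(f"2021-11-08T09:00:00Z auth user={user} src={src} result=success")
    return lines


def parse(lines):
    """Parse matching lines into dicts; silently skip lines that do not fit the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(lines, score_day, threshold=3.5):
    """Return findings for score_day: users whose failure count deviates from their
    own baseline (robust z-score >= threshold) or who used a never-seen source."""
    events = parse(lines)
    days = sorted({e["day"] for e in events})
    baseline_days = [d for d in days if d != score_day]

    failures = defaultdict(lambda: defaultdict(int))   # user -> day -> failed logins
    sources = defaultdict(lambda: defaultdict(set))    # user -> day -> source addresses
    for e in events:
        sources[e["user"]][e["day"]].add(e["src"])
        if e["result"] == "failure":
            failures[e["user"]][e["day"]] += 1

    findings = []
    for user in sorted(failures.keys() | sources.keys()):
        # Zero-fill so days with no failures count as 0 rather than being ignored.
        history = [failures[user].get(d, 0) for d in baseline_days]
        today = failures[user].get(score_day, 0)
        median = statistics.median(history)
        mad = statistics.median(abs(x - median) for x in history)
        # 1.4826 * MAD approximates one standard deviation for normal data;
        # when the baseline has no spread at all, fall back to the raw difference.
        scale = 1.4826 * mad if mad else 1.0
        score = (today - median) / scale

        seen = set().union(*(sources[user].get(d, set()) for d in baseline_days))
        new_sources = sorted(sources[user].get(score_day, set()) - seen)

        if score >= threshold or new_sources:
            findings.append({"user": user, "day": score_day, "failures": today,
                             "baseline_median": median, "score": round(score, 2),
                             "new_sources": new_sources})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in detect(build_sample_log(), "2021-11-08"):
        print(f)
```

The two signals are deliberately independent: a credential-stuffing burst shows up in the failure count even from a familiar address, while a quiet login from an unfamiliar address shows up in the source check even with no failures at all. A hunt team would typically start from a hypothesis (for example, "an actor is testing stolen credentials against VPN accounts"), run this kind of scoring over the relevant window, and then pivot from the flagged user and address into the surrounding events.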

Related Research

  • Market Analysis Perspective: Worldwide Security Services, 2021 (IDC #US48246421, September 2021)
  • IDC MarketScape: U.S. Managed Detection and Response Services 2021 Vendor Assessment (IDC #US48129921, August 2021)
  • Accelerate Threat Detection and Response with Advanced Tools, Technologies, and Expertise (IDC #US47724721, June 2021)
  • IDC PlanScape: Breach Attack Simulation Services (IDC #US47649921, May 2021)

IDC MarketScape: Worldwide Incident Readiness Services 2021 Vendor Assessment

This IDC study presents an assessment of vendors offering incident readiness services through the IDC MarketScape model. The assessment reviews both quantitative and qualitative characteristics that define current market demands and expected buyer needs for incident readiness services. The evaluation is based on a comprehensive and rigorous framework that assesses how each vendor stacks up against the others, and the framework highlights the key factors that are expected to be the most significant for achieving success in the incident readiness services market over the short term and the long term.