Lesley Carhart · Mar 21, 2022 · 8:58 PM UTC

Lesley Carhart

Lesley Carhart @hacks4pancakes

21 Mar 2022

Man, I’m not trying to sales pitch or anything, but if you don’t have an actually functioning basic IRP, BCP, and IR retainer (or ready to go internal IR team), the best time was a month ago but the second best time is now.

482

Hal Pomeranz · Mar 21, 2022 · 9:19 PM UTC

Hal Pomeranz @hal_pomeranz

21 Mar 2022

IR retainers may not be sufficient if your external IR firm is already oversubscribed.

Harbulary Battery · Mar 23, 2022 · 12:19 PM UTC

Harbulary Battery @keydet89

23 Mar 2022

It's also about how you use the retainer. During my time, I've seen too many managers deploy the retainer simply because their team had already left the parking lot for the day, sending DFIR analysts on-site for operational but not security-related incidents. 1/

Hal Pomeranz · Mar 23, 2022 · 7:33 PM UTC

Hal Pomeranz · Mar 23, 2022 · 7:33 PM UTC

Hal Pomeranz @hal_pomeranz

23 Mar 2022

Replying to @keydet89 @MichaelFazely @hacks4pancakes

Be careful how your retainer agreement is crafted. The SOW should be clear about exactly what kind of work can be performed under the retainer.

Mar 23, 2022 · 7:33 PM UTC

Harbulary Battery · Mar 23, 2022 · 8:07 PM UTC

Harbulary Battery @keydet89

23 Mar 2022

Replying to @hal_pomeranz @MichaelFazely @hacks4pancakes

Oh, agreed. But if you're on the consulting side and follow a utilization model, there may not be much of an option. When I worked for IBM, we had a customer who would declare an incident for...anything and everything.