Man, I’m not trying to sales pitch or anything, but if you don’t have an actually functioning basic IRP, BCP, and IR retainer (or ready to go internal IR team), the best time was a month ago but the second best time is now.
IR retainers may not be sufficient if your external IR firm is already oversubscribed.
It's also about how you use the retainer. During my time, I've seen too many managers deploy the retainer simply because their team had already left the parking lot for the day, sending DFIR analysts on-site for operational but not security-related incidents. 1/
Also, the question is, if you have a retainer, how do you assess or discern the quality of the work product provided? Or do you simply assume that b/c you have a retainer, the analysts sent on-site aren't going to make assumptions and guess? 2/
Is this not generally a problem with third-party services, whether retainer or ad hoc? If you don't have the expertise in house, how do you vet the quality of the work product? This is particularly an issue for DFIR where defects may not be visible for some time.

Mar 23, 2022 · 7:35 PM UTC

And the more specialized the service, the wider the gulf between agent and principal.
"...how do you vet the quality of the work product?" Exactly. How do you discern if the vendor findings were based on a thorough approach, or guesswork? There is a difference, and if you know what you're looking for, it can be somewhat obvious.