Incident response (IR) in IT prepares clients for potential incidents, aids in mitigating a realized incident, and assists in the recovery from an incident.
A huge surge in cyber attacks is driving growth of the incident response market, especially detection and IR services to deal with realized incidents.
To learn more about the market that stops cyber attacks in progress, read on:
Today’s Incident Response Market
Reports and Data projects that the incident response market will grow from $16.04 billion in 2019 to $60.6 billion in 2027. Analysts estimate the IR market’s compound annual growth rate (CAGR) to range between 17.23% and 20.3%. Mordor Intelligence estimates that the IR services market alone will grow from $3.48 billion in 2020 to $10.13 billion by 2026, with a CAGR of 20.53%.
The strong growth of the IR market comes from the increase in the volume of global cyber attacks. Accenture notes that the “volume of cyber intrusion activity globally jumped 125% in the first half of 2021 compared with the same period last year.”
Regionally, the North American, Asia-Pacific (APAC), and European markets remain the largest markets in terms of incidents, incident response market size, and expected CAGR.
Researchers expect the largest growth to come from the APAC market because of three factors:
- APAC accounts for nearly one-third of the world’s population
- The economic growth and increased stability in the region
- The increasing number of cyber attacks on India
In addition, as attacks such as the Colonial Pipeline ransomware attack begin to affect millions of people and generate global headlines, we can expect increasing regulatory requirements. Markets and Markets forecasts that these regulations will grow the market by increasing the compliance requirements for addressing, reporting, and recovering from an incident.
Incident Response Providers
The incident response market is composed of products and services that are used to help an organization recover data and systems after an incident. Incidents can be caused by hardware failure (e.g., hard drive crash), human error (e.g., accidental deletion), or malicious actions (e.g., ransomware).
Markets and Markets reports that large international companies with more than $1 billion in annual revenue dominate the incident response market, with an estimated 66% share of total revenue.
These are some of the major incident response players:
- NTT Security
- BAE Systems
- Kaspersky Lab
- Check Point Software Technologies
- AlienVault (AT&T)
- Kudelski Security
- Paladion Networks
- Palo Alto Networks
- Resolve Systems
Incident Response Solutions
Analysts typically segment the incident response market in several ways:
- Security technology specialty: application, cloud, endpoint, network, and web
- Deployment: on premises or cloud
- Service type: Planning and development; assessment and response; advanced threat hunting; training; post-incident reporting and support
Many incident response technologies and service providers offer a blend of solutions that may also encompass cybersecurity technology, networking, backup, or other IT solutions. Key IR solutions offered include:
Attack disruption and mitigation: during an incident, reduce the effectiveness of the attackers and isolate and contain the damage.
Attack surface evaluation: prior to an incident, identify risks, likely vulnerabilities, and how to mitigate possible attack vectors.
Automated detection and response: monitors IT systems for malicious activity and automatically responds to mitigate detected activities. Regularly includes machine learning (ML) or artificial intelligence (AI) algorithms to improve the ability to detect and quickly respond to threats. May also specialize in a particular type of IT: cloud, network, endpoint, Internet of Things (IoT), etc.
Compromise assessment: evaluates the incident to identify compromised resources.
Connection monitoring: evaluate traffic leaving and entering the network to check for suspicious traffic, such as connections to command-and-control servers.
Forensic analysis and investigation: examining endpoints, networks, mobile devices, cloud resources, etc. for the methods and tools used during the incident, in a manner that preserves potential evidence and allows the information to be used later in the mitigation, recovery, and post-incident phases.
Incident response planning: prior to an incident, planning and training internal teams for how to handle likely incidents can improve performance during an actual incident.
Litigation support services and expert testimony: makes experts available to an organization and their legal counsel to support lawsuits, arbitrations, or other actions.
Log collection and analysis: the gathering and review of events on computers that may be captured by log files.
Malware detection: catch malicious software in action, in transit, or in storage.
Malware forensics: analyze malicious software used in an incident.
Managed detection, response, and remediation: active monitoring and response by software or by an expert-staffed security operations center (SOC). Attempts to detect malicious attacks by software or humans, prevent or limit damage to the organization, and help the organization recover from an attack.
Managed security services: provides managed security monitoring, such as security device management, SOC-as-a-service, network monitoring, etc.
Policy creation: IR policies define how an organization will respond to an incident, who will perform what roles, and how to escalate issues.
Post-incident reports: internal and external notices inform affected stakeholders and can illustrate how to prevent attacks.
Readiness assessment: evaluates policies and procedures regarding IR.
Table-top exercises: provides scenarios to stakeholders that allow them to consider potential incidents, explore consequences, practice responses, and find areas of improvement.
Tailored threat consulting: provides a pre-attack evaluation of what types of attackers may target the entity, how they may operate, and what they might want.
Threat-intelligence sharing: before, during, or after an attack, sharing intelligence with peers and industry experts can reduce risk, provide advance warning, and cut off potential attacks.
Threat management: preparation and ongoing management of an organization’s IT resources and defenses to prevent likely attacks, mitigate the most likely methods, and secure the most likely pathways.
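To make three of the categories above concrete (log collection and analysis, connection monitoring, and the evidence-preservation requirement of forensic analysis), here is an added example that is not part of the original article and is not any vendor's product. It parses a handful of constructed firewall-style log lines, flags destinations on a constructed denylist standing in for a threat-intelligence feed, flags source/destination pairs that connect at near-constant intervals (a common command-and-control beaconing pattern), and records a SHA-256 of the raw log before analysis so the reviewed copy can later be shown to match what was collected. The log format, IP addresses, denylist and thresholds are all assumptions made for the example.

```python
"""Minimal outbound-connection log review (added example; all data constructed)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log lines; the addresses are documentation ranges,
# not real hosts.
SAMPLE_LOG = """\
2021-09-01T10:00:00Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp
2021-09-01T10:00:30Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp
2021-09-01T10:01:00Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp
2021-09-01T10:01:30Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp
2021-09-01T10:00:12Z fw allow src=10.0.0.9 dst=198.51.100.20 dport=80 proto=tcp
2021-09-01T10:05:44Z fw allow src=10.0.0.9 dst=192.0.2.33 dport=8443 proto=tcp
2021-09-01T10:07:01Z fw deny src=10.0.0.9 dst=192.0.2.33 dport=8443 proto=tcp
"""

# Constructed denylist standing in for a threat-intelligence feed (assumption).
DENYLIST = {"192.0.2.33"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Turn raw log text into event dicts; unparsable lines are kept and marked."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            # Keep malformed lines visible rather than silently dropping evidence.
            events.append({"lineno": lineno, "raw": line, "parse_error": True})
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        e["lineno"] = lineno
        events.append(e)
    return events


def find_denylisted(events):
    """Connections (allowed or denied) whose destination is on the denylist."""
    return [e for e in events if not e.get("parse_error") and e["dst"] in DENYLIST]


def find_beaconing(events, min_count=4, max_jitter_s=5.0):
    """Flag (src, dst) pairs with at least min_count connections whose
    inter-connection gaps vary by no more than max_jitter_s seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if not e.get("parse_error"):
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "interval_s": sum(gaps) / len(gaps)})
    return findings


def evidence_hash(text):
    """SHA-256 of the raw log exactly as collected, taken before any analysis."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def review(text=SAMPLE_LOG):
    """Run the whole review and return a summary suitable for an incident record."""
    events = parse_log(text)
    return {
        "sha256": evidence_hash(text),
        "events": len(events),
        "parse_errors": sum(1 for e in events if e.get("parse_error")),
        "denylisted": find_denylisted(events),
        "beaconing": find_beaconing(events),
    }


if __name__ == "__main__":
    result = review()
    print("evidence sha256:", result["sha256"])
    for f in result["beaconing"]:
        print(f"beaconing: {f['src']} -> {f['dst']} x{f['count']} every {f['interval_s']:.0f}s")
    for e in result["denylisted"]:
        print(f"denylisted: line {e['lineno']} {e['src']} -> {e['dst']} ({e['action']})")
```

On the constructed input the review reports one beaconing pair (10.0.0.5 to 203.0.113.7, four connections 30 seconds apart) and two denylist hits, one of which the firewall allowed before a later attempt was denied. The hash is computed on the raw text rather than on parsed events so that the value stays stable regardless of how the parser evolves; in a real engagement the collected file, its hash and who computed it would be recorded together.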
Benefits of Incident Response
IR products and services provide benefits beyond simply addressing the incident:
Access to experts: organizations rarely have the capacity to hire and maintain experts in attacks, forensics, malware analysis, and other aspects of incident response that only occur during an incident. Engaging external service providers allows for expertise to be obtained as needed for planning or specific events and their resolution.
Improved defense: preparation activities and post-incident analysis can be used to tighten an organization’s defenses against future attacks.
Liability limitation: using qualified external experts as service providers or as incident response managers can potentially limit liability from lawsuits and provide a faster path to deal with compliance requests.
Prevention of costly attacks: preparation services and IR tools can detect and prevent an attack before it leads to costly consequences (breach, system damage, etc.) or reduce the impact of a successful attack.
Preparation for legal response: proper collection of evidence can provide companies with evidence needed to provide to law enforcement for potential prosecution of attackers or to internal counsel for defense against shareholder, customer, and other potential lawsuits.
Recovery: an attack may damage or expose an organization’s IT systems or data. IR may allow for a faster resolution of the attack and a recovery of systems to resume normal operations.
Incident Response Use Cases
Here is a sampling of how a variety of organizations from different industries and of different sizes use managed detection and response (MDR) and IR services.
“Since day one, Arctic Wolf Networks has been a valued team addition at our organization. Our concierge team is readily available, our questions are efficiently responded to, configuration of service options and notifications/escalations are customized to our organization’s needs and routinely updated. Detection information, interoperability, vulnerability awareness and reporting have so far been a useful addition to our security department and have actively helped in mitigating vulnerabilities plus helping to resolve incidents/potential incidents quickly.” -IT director, a <$50 million corporation in the services industry, review of Arctic Wolf’s MDR at Gartner Peer Insights.
“FireEye MDR is an outsourced SOC 24×7. Works well for a one person security shop or a VP of Infrastructure owning security and compliance as well. They have an integrated platform where email, endpoint agents and network traffic goes into their Helix and then MDR platform.” -CSO, an enterprise between $250-$500 million in revenue in the finance industry, review of FireEye Mandiant’s Managed Defense at Gartner Peer Insights.
“Kroll assist[ed] us during a critical time right at the beginning of a global pandemic. Their approach and engagement were exceptional. They were completely engaged, provided detailed updates and directed us on a specific plan of attack to address our situation. I would highly recommend Kroll and their IRS team.” -IT director of enterprise engineering, an enterprise between $250-$500 million in revenue, review of Kroll’s Digital Forensics and Incident Response Services at Gartner Peer Insights.