Incident Response Business?

Cyberscum · October 2015

I have been approached by a friend about a possible business venture in strictly incident response and disaster recovery. I have always looked at these items as necessary business operations, but never as an actual provider of these services for a business. The more we got to talking the more I realized that in my experience very few businesses had decent policies and guidelines to actually recover from a disaster, so it got my interest.

I have not talked in great detail with him about his goals and vision, but I am interested in what this community has to say about a business that would specialize solely in these services.

Positive or negative let me hear what you think!

dustervoice · October 2015

Ironically, i just had a friend asked me the same thing last week. I shot down the idea as the country he wanted us to create the start-up would require too much initial investment especially on the DR side of things. I would advise you to go ahead if you strongly believe you will be successful. there are lots of opportunities out there for IR work. Good Luck go for it!

gespenstern · October 2015

Every enterprise has a DR site, sometimes even fully redundant multiple sites. Can't say the same regarding small and medium businesses, yeah. And the fact, they usually don't care much about DR because of huuuuuge costs and pretty low probability of disaster actually happening.

For the most part, I'd say, if they become larger their DR efforts become driven by regulation, they never seemed really genuinely caring about this to me.

dmoore44 · October 2015

Make sure you guys perform a thorough market analysis so that you're not trying to fill a hole that doesn't exist... There might be some stiff competition as Mandiant, Verizon, HP, and several other big names already operate in the IR/BCDR space.

Cyberscum · October 2015

gespenstern wrote: »

Every enterprise has a DR site, sometimes even fully redundant multiple sites. Can't say the same regarding small and medium businesses, yeah. And the fact, they usually don't care much about DR because of huuuuuge costs and pretty low probability of disaster actually happening.

For the most part, I'd say, if they become larger their DR efforts become driven by regulation, they never seemed really genuinely caring about this to me.

This is the same view I have on it. His initial interest is in small to medium sized business (which I know lack IRP/DRP), but it comes down to how much does a SMB actually care about recovering from disasters and incidents. I think I might meet with a business coach and get some feedback.

I honestly don't know how you would charge for services for that. Maybe a one time charge for documentation and a monthly service fee for being on standby? hmmm

Cyberscum · October 2015

dmoore44 wrote: »

Make sure you guys perform a thorough market analysis so that you're not trying to fill a hole that doesn't exist... There might be some stiff competition as Mandiant, Verizon, HP, and several other big names already operate in the IR/BCDR space.

From what I understand he wants to target SMB. I can see the need, but I cant make people that operate these SMB's see the need lol

I might set up some appointments with local business owners to get their view on the situation.

@Duster

What big investment? I was thinking for a technical solution amazon AWS and fee for service models.

si20 · October 2015

dmoore44 wrote: »

Make sure you guys perform a thorough market analysis so that you're not trying to fill a hole that doesn't exist... There might be some stiff competition as Mandiant, Verizon, HP, and several other big names already operate in the IR/BCDR space.

Cyberscum, I work for one of the organisations that dmoore44 has mentioned and honestly, without being biased in any way, shape or form - I would think very, very, very carefully about stepping into the ocean that is Incident Response. The reason why HP and Mandiant are so successful is because the have boat loads of money behind them and they have the hardware too. Mandiant/FireEye have quite possibly the best tools in the business and since HP and FireEye struck a partnership: HP News - HP and FireEye Announce First of its Kind Global Alliance for Incident Response and Advanced Threat Services you'd be battling against a goliath of IR and DR.

Obviously you wouldn't be battling against the big companies immediately, you'd start smaller. So who would your customers be? As you've identified, they'd be SMB. Now, the bigger issue is: how do you actually perform your IR? It's a case of needing excellent software combined with extremely deep knowledge of both digital forensics and security. Then of course, there are the strict deadlines you'd need to meet. Most clients will want an immediate response or something very quick - then they'll want you on site within 12 hours.

If you ask me? It's a nice idea but the reason that many people haven't started their own business doing this is because the big names have got the money and software to make this kind of thing happen. Also, if you're using the same tools that FireEye use, then a client might just wonder why they don't go to FireEye direct - that's assuming they care enough about IR/DR to pay up.

Sorry if this sounds a bit negative, it's not supposed to be. I'm just trying to see pros and cons. It's not the cons that is the problem, it's just the money and responsibility that I see being an issue here.

dustervoice · October 2015

Cyberscum wrote: »

@Duster

What big investment? I was thinking for a technical solution amazon AWS and fee for service models.

Well the country in which we were considering, Electrical power there is very unreliable the "government" shuts off power at will. So our plan included providing power generators/UPS etc as a part of our DR service.

636-555-3226 · October 2015

SMB will be a hard sell. They don't get it. Of those that do get it, some will compare your services to the big names and you'll lose. Unless you or your friend are very in the trenches already with local networking of businesses, I think it's going to be a challenge in 2015. 2012 it would have been an amazing idea. Good luck, let us know what you all figure out

NightShade03 · October 2015

I would have to caution against this venture. The IR market is red hot right now...particularly within the enterprise space. IR rates can go from $325/hr up to $500/hr for really good resources. As si20 mentioned, there is a huge lock on the market for those top vendors and consulting firms at the moment, but that doesn't mean there aren't others out there competing for the business. The challenge with IR is that you have to have deep expertise in the tools and the process. Performing an analysis on a VM image, a physical machine, and an AWS instance are VERY different beasts. Now add in that most enterprises have terrible documentation or understanding of their networks and you'll spend more time investigating that then anything else. Additionally, you need to be "on" 24x7. I work for an org that has an IR practice and those guys are top notch, but are also never home. They get on planes at a moments notice and fly around world all year to respond to things. Now granted you (usually) get paid well for that, but at what cost? You never see your family/friends, it takes a toll on your health, etc.

The SMB market is going to start to have a need for this stuff as more and more breaches are happening each day which effect them. I just don't think we are there yet and many of the challenges that apply to the enterprise clients still exist within SMB.

Just my $0.02.

Cyberscum · October 2015

Wow, great responses and some of them hit on the concerns that I have with this type of business. There would be no growth opportunities (or very little) and closing sales on SMB's that are undereducated would be a monumental challenge.

Very good discussion topics for his business idea. Thanks again for the very detailed responses and explanations duster, gespen, dmoore, si20, 636 and nightshade

cwelber · October 2015

The other issue is the liability is HUGE, because remember you're being brought in when the in-house Info-sec guys can't handle it. You'll be under enormous pressure, and if you fail or miss something which comes back to bite the client in the butt you better have great insurance because you'll be sued promptly. I think incident response is perhaps the hardest discipline in the security field, it's a thankless job that only a select few can do full time and those who do earn EVERY penny. I think Risk Assessment maybe a better way to start out as a company, in general you want to do security work for clients under a good liability umbrella (i.e. a corporation as an employee when possible) because there's a lot of liability in some of the infosec discipline and I don't think people always realize this.

lsud00d · October 2015

Cyberscum, curious why you combined IR and DR? IR being cybersecurity, and DR being, well, disaster recovery. Did this play to both of your skillsets?

Cyberscum · October 2015

lsud00d wrote: »

Cyberscum, curious why you combined IR and DR? IR being cybersecurity, and DR being, well, disaster recovery. Did this play to both of your skillsets?

Well, to make a long story short he is a CIO for a dynamic organization and I am an ISSM/IP. We both write and execute these policies for our orgs. But we are gov, so to provide in a civ capacity is a world I am not familiar with.

dustervoice · October 2015

Cyberscum wrote: »

Well, to make a long story short he is a CIO for a dynamic organization and I am an ISSM/IP. .

Had to google ISSMP/IP

hard to keep up with acronyms nowadays. thought it was a new protocol. TCP/IP vs ISSM/IP.

the_Grinch · October 2015

I think everyone covered it, but I'd add the wrinkle that working with SMB's tends to be extremely difficult. In the MSP sector work you did months ago comes back to haunt you. It's funny to see a customer say "well your guy was just out here and x is not working" and when you check you find out the guy was there four months ago. Also, as previously mentioned, heavy liability. You will be signing off on everything being good to go and if it's found that it wasn't look out.

I do believe the space is ripe for making money, but I think it will come with a heavy up front cost and probably operating at a loss for a few years.

egrizzly · December 2020

Cyberscum said:

I have been approached by a friend about a possible business venture in strictly incident response and disaster recovery. I have always looked at these items as necessary business operations, but never as an actual provider of these services for a business. The more we got to talking the more I realized that in my experience very few businesses had decent policies and guidelines to actually recover from a disaster, so it got my interest.

I have not talked in great detail with him about his goals and vision, but I am interested in what this community has to say about a business that would specialize solely in these services.

Positive or negative let me hear what you think!

In my opinion getting into that space you're simply dealing with the People, Process, and Technology needed to provide incident response services. Best advise is to not compete with the big boys on the "Technology" aspect of it but instead focus on the "People" and the "Process" areas. The "People" part of it involve training staff to bring them up to speed in providing Incident Response. The "Process" part of it is offering your services to create those Policies and Procedures that the companies engage in when they have to execute incident response.

You'd be quite surprised how many companies are not even at the minimum expected level of readiness. So in my opinion I'd say go for it, however be explicitly clear what your scope is with any potential clients.

Incident Response Business?

Comments