The IR Retainer Redefined: Boosting Cyber Resilience with MDR + Cyber Risk Retainer

An effective detection and response capability is essential for monitoring key assets, containing threats early and eradicating them. However, due to the current disparate nature of potential attack vectors within an organization, affording the wide range of sensors necessary can be a challenge as well as the worry of the disruption of critical services. Yet, without robust detection and response processes, businesses are left vulnerable. Organizations are also under pressure to manage the potential business and financial costs and complexities of post-breach activities such as privileged investigations, litigation, crisis communications and breach notification to name just a few. Alongside this, they must respond to the changing requirements of cyber insurers, many of whom now require retainers for new policies and renewals.

How can businesses tackle this current landscape to ensure they have the services they need when they need it, without disrupting their business and not breaking the bank? The answer is a more flexible “cyber risk retainer,” as opposed to an incident response (IR) retainer, combined with an MDR service, as this allows them to achieve significant cost savings by bundling together any pre-incident services from tabletop exercises, penetration tests, dark web monitoring or cloud configuration reviews, to any post-incident services such as digital forensics, breach notification and litigation support.

In this article, we outline why it would be misguided to solely rely on a traditional MDR solution or an incident response (IR) retainer and explain why combining a cyber risk retainer with an MDR service significantly advances an organization’s security posture.

Organizations can avoid these limitations by opting for a Cyber Risk Retainer that provides a broader scope and range of service and flexibility around hours.

From IR Retainer to True Cyber Resilience

Since hours are tied to breach response activities, many organizations still regard the addition of an incident response retainer to their MDR service in the same way they view an insurance policy. They see it as good to have just in case but don’t recognize its true value until something goes wrong. While the cybersecurity industry has sought to adapt to this by offering the ability to re-allocate a certain percentage of retainer hours to incident readiness services such as tabletop exercises, there is still a notable lack of flexibility.

However, with the right approach and capabilities, it is possible to move beyond just pigeonholing IR retainers within incident response so that they actively enable cyber resilience when paired with MDR.

At Kroll, we believe that a retainer should by default contain fundamental DFIR capabilities and SLAs but also provide organizations with the flexibility of being able to use 100% of their service credits towards any cybersecurity services that can help them become more resilient to future threats. This means that, when adding a Cyber Risk Retainer on top of your MDR service, not only are you already covering key aspects of detection and response but also you have the flexibility of applying your service credits to protection.

Added Response Value: The Benefits of MDR and a Cyber Risk Retainer

Organizations that use an MDR service should already benefit from rapid threat detection and what we define as “complete response”. This is the ability to move beyond tactical response actions that address the symptoms of an attack and bring in remote DFIR capabilities to treat the root cause by also hunting for additional signs of indicators of compromise and reverse engineering malware, eliminating persistence, eradicating the threat across all systems, and providing lessons learned. Not every MDR vendor can provide unlimited DFIR, and Kroll is particularly proud of this feature of our service. So, what additional “response value” should a cyber risk retainer provide on top of your MDR solution?

When it comes to procuring MDR, not all companies will want to deploy detection sensors or agents on certain business-critical assets. Even if they do, there’s always the rare possibility that a complex or unanticipated attack could compromise previously undiscovered systems. More legal and recovery expertise could then be required in order to limit the impact of the attack and bring the business back to normal. This is the point at which an MDR provider should be able to add more breach response capabilities bundled within a cyber risk retainer. Some of the key benefits of these added capabilities include:

Responder Clients Improve Resiliency With a Cyber Risk Retainer

Uncovering Hidden Threats

An independent provider of foreign exchange risk management and trading services to financial institutions had unfortunately experienced a business email compromise (BEC) attack which made them feel exposed and not confident in their ability to detect and respond adequately to future security incidents. The company also had a lack of trust in the IT Managed Service provider it had in place. The business engaged Kroll for its Responder services – SIEM and EDR – and added Kroll’s Retainer services to that. This combination of support gave the business 24X7 expertise to detect and respond to threats, flexibility to leverage multiple service lines under the retainer, immediate risk reduction through proactive, targeted security assessments, and on-going strategic advice and guidance through Kroll’s virtual CISO.

Exceeding Initial Security Goals

Another Kroll client invested in the Kroll Responder MDR+ Cyber Retainer Bundle in order to meet certain compliance requirements and become more resilient. The company needed a partner to address its MDR needs and help it become more cyber mature and cyber resilient. Going far beyond the company’s initial goals for its retainer, Kroll is now advancing its security posture through tabletop exercises, red teaming and risk assessments.

MDR + Cyber Risk Retainer from Kroll: Minimize Risk, Mature Resilience

As a leading provider of cyber risk management services, our proven expertise across all areas of cyber resilience – protection, detection, response – can be accessed through our MDR+Cyber Risk Retainer Bundle. While our Kroll Responder MDR service ensures threat detection and response coverage, including our cyber risk retainer with it provides the flexibility to use 100% of your service credits towards any other service at a discounted rate across our protection, response and validation service areas. Doing so also provides peace of mind that Kroll’s team of forensic experts are on hand as and when required to respond to, contain and remediate an incident. 

A Kroll Cyber Risk Retainer guarantees expedited response as well as breach notification and proactive services to minimize the impact of an incident and mature your cyber resilience. Our retainer options address the pressure that organizations feel to maximize the value of cyber security investments with upfront pricing and service structure.

 

Kroll's Cyber Risk Retainer program gave us the flexibility to utilize our retainer credits to help us accomplish some of our IT security goals during the year, while having the peace of mind that we had a Tier 1 partner to quickly respond if we had some type of cyber incident.”

     – NetScout Systems, Inc

Organizations should keep in mind that typical IR retainers focus on incident response to the exclusion of breach response. Because of this, they must be vigilant about selecting a retainer that not only goes beyond incident response but also leads the market in flexibility and range of service. By combining an MDR service with a cyber retainer that can adapt to meet their specific security issues and needs, organizations can look forward to achieving true cyber resilience.

Learn more about our Cyber Risk Retainer or find out about our MDR service, Kroll Responder. Contact us to speak to one of our experts and arrange a demo.