Thursday, March 14, 2019

The End of the Golden Age of Incident Response Billing

If you squint, you can see the beginning of the end of the golden age of incident response billing. I’ve seen this movie before and I know how it ends because I lived through the golden age of eDiscovery billing.  Incident response will no more go away than litigation requiring the production and review of electronic documents, but the current billing gold rush won’t continue indefinitely.

I left law enforcement and entered the private sector around the time electronic discovery was really gaining steam and interest in the legal world. This resulted in legions of eDiscovery consulting outfits of various sizes and abilities getting into the game and charging confiscatory prices for their work. Billing during this period was such that it took very little for litigation to result in some eDiscovery consulting outfit making six- or seven-figure sums for their work. Law firms and their clients eventually rebelled against being ridden like ponies off into the sunset by the eDiscovery industry and started to bring as much of the work in-house as they could get away with to avoid expensive outsourcing. Electronic discovery cost containment became a very important buzzword in the legal world.

The gold rush also brought in more competition and interest from giant consulting firms who could offer competitive pricing and performance because of their economies of scale and their ability to invest in technology and utilize their existing infrastructure. This resulted in quite a few small-to-medium-sized eDiscovery firms being bought up, merging with other firms, or just going out of business entirely. It wasn’t that eDiscovery went away or that it suddenly became inexpensive, but the market eventually worked things out so that the larger and more efficient firms could offer better speed, cost, and quality to the legal world and their customers.

We’re going to see something very similar in the incident response world. We’re still very much in the information security version of WWII’s Happy Time, where the field of battle still greatly benefits the attacker. That isn’t changing anytime soon, and maybe it never will change. I wrote about this information security happy time in 2011 and very little has changed since then. We just have to look at the headlines to see the near-constant reports of major breaches in all sectors of business and government. These successes are going to continue to result in high demand for incident response services, and these services are not cheap. Many a fortune has been made in recent years by sharp people who set up incident response consulting practices and billed themselves into a king’s ransom. The costs associated with a breach can be immense due to the costs of the technical response itself, resulting litigation, paying for identity theft protection if personally identifying data was involved, and everything else associated with recovering from a breach, including potentially rebuilding all or some of the impacted organization’s information technology infrastructure.

These costs have created a growing cyber insurance market where organizations are making cyber insurance part of their risk management process and basically paying the insurance companies to help shoulder the risk for them. The key rule to understand in an arrangement like this is the age-old one that says “He who pays the piper calls the tune.” When a breach happens, the insurance companies will be the ones dictating the response, since they are the ones shouldering the cost. These firms will have already entered into agreements with trusted incident response providers to provide their services at pre-determined billing rates. The insurance companies will be driving cost containment in this area because their financial health will depend on it. This will put an end to the current golden age of incident response billing, which will put downward pressure on the profits of organizations providing incident response capabilities and on the salaries of those who work in those organizations. I expect that we’ll see similar consolidation in the industry, where it will be hard for smaller incident response firms to survive unless they develop practices based on providing affordable response services to smaller entities that might not have insurance or the resources to pay expensive incident response fees. That said, there will still be plenty of money to be made in this area, and it’s still going to be a great industry to be in if you are interested in developing the incident response skills that will be in demand for a very long time to come.

In the short term, the gold rush is going to continue because the insurance market is still developing in this area. The sun will start to set in the medium term as the insurance industry becomes more mature in this area and an increasing number of breach victims are covered under some form of cyber insurance. I think we’ll also see legislation helping drive some of the cost containment, where organizations that take certain proactive steps, such as being compliant with one information security standard or another, will have their liability capped, and that will also help drive costs down. In the long term, stick a fork in the gold rush that is the current incident response market. It will be done.


  1. Billing aside, the inclusion of insurance and law firms becoming more integral to IR is continuing, even exacerbating, the issues that we've always seen with IR; that is, IR is IR, the client gets billed, move on.

    So what's the big deal with this? Well, consider an analyst who works a ransomware engagement, in their own silo. Due to collection bias and evidence aging out, the analyst isn't able to determine the IIV. Maybe they're new, and honestly don't know how to determine the IIV. Because of the IR business model and billing structure, they have to get the report out and can't bring in another analyst to "take a look" because the billable hours aren't there.

    As a result, "something" gets sent to the customer. There are statements made in the report that a manager reviewing the report doesn't question, because (again, due to the business model) they really don't have the time to look into the analyst's statements.

    The report goes out to the customer, and the analyst moves on to the next engagement. No case notes, no sharing, and no correlation with any of the 4 or 6 other analysts working oddly similar ransomware cases, close to or at the same time. Because the business model and billing structure don't allow it, there is no correlation between analysts or cases, no development of threat intelligence, and subsequently, no public reporting of any kind.

    The business model for IR has always been an issue. Now that IR has moved from full image analysis into a more enterprise-wide approach, incorporating EDR tools as part of the response, these engagements are the best source of "ground truth", more so than can be provided by OSINT. However, the business model has always obviated the ability to publicly report, and hitching to the insurance/law firm wagon has provided just another excuse.

  2. One of the biggest issues I've seen over time is what has NOT happened with DFIR firms...the business model used by both older and newer firms is one in which billable hours are everything. As such, there is no facility or function for strategic tracking of DFIR work. This means that a lot of extremely valuable "ground truth" data gets left "on the floor".

    DFIR firms would benefit greatly if this available data were incorporated into the business itself. Unfortunately, that's not the case and it's unlikely to become part of that business model any time soon, except for extreme cases (like FireEye).