I don’t understand companies that buy a credible incident response retainer and then are terrified to activate it, even though the hours are paid for and a rate and SLA are guaranteed. When in doubt, activate your retainer! Get a fresh set of eyes! You don’t just buy the retainer for the sake of your insurer and regulator. You have specialist incident responders on call to help you and help make things better! Any legitimate company will just use the minimum required hours for the contract and situation. It isn’t a magic red button where the incident isn’t real until you press it… #infosec #DFIR
@hacks4pancakes yep, I have also seen MSSP vendors providing insurance if they are selected as vendors and still customers don’t activate them. Would be keen to know why the reluctance to press the ☎️
@d0pp3l6ang3r it’s so sad
@hacks4pancakes yep, even if they say “Hey guys, we see x, let us know if you think it’s bad, and if we should activate IR. Let us know an estimate of how many hours will this be. We have x hours with you every month, if this goes beyond that let us know why we should prioritize this or extend those hours. For exploratory engagement we are okay to spend Y, but if nothing yields in z hours we gotta deactivate you!” With vendors providing insurance per server, you can just say “we use you as MSSP, if you think this is false pos, let us know, if not, go ahead and initiate the claim process and IR”