In the cybersecurity industry, the term “IR” stands for Incident Response and is almost synonymous with thoughts of urgency, burnout, and lack of predictability. Over the past decade, the IR space has grown rapidly and has felt the impact of the cybersecurity labor shortage more than any other part of the industry. At the same time, these challenging dynamics have often resulted in lucrative careers for practitioners and exceptional financial results for IR service providers. The phrase ‘if it ain’t broke, don’t fix it’ comes to mind. However, that dynamic has stifled innovation over the years and ultimately served as a key driver for launching MOXFIVE in 2019.
Incident Response: The Historical Model
Traditional IR firms leverage a classic professional services business model, aiming to identify the incident’s root cause and support legal counsel’s effort to determine the victim’s legal exposure. Over the past two decades, the investigations have evolved from credit card theft with intent to sell credit card information on the dark web, nation-states stealing corporate intellectual property to improve competition, single system ransomware for immediate financial gain, Business Email Compromises (BECs) with intent to trick corporate employees into fraudulent payments, to most recently enterprise-wide ransomware. While the technical complexity of these attacks has varied over the years, the ability for threat actors to exploit organizations’ growing dependency on information technology (IT) shifted the focus of IR from largely a legal challenge to an increasingly technical challenge that needs to be solved quickly.
Enter Incident Management as a Platform led by MOXFIVE Technical Advisors.
The Platform: A Virtuous Cycle
A platform is a business model that creates value by connecting producers and consumers, such as Amazon, AirBnb, Uber, Etsy, and eBay. In essence, successful platforms allow producers to sell faster and allow consumers to save time and money when buying. The result is a virtuous cycle where all participants benefit. Importantly, trust is a key characteristic of successful platforms - if producers and/or consumers do not trust the platform, they will not participate and the value is lost. Related, it is important to note that while many software companies use the term “platform” as part of their marketing strategy, often they are selling their own software direct to a consumer which does not constitute a platform business.
At MOXFIVE, we often discuss Airbnb and its success at “scaling the handcrafted experience.” Airbnb set out to change the travel experience, not develop the technology. Along the way, Airbnb developed technology to accelerate and scale the customer experience. In the end, Airbnb became a huge success because they were able to attract enough hosts (producers) to offer travelers (consumers) more options to find what they were searching for and saving travelers time and money, ultimately improving the travel experience for all travelers. This resonates with us at MOXFIVE as we focus on improving the IR customer experience by leveraging a platform approach to create the virtuous cycle between victims of attacks and specialized service providers.
The Need for Scale
MOXFIVE’s Incident Management as a Platform approach introduces scale to the IR customer experience by focusing on speed and efficiency. We do this by avoiding the pitfalls of the traditional professional services firm business model which focuses on headcount to drive capability and success. Instead, MOXFIVE focuses on getting victims the technical expertise and resources they need as fast as possible through rapidly and transparently engaging the appropriate specialized providers based on the details of the incident. From the collective experience of having responded to thousands of cyber attacks, our Technical Advisors clearly define the technical problem for business leaders and legal counsel. Once everyone understands the problem that needs to be solved, MOXFIVE brings the specialized providers to the table and manages the incident response process through to completion. By focusing on connecting the consumers (victims) with producers (vendors), we have created a platform that is positioned to lead the execution of technical workstreams at a scale unmatched by traditional professional services firms.
Consider how the industry is currently fighting ransomware. While threat actors scale by employing affiliates to amplify attack volume, traditional IR firms are hiring additional headcount (resources) to keep up. To be fair, IR firms have gradually been positioned – and arguably pushed – to play the role of ‘all things technical’ without specialization for two reasons:
However, additional headcount cannot alleviate the fact that IR firms are built to specialize in forensic investigations versus a broad set of technical offerings. It’s a business model challenge, not a headcount challenge. Consider the typical client needs when responding to ransomware:
Now, consider the various curveballs that may arise when responding to a ransomware attack, which fall outside of traditional IR firms’ capabilities:
These requirements and capabilities were too much for one organization to consistently and reliably deliver, until now. MOXFIVE’s platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance they yearn for in this time of crisis, and at the same time facilitates the delivery of all technical needs required, consistently and efficiently.
Time for Change
If asked, I bet most organizations who had to foot the bill for IR services expected a better experience and more value given the price tag. As the industry struggles to keep pace with more disruptive cyberattacks and the ever-growing digital dependence of victim organizations, we cannot expect last decade’s playbook to facilitate the much needed change. MOXFIVE’s Incident Management as a Platform approach creates a virtuous cycle where all participants achieve a better outcome - our ecosystem of partners benefit from being able to focus on their specialization and deliver value versus selling their value, and our customers save time and money because of the efficiencies our approach brings to the table - or better said, creates a new ‘table.’
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.