From securing your code to defending against ransomware: 5 headlines to know this month
With 2024 just around the corner, security leaders are fine-tuning budgets and strategies, taking a close look at what worked (and what didn’t) over the past year. Data breaches are top of mind, costing businesses in the US an average of $9.48 million this year and prompting more than half of the affected companies to increase their security budgets. With the right resources and knowledge, you can better prepare your team for the inevitable security challenges you’ll face next year. From understanding the new SEC cybersecurity requirements to tackling the latest application security challenges, here are some resources your security team needs to know about this month.
CISOs: This framework can help determine which cybersecurity incidents are material.
The SEC now requires reporting of "material" cybersecurity incidents within four days. But how do you determine what's "material"? Our Field CISO Merritt Baer collaborated with 20+ cybersecurity executives to develop a framework to help companies assess incident materiality. As CISOs are increasingly expected to understand, communicate, and comply with these new SEC regulations, this resource can help you get a step ahead. Explore the framework here.
*This does not constitute legal advice. Ultimately, “materiality” should be determined by your own legal counsel.
Security analysts: Identify which MITRE ATT&CK® techniques you actually need to focus on.
MITRE ATT&CK lists known cyber adversary tactics and techniques and explains how to detect and stop them. This framework serves as a common resource used across various security teams, and as a result, certain techniques are useful to some teams but not others. This article from Security Engineer Tareq Alkhatib details the techniques that threat detection teams should focus on, and other ones that they shouldn’t waste their time on.
Read it here.
Application security engineers: Prepare to make strategic security technology decisions.
In a new Forrester report, 53% of global security leaders said that application development teams will make the final decision on which application security technologies to implement. This means that appsec engineers will need to be ready to take on a new role as a strategic advisor and help choose security tools that will fit well into their development workflow, provide accurate results, and weave security into the CI/CD pipeline.
Get the full Forrester report insights here.
Incident response teams: Get ready to survive a ransomware attack.
Industries like healthcare and manufacturing are prime targets for ransomware — a 153% increase in ransomware attacks was observed last month compared to the same period last year. What’s the secret to effective ransomware defense? If you’re only thinking about ransomware when you’re under attack, it’s too late. You need to assume your company is a target every day. “When your board wants to talk about ransomware, remind them that it might take the form of day-to-day improvements — in your patching cadence, how you manage identity, how you defend environments and do infrastructure as code, how you do immutable backups and so forth,” Field CISO Merritt Baer said.
Learn more about ransomware defense strategies here.
Secure your entire cloud from one place with a new approach to code security.
Earlier this week, Lacework released our data-driven approach to code security, making it easier than ever to secure your code throughout the entire application development process. Our new features, including software composition analysis (SCA) capabilities and static application security testing (SAST), help prevent security issues from getting into the wild by identifying them before code is deployed. This approach empowers security teams to be more efficient, eliminates the toil of stitching together data and findings from different sources, and helps teams consolidate onto fewer tools that deliver higher value. Learn more.
What would you like to see in the next issue of the Code to Cloud Monthly Digest? We’d love to hear your thoughts in the comments below.