372 Million Data Points and a Few Strong Opinions on the State of Attack Surfaces

Presented at Diana Initiative 2022, Aug. 11, 2022, 9:30 a.m. (60 minutes)

There have been profound changes in security as a result of industry shifts toward cloud-native development, resilient architecture, and microservices adoption. My analysis of 372 million cyber assets, findings, and policies at 1270 organizations reveals just how significant the changes in the average asset inventory have been, and the profound impact on security teams. This talk will share original, peer-reviewed research on the state of asset inventories and attack surface management at contemporary organizations and analysis of what it means for security teams, providing insight and advice for blue teamers, security leaders, and cloud engineers. In particular, research will cover the industry average (mean) of 120,561 findings in backlog means for security team burnout and how the ratio of cyber assets to practitioners has reached dire levels. The talk will also cover how current security skills training does not reflect the realities of our cloud-native asset architectures, and why ultra-reliable network architecture demands new approaches to security. Finally, the talk will provide original research and analysis of supply chain risk, as well as insight into the most common blind spots for security practitioners - based on analysis of asset inventories compared to practitioner queries of their environments.

Presenters:

• Jasmine Henry - JupiterOne
  Jasmine "Hex" Henry is Field Security Director at JupiterOne and lead author of The 2022 State of Cyber Assets Report (the SCAR). Previously, she was a Director of Security at a different SaaS startup where she became a JupiterOne customer in September 2019. She is an accidental career specialist in applied graph theory for cloud-native startup security, but she firmly feels she could do much worse since graphs are great. Jasmine has a MS in Informatics & Analytics from Lipscomb University in Nashville, TN, and is working to complete a PhD in Information Science. She is on the board of directors for The Diana Initiative and a career village organizer for BSides Seattle, as well as a speaker at countless industry conferences and events. Jasmine has worked with Esper.io, IBM Security, HPE, the ADP Research Institute, Philips, the Tennessee Valley Authority (TVA), and other organizations in her career.

Links:

• https://thedianainitiative2022.sched.com/event/15ck0/372-million-data-points-and-a-few-strong-opinions-on-the-state-of-attack-surfaces

Similar Presentations:

• AppSec USA 2015 / Security as Code: A New Frontier
• Texas Cyber Summit 2019 / BT-1050 Shining a Light on Shadow IT in the Cloud