The JupiterOne team kicked off the week at fwd:cloudsec where Field Security Director Jasmine Henry shared her latest research in the session "A Tacky Graph and Listless Defenders: Looking Beneath the Attack Surface."
The latest research from Jasmine questions a popular quote by Josh Lambert, "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." Must defenders always think in graphs to get ahead of attackers, or is there still room to operate with lists? Here's what the data tells us so far:
- 93 percent of assets are separated from the public internet by 4 to 6 degrees.
- Analysis of 880 million attack paths revealed that, on average, defenders delete 67 percent of attack paths each month.
- The median age of an unresolved security finding is 383.71 days old or 13 months, which is nearly twice the average US employee job tenure (7 months).
We'll be publishing the full report later this year, so join our email list in the right sidebar to get notified when the report goes live! Watch Jasmine's presentation in the video below:
New Things from AWS
Following fwd:cloudsec, we joined AWS re:Inforce 2022 for two days of cloud security learning! Day 1 kicked off with a keynote featuring:
- Steve Schmidt, Chief Security Officer at Amazon
- CJ Moses, CISO at AWS
- Lena Smart, CISO at MongoDB
- Kurt Kefeld, VP of AWS Platform
One key theme across all the speakers was the importance of building security expertise outside of the security team. Just as developer culture has significantly shifted away from heroism and toward knowledge sharing, so does the culture of security. Creating single points of failure, whether that is relying on a single person for their institutional knowledge or relying on a single security control as the only line of defense, is extremely risky for the business.
Amazon launched a number of cool products and initiatives at the event.
- AWS Marketplace Vendor Insights - As companies continue to rely on a diversified portfolio of technology to deliver value to their customers, AWS is helping companies "streamline the complex third-party software risk assessment process by enabling sellers to make security and compliance information available through AWS Marketplace." For more details, go to this page.
- AWS Detective for Elastic Kubernetes Services - This new capability of AWS Detective expands security investigation coverage to Kubernetes workloads running on Amazon EKS. For more details, read this blog.
- AWS IAM Roles Anywhere - Say goodbye to creating and managing longer-term AWS credentials! IAM Roles Anywhere provides "a secure way for on-premises servers, containers, or applications to obtain temporary AWS credentials." For more details, read this blog.
- AWS GuardDuty Malware Protection for EBS Volumes - When this new feature is enabled, "a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious." For more details, read this blog.
- Security Guardians - This is an internal program where Amazon software engineers outside of the security org volunteer to participate in the application security review of the services they produce - from inception to delivery. While security is still a shared responsibility between AWS and their customers, it is exciting to know that Amazon is taking an active stance to change their security culture from the inside out.
The full keynote is available on the official Youtube Channel for AWS.
For our quick recap of AWS re:Inforce 2022, check out the video below.