07-25, 09:50–10:10 (US/Eastern), Room 1
John Lambert is well known for his quote, "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." But is this always true? Based on new research leveraging data across 1,300 organizations, we discovered areas where it is appropriate to continue using lists and other areas where graphs are more helpful to defenders. This presentation will examine various types of attack surfaces and attack paths to determine the type of techniques (e.g., lists vs graphs) and controls (e.g., bounded vs unbounded) that are potentially most useful for defenders.
We will also examine how different architectural designs might affect these attack surfaces and paths and how the principles of the D.I.E. Triad (distributed, immutable, ephemeral) influence the size of the attack surfaces and the depths of the paths that are underneath that surface.
Jasmine is Field Security Director at JupiterOne, lead author of The 2022 State of Cyber Assets Report, and executive editor of "Reinventing Cybersecurity." She is an accidental career specialist in applied graph theory for cloud-native startup security. Jasmine has a MS in Informatics & Analytics from Lipscomb University in Nashville, TN. She is on the board of directors for The Diana Initiative. Jasmine has worked with Esper.io, IBM Security, HPE, the ADP Research Institute, Philips, the Tennessee Valley Authority (TVA), and other organizations in her career.