Steve Bowers

Wait… my attack surface is how big? I’ve heard this question - or some variation - over and over throughout my career. With the widespread adoption of cloud platforms, as well as the maintenance of legacy (sometimes forgotten) servers, we can sometimes lose track of our areas for entry. Let’s not forget remote workers and shadow IT! When we don’t know what we need to protect, how successful can our information security programs, practices, and people possibly be? Some of the naughty (and completely unknown) findings we’ve provided to customers tells us “not very”. With an ever-expanding attack surface due to experiments, merger and acquisition, and misconfiguration, how can we possibly know what we don’t know? This talk is meant to help InfoSec professionals and teams get a better understanding of how to discover, monitor, and manage their attack surface. We will examine questions such as: “How can we define and enumerate our own attack surface?”, “What are the attackers able to discover without active reconnaissance?”, “What tools are at our (the good guys) disposal to help us better understand our attack surface?” and “How can we better reduce and/or manage our attack surface?” We will also examine what exactly we can do with the data we mine around our own attack surface to augment our security operations practice.