The Ancient Greek maxim “know thyself” is one of the hardest for security organizations to carry out, especially in an ephemeral, multicloud world.
“We all have this problem of understanding ourselves and knowing what resources we have, the users out there, how things are connected,” said JupiterOne founder Erkang Zheng. “And so, in order to better protect ourselves, we need to have this visibility and in the age of cloud, … where everything is ephemeral, everything is defined as software, and things change so fast and so much, the security team cannot keep up.”
The Morrisville, North Carolina-based startup JupiterOne tackles asset management with automation, a graph database to understand the connections, visualizations and a tool to build and enforce security and compliance policy.
The technology was built in-house at healthcare technology vendor LifeOmic and spun out of that company in 2018.
“We were building security practices and governance and compliance, and we needed something to drive this fundamental visibility so that we can answer the questions the auditors are asking, and we can answer the questions that operationally the team needs to ask on a day-to-day basis to reduce the risk,” he said.
Zheng was chief information security officer there at the time, and had previously spent 15 years in security with Fidelity, IBM, Cisco and several others.
Though JupiterOne has been around for about 18 months, it is treating its recent announcement of a $19 million Series A led by Bain Capital Ventures as its “launch.”
Its customers include Reddit, Databricks, HashiCorp, Addepar, Auth0, and OhMD.
JupiterOne’s core technology is an asset discovery/management engine built on top of a graph-based configuration management database (CMDB). A flexible and extensible query language on top can be used to build configuration management, vulnerability management, compliance, incident response, and threat-hunting workloads for companies.
At RSA in March, Zheng outlined the benefits of such a database, explaining it would contain vulnerability management; governance, risk management and compliance; network; endpoint and infrastructure data. Then users could query the data based on the central question: What does it matter? What does this finding mean in my environment?
The essential elements are the context and relationships between the data, he said.
Most CMDBs in use today are only as up-to-date as the company’s team keeps them, according to Zheng. That is neither sustainable nor scalable; the upkeep needs to be automated, he says.
JupiterOne integrates with more than three dozen Amazon Web Services services, as well as more than a dozen security and DevOps tools, including Okta, Heroku, Snyk, Cisco Meraki and VMware’s Carbon Black Defense. It automatically pulls in data through read-only access to create a real-time, continuously updated inventory of a company’s digital assets.
It determines the real-time status of that digital environment from the relationships mapped in its knowledge graph, plotted against various security and compliance frameworks.
It also evaluates the status of those resources against security policies and procedures, which can be created with its Policy Builder. Its templates map procedures and controls to security frameworks such as PCI, HIPAA, HITRUST, NIST and GDPR.
Connecting the Dots
If you’re trying to remediate a vulnerability, you need to answer questions like: What is the extent of it? What might the ripple effect of that particular incident or vulnerability be? What happens if I take a server offline?
Those types of answers reside in the connections and the relationships between resources within the digital environment, Zheng explained.
“JupiterOne is the place connecting the dots. We use software and connectors to connect to APIs of the operating environment of an organization,” Zheng said. Connections could be made to cloud infrastructures like AWS, GCP and Azure. It could connect to user environments driven by single sign-on and multifactor authentication. It could connect to code repositories, agents that run on your endpoints, and vulnerability findings that feed into the central repository from all sorts of different scanners.
“So step one is we discover and aggregate that data into a central repository. And step two is we normalize, and then use a common data model to describe all the data that previously came in from different shapes and forms into a common data model that is easy to analyze,” Zheng said. “And third is that we build out the graph, we build our connections so that we not only know what’s out there but how are they connected?
“So with that data now, we allow people to ask questions and run queries, do searches and answer questions like, you know, vulnerability remediation questions, incident response questions, threat analysis questions, configuration auditing questions,” Zheng said.
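The three steps Zheng describes (aggregate, normalize into a common data model, connect into a graph, then query), as an added toy example that is not JupiterOne’s code: a few constructed records, in the shapes a hypothetical AWS connector and a hypothetical vulnerability scanner might return, are normalized into one entity/relationship model, joined into a graph, and then queried for the kinds of questions raised above: which data stores are public, what a compromised host can reach, what depends on a given asset, and which finding matters most given its surroundings. The record shapes, entity classes and relationship names are all assumptions made for the example.

```python
"""Toy graph-backed asset inventory: aggregate, normalize, connect, query.
Added example, not JupiterOne's code; record shapes and names are assumed."""
from collections import defaultdict, deque

# Step 1: constructed sample records, in the shape a hypothetical AWS connector
# and a hypothetical vulnerability scanner might return.
AWS_RECORDS = [
    {"Type": "Instance", "InstanceId": "i-0a1", "Tags": {"Name": "web-1"}, "IamRole": "web-role"},
    {"Type": "Instance", "InstanceId": "i-0b2", "Tags": {"Name": "batch-1"}, "IamRole": None},
    {"Type": "Bucket", "Name": "logs-bucket", "PublicAccessBlock": False},
    {"Type": "Bucket", "Name": "backups", "PublicAccessBlock": True},
    {"Type": "Role", "RoleName": "web-role", "CanRead": ["logs-bucket", "backups"]},
]
SCANNER_RECORDS = [
    {"asset": "i-0a1", "finding_id": "F-1", "severity": "high"},
    {"asset": "i-0b2", "finding_id": "F-2", "severity": "high"},
]


class Graph:
    """Common data model: typed entities plus directed, typed relationships."""

    def __init__(self):
        self.entities = {}            # id -> {"class": ..., other properties}
        self.out = defaultdict(list)  # id -> [(relationship, target id)]
        self.inc = defaultdict(list)  # id -> [(relationship, source id)]

    def add_entity(self, eid, cls, **props):
        self.entities[eid] = {"class": cls, **props}

    def add_rel(self, src, rel, dst):
        self.out[src].append((rel, dst))
        self.inc[dst].append((rel, src))

    def find(self, cls, **where):
        """Entities of a class whose properties match every key/value given."""
        return sorted(eid for eid, p in self.entities.items()
                      if p["class"] == cls and all(p.get(k) == v for k, v in where.items()))

    def reachable(self, start):
        """Everything reachable by following relationships outward: the blast radius."""
        seen, queue = set(), deque([start])
        while queue:
            for _, nxt in self.out[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def dependents(self, target):
        """Entities with a relationship pointing at target: what notices if it goes away."""
        return sorted(src for _, src in self.inc[target])


def build_graph(aws_records, scanner_records):
    """Steps 2 and 3: normalize each source's shape into the common model and connect."""
    g = Graph()
    for r in aws_records:
        if r["Type"] == "Instance":
            g.add_entity(r["InstanceId"], "Host", name=r["Tags"]["Name"])
            if r["IamRole"]:
                g.add_rel(r["InstanceId"], "ASSUMES", r["IamRole"])
        elif r["Type"] == "Bucket":
            # The AWS-specific flag becomes a source-agnostic `public` property.
            g.add_entity(r["Name"], "DataStore", public=not r["PublicAccessBlock"])
        elif r["Type"] == "Role":
            g.add_entity(r["RoleName"], "AccessRole")
            for bucket in r["CanRead"]:
                g.add_rel(r["RoleName"], "CAN_READ", bucket)
    for f in scanner_records:
        g.add_entity(f["finding_id"], "Finding", severity=f["severity"])
        g.add_rel(f["finding_id"], "ON", f["asset"])
    return g


def prioritize_findings(g):
    """Step 4, 'what does this finding mean here?': rank by what the host can reach."""
    ranked = []
    for fid in g.find("Finding"):
        host = g.out[fid][0][1]
        stores = sorted(e for e in g.reachable(host) if g.entities[e]["class"] == "DataStore")
        ranked.append({"finding": fid, "host": host,
                       "severity": g.entities[fid]["severity"], "data_stores": stores})
    # Same scanner severity, but a finding on a host with a path to data sorts first.
    return sorted(ranked, key=lambda x: (-len(x["data_stores"]), x["finding"]))


if __name__ == "__main__":
    g = build_graph(AWS_RECORDS, SCANNER_RECORDS)
    print("public data stores:", g.find("DataStore", public=True))
    print("reachable from i-0a1:", sorted(g.reachable("i-0a1")))
    print("depends on logs-bucket:", g.dependents("logs-bucket"))
    for row in prioritize_findings(g):
        print(row)
```

The point of the example is the last query: both scanner findings carry the same severity, but only the one on the host that can assume a role with read access to the buckets gets ranked first, because the answer lives in the relationships rather than in the finding record itself. The same `find` call that lists public data stores is the shape of check that separates public from private buckets before tightening controls on them.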
Security + Compliance
JupiterOne moves compliance from a manual, survey-driven snapshot of a point in time to a real-time process, according to Zheng.
“We’re reconnecting security and compliance into the same effort into the same initiative and using data to drive compliance answers, rather than using spreadsheets and surveys and interview questions to drive combined answers,” he said. “This will allow organizations to set up the right data and set up the right query and automate that on a continuous basis. And as a result, what organizations would have will be compliance becoming the natural outcome of security and doing security correctly, rather than doing compliance as a whole separate initiative to the day-to-day security operations.”
Databricks’ Adam Youngberg wrote an engineering blog about how JupiterOne helped his company quickly identify which Amazon S3 buckets were public vs. private in order to apply tighter controls over them.
The global market for enterprise asset management technology is expected to grow to $9.3 billion by 2024, according to BCC Research, but the asset management engine by itself isn’t the most interesting part of JupiterOne’s offering, according to Chenxi Wang, founder and general partner at Rain Capital.
“In a traditional infrastructure, compliance, vulnerability management, incident response, asset management, threat hunting, would mean five to six different security products working together. This means a higher cost, more technical debt, a lot more IT exhaust to manage,” she said.
“It’s high time that we do things differently in the cloud, no longer repeating the mistakes we made with respect to security and IT operations for traditional environments. JupiterOne takes this refreshing approach and built a technology platform that enables people to do just that. With this approach, multicloud, multi-environments come for free as well.”
Amazon Web Services, Snyk and VMware are sponsors of The New Stack.
Feature image: A memento mori mosaic from excavations in the convent of San Gregorio in Rome, featuring the Greek motto “Know Thyself.” Public Domain.