A security-as-a-service startup that emerged from stealth last week with $19 million in Series A funding aims to tackle a longstanding challenge for IT and security teams: finding — and keeping up-to-date — all of an organization's online devices and assets, including cloud-native services and connections.
JupiterOne joins the ranks of the emerging and maturing IT and security asset management sector, with products and services that offer an automated inventory of devices and services running on increasingly growing and diverse enterprise networks. Misconfigured systems and network settings as well as unknown unpatched devices sitting on the network are among the most common weak links that expose enterprises to attacks and data breaches, and Internet of Things (IoT) devices have exacerbated the problem of managing network and IT assets. To date, it's been a mostly manual process.
"We're 'the Google' of your digital infrastructure," explains Erkang Zheng, founder and CEO of startup JupiterOne, which spun off as a subsidiary of healthcare software-as-a-service (SaaS) firm LifeOmic, where as CISO Zheng had helped build JupiterOne's platform for the firm's internal use. The concept for the service came amid his own frustration as a former CISO of running multiple security tools (security information and event management; security orchestration and response, vulnerability management; governance, risk management, and compliance security) that require much manual correlation to get on top of security threats and vulnerabilities.
Zheng says his company's service drills down into functions and not just physical devices. "Not just every server instance, but also server functions," for example, he says. "Knowing what those are, how they are configured is one aspect. Second is knowing how it's connected and to be able to absorb and query it in a meaningful way. ... It's a graph to connect all the dots."
Some early adopters of the service are layering it with their security operations. Detailed inventory then provides a "database of the source of truth" when attackers get in, notes Caleb Sima, vice president of security for Databricks, which runs the SaaS. "We know instantly when a database has been opened or a new data store. ... It not only triggers [an alert] that there's a new AWS S3 bucket, but it also knows the user account and also maps to the Okta user" to reveal that User A opened a bucket without permission, for example, he says. The service then contacts the user via email or Slack and alerts them about the unauthorized activity and automatically closes down the bucket.
"When I was at CapitalOne, one of my first questions was 'Where is everything? How many firewalls do we have?' That was me being naive as an operator thinking this is stuff that is actually done," recalls Sima, who was formerly CISO at CapitalOne.
Sima says the sprawl of cloud services used at organizations has made keeping track of assets much more difficult. "You've got sprawl everywhere, and it's not created through a single entity" like physical network assets, he says. "Assets are really objects, not just IP assets," and that includes operating systems, web apps and what they're built from, and databases, authentication software, and services that the assets access.
Breaches most often occur when the victim organization doesn't know about a specific device or its configuration and software versions, he notes. He says JupiterOne places all assets into a central location with continuous updating of their status.
"It's foundational," Sima says of this type of technology. "It's going to be a big space," with many more vendors rolling out such services.
"I also believe a lot of products are going to be built on top of this," he says.
There are several IT asset inventory firms that identify products as physical devices and don't encompass the cloud-native assets nor the layers of a device. Sima say the closest thing to JupiterOne is Axonius, a security asset management tool provider.
Metasploit creator and renowned security expert HD Moore shook up the space last year with the release of his IT asset discovery tool, Rumble Network Discovery, which detects an organization's devices and their status on a network without requiring administrative access to reach them. IT asset management tools are not new — there's open source Nmap as well as commercial offerings from Armis, Claroty, Forescout, Senrio, and others — but Moore's approach was novel in that it doesn't require credentials to inventory devices or to monitor the ports.
Will Gregorian, CISO of wealth management service Addepar, ditched his GRC (government, risk management and compliance) tool for JupiterOne's service, in part because it was built with Zheng's perspective as a security practitioner, not a security vendor. "They [the GRC vendor] were more interesting in telling you how they think about security," Gregorian says.
Compliance is the financial service platform's key interest in JupiterOne's technology. "It looks at the entirety of everything out there, measures it, and teases out the potential [issues] no one seems to know about," he explains. Addepar, which now has automated its policies as well, has integrated the service with various security tools, including Okta and its security awareness platform.
JupiterOne's funding round was led by former Symantec CEO Enrique Salem — now with Bain Capital Ventures; Chenxi Wang at Rain Capital; and LifeOmic, a healthcare SaaS firm, from where JupiterOne spun off and is now a subsidiary.