
9/22/2020
01:30 PM

Startup Aims to Map and Track All the IT and Security Things

Security service JupiterOne spins off from a healthcare service provider's homegrown technology.

A security-as-a-service startup that emerged from stealth last week with $19 million in Series A funding aims to tackle a longstanding challenge for IT and security teams: finding — and keeping up-to-date — all of an organization's online devices and assets, including cloud-native services and connections.

JupiterOne joins the ranks of the emerging and maturing IT and security asset management sector, with products and services that offer an automated inventory of devices and services running on growing and increasingly diverse enterprise networks. Misconfigured systems and network settings, as well as unknown, unpatched devices sitting on the network, are among the most common weak links that expose enterprises to attacks and data breaches, and Internet of Things (IoT) devices have exacerbated the problem of managing network and IT assets. To date, it's been a mostly manual process.

"We're 'the Google' of your digital infrastructure," explains Erkang Zheng, founder and CEO of startup JupiterOne, which spun off as a subsidiary of healthcare software-as-a-service (SaaS) firm LifeOmic, where as CISO Zheng had helped build JupiterOne's platform for the firm's internal use. The concept for the service came from his own frustration, as a former CISO, with running multiple security tools (security information and event management; security orchestration and response; vulnerability management; governance, risk management, and compliance security) that require much manual correlation to get on top of security threats and vulnerabilities.

Zheng says his company's service drills down into functions and not just physical devices. "Not just every server instance, but also server functions," for example, he says. "Knowing what those are, how they are configured is one aspect. Second is knowing how it's connected and to be able to absorb and query it in a meaningful way. ... It's a graph to connect all the dots."

Some early adopters of the service are layering it with their security operations. Detailed inventory then provides a "database of the source of truth" when attackers get in, notes Caleb Sima, vice president of security for Databricks, which runs the SaaS. "We know instantly when a database has been opened or a new data store. ... It not only triggers [an alert] that there's a new AWS S3 bucket, but it also knows the user account and also maps to the Okta user" to reveal that User A opened a bucket without permission, for example, he says. The service then contacts the user via email or Slack and alerts them about the unauthorized activity and automatically closes down the bucket.

"When I was at CapitalOne, one of my first questions was 'Where is everything? How many firewalls do we have?' That was me being naive as an operator thinking this is stuff that is actually done," recalls Sima, who was formerly CISO at CapitalOne.

Sima says the sprawl of cloud services used at organizations has made keeping track of assets much more difficult. "You've got sprawl everywhere, and it's not created through a single entity" like physical network assets, he says. "Assets are really objects, not just IP assets," and that includes operating systems, web apps and what they're built from, and databases, authentication software, and services that the assets access.

Breaches most often occur when the victim organization doesn't know about a specific device or its configuration and software versions, he notes. He says JupiterOne places all assets into a central location with continuous updating of their status.

"It's foundational," Sima says of this type of technology. "It's going to be a big space," with many more vendors rolling out such services.

"I also believe a lot of products are going to be built on top of this," he says.

There are several IT asset inventory firms that identify products as physical devices and don't encompass cloud-native assets or the layers of a device. Sima says the closest thing to JupiterOne is Axonius, a security asset management tool provider.

Metasploit creator and renowned security expert HD Moore shook up the space last year with the release of his IT asset discovery tool, Rumble Network Discovery, which detects an organization's devices and their status on a network without requiring administrative access to reach them. IT asset management tools are not new — there's open source Nmap as well as commercial offerings from Armis, Claroty, Forescout, Senrio, and others — but Moore's approach was novel in that it doesn't require credentials to inventory devices or to monitor the ports.

Compliance Assist

Will Gregorian, CISO of wealth management service Addepar, ditched his GRC (governance, risk management and compliance) tool for JupiterOne's service, in part because it was built with Zheng's perspective as a security practitioner, not a security vendor. "They [the GRC vendor] were more interested in telling you how they think about security," Gregorian says.

Compliance is the financial service platform's key interest in JupiterOne's technology. "It looks at the entirety of everything out there, measures it, and teases out the potential [issues] no one seems to know about," he explains. Addepar, which now has automated its policies as well, has integrated the service with various security tools, including Okta and its security awareness platform.

JupiterOne's funding round was led by former Symantec CEO Enrique Salem, now with Bain Capital Ventures; Chenxi Wang at Rain Capital; and LifeOmic, the healthcare SaaS firm from which JupiterOne spun off and of which it is now a subsidiary.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
 
