
Startup Aims to Map and Track All the IT and Security Things

Security service JupiterOne spins off from a healthcare service provider's homegrown technology.

A security-as-a-service startup that emerged from stealth last week with $19 million in Series A funding aims to tackle a longstanding challenge for IT and security teams: finding — and keeping up-to-date — all of an organization's online devices and assets, including cloud-native services and connections.

JupiterOne joins the ranks of the emerging and maturing IT and security asset management sector, with products and services that offer an automated inventory of the devices and services running on ever larger and more diverse enterprise networks. Misconfigured systems and network settings, as well as unknown, unpatched devices sitting on the network, are among the most common weak links that expose enterprises to attacks and data breaches, and Internet of Things (IoT) devices have exacerbated the problem of managing network and IT assets. To date, it's been a mostly manual process.


"We're 'the Google' of your digital infrastructure," explains Erkang Zheng, founder and CEO of startup JupiterOne, which spun off as a subsidiary of healthcare software-as-a-service (SaaS) firm LifeOmic, where as CISO Zheng had helped build JupiterOne's platform for the firm's internal use. The concept for the service came amid his own frustration as a former CISO of running multiple security tools (security information and event management; security orchestration and response; vulnerability management; governance, risk management, and compliance security) that require much manual correlation to get on top of security threats and vulnerabilities.

Zheng says his company's service drills down into functions and not just physical devices. "Not just every server instance, but also server functions," for example, he says. "Knowing what those are, how they are configured is one aspect. Second is knowing how it's connected and to be able to absorb and query it in a meaningful way. ... It's a graph to connect all the dots."

Some early adopters of the service are layering it with their security operations. Detailed inventory then provides a "database of the source of truth" when attackers get in, notes Caleb Sima, vice president of security for Databricks, which runs the SaaS. "We know instantly when a database has been opened or a new data store. ... It not only triggers [an alert] that there's a new AWS S3 bucket, but it also knows the user account and also maps to the Okta user" to reveal that User A opened a bucket without permission, for example, he says. The service then contacts the user via email or Slack and alerts them about the unauthorized activity and automatically closes down the bucket.

"When I was at CapitalOne, one of my first questions was 'Where is everything? How many firewalls do we have?' That was me being naive as an operator thinking this is stuff that is actually done," recalls Sima, who was formerly CISO at CapitalOne.

Sima says the sprawl of cloud services used at organizations has made keeping track of assets much more difficult. "You've got sprawl everywhere, and it's not created through a single entity" like physical network assets, he says. "Assets are really objects, not just IP assets," and that includes operating systems, web apps and what they're built from, and databases, authentication software, and services that the assets access.

Breaches most often occur when the victim organization doesn't know about a specific device or its configuration and software versions, he notes. He says JupiterOne places all assets into a central location with continuous updating of their status.

"It's foundational," Sima says of this type of technology. "It's going to be a big space," with many more vendors rolling out such services.

"I also believe a lot of products are going to be built on top of this," he says.

There are several IT asset inventory firms that identify products as physical devices and don't encompass cloud-native assets or the layers of a device. Sima says the closest thing to JupiterOne is Axonius, a security asset management tool provider.

Metasploit creator and renowned security expert HD Moore shook up the space last year with the release of his IT asset discovery tool, Rumble Network Discovery, which detects an organization's devices and their status on a network without requiring administrative access to reach them. IT asset management tools are not new — there's open source Nmap as well as commercial offerings from Armis, Claroty, Forescout, Senrio, and others — but Moore's approach was novel in that it doesn't require credentials to inventory devices or to monitor the ports.

Compliance Assist

Will Gregorian, CISO of wealth management service Addepar, ditched his GRC (governance, risk management and compliance) tool for JupiterOne's service, in part because it was built with Zheng's perspective as a security practitioner, not a security vendor. "They [the GRC vendor] were more interested in telling you how they think about security," Gregorian says.

Compliance is the financial service platform's key interest in JupiterOne's technology. "It looks at the entirety of everything out there, measures it, and teases out the potential [issues] no one seems to know about," he explains. Addepar, which now has automated its policies as well, has integrated the service with various security tools, including Okta and its security awareness platform.

JupiterOne's funding round was led by former Symantec CEO Enrique Salem — now with Bain Capital Ventures; Chenxi Wang at Rain Capital; and LifeOmic, a healthcare SaaS firm, from where JupiterOne spun off and is now a subsidiary.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
