
Interview: JupiterOne’s CEO and Founder Talks Understanding Assets And Improving Security Processes

Expert Insights interviews Erkang Zheng, founder and CEO at JupiterOne, to discuss the importance of asset management.

Expert Insights Interview With Erkang Zheng Of JupiterOne

Security teams in organizations today are often understaffed and overstretched, tasked with securing thousands of assets against increasingly sophisticated cyber-threats. In fact, research from asset management provider JupiterOne has found that the average security team today manages over 165,000 cyber assets, including people, cloud technologies, endpoints, apps, and more. So, how can security teams keep on top of such a wide range of assets with robust security processes?

Expert Insights spoke to Erkang Zheng, JupiterOne’s CEO and founder, to get his insights into these security risks. Zheng founded JupiterOne in 2018, and the company has quickly emerged as the market leader, reaching unicorn status with an estimated $1 billion valuation in 2020.

Our interview covers the JupiterOne platform, key features organizations should look for when considering an asset management platform, the importance of Zero Trust, and Zheng’s advice for organizations to improve their security processes.

This interview has been edited for clarity and length.

Can you tell us about your security background, and what led you to founding JupiterOne?

I’ve been in cybersecurity pretty much my whole career; I’ve spent more than twenty years in this industry. I’ve been a practitioner, a leader, and a former CISO myself.

I used to run multiple security practices at IBM Security, and led software and cloud security for Fidelity Investments. In addition, I served as a CISO at a technology software company, and I’ve also been an engineer and hands-on practitioner.

Through the years, I’ve witnessed transformations in engineering, IT, DevOps, Agile, and of course, cloud and public cloud transformation.

And I firmly believe that security is a little bit behind in that journey of digital transformation. So, we can no longer simply just take an analyst’s approach or a network engineer’s approach to look at security.

We must look at security with a software-defined approach, a data-driven approach, where we think more like engineers, and also think more like attackers. That’s what led me to build JupiterOne.

JupiterOne takes a unique approach to security, focusing on Cyber Asset Attack Surface Management (CAASM), as Gartner has termed it. Why did you take this approach, and how does it help organizations to improve their security processes?

That’s a great question. So, what does a unique security approach have to do with building an asset management platform? First of all, we all know you can’t protect what you can’t see. It’s pretty basic, everybody says that, but what does that really mean when you dig into it?

As I said earlier, everything is data-driven and everything is software-defined. In today’s operating model, every company is becoming a technology company. And every company, large or small, has some sort of a cloud footprint, or they will soon enough.

So, what does that mean to security? It really all starts with assets. And not just collecting and knowing what assets you have, but really understanding how they relate to the operations of a company. We at JupiterOne built an asset knowledge platform, using a graph to connect the dots, where the dots represent the assets.

First of all, we define assets by the very granular level of software-defined entities in a digital operation. When people think about assets, they typically think of IT assets like laptops, endpoints, servers, or a virtual machine somewhere. It’s often a very network-centric mindset.

So, we have to shift gears. Yes, those are part of it. But there are a lot of software-defined things to take into account such as serverless functions, data stores, IAM policies, access permissions, or code repositories. All of your changes to code, pull requests, security awareness training, and so on, so forth. All of those.

Are they part of your organization’s operations? Yes, they are. Then why shouldn’t they be considered as assets? If it means something to you, it provides value to you as part of your business, then it’s an asset. We should think about it that way because it is software-defined, and we need to kind of look at that in such a way.

And then the second part is that, in security, we talk about reducing the risk, we talk about vulnerability management, we talk about patch management, and all those things. But it all boils down to a single set of questions.

So, think about having an application. You do some scanning around it, you get some security findings, and then you call that application security. Or, say you have an endpoint, and you install an agent, and then you call that endpoint management.

But at the end of the day, if we think of that application as an asset, that endpoint is an asset, and that code is an asset, then it’s done. It all comes down to the single use case of asset management. And it’s all of those things, including people. If you say to a user, “Hey, you did not complete your security awareness training,” that is a finding on that person.

So, everything is about finding out what assets you have and what findings and problems those assets have. And then which assets are the most important, and who can fix them? So, it all boils down to a single set of questions that surround assets.

How does JupiterOne help organizations to better manage those assets and improve those security processes?

What we’re doing is not necessarily rocket science, but it is hard. It’s hard because of complexity and scale. We help people do the basics well, at scale. These are the fundamentals of security hygiene. It helps with every different aspect of the security operations.

If you can answer those basic questions in a large, complex environment, and you don’t have to spend days to figure out that answer every time, but you can do it in just ten seconds and automate it, then you save a tremendous amount of time for incident response. You save a ton of time by providing the context for vulnerability management. You save a ton of time for compliance and reporting.

And as a result, your people—who are very talented—can have the time to work on the things that do matter. Whether that is building your organization’s business or identifying more high-risk and complex things that you want your security teams to spend the time on.

That is the biggest challenge that we solve. It’s using that data and automation to help them be better and not to have to do the busy work. But to be better at making decisions, using that data.

Who are JupiterOne’s typical customers, and what are typical challenges they are facing in their security processes?

We have customers, large and small, from early-stage start-ups to Fortune 100 companies like Cisco, and everywhere in between. Across the profile of our customers, they are all very technology-savvy. They have strong technical teams. They are technology companies, or even financial services ones—we have a lot of financial services, and financial services nowadays are driven by technology as well.

If we peel back the onion and look at it, it’s really the technology function or the security engineering function that is our core customer. So FinTech companies, traditional financial services, global banks, and even data platform organizations themselves, like Databricks and HashiCorp, are customers. There are many of those within that very similar profile, of all sizes and scales.

And I want to highlight one other thing, which is relevant to our customers and the previous question. At the end of the day, you can do this yourself. You can do this just by having a bunch of people doing it, because the data is there somewhere. It’s your data, it’s your configuration, it’s your controls.

The difference is that you can choose to do that and analyze these assets across ten, twenty, fifty different systems, and spend the time to do it. Or you can take the engineering approach and put them all into one platform such as JupiterOne. You can go to one single place, one system of records, to manage all of them.

And if you want more on top of it, you can build more use cases on top of the JupiterOne platform. It’s all data-driven. It’s got out-of-the-box things to make it very easy for the smallest customers, but it’s also flexible and extensible to make it powerful for the bigger customers. It works across the spectrum.

What key features should organizations be looking for when considering an asset management platform?

One is the out-of-the-box context. How do you understand something? You understand something by having visibility of it, but also by knowing and understanding the context of that thing, or that set of things.

That’s what we at JupiterOne do best. We have a lot of out-of-the-box visualizations and dashboards and alerts. And then, compliance benchmarks and things like that. Not overwhelming out-of-the-box, just enough out-of-the-box, so that you can focus on the biggest and most important things.

And then the next part is, once you become more complex and advanced, we don’t pretend to understand all of your data. We don’t pretend that every organization is the same because they are not. So, we allow the power users to use APIs, queries, widgets, and reusable components to extend and customize and build their own processes on top of it. It’s all extensible.

One of the big trends in the cybersecurity space today is Zero Trust. What’s your take on Zero Trust, and where does the JupiterOne platform fit into the Zero Trust framework?

I think there’s so much that goes into this now that it’s becoming a buzzword: “Zero Trust.” And, to me, the fundamental of Zero Trust is to implement an identity-driven perimeter rather than a network-driven perimeter.

So, the identity-driven perimeter surrounds the asset. The asset could be an application, it could be data, it could be a workflow, it could be an infrastructure environment. But it’s all driven by strong authentication and access controls, authorizations, and things like that, rather than trusting the network as the perimeter.

So, with that said, there are a lot of actual controls you have to implement to do that. You have to implement things like Single Sign-On, Multi-Factor Authentication (MFA), and micro-segmentation, and there are those types of security tools to do that. But at the end of the day, everything that you implement and everything you protect goes back to the fact that those are assets.

And, our platform has integrations with things like Okta, OneLogin, and Auth0. So that, within that domain of Zero Trust technology and controls, we can then, very similarly to how we do all of the other asset aggregations, connect the dots and allow you to ask those permission-related questions. Who has access to this data store, is it protected by MFA? Which part of the network is it in? How is it segmented? What’s the blast radius? Those are the answers we can provide from a single system of record, from a single source, the JupiterOne platform. So, it certainly fits into that visibility, that understanding of your Zero Trust strategy.

And then we can also ask, have you implemented those Zero Trust security controls correctly? If you have implemented all the segmentations, how can you do the analysis? Have you implemented that control correctly? You need an overarching platform to connect the dots and answer those questions so you can actually know that whatever you have implemented is effective.
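The permission questions above (who can reach a data store, is that access MFA-protected, what is a principal’s blast radius) are graph walks over asset entities and their relationships. The following is an added illustration written for this article, not JupiterOne or Starbase code; the entity ids, classes and relationship verbs are a constructed sample inventory.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical ids): entities with properties.
ENTITIES = {
    "alice":   {"class": "User", "mfaEnabled": True},
    "bob":     {"class": "User", "mfaEnabled": False},
    "svc-etl": {"class": "User", "mfaEnabled": False},
    "role-analyst": {"class": "AccessRole"},
    "role-etl":     {"class": "AccessRole"},
    "bucket-customer": {"class": "DataStore", "classification": "confidential"},
    "bucket-logs":     {"class": "DataStore", "classification": "internal"},
}
# Directed relationships (source, verb, target): the "dots" connected together.
RELATIONSHIPS = [
    ("alice", "ASSIGNED", "role-analyst"),
    ("bob", "ASSIGNED", "role-analyst"),
    ("svc-etl", "ASSIGNED", "role-etl"),
    ("role-analyst", "ALLOWS", "bucket-customer"),
    ("role-etl", "ALLOWS", "bucket-customer"),
    ("role-etl", "ALLOWS", "bucket-logs"),
]

def build_index(rels):
    """Adjacency sets in both directions so a query can walk either way."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for src, _verb, dst in rels:
        out_edges[src].add(dst)
        in_edges[dst].add(src)
    return out_edges, in_edges

def reachable(start, edges):
    """Every entity reachable from start by following edges (breadth-first)."""
    seen, queue = set(), [start]
    while queue:
        node = queue.pop(0)
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def who_can_access(store, rels=RELATIONSHIPS, entities=ENTITIES):
    """Users with a path to the data store, mapped to their MFA status."""
    _, in_edges = build_index(rels)
    return {n: entities[n]["mfaEnabled"] for n in reachable(store, in_edges)
            if entities[n]["class"] == "User"}

def blast_radius(user, rels=RELATIONSHIPS, entities=ENTITIES):
    """Data stores a compromised user could reach through assigned roles."""
    out_edges, _ = build_index(rels)
    return {n for n in reachable(user, out_edges) if entities[n]["class"] == "DataStore"}

def unprotected_confidential_access(rels=RELATIONSHIPS, entities=ENTITIES):
    """Finding: confidential stores reachable by any user without MFA."""
    return sorted((u, s) for s, e in entities.items()
                  if e["class"] == "DataStore" and e["classification"] == "confidential"
                  for u, mfa in who_can_access(s, rels, entities).items() if not mfa)
```

Each finding is attached to a concrete asset (the user) and a concrete target (the store), which is what lets an owner be assigned and the fix tracked.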

Finally, what is your advice to organizations looking to improve their security posture and get a better understanding of the security of their assets, where is the best place to start on this journey?

You want to start on this journey early. And even though today you may think your environment is not that complex and you’re going to worry about this later on down the road, I do think that starting this journey early is better. Because what this avoids is making those mistakes along the way and accumulating technical debt. We all hate that, right? It’s better and easier to get started earlier.

And the other thing is that we believe in open source as a company. So, we put out an open-source product called Starbase, so if you don’t want to go with a commercial solution, you can work on it yourself. Using open source, we provide a completely free tier for organizations to get started with. It’s not a free trial, it’s actually a free tier.

So, there’s no excuse not to use it. It’s easy to use and I encourage you to get started today! You will be amazed at the visibility it provides and the amount of time it could save your team.
