May 4, 2021 (New York): The definition of an “asset” as it pertains to technology and networking has changed over time. The change has been significant enough that enterprises have had to create entirely new processes and vendors have had to build new tools—or at least enhance current offerings—to reflect the increase and diversification of entities communicating across networks. In the interim, the definition of “network” has also expanded. No one working in IT or cyber security today would consider the “network” to be only an on-premises or even an on-prem-plus-cloud environment. Virtual machines, hybrid cloud, multi-cloud, and containers all comprise today’s corporate networks. If that weren’t enough, there is, of course, the prevailing use of SaaS, which further affects companies’ attack surfaces.
It can be exhausting just to keep up with the definitions of all the assets an organization uses, much less do something about the security posture of those assets. Yet, there is a small but growing segment of the cyber security tools market making a play for cyber security-focused asset management: companies targeting asset identification (in all its forms) and control (for the sake of protection).
One such company, JupiterOne, a cyber asset management and governance company based in Morrisville, NC, today announces its Series B funding round. Led by Sapphire Ventures, this infusion of capital will be used to fuel product development and market penetration. Even in a year fraught with scores of challenges, the firm managed to triple its revenue in 2020. As analysts, we at TAG Cyber have no choice but to be impressed.
A true cyber asset management platform, JupiterOne doesn’t stop at automated asset identification. Importantly, the company told us during a recent briefing, their definition of “asset” includes everything from traditional assets (endpoints for example) to GitHub buckets, identity provider data, and workflow integrations. In other words, any connection that could pose a security threat if a vulnerability were exploited. Identification, of course, is the first step, but beyond visibility, JupiterOne automatically maps all interrelationships between assets. Built on a graph backend, the mapping results in an easy-to-understand visualization of the findings.
The next step in the process is Smart Search—a way for admins to query identities, access rights, ephemeral devices, misconfigurations, missing policies, policy-as-code violations, missing patches, pull requests, and more. JupiterOne provides hundreds of sample natural-language queries, but admins can also write their own. Akash Ganapathi, Principal Solutions Architect at JupiterOne, explained, “Smart Search lets users ask any question of the environment and then apply it as code. Deployed policies can trigger alerts and workflows, ensuring that the environment is never out of compliance.”
With dozens of managed integrations out of the box, JupiterOne offers a good way for companies of any size to better understand and manage the security risk of deployed assets. Very few tools on the market focus on cyber asset management in the way JupiterOne does, and company executives say that the graph-driven product is unique in its contextual analysis and ability to serve use cases ranging from asset visibility and governance to threat management, incident response, evidence collection, and auditing.
The importance of asset identification and management cannot be overstated; there is a reason inventory and control of hardware and software have remained at the top of the CIS Controls list for years, why “identify” and “detect” begin the NIST CSF, and why MITRE ATT&CK starts with “reconnaissance.”
JupiterOne is an impressive tool. It is not for the faint of heart, however. While the platform is extensive, it does require a certain level of expertise to operate. Then again, what accompanies the company's new round of funding could be simplification and accessibility for smaller, less-resourced companies. With a talented executive team, a strong board of advisors, and impressive investors (which include Enrique Salem from Bain Capital), we at TAG Cyber are looking forward to watching the platform and the company mature.