The Unknown Unknowns: Cyber Asset Attack Surface Management

Episode 319

State of Identity Podcast

2/23/2023


How can you protect a cybersecurity perimeter that you can’t define? Join host Cameron D’Ambrosi and JupiterOne Founder & CEO Erkang Zheng as they discuss the value of cyber asset attack surface management (CAASM) and the role identity must play in bolstering an organization’s cybersecurity posture.

Host:

Cameron D'Ambrosi, Senior Principal at Liminal

Guest:

Erkang Zheng, Founder & CEO


Cameron D’Ambrosi [00:00:04] How can you protect a cybersecurity perimeter that you can’t define? Join me for today’s conversation with the founder and CEO of a cloud-native platform seeking to address this fundamental challenge. It’s a great conversation. Stay with us. Welcome to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Erkang Zheng, CEO and founder of JupiterOne. Erkang, welcome to State of Identity.

Erkang Zheng [00:00:33] Thank you, I’m excited to be here.

Cameron D’Ambrosi [00:00:37] Excited to have you! Before we dive into what you’ve built at JupiterOne and some of those interesting nuances, I’ve always found it instructive for our audience to just get a quick hit on your bio, how you came to found the company, and maybe what some of those burning questions or burning needs were that you saw out in the market that you didn’t feel were being addressed, that led you to launching a new platform.

Erkang Zheng [00:01:07] That’s a great starting point. I have been a cybersecurity practitioner and leader for pretty much my whole career, starting as an engineer by trade, and have built cybersecurity products and have been in cybersecurity consulting services. I was at IBM Security for many, many years and left the global practices there and was head of software security at Fidelity Investments. And right before Capital One was a former CSO at a healthcare software company. So, throughout my almost 20 years of my own journey in cybersecurity, myself and my team have had a lot of firsthand challenges in this, which almost feels like a pandemic, right? The cyberspace. So, things like that just don’t work well and continue to break, and we continue to have breaches and attacks and so forth. And I keep asking myself this question: why is that the case? Why does that keep happening? On the flip side, we have no shortage of great cybersecurity products. There are thousands of them, and startups are popping up, many, many of them every year. So why is it that we are still in this situation? Which led me to think about, well, what are the challenges that we really haven’t solved fundamentally, and should we rethink how security as a business function operates? And my conclusion was, at a fundamental level, we just don’t know ourselves all that well, given the complexity and the speed of change that happened and is still happening in IT, in technology, in infrastructure, in business operations, and we’re trying to wrap our heads around all those. And we’re trying to protect all those. And it’s not just a technology problem or one specific thing. Right. So fundamentally, how do we have a sort of centralized brain, almost, to really know ourselves and understand ourselves to make better decisions, in a data-driven way, faster? And that’s what I think is missing. So that’s the reason I created JupiterOne.
And you say, well, what is that fundamental element, right? So, if you think about it from almost a biology standpoint, what is the fundamental element for a human being? It is your DNA. Then what is that for a digital organization? Well, in fact, they are actually the things that you’re trying to protect. Those are the cyber assets within an organization. And by assets, it’s not just IT assets. So, assets are anything that provides value to the organization. Those are things that are part of the digital operations. Those could be business processes as well. All of those things, people and equipment and devices and applications and code and all of those things and processes, they’re all part of the equation. They’re all part of what makes up an organization. So how do we understand all of that is the reason I built JupiterOne, and we can get into more about that. But that’s kind of my background and what led me to build JupiterOne.

Cameron D’Ambrosi [00:04:43] That’s fantastic, a perfect segue into what exactly JupiterOne is. And maybe I’ll take a stab at it and then you can correct me where I may have missed the mark. But, in looking at your platform and what you’ve built, it seems as if the core value proposition you’re bringing more than anything else is, in Donald Rumsfeld terms, addressing those unknown unknowns. Right. How can you understand what your organization’s cybersecurity posture is if you don’t understand the full scope and breadth of your attack surface, all of the systems and subsystems that constitute the broader technology landscape within and across your organization? And to your point around the challenges that are facing organizations of every scale, we’ve just seen such massive growth in terms of the potential attack surface. You have layers upon layers of multi-cloud and various SaaS platforms and identity and access and customer identity and access, and that is leaving organizations where they don’t even have a single picture of, like, what are my assets and how should I be thinking about securing them? Is that a safe assessment?

Erkang Zheng [00:06:02] It is. And I can probably try to add some more context and maybe even simplify this a little bit. And we all know that we can protect what we can see. Right. So that’s easy enough to say, but it’s difficult to do. Right. So, what is it that we really have? Right. So, it really boils down to there are some very fundamental questions that we’re trying to answer, these five questions, before we even talk about protecting anything, because in security we all tend to jump in and say, hey, let me block this and protect this and so on and so forth. Right. But there are a couple of ways of looking at it. One is, well, yes, you want to have some of the basics, the no-brainers that we know that we’ve got to do. Right. So, we got to have MFA. We have some device agents; we have some encryption of data storage. Right. So, there are basics that we have to cover for sure. But once we have the basics covered, then how do we know what else to do? What’s next? What do you focus on? So these are the five questions that everybody should answer. What do I have? And for all the things that I have, which ones are more important? Which ones are critical? All of those things that are critical to the business, do they have a problem? So, this could be a misconfiguration, a vulnerability, or identity and access over-permissions, whatever the case may be. Do they have a problem? And if they do have a problem, who can fix them? And over time, am I getting better? Right. So just to answer those five basic questions, if we can do that really, really well, then we are so much more mature as a security program. But answering those five questions is so hard because decision systems are complex. There are too many confusing plays, or too many things that are moving in their own different directions, and not enough people to answer those questions. And so today we try to leverage the human API.
So, if I have a question, I go to you, Cameron, and you go to your team, and then we would play just connect the dots from person to person and try to aggregate that data and information in our heads. And then we try to come up with an answer, and we try to make decisions based on that. Right. One, that is not scalable. And second, that is just not fast enough. There’s just too much going on. So then, at the end of the day, what is JupiterOne? With us, JupiterOne provides, we help organizations connect the dots across cyber assets, people, and risks, across all those kinds of three buckets. And the reason, and what you get, is you get contextual insights across those so that you can make more confident decisions faster, more informed decisions, faster, from one place, from one single source of truth. And that’s what the JupiterOne platform does. That’s what we do, right? Again, connecting the dots to give you contextual insight from one place. That’s it, in a nutshell, what we do. So.

Cameron D’Ambrosi [00:09:18] What has always fascinated me about the transitions in the cybersecurity space we’ve seen over the past years is, I guess, this fundamental shift in approach, right? Obviously, we started off in the cybersecurity realm thinking about this notion of the perimeter, securing the perimeter. And as we’ve seen trends like remote work, like BYOD, adoption of cloud, shift to SaaS more broadly, that perimeter has expanded, maybe not in an infinite sense, but exponentially, let’s say. And we’ve seen, from our perspective, a shift towards kind of an identity-centric approach to cybersecurity as opposed to a perimeter-centric approach. Do you see this trend continuing? And what do you see as the biggest threat facing organizations today from a broader cybersecurity perspective?

Erkang Zheng [00:10:16] I think that’s a great point. And it’s an increasing trend. People use terms like zero trust or all these fancy terms, right. So, at the end of the day, what we’re really seeing is the virtualization of everything, and everything becomes software defined. Right. So, we go from a very physical world to a very virtual world, from hardware-defined things, corporate boundaries, and whatnot, to a very software-defined operating model. So, identity and access, in fact, plays a key role in that. Right? So, I actually think there are only two things that matter in the whole schema of zero trust, or the foundation of that, which is assets. Again, going back to what do we have from an overall digital environment standpoint? And secondly, access: who has access to what, and how do we protect that access? Now, both of those are very API-driven, software-defined in nature. Right. So, if we can anchor on those, right, then that really is the foundation of everything else. And again, I so enjoy those questions that I mentioned. Now, why is this becoming so hard? It really is just the speed of technology. It’s really a double-edged sword. So, on one point, we’re able to move so fast because of the technological advancements. But on the flip side, security teams have always been playing catch-up, and we still are playing catch-up to engineering mechanisms, to infrastructures, to DevOps, to all of those things. And then as a result, what ends up happening is that we have all these very niche and specific products that came out so that we can try to catch up. Right. And then fundamentally, we haven’t really had a chance to go back and revisit the basics again, right? So, understanding ourselves and seeing the things that we have.

Cameron D’Ambrosi [00:12:30] So, going back to the approach that you’re bringing at JupiterOne, and maybe this notion of the unknown unknowns, how have you differentiated yourself in terms of allowing organizations to make those discoveries about, whether you want to call it just the gaps in the perimeter or maybe even defining that perimeter itself? Are you guys taking kind of an automated, programmatic approach, or is it incumbent on your end customers to understand enough about their landscape to be able to kind of point that JupiterOne platform at those resources across their infrastructure?

Erkang Zheng [00:13:08] It’s a bit of both. So, I really believe in going back to the basics, and yes, eventually there’s a role for machine learning and AI and all of those to play, right. But before that, before we get to that, there is something that’s more foundational, that just has to have people point us to what they know is there. Right? So like, for example, we know that we use AWS, we know that we use GCP, or whatever the case may be, we know we use CrowdStrike, we know we use Okta. Just point JupiterOne to them and we would do the discovery of these datasets and the resources and the configurations, and we would do the mapping to connect the dots and say, well, how does this Okta user access this SaaS application and the permissions within that, or how does this developer in GitHub push code to production? And do they have access to data inside of AWS environments? Right. So, all of those things start with the customers telling us and pointing us to the right place of what those are. And then, right, we use automation to do the hard work, or maybe it’s the basic work, right? So, of aggregating those things together, mapping all the configurations, and then providing insights based on that data. Now that has to be the starting point, right? Because without the starting point of those data, there’s nothing for machines to learn. We don’t even need to talk about AI and ML without a meaningful starting dataset. So, we should start with understanding that data, which is what J1 facilitates the security teams to do, to get a much better understanding of the basics of your environment. And then we continue on to use that to provide more proactive recommendations and machine learning and whatnot from that point.

Cameron D’Ambrosi [00:15:14] And how has that go-to-market motion been? I think one of the more fascinating things that I listen to founders and CEOs talk about is establishing that initial product-market fit and kind of solving that cold start problem. What was the feedback like? And what has the feedback been like from the CISOs that you’ve been working with in terms of how JupiterOne is helping to solve those problems? And the feedback from the market in general about the solution?

Erkang Zheng [00:15:48] Yeah, I think the feedback has been very, very positive in what we do. And of course, we are still fairly early in our journey. So, the company is not even three years old, and the product is still in its early stages, in the grand scheme of things. Right. So, we work with a lot of early adopters, finding early product-market fit, and CISOs and security leaders who are practitioners who are very forward-looking and understand the art of the possible and the eventual future of what we can bring together. Right. So, that has been overwhelmingly positive. On the flip side, yes, we have a lot of feedback that tells us how and where we need to improve. Right. So, hey, making covering the data easier and so on and so forth. So, making some of those insights more proactive and using machine learning to do some of these things for us, all of those things we are continuously improving. So, as we advance our product roadmap, there are organizations who tell us, hey, we want more data from our hybrid environments. So then, okay, great, let’s do that. So, for more of the traditional Fortune 500 enterprises, right, and so on and so forth. So, we continue to take that feedback in advancing and improving the product, right, both from a capability and experience standpoint. But overall, it has been a very rewarding journey for me and the product team and everybody at J1. We have seen people tell us, oh my God, I did not even see this without JupiterOne. Right? So, there was one person who said, we just discovered this user who had already left the company a month ago and their access is still there. What the hell? Right. And this shouldn’t have happened. And without JupiterOne we didn’t realize. And JupiterOne just paid for itself from that one single incident that we could have prevented. Right.
So, there is overwhelming feedback like that, that is super encouraging and very exciting. And people want to do more creative things, things they want themselves, right on top of the platform. Now, of course, there are challenges that we’ve seen as well. Right. So as a founder and as an early product, we continue to get improvements. So, we’re making it 1% better every single day. That’s all we have to focus on.

Cameron D’Ambrosi [00:18:39] How would you say the shift to passwordless more broadly is set to impact the cybersecurity landscape, whether it’s how platforms are working with JupiterOne or just your insights on the trend more broadly? I would hope that it’s going to, to some degree, bring us a higher degree of overall security just because of the lessened ATO vulnerabilities when you move away from passwords. But that’s not to say that threat actors are not clever enough to use alternate forms of penetration, like social engineering, to convince somebody to use the passkey credential to get what they want. So, how are you seeing passwordless uptake in general? And what do you think about that as a trend and its impact on cybersecurity more broadly?

Erkang Zheng [00:19:25] I would love to see that happen sooner rather than later. So, I think password-related breaches are still happening, and they shouldn’t be happening. And passwords to me almost feel like floppy disks years ago. We wanted them to go away, and it took a long time. They never went away until, finally, everything became digital. So physical media is no longer a thing. And it feels the same to me. It’s just that the transition period is taking very, very long because of the legacy systems and the practices that are still there. I do think that passwords are not really natural. People are not meant to remember complex 20-character alphanumeric and special-character passwords. It’s just not how it’s supposed to be. But we’re getting better. MFA is getting more widely adopted. Just-in-time authentication and magic links and all of those. Right? So, biometrics and all these multi-factors, I think that’s great. That’s the right approach. Can’t wait for a completely passwordless day to happen, sooner rather than later.

Cameron D’Ambrosi [00:20:43] And from the overall trend in the cybersecurity space. Right. Look, we’re a digital identity focused shop, and to a hammer, everything certainly looks like a nail. But I’d like to think we’re also in the right market space and taking the right perspective. It seems like the forward-looking organizations are taking a more identity-centric approach to access management across their systems, moving away from legacy approaches to newer, more developer-centric platforms like Okta, for example. Does that make your life easier, from a JupiterOne perspective? What are the organizations that you think are impressing you with their approach to these challenges? And, if you’re a CEO that’s listening, what are some of those overall tips that you would have in terms of how you should be thinking about where to prioritize your spend in these coming months and years?

Erkang Zheng [00:21:42] Yeah. I think you’re absolutely right that identity-driven boundaries or zero trust foundations, so using Okta and similar technologies, or Auth0 for customer identities and all of those, right, is a great step forward. And it has all of these single sign-on capabilities, has a way of reducing the complexity and consolidating that management into one place. And it also helps from JupiterOne’s perspective. So, then it makes the analysis across the board easier, right? So, if your identity systems are aggregated and they are from one source of truth, then putting that data and connecting the dots to everything else in the organization, whether SaaS applications or cloud infrastructures or internal operations and source code and whatever functions or end-user devices or even security awareness training. So, to be able to connect the dots, people are at the center of everything. Right. And having the right identity management systems to be tied to that greatly simplifies and improves the way of doing security analysis, whether it’s proactive or reactive. So, I think companies adopting that and going forward with that is just the way to go. And I’ve been hearing, I think, Cisco, one of our customers, right, and Microsoft, right, so, companies like that, they have been piloting passwordless approaches within their organization. And it’s great. I think we should have more companies doing that.

Cameron D’Ambrosi [00:23:43] So to broaden that question out, obviously, I think you more than many of our guests have a great perspective on what’s coming down the pike in cybersecurity more broadly. If I were to ask you to take out your magic crystal ball and make some predictions for what we can expect to see in the space, where would you lay down some chips?

Erkang Zheng [00:24:06] If you look at the market, as we all see the market condition and economic and things like that, so, we’ve seen companies do layoffs. And the one theme that I think we can all agree on is everybody’s trying to find more efficiency, in all business functions. And security is very critical but is not immune to that trend. So, we are also looking at how can we make the investments that we’ve made already make security better. And how can we make the teams more productive? How do we do more with less? How can we have best-of-suite solutions rather than best-of-breed solutions? And how do we have consolidation of that understanding and analysis, which is what JupiterOne provides, right? So, to help truly understand that the controls that we have already invested in are actually working, and then how do we know what we should be really focusing the time on? All right. So, we can get people from spending 80% of their time doing the analysis and 20% of their time doing work to reversing that, and use technology to help with the analysis, like JupiterOne, like other types of products that are helping speed up the analysis and the decision making, so that the teams can be more productive, actually doing work and thinking about and figuring out what to do. I think that will be the trend: more efficiency, more productivity, more consolidation for security and just across the board.

Cameron D’Ambrosi [00:25:55] And that’s a really great insight in that it dovetails with a lot of what we have been seeing in the space, which is, right, this proliferation over the past decade of an increasing amount of point solutions that buyers have had to cobble together to meet all their needs. And I think the natural vertical integration push to kind of reduce those point solutions, which again, like, that’s not to say you can’t build your posture around kind of this patchwork approach, but that’s how things fall through the cracks, right? When you’re knitting together a bunch of disparate solutions, it’s obviously much less elegant, much less manageable than a vertically integrated solution. So, complete co-sign on those predictions.

Erkang Zheng [00:26:41] Right. And I would want to add to that, right, you say that in order to do that, in order to be more efficient, in order to consolidate, in order to do all of those, we have to be able to go back to the basics and forget about fancy terms and ChatGPT and all of those things. So let’s just get back to the basics and find good, solid, foundational solutions to answer basic questions and do the basics well at scale before we get fancier and fancier. All right. So, let’s do that.

Cameron D’Ambrosi [00:27:18] Couldn’t agree more. And I think we’re in a really exciting time because of the continued interest in digital identity, the continued business needs of enterprises that don’t necessarily align to the previous paradigm of on-prem. And that increased flexibility that cloud brings, with, again, the associated vulnerabilities that I think are a tradeoff, but don’t necessarily have to decrease your security posture if you think about plugging those gaps in the right way.

Erkang Zheng [00:27:54] Exactly. And I think this is where the future is so compelling and exciting, because things are becoming software defined. Right. That complexity. Think about if we have this complexity and it is not software defined; if you still have to drive all of these decision makings by hardware-based solutions, it is impossible. So, the opportunity is here, even though things are more complex, it’s harder, it’s more, and so on, so forth. The nature of the software-defined things today makes it actually possible to do it. So solutions like JupiterOne make it possible because we can aggregate everything and use the software-defined complexity actually to our advantage. So that’s the way that we should think about it, right? So, whether it’s identity-driven security or zero trust or asset management and insights that we provide or whatever the case. But whatever resource I throw at it, it really is to use the software-defined nature of things to get a better understanding of ourselves.

Cameron D’Ambrosi [00:29:07] Couldn’t agree more. So, to bring us on home, an opportunity for what I like to call the shameless plug. If anyone is listening and their ears are burning with interest in connecting with you, learning more about JupiterOne, what is the best place for them to go?

Erkang Zheng [00:29:25] Yeah, if you are listening to this and if you want to connect the dots of your environment, right, if you want to do more with less, save 80% of your time in your day-to-day tasks, just go to jupiterone.com or look me up on LinkedIn or send me an email, or connect your product.

Cameron D’Ambrosi [00:29:47] Love it. Well, thank you so much. Greatly appreciate your time and the insights, and looking forward to staying in touch and seeing what you come up with next. Obviously, I think this is, again, kind of at the epicenter of a lot of the most exciting developments in identity. And I can’t wait to see what you build next.

Erkang Zheng [00:30:05] Sounds great. Thank you, Cameron.

Cameron D’Ambrosi [00:30:07] Thank you.
