Welcome everyone to this CUBE Conversation featuring Jupiter One. I'm your host, Lisa Martin, and today we are very excited to be joined by Sean Catlett, the general manager for EMEA at Jupiter One. Sean, great to have you. Thanks so much for joining me today.
Lisa, great to be here. Thank you, thank you for having me.
I love the name Jupiter One. Tell us a little bit about that before we really dig into Jupiter One's approach to security.
Yeah, Jupiter One actually started back in, it was actually a product that was built out of a practitioner. The CEO, Erkan, actually started it while he was trying to solve a problem as a CISO and ended up actually spinning the company out to become Jupiter One out of a healthcare company. So it's kind of an interesting arc of a story for Jupiter One and how it came to be.
Talk a little bit about Jupiter One's approach to security and what differentiates it from the competition.
Yeah, I think there are two main themes that really differentiate Jupiter One and what we're trying to accomplish. I think that the first is cyber assets, and how we define cyber assets is very, very different to, I think, a lot of the industry. So we think first that anything which is software defined, in addition to physical assets, should be defined as a critical asset and a cyber asset. And really that's anything that your business needs to operate its business and to be able to transit customer information to your customers. But those are also things that are hyper complex when you think of how those are built out of massive lists today of information that are pulled out of source systems, the CMDBs of the past. And really our approach is really to modernize that, connect them and make those into contextual pieces of information around what those assets do for the business and then how they can be secured more effectively.
Dig into some of the problems that Jupiter One is solving for customers.
I think the first one starts with, how do you keep all that up to date? Like any of us who've operated security teams at scale, and I have in a few of my roles, one of the key challenges that I had is, the business asked me a question and I immediately need to be able to offer them not just an answer about what I think, but I need to know, because at the end of the day the things that we say as a security team or security leader to one of my peers become things that they say, that they're going to probably create work around, et cetera. So for us to better be armed with information, we have to make sure it's up to date, make sure we understand the business. And really that's one of the core value propositions in the way that we approach the problem: by linking those assets together and keeping them up to date with real-time kind of polling of the environment, ingesting that and then normalizing it and making it very clear, we basically enhance the ability to answer really tough questions.
Got it, so really it's a matter of getting rid of manual processes, human processes as well, and finding those attack paths, right?
Exactly. One of the key challenges that we all face once something goes bump in the night and you need to answer a question is, how do I see that, where this environment where maybe something has occurred, what does that environment have access to? Who are the user identities or machine identities involved that might have additional capability in another part of the environment? And fundamentally, what data would potentially be exposed in that environment or elsewhere, and how would an attacker navigate the environment to either get to the data or get the data out?
And so for us to be able to do that quickly at scale and kind of provide those insights at speed and know that they're always up to date, it just really becomes something that organizations can rely on to be that kind of single source of truth for the types of information that they're looking for in securing their attack surface.
Single source of truth is incredibly important. What about compliance? It's often thought of as a process that's very linear, but that's a challenge. There are gaps there that organizations are facing.
100%. I think what I find is really interesting is compliance in a really good program, actually you used to say it's like the exhaust of a good program, right? You don't aim for compliance. It's something that just comes naturally by having really good security practices, policies, et cetera, but doing it effectively means you're doing it all the time. You're not doing it to aim for a one-time or two-time-a-year audit, but really if you're managing that at source, meaning pulling this information in, running it as a process where very early in the life cycle, when something drifts out of compliance, you're able to jump on that when it's small. I'll give you an example that I think is really something that we see quite regularly, where an environment is built out that needs to be compliant and very early in the process that business team, they think they're doing the right things. They're actually pulling information, maybe they're using a repository or set of tools, and they're effectively building off of a pattern that might have been made insecure later or been assessed to be something that needed to be fixed. And so the longer, if you catch that early in the process, it's something that you can deal with when it's very small, there's no business or customer impact, and you very much use that kind of shift-left mentality for compliance.
But if you let it get to where they put critical workloads, critical data, a critical customer is using that system, then you're talking about maintenance windows and regressions that are really, really challenging for the business. So really for us to move earlier in the life cycle and help our business do that and other businesses do that, I think it's really something that is a unique part of our solution.
So what have you learned so far? You know, we talked about organizations needing to have that up-to-date understanding of their cyber assets, but they're relying on probably a variety of tools, a lot of manual effort that not only is frustrating but can be challenging. What is it that Jupiter One enables organizations to achieve? I imagine visibility is one of the key elements there.
Yeah, it's funny because visibility is actually something that you hear across the industry, and for us it's about contextual visibility. What we mean by that is the visibility that you gain, if I just take hundreds of thousands of log lines and different pieces and just make that visible to you, it actually can be quite overwhelming, and it actually is something that is in many cases hurting security teams. With all that complexity it just becomes extremely frustrating to get tons of information, tons of updates, and actually not be able to make sense of it. So for us it's about contextual visibility, which means we link that information to the assets that matter to the business units, to the asset owners that matter to the business, and so then when you receive a piece of information, maybe it's a vulnerability finding, maybe it's some sort of security operations alerts or the fact that something is missing, you're able to then say, okay, I now know that that's really important to do something with.
I think in addition it's also important how we can use the tooling to talk to the business in a different way, because the graph and the ways to look at link analysis between systems, that exists, it's just in manual forms. Most security teams and leaders and engineering leaders, they built a whiteboard of their systems at some point and they've drawn that out and said, okay, I know what my front and my back and those systems are. What we do is actually illuminate that, keep it up to date, and so when we go and say we need to solve this, we've already got that graph already in our tools and systems, and so when we provide them the context of what needs to be fixed, they're able to kind of match and earn a lot of trust versus just bringing them a list of things that is not linked to anything that they've ever seen before and saying please go patch this or please go fix this. So I think it's also a way to interact more positively with the business.
And that context, as you mentioned, is absolutely critical there because visibility can be overwhelming if not done properly. Walk me through some of the key use cases. I think incident response, I think vulnerability management. What are some of those key use cases that Jupiter One helps organizations to address?
Yeah, the first one is, you said vulnerability management, and vulnerability prioritization is really our core use case. When you think of how do I take all of this complexity in my environment, all these risks, and be able to really provide one prioritized list that's not just prioritized from the criticality of the vulnerability itself, which is one feature, it's obviously a very important one, but actually is that vulnerability or set of vulnerabilities something that I should care about because it's related to business impact, business criticality of the systems themselves. Maybe it's around that system having access to critical data, maybe it's a user who was on that system who is a vital user to the organization. Those pieces of context actually help you prioritize and give reasoning on why that vulnerability needs to be closed maybe earlier than another one, because we're all drowning in thousands of vulnerabilities, and being able to kind of process that at scale is a major challenge for most organizations.
That prioritization, it sounds like it really could be a game changer for security organizations. When you're in customer conversations and they're talking about their security strategy as they're looking to develop really solid defenses against threat actors, what's the role that Jupiter One plays for security organizations?
The first one is really just around making sure that you know your attack surface at all. I think in most organizations you have an idea of your attack surface, but then as you expand your business, maybe you've acquired or taken an investment in some other area or region, those are areas where you may not fully understand, and the business might have changed in the amount of time that's taken for you to maybe deploy a control. So many times what we're doing is actually helping your business to understand where the denominator is, the number of assets that exist, and then look at, okay, what sort of posture do I want for those and how do I prioritize the different states of those assets? An example is if I have an asset that doesn't contain maybe an intrusion detection capability or a host-based agent of some type, does it need to? Is it really important that that one has it versus something else? And bringing in the context around who and what organization owns that, it can be vitally important to help the business to prioritize that. So we see that as a really core use case, just understanding what you have and then focusing on what matters.
I was reading a Jupiter One press release the other day. It was about the 2023 State of Cyber Assets Report and it talked about assets and growth there, and it was like 133% year-on-year growth in cyber assets, which is challenging from a security complexity perspective. How does Jupiter One help organizations manage that year-on-year growth and mitigate the complexity?
The growth, this comes from business change. I think in many cases growth is a good thing. From a security perspective you might say, oh wow, that's something I need to be concerned about or something I need to minimize, but that's actually the opposite. What we need to be doing as security organizations is actually helping the business to manage that complexity, understand it, make it simpler and find patterns to better protect the information as it's being created, stored and used, versus saying no. And so really you see this proliferation when people move to cloud. Maybe they have a hybrid cloud strategy, they're building assets at the speed of code, and that can be on-prem or cloud assets. That's where we come in, because we're constantly polling the environment to look for change and be able to better link that to the types of information and patterns that they can deploy to secure themselves. And so really for us, expansion of assets, it's really for us in the definition: we look at assets as anything that can be software defined, not just in hardware and assets as I said earlier. And so really that helps businesses see that they can provide better security controls to their entire posture instead of very narrowly scoped things like a device or a mobile device or a laptop, but really something much more broad, which could be an entire environment that was built using Terraform or infrastructure as code.
So ecosystem wide. So with all of the different things, whether SIEMs, CSPM, where does Jupiter One fit in for customers who are managing multiple tools?
Well, really it's very similar to, I think, and you think of SIEMs 10 years ago, really it was about this proliferation of log information and situational data that's being pulled off of systems, and something that you said, okay, I need to be able to correlate this, normalize it and make sense of it. For us, we fit in a very similar vein, but now with configuration data. If you're able to take an entire environment and build it overnight, maybe delete it before your security team's on-call responsibilities have even been transferred, that becomes a major risk if you don't have real-time and regular visibility, comprehensively, to understand that environment and its rate of change. So really, similar to the SIEM market in the past, I think our product really fits in the state of looking at the state change information and configuration information, rate of change, and being able to provide similar analysis as well as insights to be able to just determine your security posture.
Right. Do you have a favorite customer story that you think, where Jupiter One really came in and helped them really get that contextual visibility so that they could optimize, prioritize and really wipe away some of those risks? Anything that comes to mind that you think really shines a light on your value prop?
Absolutely, I think we have a number of those. One of the ones that sticks out in my mind is a financial services company that really uses our products in a, I think, very innovative way for the way that they actually manage the migration of workloads to the cloud. By being basically, as we talked earlier around continuous compliance, they have, as you can imagine, extremely rigorous controls that they need to be applied, but they want to provide guardrails for the business, not blocking a sense of capabilities and stopping them from achieving their goal. So where they use Jupiter One is really alongside the business, giving them a lot of flexibility, having people be able to operate very quickly at scale but knowing that they have the guardrails in place and the checks that are happening repeatedly. And then when they go into production, those checks happen really multiple times per day through the lifecycle of that product, not just in the deployment in the early stages. So it's really like kind of a shift left, catching them very early, but then all the way through to their production environment.
And that's critical, that end-to-end posture is incredibly important. What are some of the things that we can be on the lookout for? What's next for Jupiter One?
Well, really for us it's how do we make complexity simpler and then enable customers to gain more visibility in their environment. So where we started in cloud, and I think most people know us for our work on the cloud side, we are expanding to bring more information in from on-premises. It's just vitally important that we have both sides of the story for customers. Everyone will have some form of cloud, but they also will have many parts of on-premises systems, as well as just making the views around our devices and our systems much clearer, bringing in additional types of analytics and metrics so that customers can make better decisions. So really for us, we're heavily focused and invested in that in the future, and we're really looking for ways that we can better take a massively complex environment and then make that very simple to help customers really get that contextual visibility, prioritize vulnerabilities and prioritize findings, and then ultimately optimize their environment and look for places that they can know that their security posture is as strong as possible.
Right, and that's a huge differentiator for your customers as well, knowing that they've got a strong security posture. Incredibly important. Sean, thank you so much for coming on theCUBE as part of this CUBE Conversation, helping us understand Jupiter One, your history, what you're all about and what you're helping customers achieve from a security perspective. We really appreciate your insights and your time.
Thank you.
We want to thank you for watching and reminding you to keep it right here for more action on theCUBE, your leader in hybrid tech event coverage.