UPDATED 16:58 EDT / DECEMBER 12 2022

Erkang Zheng at the AWS re:Invent 2022 Global Startup Program

JupiterOne pinpoints cures to cybersecurity ailments

One of the big topics of discussion at AWS re:Invent 2022 was cybersecurity, and with good reason: Bad actors are getting more sophisticated. Cloud security needs to respond in kind.

JupiterOne Inc., a “cyber asset attack surface management” company, believes the trend hasn’t been good in the cybersecurity industry — perhaps one issue gets resolved, but a hundred follow in its wake.

“I do think that we’re at a point where we have enough painkillers and Band-Aids,” said Erkang Zheng (pictured), founder and chief executive officer of JupiterOne. “We need to start looking at how we can do better, fundamentally, with the basics and do the basics well. Because a lot of times, it’s the basics that get you into trouble.”

That might seem like a simple solution, but it’s not always the case in practice. It’s easy to think that users should have multi-factor authentication, or MFA, enabled or endpoint protection on devices.

“But the question being, how do you know it is working 100% of the time? How do you know that?” Zheng asked.

Zheng discussed that issue, and JupiterOne’s potential solutions, during a conversation with theCUBE industry analyst John Walls at AWS re:Invent, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. (* Disclosure below.)

Boiling it down to five questions

JupiterOne believes security is a data problem that needs an engineering approach and a platform for consolidation. It raised $70M on a $1 billion valuation to boost its market capabilities earlier this year.

For Zheng, it’s essential not to find out MFA or endpoint protection is not functioning after the fact, when it’s too late. To prevent that, organizations need to ask themselves five basic questions: What do I have? What’s important out of all the things I have? Out of those things, do I have a problem? If so, who can fix it? And, finally, over time, am I getting better?

“You just keep asking these questions in different areas, in different domains, with a different lens,” Zheng said. “Maybe that’s endpoints. Maybe that’s cloud. Maybe that’s users. Maybe that’s product and applications. But it really boils down to these five questions. That’s the foundation for any good security program.”

Approaching it that way — thinking about it as diagnosing a problem and applying medicine to it — forms the essence of JupiterOne’s approach.

“We spend a lot of time doing attacker research from the outside, but we don’t fundamentally understand, in a complete way, what’s the complexity within our own environment in terms of digital assets,” Zheng said. “And that’s almost like the DNA of your own work.”

On trying to find experts in everything

For years, there’s been a constant refrain in the cybersecurity space: There is a lingering skills shortage, making it difficult for organizations to find and retain skilled staff.

Why is there a skills shortage when many talented people are out there? It has to do with the “mind-boggling” number of tasks requested of security people, according to Zheng. For example, suppose one asks a security analyst how to protect something or deal with an incident. What one is asking that individual to do is not only understand the security concept and be a domain expert in security, but also to understand AWS, other clouds, endpoints, code, and applications to do an analysis and a response properly.

“It’s impossible. You have to have a person who’s then an expert in everything,” Zheng stated. “That’s one thing we have to resolve; it’s how we use technology like JupiterOne to provide an abstraction so that there’s automation in place to help the security teams be better at their jobs without having to be an expert in deep technology.”

JupiterOne models the data and provides the analysis and visualization out of the box so organizations can just focus on security practices. Then, the company seeks to change mindsets — for example, regarding vulnerability management.

“The mindset for vulnerability management has been, how do I manage findings? Now we have to change it to the concept of more proactive, how to manage assets,” he said.

If mindsets aren’t fundamentally changed, that poses a problem, Zheng added.

“I have to look at things, not from a reactive, findings perspective, but really starting from an asset-centric, day-one perspective, to look at that and have this foundation — have this map built,” he said. “If I need direction, I go to Google Maps. But the reason that it works is because somebody has done the work of creating the map.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS re:Invent 2022 Global Startup Program:

(* Disclosure: JupiterOne Inc. sponsored this segment of theCUBE. Neither JupiterOne Inc. nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
