well hello everybody John Wallace here on thecube he's continuing our segments here on the AWS Global startup showcase we are at day three of Reinventing irking Zhang is joining us now he is the CEO co-founder of Jupiter one um first off before we get going talking about you know security and big world for you guys I know what's your take on the show what's been going on out here at re invent yeah yeah ring event has been one of my favorite shows there's a lot of people here there's a lot of topics of course it's not just cyber security a lot of cloud infrastructure and just technology in general so you get a lot you know if you go walk the floor you see a lot of vendors you look at us go into sessions you can learn a lot but you're the Hot Topic right everybody's focused on Cyber yeah big time and with good reason right because as we know the Bad actors are getting even smarter and even faster and even more Nimble so just paint the landscape for me here in general right now as you see uh security Cloud Security in particular and and kind of where we are in that battle well we are clearly not winning so I think that in itself is a bit of a uh interesting problem right so as a it's not just Cloud security if you think about cyber security in general as an industry it has it has not been around for that long right but if you just look at the history of it uh we haven't done that while so uh pick another industry say medicine which has been around forever and if you look at the history of Medicine well I would argue you has done tremendously well because people live longer right when you get sick you get access to health care and yeah exactly you have Solutions and and you can see the trend even though there are problems in healthcare of course right but the trend is is good it's going well but not in cyber security more breaches more attacks more attackers we don't know what the hell we're doing with that many solutions and you know that's been one of my struggles as a former CSO and security practitioner for many years you know why is it that we're not getting better all right so I'm going to ask you the question yeah okay why aren't we getting better you know how come we can't stay ahead of the curve on this thing that for some reason it's like whack-a-mole times a hundred every time we think we solve one problem we have a hundred more that show up over here exactly and we have to address that and and our attention keeps floating around yeah I think you said it right so because we're taking this guacamole approach and we're looking for the painkiller of the day and you know we're looking for uh the Band-Aids right so and then we ended up well I I think to be fair to be fair to your industry the industry moves so quickly technology in general moves so quickly and security has been playing catch-up over time we're still playing catch-up so when you're playing catch-up you you can almost only uh look at you know what's the painkiller of what's the band name of the day so I can stop the bleeding right but I do think that we're we're to a point or we have enough painkillers and Band-Aids and and we need to start looking at how can we do better fundamentally with the basics and do the basics well because a lot of times the basics that get you into trouble so fundamentally the foundation I if I hear you right what you're saying is um you know quick changing industry right things are moving rapidly but we're not blocking and tackling we're not doing the X's and O's and so forget changing and we we got to get back to the basis and do those things right exactly you can only seem so simple it seems so simple but it's so hard right so you can you can think about you know uh even in case of building a starter building a company and and in order at one point right so we're blocking uh blocking tackling and then when we grow to a certain size we have to scale we have to figure out how to scale the business this is the same problem that happens in security as an industry we've been blocking happening for so long you know we're the industry is so young but we're to a point that we got to figure out how to scale this scale this in a fundamentally different way and I'll give you some example right so so what when we say the basics now it's easy to to think that say users should have MFA enabled is one of the basics right or another Basics will be you have endpoint protection on your devices you know maybe it's Cloud strike or Sentinel one or carbon black or whatever but the question being how do you know it is working 100 of the time right how do you know that how do you know right you find out too exactly that's right and how do you know that you have 100 coverage on your endpoints those Solutions are not going to tell you because they don't know what they don't know right if it's not enabled if it's not you know what what's the negative that you are not seeing so that's one of the things that you know that's in the basic state that you're now covering so the fundamentals it really goes to these five questions that I think that nobody has a really good answer for until now so the five questions goes what do I have right is it important what's important out of all the things I have you have a lot right you could have millions of things what important now for those that are important does it have a problem and if it has a problem who can fix it because the reality is in most cases security teams are not the ones fixing the problems they're they're the ones identical they're very good at recognizing but not so good exactly identifying the owner who can fix it right right could be could be business owner could be Engineers so the the asset ownership identification right so so these four questions and and then over time you know whether it's over a week or a month or a quarter or a year am I getting better right and then you just keep asking these questions in different areas in different domains with a different lens right so maybe that's endpoints maybe that's Cloud maybe that's you know users maybe that's a product and applications right but it really boils down to these five questions that's the foundation for any good security program if you can do that well I think we cover a lot of bases and we're going to be in much better shape than we have been all right so where do you come in man Jupiter one in terms of what you're providing because obviously you've identified this kind of pyramid yes this hierarchy of addressing needs and I assume obviously knowing you as I do and knowing the company as I do you've got Solutions that's exactly right right and and we precisely answer those five questions right for uh any organization uh from a asset perspective right because all the the answers to all those these five questions are based in assets it starts with knowing what I have right right so the the overall challenge of cyber security being broke broken I I believe is fundamentally that people do not understand and cannot uh probably deal with the complexity that we have within our own environments so again like you know using uh medicine as an example right so in order to come up with the right medicine for either it's a vaccine for covid-19 or whether it is a treatment for cancer or whatever that case may be you have to start with the foundations of understanding both the pathogen and to the human body like DNA sequencing right without those you cannot effectively produce the right medicine in modern uh you know Medicine sure right so that is the same thing that's happening in cyber security you know we spend a lot of times you know putting band days in patches right and then we spend a lot of time doing attacker research from the outside but we don't fundamentally understand in a complete way what's the complexity within our own environment in terms of digital assets and that's that's almost like the DNA of your own work what is that kind of mind-blowing in a way that if again hearing you what you're talking about is saying that the first step is to identify what you have that's right so it seems just so basic that that I should know what I what's under my hood I should know what is valuable and what is not I should prioritize what I really need to protect and what maybe can go on the second shelf yeah it has been a tough problem since the beginning of I.T not just the beginning of cyber security right so in the history of I.T we have this thing called cmdb configuration management database it is supposed to capture the configurations of it assets now over time that has become a lot more complex and and there's a lot more than just it asset that we have to understand from a security and attack service perspective right so we have to understand I.T environments we have to understand Cloud environments and applications and users and access and data and as and all of those things then then we have to take a different approach of sort of a modern cmdb right so what is the way that we can understand all of those complexity within all of those assets but not just independently within those silos but rather in a connected way so we can not only understand the attack surface but only but also understand the attack path that connect the dots from one thing to another right because everything in the organization is actually connected if if there's any one thing that sits on an island right so if you say you have a a a a server or a device or a user that is on an island that is not connected to the rest of the organization then why have it right and it doesn't matter so it's the understanding of that connect connected tissue this entire map where this you know DNA sequencing equivalent of a digital organization is what Jupiter one provides right so that visibility of the fundamental you know very granular uh level of assets and resources to answer those five questions and how does that how do I get better at that then I mean I have you to help me but but internally within our organization um I mean I don't want to be rude but I mean do I have do I have the skill for that do I have um do I have the the internal horsepower for that or or is there some need to close that Gap and how do I do it you know I'll tell you two things right so so one you mentioned the worst skills right so let me start there so because this one is very interesting we also have a huge skills shortage in cyber security we will we've all heard that for years and and and and for a long time but if you dig deeper into it why is that why is that and you know we have a lot of you know talented people right so why do we still have a skills shortage now what's interesting is if you think about what we're asking security people to do is mind-boggling so if you if you get a security analyst to say hey I want to understand how to protect something or or how to deal with an incident and what you're asking the person to do is not only to understand the security concept and be a domain expert in security you're also asking the person to and understand at the same time AWS or other clouds or endpoints or code or applications so that you can properly do the analysis and the in the response it's it's impossible it's like you know if you have you have to have a person who's an expert in everything know everything about everything that's right it's impossible so so so that's that's one thing that we have to to resolve is how do we use technology like Jupiter one to provide an abstraction so that there's Automation in place to help the security teams be better at their jobs without having to be an expert in deep technology right just add the abstract level of understanding because you know we can we can model the data and and provide the analysis and visual visualization out of the box for them so they can focus on just the security practices so that's one and the second thing is we have to change the mindset like take vulnerability management as an example right so the mindset for vulnerability management has been how do I manage findings now we have to change it to the concept of more proactive and how to manage assets so let's think about uh you know say log4j right that that happened and uh you know when it happened everybody scrambles and said hey which which devices or which you know uh systems have log4j and you know it doesn't matter what's the impact we can fix it right going back to those questions that that I mentioned before right and then um and then they try to look for a solution at a time say well where's that silver bullet that can give me the answers now what what what we struggle with though is that you know I want to maybe ask the question where were you six months ago where were you six months ago where you could have done the due diligence and put something in place that help you understand all of these assets and connections so you can go to one place and just ask for that question when something like that you know hit the fan so so if we do not fundamentally change the mindset to say I have to look at things not from a reactive findings perspective but really starting from an asset-centric you know day one perspective to look at that and have this Foundation have this map build we can't get there right so it's like you know if I need direction I go to Google Maps right but the the reason that it works is because somebody has done the work of creating the map right right if you haven't if you don't have the map and you just at you know when the time you say I gotta go somewhere and you expect the map to magically happen to show you the direction it's not going to work right right I imagine there are a lot of people out there right now are listening to thinking oh boy you know and that's what Jupiter one's all about they're there to answer your oh boy thanks for the time of course I appreciate the insights as well it's nice to know that uh at least somebody is reminding us to keep the front door locked too that's just the back door the side doors keep that front door and that garage locked up too definitely um all right we'll continue our coverage here at AWS re invent 22 this is part of the AWS Global startup showcase and you're watching the cube the leader in high-tech coverage foreign