Are you getting ready for the upcoming RSA Conference, the
world's leading information security conference and
exposition? The
event is quickly approaching, taking place June 6-9, 2022, both
digitally and yes, physically, at the Moscone Center in San
Francisco. For four days, you'll gain insights, join conversations and
experience solutions that could make a huge impact on your organization
and your career.
Ahead of the show, VMblog received an exclusive interview with Jasmine
Henry, Field Security Director at JupiterOne, a cyber asset attack surface management (CAASM) platform company that provides visibility and security into your entire cyber asset universe.
VMblog:
To kick things off, give VMblog readers a quick overview of the
company.
Jasmine
Henry: JupiterOne delivers on its unique vision to
bring complete visibility into cyber asset data and give greater context that
organizations can fully rely on to optimize their security operations.
Our
technology is the first cloud-native cyber asset attack surface management
(CAASM) platform built on a graph data model to expose the intricate
relationships between cyber assets. JupiterOne collects
and analyzes data from every single "thing" in your technology stack and
digital operations - cloud service providers, code repos, endpoints, SaaS apps,
IAM policies, security controls, vulnerability findings, and more - to give you
a holistic view of your cyber asset universe that you can't get anywhere else. This unprecedented level
of visibility and context, especially across complex cloud environments,
improves the effectiveness and precision of key security workflows such as
incident response, access management, vulnerability prioritization, security
engineering and automation, application and product security, and cloud and
SaaS security.
VMblog: What
is your message to RSA attendees and those individuals who won't be able to
make the conference this year?
Henry: You can't protect what you can't see.
Visibility is the foundation of every security program, and the first step in
protecting an enterprise is figuring out what needs to be protected. As
organizations continue to shift to the cloud to scale their operations, new
challenges around visibility arise. Cloud environments have made the attack
surface much more dynamic, defying traditional security tools' ability to
identify, map, analyze, and secure their cyber assets.
JupiterOne is passionate about combining
innovation and execution to deliver practical solutions that address this
critical security challenge. Our platform centralizes data aggregation across
all of your security tools and data sources to provide a single, unified view
of your entire cyber asset universe. This data is also correlated using a
relational database that shows how assets are connected and lets you visualize
and determine the blast radius of any incident.
VMblog:
What market needs or problems are you addressing in the security space?
Henry: JupiterOne is used daily by organizations of
all sizes and is the CAASM platform of choice for companies that have adopted
the cloud as the infrastructure for their operations. By delivering on their
need for greater visibility and context, security teams can use JupiterOne to:
- Identify, map, analyze, and secure
cyber assets and the attack surface
- Fast-track incident response with
an interactive view of the threat landscape
- Enhance vulnerability management
with a centralized view of cyber assets
- Discover and prioritize identity
and access management risks across all cyber assets
- Build continuous security and
compliance into the DevOps process
- Simplify IT asset management for
improved inventory and monitoring
- Optimize automated processes to
better rely on their programmed actions
With JupiterOne, users know what they have and
how it all operates together while also enabling them to query their entire
cyber asset ecosystem to find answers to nearly any question in seconds.
VMblog:
Where/how can attendees find you at the show?
Henry: You can find the JupiterOne team at the Moscone
Center South Hall, booth #S-325. Our team will be ready to answer your
questions, walk you through our product demo, and leave you with a few
takeaways and giveaways.
You can also catch a book signing for "Reinventing Cybersecurity", a book I
co-authored, and the first cybersecurity book written entirely by women and
non-binary security experts. It is a collection of original stories on
cybersecurity topics such as boardroom presentations, risk management, incident
response, and navigating the C-suite; and insights on navigating imposter
syndrome, systemic bias, and hiring. Several of the authors will be signing
copies on June 7 at 2:30 pm, at the
JupiterOne booth #S-325 Moscone South.
VMblog: What are some of the key
takeaways of your solution that RSA conference goers should be aware of? And
what sets you apart from the competition?
Henry: JupiterOne is the market's only cloud-native
CAASM platform that provides visibility and security across your entire cyber
asset universe. With JupiterOne, security teams can discover, monitor,
understand, and act on changes to their digital environments. Cloud resources,
ephemeral devices, identities, access rights, code, pull requests, and much
more are automatically collected, graphed, and monitored.
This granular insight allows organizations to
easily make connections between cloud, development, infrastructure, and
cybersecurity-related tooling. In addition, JupiterOne has a much broader and
deeper approach to integrations than other technologies on the market. In this
way, customers can extract greater context from across all of their security
tools to easily analyze their cloud security posture configurations and make
connections between all manner of cyber asset classes.
VMblog:
Is your company launching anything new at the show? Can you give us a
sneak peek?
Henry: At RSA, we will be showcasing new feature
additions to the JupiterOne platform. These features improve the platform's
usability while also reducing the time it takes to query and visualize cyber
asset data in a way that no other platform can provide.
One of these new features is Critical Assets,
a recently launched solution that helps security teams easily identify,
analyze, and secure their most important cyber assets. Let's just say that not
all assets are created equal. There are business-critical assets that, if
compromised, would have a devastating impact on your business. Those assets and
alerts need to be monitored and prioritized because every asset connected to a
business is a potential entry point for attackers. Cybersecurity leaders and
practitioners need a solution that can help them prioritize their efforts to
effectively manage and secure their expanding attack surface.
Critical Assets empowers you to define which
cyber assets are business-critical to your organization. This can be a real
challenge for organizations with growing cyber asset ecosystems such as
communications service providers, users, devices, code repositories,
permissions, third-party partners, and more.
The average security team uses dozens of
separate tools to manage asset inventories and oversee more than 165,000 cyber
assets. With Critical Assets, JupiterOne can quickly surface information about
an organization's cyber assets and provide the ability to easily define
specific assets as critical, making it much simpler to monitor those assets and
take quick action whenever something changes.
We have a few more things in store that we're
saving for RSA, so be sure to stop by the JupiterOne booth (#S-325) and check
out our demo!
VMblog:
What will you be showing off at the show this year?
Henry: In
addition to the new features we'll be demonstrating at the conference, we will
be showcasing some genuinely exciting research and thought leadership from the
JupiterOne team and community. Visitors to the JupiterOne booth (#S-325) can
expect access to unique research such as The
2022 State of Cyber Assets Report (SCAR) as well as complimentary copies of
two recent books from JupiterOne Press, Reinventing
Cybersecurity and Sounil Yu's Cyber
Defense Matrix. There will also be an opportunity to explore JupiterOne's
product demos and use cases with our Solutions Architects, or see some of the
exciting ways JupiterOne is collaborating with our integration partners.
If
I had to summarize what we're showcasing in a single word, it would definitely
be growth. This has been a year of incredible growth for JupiterOne in every
possible sense. We've been fortunate to grow our customer base, team, product
features, partnerships, and community. This has enabled us to deliver a more
powerful graph-based CAASM technology to address some really exciting use
cases, as well as thought leadership we can share with RSAC attendees.
VMblog:
What are some top priorities for security leaders at RSA to consider this year?
Henry: Across the board, the top priority in security
leaders' minds is securing their cloud environments. As remote workforce trends
become the norm, and scalability becomes a requirement, organizations have no
other option but to leverage the cloud to support their operations and increase
their agility. This results in a greater reliance on SaaS applications and
cloud storage, both of which introduce new risks and challenges for security
teams to address.
Therefore, at RSA, we expect to see security
leaders looking for innovative solutions to address every aspect of their cloud
security, including asset visibility, access management, vulnerability
management, attack surface management, and more. In addition, with the rise of
SaaS adoption, we anticipate seeing security leaders from organizations focused
on cloud-native software development and delivery looking for DevSecOps
solutions, including those that can help them monitor and alert on risks and
changes to their environments so they don't open security gaps as they write or
deploy code.
VMblog:
What are some of the security best practices you would deem critical?
Henry: As the scope of the cyber hygiene challenge outpaces the
availability of expert resources, security teams are losing ground in their
efforts to protect their organizations. As best practice, security leaders will
need to think differently about how to address immediate challenges in security
operations to strengthen their security teams, while considering novel ways to
attract, train, and retain talent with modern approaches to the security
technology stack.
Modern cybersecurity is built upon knowledge
of your infrastructure and cyber assets. Knowing what exists, where it exists,
and all pertinent metadata around each asset makes it possible to build an
effective security program on top of that knowledge. Not only is it important
to connect your cloud, infrastructure, development, and cybersecurity tooling
APIs, it is also critical to map the connections between all assets to provide
context into how these systems interoperate.
Such deep context makes it possible to ask
extremely complex questions and get answers back within seconds. This context
shouldn't just be considered best practice, but a must-have for conducting
reliable security operations.
VMblog:
I'm sure the keynotes will discuss big pictures, but what trends are you seeing
that we should be aware of in 2022?
Henry: The
resource and skills shortage is a noteworthy trend, and one that has a
significant impact on CISOs and security practitioners. JupiterOne's research
shows that the average security team has 120,561 security findings in their backlog
since many security organizations are overworked and understaffed. There will
be significant discussion at RSA on the important topic of talent and how we
can change the ways we hire for security roles. The talent conversation
matters, especially since security practices and tooling are becoming
significantly more cloud-native, automated, and data-driven than ever before.
I also anticipate significant discussion
around supply chain risk management, including related strategies such as
vendor consolidation. In a hopelessly complex supply chain landscape, vendor
consolidation is one method that can help organizations gain greater control
over their attack surface and third-party risks. Supply chain attacks and
macroeconomic conditions are likely to dominate discussions about risk
management in the enterprise security organization, and could impact the way
RSAC attendees interact with vendors at the event also.
Last,
I would mention that I anticipate a response in both talks and solutions to the
global ransomware threat vector and its complex impact on organizations of all
sizes. Many organizations are encountering more complex policies from their cyber
liability insurance providers, including steep barriers to be covered by a
policy. The issue is extremely complex and the solution isn't as easy as
visibility into the attack surface, although that certainly helps. I expect
discussion around increasingly destructive, costly ransomware attacks will
recognize the complexity of this issue.
VMblog:
Does your company have any speaking slots at RSA? If so, can you tell us
more about those sessions so people can get them on their schedules?
Henry: We certainly do. Our JupiterOne experts will be
delivering several presentations at RSA, including:
- Monday, June 6 - 8:30am to 9:20am in Moscone West 3018
Cyber Defense Matrix: Revolutions
Sounil Yu, CISO and Head of Research, JupiterOne
The Cyber Defense Matrix (CDM) helps people organize and understand gaps in their overall security program. This session will unveil several new use cases of the CDM, including how to map the latest startup vendors and security trends, anticipate gaps, develop program roadmaps, capture metrics, reconcile inventories, improve situational awareness, and create a board-level view of their entire program.
- Tuesday, June 7 - 9:40am to 10:30am in Moscone West 3002
How Behavioral Economics Can Help Make Better Security Decisions
Kelly Shortridge, Senior Principal Product Technologist, Fastly
Sounil Yu, CISO and Head of Research, JupiterOne
Using fun props and relevant examples, this session will show how behavioral economics can help practitioners understand why users make "bad security decisions" such as sharing devices, choosing poor passwords, and downloading questionable links. By understanding behavioral economics, security teams can help others, and themselves, make better security and risk decisions.
- Tuesday, June 7 - 11:15am to 12:15pm in Moscone South 303
Reinventing Cybersecurity: Tales of Rebellion and Resistance (at DevOps Connect)
Jasmine Henry, Field Security Director, JupiterOne
Tracy Bannon, Senior Principal, The MITRE Corporation
Coleen Shane, Network Security Engineer, Quick Quack Car Wash
Breanne Boland, Product Security Engineer, Gusto
To operationalize a culture where security is shifted left in meaningful ways, the industry needs rebels and revolutionaries who are willing to rethink everything. That idea is the basis of the book "Reinventing Cybersecurity," an anthology of essays by leading women and non-binary security practitioners, and it's the basis of this discussion about how DevSecOps practitioners are leading with influence in their organizations and careers.
- Tuesday, June 7 - 2:25pm to 3:15pm in Moscone South 306
Hacking Her Career (H2C2)
Jasmine Henry, Field Security Director, JupiterOne
Mary Balogun, Security & Compliance Manager at Experian
Keenan Skelly, CEO of Shadowbyte
Mari Galloway, CEO of Cyberjutsu & Architect at Palo Alto Networks
Each interactive roundtable will explore short talks on: Best Cyber Books, Resources, Podcasts; 0wning the Interview; Better Salary Negotiations; High-Growth Careers; Being Heard; Getting Hands-On Tech Experience; Playing to Win; and much more.
- Thursday, June 9 - 8:30am to 10:30am in Moscone West 2020
Cyber Defense Matrix Learning Lab
Sounil Yu, CISO and Head of Research, JupiterOne
Jasmine Henry, Field Security Director, JupiterOne
The Cyber Defense Matrix (CDM) helps practitioners organize their overall security program. This Learning Lab will walk participants step-by-step through several use cases of the CDM, including how to map the latest startup vendors and security trends, organize controls, capture measurements and metrics, and align skill sets needed to support the functions of the security program.
VMblog:
Is your company giving away any interesting tchotchke?
Henry: We
have something for almost everyone:
- For the collectors: We are upping our flair game with two new lapel pins of the JupiterOne astronaut and our new mascot, Spot!
- For the readers: We are also giving away copies of our two most recent books from JupiterOne Press, "Reinventing Cybersecurity" and "The Cyber Defense Matrix."
- For the cyber geek in all of us: We're raffling a Lego® NASA Space Shuttle Discovery set every day.
- For everyone: Make sure to get your JupiterOne tote bag to transport all of your business hall SWAG.
VMblog:
As a show sponsor, do you have any tips for attendees to better prepare or
handle the conference?
Henry: This is definitely not my first trip to RSAC as
a sponsor or attendee, and I would say that first-time and multi-time attendees
should prepare to be overwhelmed in a good way. Historically, the RSA
conference has been the largest North American security show, and it's also the
first one to kick off the calendar year of major conferences. For many of us,
this is our first major event after the COVID-19 pandemic, so I would caution
attendees to prepare to stay healthy, hydrated, and rested at what could
potentially be a very tiring event. The single best way to prepare is with a
plan - start now to plan out which sessions you'll attend, and populate your
schedule with time to visit must-see vendor booths and dinners. We certainly
hope you decide to stop by Booth #S-325 to see the JupiterOne team and try your
luck at a raffle to win a set of space shuttle Legos®!
I
would also advise attendees to consider the security of their personal and
corporate data. While RSA isn't necessarily known to be the most hostile
conference network, it is critically important to protect your payment cards,
mobile device, and data from potential security threats at any conference. In
JupiterOne's recent book, Reinventing
Cybersecurity, author Coleen Shane has a fantastic set of safety tips for
attendees to cybersecurity conferences, which I'll paraphrase below:
- Update all device operating systems, apps, and anti-virus before you arrive.
- Protect your debit and credit cards with an RFID sleeve or foil.
- Avoid free WiFi and USB sticks.
- Close your device ports while you're on-site by turning off Bluetooth and NFC.
- Be aware of your surroundings; do not leave your bags unattended.
- Scan your devices for malware.
- Protect all of your accounts with multi-factor authentication (MFA).
- Use a VPN.
- Leave your electronics and cards behind if you don't need them on-site!
Make sure to protect your personal and work
data with these basic cybersecurity hygiene measures, and beyond that, be sure
to have fun. RSAC is an experience unlike any other.