A Strange Thing Happened on My Way to My Next Job
I’ve been doing cybersecurity for almost as long as we’ve been calling it cybersecurity. Almost…but not quite. Cybersecurity was coined as a term in 1989, and I cut my teeth in this industry in Alaska in the mid-90s. In fact, for those who remember that time period, I received my first Internet account during the Eternal September. Some would say that makes me part of the problem. Others would say that just means I’m old.
Anyhoo, cybersecurity really appealed to me because I liked the idea of helping people and companies be more secure. I enjoyed the challenge of the continuously changing technology landscape, but I also came to greatly respect the community that grew around the cybersecurity industry. Since the mid-1990s I’ve been a consultant, business owner, CTO, and even did a few stints as CISO. My times as a CISO were rewarding (if stressful); there were days when I would marvel at how far our industry had progressed, but simultaneously wonder how some foundational issues went largely unaddressed. I’m sure many of you have done the same.
Last year, I was looking for a change of pace and started talking to startups and venture capital firms, contemplating a new CISO opportunity. I enjoy building security programs, I’ve done the startup CISO thing a few times, and figured I’d have another go at it. It was during that process that I met up with Mourad Yesayan from Paladin Capital Group. We had originally met during my early days at Expel, where Paladin was an investor. Mourad and team were great to work with during my time at Expel and it was nice catching up with him while doing a little job hunting at the same time. As we were getting up from our coffee, I casually mentioned, “I have an idea for a product that I’ve been kicking around for a while. I don’t think anyone would fund it but it’s something I’ve always wanted to build.” Mourad graciously listened to my rant…and after several weeks of writing documents, forming a corporation, and pitching my idea to a broader set of folks at Paladin, Turngate landed its seed round of funding.
Super cool. I didn't intend to start a new company, but when the opportunity to build the thing you always wanted to build presents itself, you best jump on it.
Soooo… What was the idea and what is Turngate building?
In my time as a CISO it was striking to me how good our detection and response pipelines have become. There are a lot of technologies that provide high-quality signals of bad things happening, and tools to automate triage, response, and remediation. In fact, those problems have been the focus of the vast majority of security operations work for the last 20 years. The evolution of EDR, SIEM, SOAR, and MDR shows how dedicated people advanced the state of cybersecurity in the public and private sectors.
The same can’t be said for understanding what’s actually happening in our enterprises. Answering foundational questions about who a user is and what their account has been up to lately is still elusive. Enterprises generate a great deal of audit records from user activities, but beyond looking for security alerts, very little constructive work is being done with them. When an alert fires, we often know very specific information about the bad activity, but we lack the context around that activity. Say an alert fires for suspicious activity for Jim in accounting. We know the details of the alert (IP address, date/time, the specific bad thing Jim’s account did), but we have no idea who Jim from accounting is, what he does every day, and whether the action in the alert really is different from his normal activities, or whether some detection tech got a little over-excited.
Furthermore, there are many organizations (I’m looking at you, mid-size, cloud-native shops) that have fully ceded their security operations to a third party. MDR and XDR have become commonplace, and these services have dramatically streamlined detection and response for companies that otherwise would have little to no security operations capability. At the same time, those companies have little to no ability to see anything useful about user and system behavior. At best, they can export their logs into an ELK stack, data lake, or even a SIEM to try to make sense of the information. But if you’re only looking at the data periodically, it’s very hard to build up the knowledge and muscle memory around understanding what exactly these logs are telling you. Worse, these solutions are often very expensive in terms of licensing and the labor to support them.
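To make the "Jim from accounting" point concrete, here is a small added example (not Turngate's code, and not any vendor's log schema) that builds a baseline from a user's audit history and reports which attributes of an alerted event have never been seen for that user before. The history and the alert are constructed sample data, and the record layout (timestamp, service, action, source IP, country) is an assumption made for illustration.

```python
"""Put an alert in the context of a user's own audit history (constructed example)."""
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _iso(day, hour, minute):
    return day.replace(hour=hour, minute=minute).strftime(TS_FMT)


def _sample_history():
    """Constructed four-week history for a hypothetical user: weekdays only,
    one office address, a fixed daily routine. Field names are assumptions,
    not a real vendor's schema."""
    start = datetime(2024, 3, 4)  # a Monday
    records = []
    for offset in range(28):
        day = start + timedelta(days=offset)
        if day.weekday() >= 5:  # no weekend activity in the baseline
            continue
        records.append((_iso(day, 13, 2), "sso", "login", "203.0.113.10", "US"))
        records.append((_iso(day, 13, 5), "mail", "message.read", "203.0.113.10", "US"))
        records.append((_iso(day, 15, 40), "docs", "file.download", "203.0.113.10", "US"))
        records.append((_iso(day, 21, 58), "sso", "logout", "203.0.113.10", "US"))
    return records


HISTORY = _sample_history()

# The alert to explain: an action the user performs every day, but at 02:47 UTC
# from an address and country absent from the baseline (constructed).
ALERT = ("2024-04-01T02:47:09Z", "docs", "file.download", "198.51.100.77", "RO")


def build_profile(records):
    """Count how often each attribute value appears in the user's history."""
    profile = {"n": len(records)}
    for attr in ("ip", "country", "service", "action", "hour", "weekday"):
        profile[attr] = Counter()
    for ts, service, action, ip, country in records:
        t = datetime.strptime(ts, TS_FMT)
        profile["ip"][ip] += 1
        profile["country"][country] += 1
        profile["service"][service] += 1
        profile["action"][action] += 1
        profile["hour"][t.hour] += 1
        profile["weekday"][t.weekday()] += 1
    return profile


def explain_alert(profile, event):
    """For each attribute of the alert, report how common that value is in the
    baseline, and list the attributes never seen before for this user."""
    ts, service, action, ip, country = event
    t = datetime.strptime(ts, TS_FMT)
    values = {"ip": ip, "country": country, "service": service,
              "action": action, "hour": t.hour, "weekday": t.weekday()}
    attributes = {}
    for attr, value in values.items():
        seen = profile[attr][value]
        attributes[attr] = {"value": value, "seen": seen, "share": seen / profile["n"]}
    novel = [attr for attr, r in attributes.items() if r["seen"] == 0]
    return {"attributes": attributes, "novel": novel}


if __name__ == "__main__":
    result = explain_alert(build_profile(HISTORY), ALERT)
    for attr, r in result["attributes"].items():
        print(f"{attr:8} {r['value']!s:16} seen {r['seen']:3} times ({r['share']:.0%})")
    print("never seen before:", ", ".join(result["novel"]))
```

The output distinguishes the two things an analyst actually needs to know: the action itself (`file.download` from `docs`) is routine for this user, while the source IP, country, and hour of day are entirely new. That is the difference between "Jim does this every day" and "Jim's account did something Jim never does", and it is exactly the context the alert alone does not carry.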
Which gets us to the last problem. Google Workspace, Okta, and other SaaS providers are prolific at logging user activity. But *woof* is it hard to understand. Google Workspace alone has more than 20 different services, all capturing different information, all of which create audit records. It’s quite a game of whack-a-mole to dig through those logs to try to understand anything, let alone to find the answer to, “Who is Jim from accounting and what is he normally up to?”
What Turngate is Doing
Turngate has created a visual-first window into your audit data. We are building an at-a-glance interface designed to be easy to use; said another way, we want our customers to be able to open our product and get answers to their questions without having to take training, get certified, learn a new structured query language, or borrow knowledge from others who have been on the journey before them.
Throughout all this, my north star has actually been something decidedly not cybersecurity-related. If you’ve seen Disney’s Ratatouille, you’re familiar with Chef Gusteau and his mantra “Anyone can cook.” His general thesis is that everyone knows what good food is like, and there’s no reason that someone who knows what they like to eat can’t learn to cook. They just need to be taught in a way that is approachable and then the results will be surprising.
Similarly, while very few IT and security professionals know the specific log entries that represent a single sign-on event in Okta, they certainly know what a single sign-on event IS. The idea of a user entering their username, password, and TOTP code is something we are all familiar with. Without requiring deep knowledge of specific log formats, Turngate’s interface lets users quickly find the logs that are actually useful to them. So, again, while we’re not teaching people to cook, we are making it so anyone with basic IT or security knowledge can perform a security investigation.
As previously mentioned, analysts in even the most sophisticated SOCs can be overburdened with alerts, and may find themselves missing the context provided by user behavior. Contextual information is a key element in addressing alerts and incidents both quickly and correctly. Turngate brings that information to the forefront.
My goal with Turngate is to make security more accessible to everyone. And for those that already have a security operations program, we will augment existing processes with clarity and understanding that will speed investigations and ultimately lead to better outcomes.
It’s been quite a journey already, but we’re just getting started. After nearly 30 years in this industry, I’m struck by the dichotomy of how far we’ve come, yet we still have many problems to solve. At Turngate, we believe that by helping to provide clarity and understanding of what’s happening in an enterprise, we can leave a lasting impression on the industry and help improve organizations around the world.
We’re excited to see what the next few years bring and I’m glad you’re along for the ride. :)
-Bruce