In this episode of the Security Ledger podcast, we interview Josh McCarthy, the co-founder of Revelstoke Security, about the challenge of launching a start-up just as the COVID pandemic was breaking across the globe and forcing society – and the economy – into lockdown. We also talk about the growing demand for Security Orchestration, Automation and Response (or SOAR) technology to make sense of the storm of security data and feeds, and Revelstoke’s unique approach to managing security data.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
The COVID pandemic proved to be a ‘make or break’ moment for many companies. The sudden shift from in-office to remote work disrupted long established work patterns and had ripple effects throughout the economy – from commercial real estate to the restaurant and dry cleaning businesses.
Meet the shutdown start-up
For technology start-ups, however, the effects were more muted. The flexible work arrangements and heavy reliance on managed, cloud based infrastructure and tooling often meant that life during COVID was “business as usual.” But what about trying to launch a start up in the midst of an emerging global pandemic? That’s something a lot harder to pull off. But our guest today managed to do it. Josh McCarthy is the chief Product Officer and co-founder of Revelstoke Security, a San Francisco based startup in the SOAR space – that’s Security Orchestration, Automation and Response.
SOAR for the non-Jedi
In this conversation, Josh and I talk about the challenge of starting up Revelstoke just as COVID was shutting down pretty much everything else.
We also talk about the growing need for automation in the security space, as the demands on security practitioners mount. With ever more data from ever more security tools and point products, picking the security needle out of a stack of needles is more important than ever. It’s also a job that the human brain is ill suited to. Josh and I talk about how companies are trying to manage that task and how the SOAR space is evolving to meet that demand.
To start out, I asked Josh to talk about Revelstoke and what a ski town in British Columbia has to do with security automation.
You can listen to the podcast using the player (above) or download the MP3 using the button.
Josh McCarthy Revelstoke: I’m Josh McCarthy. Co-founder and chief product Officer at Rebel Stoke Security.
Paul Roberts, Security Ledger: Excellent. Josh. Welcome to the Security Ledger podcast.
Josh McCarthy Revelstoke: Happy to be here.
Paul Roberts, Security Ledger: It’s great to have you. Okay. So for our listeners who may not have heard of Revelstoke just tell us a little bit about the company and what you do.
Josh McCarthy Revelstoke: Yeah. Happy to do that. So for those that have heard the name Revelstoke is probably, cuz they’re skiers, so…
Paul Roberts, Security Ledger: Yes. So it’s a, when you Google it, it’s a town in British Columbia
Josh McCarthy Revelstoke: yes, that’s exactly,
Paul Roberts, Security Ledger: There’s a story behind that. Yeah.
Josh McCarthy Revelstoke: Yeah, so I’m one of the two co-founders. The other is Bob Cruz, he’s our CEO and he’s an avid skier and so he does skiing all the time. And when we went out to found the company, I said, Bob, whatever you do, I can’t be in charge of naming it because it will be something horrible and dumb.
And so he he came up with Revelstoke, like his first take. It sounded great. And we went with it. For those that have heard the name Revelstoke, that’s probably the context they, they’ve heard in for most. So
Paul Roberts, Security Ledger: I’m gonna say it’s a good name. It’s a good name.[00:01:00]
Josh McCarthy Revelstoke: Yeah. It’s got Revel. It’s got Stoke. You can use ’em,
Paul Roberts, Security Ledger: Sounds edgy and cool, yet it also has some history behind it.
Josh McCarthy Revelstoke: Gives us an eventual location for an offsite,
Paul Roberts, Security Ledger: I was gonna say yeah. That said, you are not based in Revelstoke You are based in California.
Josh McCarthy Revelstoke: Correct. Although we are a very spread out team. So we were founded right at the start of COVID. In fact, we did the first investor pitch. At RSA, the first one that they shut down or almost shut down, like in the middle. In
Paul Roberts, Security Ledger: In 2020. Yeah. Yeah. I was at that.
Josh McCarthy Revelstoke: And so it, the funding took longer to close than we thought because no one knew how to operate in the New World at that point. And We didn’t, we started pitching and didn’t get the funding closed until July of the same year. So it was very interesting navigating that process with the, an unknown over our heads the whole time.
Paul Roberts, Security Ledger: I remember that RSA, it was you felt like you were in Star Wars where there, where they like slide through the closing doors, just, you felt like things were shutting down, like all [00:02:00] around you, and it was just like, let’s just get through this and get home and then everything’s gonna shut down.
Josh McCarthy Revelstoke: Yep. Yeah, we did. It was funny cuz we did the full, speaking of that exact thing, we did the full first like investor, partner pitch like I want to say a week or two later. And we did it at Santana Row in San Jose, which locals will be familiar with. Anyway, we did it and we go to a bar right after to celebrate, right?
And literally we’re in the bar and it’s the same day. Everything is shutting down. They kick us out early because lockdown started. So it was really crazy.
Paul Roberts, Security Ledger: This is the last call to end, last calls
Josh McCarthy Revelstoke: Exactly.
Paul Roberts, Security Ledger: This is the last call for about eight months!
Josh McCarthy Revelstoke: The flatten the curve calls. . . Yeah.
Paul Roberts, Security Ledger: So what looking back on it, it’s, in some ways starting a company from scratch during the pandemic, maybe not such a bad thing. because there’s a lot of, a lot of runway when you’re starting a company.
There’s a lot of downtime where you’re not out there actively trying to sell or, so was it, looking back, was [00:03:00] it good? Was it a good thing to start during a pandemic or not?
Josh McCarthy Revelstoke: I Maybe there’s pros and cons for sure. I think one of the pros was that it allowed us to hire. Wherever we wanted because there wasn’t gonna be a physical office for the foreseeable future. And so
Paul Roberts, Security Ledger: was like off the table.
Josh McCarthy Revelstoke: Yeah, exactly. And so that part was of cool because it let us hire in a new and different way that I had never done before.
And it’s worked out really great for us so far. And I think it would’ve missed out on that if it wasn’t for Covid. So that part was good. The only negative is you can’t all meet as a team, right? Like you’re trying to build these bonds early on, especially if it’s all over Zoom, which was a little different.
We had an advantage in that even today most people at Revelstoke have worked with at least one other person before. So everybody has worked with probably half the people or more at previous companies. So that, that got us over that hurdle a bit, but it still, it’s nice to meet in person from time to time, which just wasn’t an option early on.
Paul Roberts, Security Ledger: Yeah, I don’t know [00:04:00] about you, but like in the past probably six months, these sort of oh I’m about to go meet this person for the first time, who I’ve actually been working with for years.
Josh McCarthy Revelstoke: Yep.
Paul Roberts, Security Ledger: But we’ve never actually met face to face and we’re gonna meet for the first time.
And it’s like such a strange experience. I mean one thing that’s interesting is, when you’re starting a company, obviously usually for startups, particularly in, kind of Silicon Valley, office space is a huge expense for startups. It’s just gonna be a big part of whatever your, funding round is gonna provide.
But I’m guessing for you guys it was maybe less so now, but and guess for you guys in the context of the pandemic, it was like, let’s not even bother looking for office space.
Josh McCarthy Revelstoke: We we did is you have to have an address for certain, like shipping and places and bills and all that stuff. And so we ended up going with a, they’re called spaces and they’re like a offshoot of Regis, and so we just rented a space from them. It was small, but we only had two people that were going in full time at that point it, it was completely fine for how we.
Kinda architected employee wise, so that saved us a ton of money.
Paul Roberts, Security Ledger: So , you’re in the SOAR space [00:05:00] And talk to us that is a really busy, interesting space in the information security industry. So is security orchestration. Automation and response. Is that, do I have it right?
Josh McCarthy Revelstoke: Yep, you got it.
Paul Roberts, Security Ledger: Nailed it. Nailed, nailed my Gartner acronym. So I guess for our listeners – and they’re a pretty technical bunch of information security people by and large – but just give us the elevator pitch, what is SOAR? And talk to us a little bit about kind of Revelstoke and your unique perspective or take on SOAR, which is again, a category that’s been around for a while.
Josh McCarthy Revelstoke: SOAR is about achieving efficiency in the SOC or in a security team doesn’t necessarily have to be a SOC by automating away things that don’t actually require a human right. So we would always tell you that we want humans focused on things that actually require a person to do them. Not. If you’re looking at something like phishing, you shouldn’t be, manually copying and pasting all the URLs and DNS names and all that stuff and looking ’em up.
There’s just a ton [00:06:00] of manual, repetitive work that goes along with a lot of alerts that get generated from various technologies or from the users themselves, and by. Automating away a bunch of steps in that, in those flows, you can save enormous amounts of time and energy and that can be then used to just save money.
Cause you may not need, as much headcount or something like that. Or you could buy new products or it could be used to then your analyst can spend more time hunting for novel things. Things that are much harder to find , take more thought and looking around. There’s a lot of benefits to having a SOAR and automating a way that work that doesn’t need a person to do it.
And then on top of that, I firmly believe that case management is a critical component of SOAR because it allows you to extend those automation capabilities to the analysts directly while they’re working the case, right? And so again, it’s all about that efficiency and then also, puts up some guardrails, right?
Cuz you can define a process for how someone should respond. So now your brand new analyst is responding in the same way as your seasoned guy because it’s just a step by step process inside the SOAR [00:07:00] system. So that’s also a huge benefit.
Paul Roberts, Security Ledger: Yeah, this is a real, challenge within the information security space. We’ve got tons of tooling, right? We got tons of great point products. And yet at the end of the day, you need a human or something like it to be able to make sense of the output of those tools. And, the noisier the tool the harder it is for human beings to do that.
So this is a great case for automation to sort through that and figure out what’s important
Josh McCarthy Revelstoke: Yeah. What humans are really good at is turning that off or ignoring it when it bothers them too many times. So SOAR can really help with that.
Paul Roberts, Security Ledger: Who are Revelstoke’s clients? Cause again, there, there’s some pretty big players in the SOAR space. There’s some established products. You’re a new company. So what’s new here and what are you bringing to the table that, that you think is, an unmet need in the marketplace?
Josh McCarthy Revelstoke: Yeah, so it’s funny. So I’ll come to our, a little bit of our origin story as I explained this cuz it’ll play into it. But, so Bob and myself were both early employees at Demisto, one of the [00:08:00] earliest, SOAR vendors, I think Phantom was the only earlier one and. We took that from just a handful of customers all the way through the Palo Alto acquisition, and we actually left and left security automation space altogether and went and did something else in security.
And during the course of all of our meetings at this other company, we kept getting dragged back into automation discussions because we obviously go back to the same people we’ve sold to over the years. And a lot of them we had approached with Demisto. And what they would tell us at the end of our meetings is look, I’m not gonna renew Demisto or I bought one of the other products and I need to know what I should buy instead with that money, cuz we’re just not happy. You guys are now neutral. What do you think? And we heard that just a bunch of times and digging into the reasons they were really consistent. So the overwhelming number one reason why people weren’t renewing was complexity with, without like developers attached to their SOC or to the security team, they just [00:09:00] couldn’t progress. Like as soon the presale resource from the vendor went away, post sale, so did the resource that was needed to do all the work. It doesn’t help either that the companies that had someone that could do that, coding and the security work was probably the most recruited person on the security team as well. And so it ended up being like a single point of failure. And so complexity was -for over eight or nine outta 10 people we talked to – that was their number one problem. A smaller group, maybe one in 10 or two in 10 that did have the security people with programming experience or access to developers to, to work on their playbooks and integrations and things like that.
They got blocked on scale. So a lot of the original, SOAR systems were not cloud based, they were developed to be more on-prem, more monolithic, and they would fall over and a lot of ’em still do. And so that, that was a big problem because you had the right resources, but then they would start automating.
It would just blow up in their face, and become really fragile and unstable. [00:10:00] And (we) heard both of those things just a ton of times. And finally, we, Bob myself, have been on the sales and me on the engineering side of sales a long time. You can only tell us about these problems so many times where we just wanna fix ’em so that, we’ll take that renewal
These are, we’re in the space. We know a lot about automation, let’s put it to good use. And so we decided to leave the company we had went to after Palo Alto and found Revelstoke to, to deal with this problem and what we came up with is something called our unified data layer. And so what we do is normalize all the data coming into the platform, but also normalize how you interact with the integrations connected to it.
And what that does is drastically reduce the complexity, but also has a bunch of other benefits. Like now you can swap products, for example, like if you’re a Microsoft Defender shop and you want to move to CrowdStrike, boom, you don’t even have to change your workflow. CrowdStrike, even though it has radically different API calls to do the same thing as Defender.
We’ve normalized that. So it just works. Like you don’t have to do [00:11:00] anything. And so that, that’s a huge benefit, especially to the more sophisticated shops that were feeling that they got vendor locked once they got enough, progress in their SOAR platform. platform
Paul Roberts, Security Ledger: Yeah. That’s the other danger, right? Is that lock in, right? Like done, we’ve done all this customization, and now we’re over a barrel because…
Josh McCarthy Revelstoke: And they couldn’t even tell you where they put all the custom code at that point. a lot of cases. So it’s really messy. So that, that’s been our main solution. And there’s other things, like we go with a different workflow designer view that’s a little more based for the analysts and that kind of thing.
But the primary thing we do is the unified data layer and then our cloud native design is the scale answer.
And talk about the customers and what problems they’re coming to you with. I What, where, what’s the utility of your platform in terms of, threat detection, incident response, all the things that companies are struggling with right now.
Yeah. I would say about half the customers coming to us today have not ever purchased a SOAR, and the other half, maybe not quite half, like 40% or so, bought a SOAR and shelved it. Yeah. Or have yeah. Or have a single production flow and [00:12:00] that’s it. Because that’s all they could get done.
And and again, not, it’s not a knock on them, it’s some of these systems, like if you’re not writing like raw python all day, you just, you’re not gonna get anything done. So that’s the spread we’re seeing and they’re coming to us. If you break it down to those two buckets for the Greenfield people, they’ve heard the promise of SOAR and they want to have it delivered upon for them.
And they’ve talked to their peers who’ve had bad experiences and don’t want to also have a bad experience. And so wanna make sure that they can, not have to have the same coding requirements and actually use the system. So they’re coming to us to solve the same SOAR use cases that the earlier players solve.
A lot of phishing, a lot of. EDR malware, anything that’s a high alert volume is something they’re looking to solve first. And kinda work your way down to the more unique stuff as you go. And then for the other people, it’s about like the ones that maybe had SOAR. It’s about not repeating the mistakes of the past.
And for the ones that are deployed, like making something that’s scalable and not fragile a lot of ’em have systems that just every day or every other day are being rebuilt, because they just can’t keep with the load and they just want to stop the [00:13:00] madness.
Paul Roberts, Security Ledger: Yeah, I mean it’s, gap between what you read in the marketing literature and the reality of deploying some of these products, into production – it always blows me away
Josh McCarthy Revelstoke: That’s why for us, we don’t, we consciously don’t wanna say no code. We go with low code, if you read our marketing in most places, and that’s because to get that last mile, you might need a little bit of code. Each company does. Unique stuff in a lot of cases, they want some unique metric or reporting item or whatever it is, and, we strive to get something in, in production and showing a ton of value.
Without code. But if you wanna get that last little sprinkle, you wanna gold plate that thing that’s gonna be a little bit of code in a lot of cases. And so we certainly want to enable that. And we just, we wanna be realistic. We don’t wanna , we don’t wanna come in and say, you’re not gonna touch code.
And you, you pull the system, you’re like, what’s all this json? Like, why am I staring at this? So that, that, that’s our approach.
Paul Roberts, Security Ledger: I know, in, in everybody’s dreams it’s like Minority Report, right? And that’s like the future of SOAR, right? Where [00:14:00] you’re kinda moving boxes with your hands and like zooming in on things.
And but we’re a few years out from that. So what . But is no code or is no code you think the future of the SOAR space really just get that expensive, hard to retain developer out of the process and have it so that, a SOC analyst without necessarily a lot of coding experience can customize it however they want.
Josh McCarthy Revelstoke: Yeah. And what we actually saw for the most successful customers in when we were at Demisto were ones that…the same person that was doing the coding also understood the security and business logic for the workflow itself. It’s just really hard to iterate when there’s two different, or even sometimes three different people.
That makes it really hard. So if we can take out a coder, it makes that process not only less complicated, but you end up with a better product because the person that knows the logic is the same person writing the thing. Again, though, I don’t know if it’s realistic in even the next say, three years to say, we’ll get to truly no code.
I [00:15:00] think we can get really close and make it really as easy as possible, but I just don’t see how, in some cases you don’t without, without hobbling the customer, you don’t, have to use a little bit of code sometimes.
Paul Roberts, Security Ledger: So the, it’s an interesting time in the sort of broader InfoSec market. Certainly in the last year you’ve seen the federal government that spent years saying really hardly anything about information security, suddenly get very chatty about guidelines and mandates. Some of them just applying to federal agencies.
But of course, those federal agencies buy a lot of software and services. But we had obviously the Biden executive order back in May of 2021. And then subsequent to that we’ve had a lot, we’ve had some guidance from NIST and from other organizations. We had a memo that came out couple weeks ago focused on supply chain.
Josh McCarthy Revelstoke: Yeah.
Paul Roberts, Security Ledger: And, especially if you look at the executive order, big emphasis on zero trust reading between the lines, I think a, an emphasis on SOAR type [00:16:00] capabilities. But it’s an executive order, right? So it’s only as good as the guy who’s in office.
And what, so what have you seen, what’s been the impact of that? And has it helped make the case for the types of technology that your company uh…sells.
Josh McCarthy Revelstoke: I think it’s helped a little bit. I don’t know that I’ve seen like a ground swell around it, but I think that in combination with, I think in the infrastructure bill, there was a bunch of money set aside to improve cybersecurity for state and local government entities like power, water, other critical infrastructure.
That we’re seeing more movement on. So we were already in the process of doing this, but we actually have partnered recently with a company called Synsaber, and they do like industrial control, security type stuff, right? So by combining what we do with what they do for especially a smaller water power, whatever, we give them a really simplified way.
To work with something they may not have ever touched before because they’re just too small to have worked with this type of security tooling before. So that is, whenever you put money behind it like that , it tends to have an [00:17:00] impact. So we are seeing more movement.. I think, all of ’em combined is really increasing the awareness and drive to do stuff.
Pretty happy with that.
Paul Roberts, Security Ledger: What. What do you think? So it’s interesting you bring up the industrial control system and that’s, that is something we’ve definitely seen a lot of attention to especially with Colonial Pipeline and so on. Those critical infrastructure owner operators, have tended to lag.
The financial services companies, right? And the, tech firms in terms of their investment and expertise in InfoSec. Are you seeing a lot of interest and pickup in that area? Especially given what’s going on in the broader, threat space.
Josh McCarthy Revelstoke: Yeah we’re just starting to see that and that’s again, that’s why we’re doing some of those partnerships, like I mentioned, because it’s not something, a SOAR is never gonna be your source of generating an alert, but in our case, We can make the alert something that, you know, someone that may never have worked with security tools able to respond to.
Cause it’s step by step instructions. So it’s a kind of a natural fit to go in with some of these platforms that focus on something like that.
Paul Roberts, Security Ledger: SCADA systems, industrial control [00:18:00] systems, right? Traditionally developed on a separate branch than traditional IT systems. But you see it as of bring, bringing all the all these into a single pane and glass in terms of,
Josh McCarthy Revelstoke: Yep. And we’re seeing physical securities getting brought in to the broader security team a lot now, so I, it just, convergence just continues to happen.
Paul Roberts, Security Ledger: Skynet man. Skynet,
Josh McCarthy Revelstoke: Hey, I’m not named John, so I’m saying. (Laughter)
Paul Roberts, Security Ledger: I think one question that, that sort of looms large for. For me and for the industry in general is this what Wendy Nather at The 451 Group called the security poverty line, right? Which is how do we take the types of capabilities of a Revelstoke product some of these very cap, very powerful, but, complex or expensive systems and bring them down to the small medium enterprises that make up most of the companies that are out there. And definitely a lot of the companies that are being targeted. And that comes down to talent acquisition as well as technology acquisition. Is what’s your take on that and do you guys being a cloud pla, do you think just [00:19:00] being, being cloud native kind of helps lower that — helps bring you down into that market a little more than the legacy products.
Josh McCarthy Revelstoke: It definitely helps because they’re not gonna wanna maintain their own installations and stuff. It’s much easier subscribe to something. But I think, we’re taking a two-pronged approach. The first is the partnership thing I mentioned, if we can make something streamlined that’s maybe a smaller subset of the product, easier to digest for specific use cases.
That can be very beneficial. And then the other prong would be working with MSSPs MDRs and those guys that tend to focus down market and going in that way, right? Because it doesn’t make economic sense for us to try to chase, a 100 person company, but if they want to purchase through an MDR and MSSP that’s fantastic. Everybody wins. Because there is that talent gap as well that, luckily the MDR and MSSPs of the world have a lot of that talent. That’s our approach to date.
Paul Roberts, Security Ledger: Interesting. We are heading into the end of 2022, 2023. Obviously there’s some, warning signs out there in the economy at large, but I how do you see the New Year’s shaping up and what’s on the radar there at Revelstoke, both in terms of, feature development and [00:20:00] use cases?
Josh McCarthy Revelstoke: Yeah, I we are extremely focused on just acquiring customers and making sure the customers we’ve already acquired are staying, really successful. So that’s priority number one. And luckily we’ve not seen a huge drop off in cybersecurity spend. At least not yet.
With the we’ve had our customers tell us their stopping spend in some other infotech areas. But so far, other than a few outliers…
Paul Roberts, Security Ledger: Cyber is kind of recession proof. I’m not sure I’ve ever seen a cyber recession.
Josh McCarthy Revelstoke: Yeah, no, I I was at Fire Eye for the 2008 recession and it didn’t drop then either knocking on wood, it stays the same.
But so far it’s that hasn’t been a big issue for us. Yeah.
Paul Roberts, Security Ledger: Josh, it’s been a, this has been a pleasure. And if people wanna learn more about Revelstoke, Josh, where should they go?
Josh McCarthy Revelstoke: Just to our website, revelstoke.io. You can find out all sorts of stuff there. There’s contact forms, all that good stuff that you’d expect.
Paul Roberts, Security Ledger: Listen, thanks so much for coming on and speaking to us on Security Ledger podcast and best of luck, I’m sure we’ll have you back on.
Josh McCarthy Revelstoke: Awesome. Thank you so much.