Interview With Mark Turnage, OWL Cybersecurity

Have you ever wondered what kind of information hackers have on your company, and what kind of data might have been comprised from your systems, and are now floating out there on the Internet? For our company profile today, we have an interview with Mark Turnage, the CEO of Denver-based OWL Cybersecurity (, who tells us how the company has created a product which lets companies figure out exactly what might be out there with criminals, to help them respond.

What is OWL Cybersecurity developing?

Mark Turnage: We have a proprietary platform that continuously scrapes data out of the Darknet. A lot of people don't know what the Darknet is, so I'll explain it. The Internet is what we all use daily, the sites where you access via your Google bar. That's the surface net. Below that is the Deep Web, which is what is behind all those password protected sites. That's your banking information, and other information which Mark Turnage cannot access from your Google bar. Those are the home servers on the deep web, those company servers on the deep web, big company databases. Those are all places that aren't linked to your Google bar directly—but are still accessible from the Internet. What were talking about, is below the Deep Web, the Darknet. The Darknet was initially set up to anonymize users. You have to access it using a special browser, and there are ways that disguise the users of the Darknet. It was originally set up as a secure communications channel so that people could talk to each other confidentially, for people such as political dissidents, journalists, and government users—who are still big users of it. But, it didn't take long for the bad guys to figure out they could also use the Darknet to figure out how to buy and sell illicit goods.Both buyers and sellers can have their identity disguised, and as it turns out, it's also a repository for the bulk of stolen credentials, stolen addresses, financial account information, and stolen credit cards. There's a vast amount of information which is bought and sold on the Darknet. That information is hacked or stolen out of companies and organizations from around the world. What we do, is we go into the Darknet, automatically, and scrape data out of the Darknet. We put that all in a database, which is continually updated, and can be accessed by our lients, who are generally financial institutions, healthcare companies, tech companies, and retail companies. Organizations who get access to our database can search for their own stolen information, without getting into the Darknet themselves.

So, given all that criminal activity on Darknet, how do you get that information?

Mark Turnage: I could tell you, but I would have to kill you. (chuckling) That's part off the secret sauce, is how we are getting in and getting out with megabytes. It's not easy, but part of the challenge here is to extract what we call the Darknet big data. We now have the largest database of Darknet content anywhere in the world. So, once you have that data, there is managing that data in such a way that our clients can get access to it. They get access to it by a license, a per-seat license, through our software-as-a-service product. It literally goes in, looks like your Google bar, you type in the name of your organization, what you're looking for, and if it's out there, we will show you were it is, where we got it, and if it's compromised. It's very easy to use.

What's your background, and how did you get into this?

Mark Turnage: My background is as an entrepreneur, though I think of myself as a recovering lawyer. I go to lawyer's anonymous three times a week (laugh), but I haven't practiced in the last 20 years. I was at a company, which became the largest provider of anti-counterfeiting technology, which was in Denver. We sold that company, and I joined OWL Security a year ago. We went through a ownership structure change, where my partner, the CFO and I, went to owning the company earlier this year.

If your customers do find data in the Darknet, what do they do from there?

Mark Turnage: We get asked that by customers all the time. Whether they have 25 accounts, or 250, or 2500 accounts which they find out there for sale, whether that's credit cards, or a dump of client emails, they ask—what do I do? The short answer, is you now know that is information that criminals will try to use. If it's credentials, so you'll change passwords, shut down accounts. It's actually a perfect roadmap for clients to know what they have to do. If a client has come in and stolen my IT credentials, for example, the very first thing is to change those credentials, change those passwords, so that no one from the Darknet can access those systems. If it's financial data, you cancel credit cards, and with bank accounts, you put a circle around that bank account and don't let anyone access it without specific authorization, so that no one can extract dollars. The sooner you know specific information is out there, the better you are able to mitigate it. The cost to a large retail organization of being hacked, if there are millions of their customer accounts compromised, could run into the tens or hundred of millions of dollar costs of a breach. The Target breach cost something like north of $200M to mitigate. If they had known sooner, they could have mitigated the costs associated with that.

How long have you been doing this?

Mark Turnage: The company was originally set up in 2009, this product launched early last year in its current form, and we've now been running with it for four and a half, five months.

What's the biggest lesson you've learned from this, from the standpoint of security for your customers?

Mark Turnage: Three big lessons. One, is if you don't think you've been compromised, you're wrong. In fact, it's now the norm. It's very, very common. In fact, with our sales presentations and demos with companies, usually in our sales presentation we show them there's a significant quantity of compromised data for that company. If you are a company, and don't think you have compromised data , you're wrong. There's information on virtually everyone out there. Secondly, you should take the steps steps necessary to ensure the most important data in your company in the most protected data. Lots of companies unwisely try to build high, think, digital walls around their organization. They think those walls will protect everything, that's not the case. Hackers are smart enough to get in, it's not if, but when. If that's the case, if you concede some information will leak out. What you want to ensure, is that your most sensitive information is the best protected information. Third, you better have a plan in the company ready to go, if and when you're breached. For users of our systems, the ability to meaningfully mitigate leak of data is heavily dependent on a plan on what to do when you find out.

Finally, what's next for the company?

Mark Turnage: As I said, we just bought the business in the early part of the year. We've been hiring, and have more than doubled our staff, and we're continuing to hire. We want to own the Darknet. No one has a product as unique as ours. There are lots of our competitors, who are competing to try to find the same data, manually, with analysts. We've automated that process. We've collected a lot more data. We want to be the company most associated with intelligence on the Darknet, and we want to grow in terms of both employees and in terms of revenues. Speaking as a citizen of Denver, we like that we're in Denver, and that we're in the Rocky Mountains. The cybersecurity network here in Colorado is very strong.