How to crowdsource your way to better security
- 18 November, 2015 15:27
The best defense is a good offense, as the saying goes, and nowhere is that more true than in enterprise security. Finding vulnerabilities and exploits before hackers do can prevent devastating breaches and data loss, and spare your operations and your reputation a crippling hit.
Most enterprises use one of two approaches: manual, in which a human tester probes for potential weaknesses; or automated, in which a vulnerability scanner screens networks for exploit potential. Neither approach is entirely effective on its own.
"Today's vulnerability solutions are flawed. Some are human-centric, point-in-time penetration tests, which are limited to the skillsets of individual testers and project timelines. Others are solely reliant on scanner technologies, which overwhelm today's already-strained IT organizations with duplicates, false positives, uneven quality levels and thousands of submissions that require manual review," says Mark Kuhr, CTO of cybersecurity solutions firm Synack, in a statement.
Synack, founded by former NSA analysts Jay Kaplan, now Synack's CEO, and Kuhr, takes a novel approach to the problem by combining the best of man and machine. Vulnerability assessment is crowdsourced to the Synack Red Team (SRT), a group of independent, expert security researchers who work globally, using both their skills and cutting-edge technology to identify potential weaknesses. Alongside the SRT sits the new Hydra technology, which continuously scans client networks for vulnerabilities and delivers intelligence to internal security teams and to the SRT.
The idea is to crowdsource cybersecurity by using the best minds, the best technology and best practices to present an objective view of potential vulnerabilities, and remediate them quickly and effectively, according to Kaplan.
SRT members are elite cybersecurity pros who are vetted, tested, screened and subject to extensive background checks before they can join SRT. The process is so intensive and challenging that the acceptance rate for candidates is only about 10 percent, says Kaplan. SRT members work on a freelance basis; many also hold jobs as security pros at other IT companies. They're paid on a case-by-case basis, Kaplan says, when they discover a vulnerability and remediate it for a client.
"This is crowd security intelligence. Clients get continuous coverage of their assets with this model, and they get a diverse, objective view of what they look like from the outside -- their security posture. Instead of one or two individuals, we're talking a team of a hundred people, constantly looking for threats," Kaplan says.
Synack's private "bounty for bugs" model is one that prizes anonymity. Because of confidentiality obligations, Synack doesn't disclose its customers, but Kaplan says the firm is experiencing customer growth in excess of 300 percent quarter over quarter in the Fortune 500.
"We anticipated a need to educate and overcome barriers to entry, but instead we've found that companies from even the most regulated and conservative industries are adopting Synack enthusiastically," Kaplan says.
Of course, even hundreds of dedicated security pros can't work fast enough to handle every possible exploit. Networks, software and applications are just too complex -- and hackers too good -- for that, especially at a large enterprise scale. Synack's new Hydra technology works in conjunction with SRT and with clients' internal security to speed the process of identifying threat vectors so they can be patched, at scale.
Hydra's continuous monitoring capabilities are designed to streamline the SRT's reconnaissance phase of the testing process, allowing them to test faster and deeper across large enterprise assets without jeopardizing quality. This optimal pairing of man and machine is a unique approach to combating the real and ongoing threat of compromise that the enterprise faces on a daily basis -- strategically pitting a solution that leverages advanced technology to scale researcher intelligence against the threat of skilled black hat hackers.
The Hydra platform offers three subsets of functionality -- host monitoring, Web application analysis and mobile application analysis -- all of which will be released in phases. Host monitoring capabilities became available to Synack customers last month, with Web and mobile testing capabilities to be released in the first half of 2016. Hydra technology is a SaaS offering, so there is no physical or virtual appliance to install, no software to deploy and no physical infrastructure to acquire and maintain, says Kaplan.
"Our clients already saw the value of having these researchers at work for them, but we started to question how to effectively scale the service to complex, vast enterprises and keep SRT productive. With Hydra, we can leverage the depth and breadth of human experience and skills and rely on machines for replicating tasks to make everything faster and more efficient," says Kaplan.