Penetration testing - Synack

Innovative Crowdsourced Penetration Testing

Penetration testing is supposed to help organizations find and fix vulnerabilities in their systems before criminal hackers can exploit them. Staying ahead of the game is crucial in cybersecurity, but unfortunately many organizations are falling behind, even when they follow best practices. A spokesperson for Synack tells us more about penetration testing and the firm’s latest launch.

Most organizations conduct some sort of penetration testing, and they are most likely compliant with the standards that they are held to within their industries. Unfortunately, traditional penetration testing practices aren’t standing up against today’s modern cyber threats. According to IBM, only 38% of global organizations are equipped to handle a complex cyber attack. When traditional penetration testing can no longer empower companies to find and fix their vulnerabilities before criminal hackers exploit them, and when so much is at stake (ie: Yahoo’s 3 billion customer base), it’s time for security leaders to reconsider tradition and look to something more effective.

The security industry is increasingly looking towards crowdsourced penetration testing to combat the security talent gap – more than 3.5 million cybersecurity positions are expected to be left unfilled by 2021 (Cybersecurity Ventures). Crowdsourcing ethical hackers from around the world gives organizations the ability to effectively and efficiently test multiple assets on their growing attack surface.

Synack is the leading crowdsourced security platform that not only harnesses the power of crowdsourced human intelligence to beat cyber threats, but they are also augmenting humans with smart technology to help make them more effective, cover a wider attack surface, and speed up their time to find and fix vulnerabilities. This year, Synack launched the industry’s first cybersecurity platform to integrate crowdsourced human intelligence augmented with artificial intelligence to help security teams work smarter, not harder, to protect digital assets continuously and at scale.

“While humans can’t scale, machines can’t think. We will always need the creativity of human intelligence. But to scale at the pace of the threats, we need to automate wherever possible and keep building technology to test ‘smarter’,” Dr. Mark Kuhr, Synack CTO and cofounder said.

Synack’s industry-leading cybersecurity Platform 2.0 delivers a smarter, more efficient security test through the use of smart platform technology and new product, SmartScan. Together, the platform’s new features and advanced technology seamlessly orchestrate the optimal combination of human and machine intelligence for more effective, efficient security on a 24/7/365 basis. SmartScan helps security teams increase their attack surface coverage and gain new insight by continuously scanning for suspected vulnerabilities and engaging the company’s crowdsourced network of ethical hackers to validate them. The augmented intelligence offered by Synack’s “smart” Crowdsourced Security Platform, if applied to all penetration testing, would add 4x more efficiency to security teams.

Additional benefits of Synack’s Crowdsourced Security Platform to security teams include:

• Noise Reduction: 99.98% of total noise is reduced by leveraging Synack SmartScan in combination with Synack Red Team crowdsourced vulnerability triage and patch verification services.

• Higher Value: The latest version of Synack’s platform with augmented intelligence increases the ROI of Synack’s original offering by over 50%. Customers will see a 159% ROI with the Synack Crowdsourced Security Platform in comparison to a traditional penetration test. And if comparing the Synack platform to a traditional scanner, they will get a 262% ROI. If deployed universally across application security testing, SmartScan would add ~$3B in security value back to the market.

Not only has Synack launched SmartScan, but the company has introduced additional new and enhanced features as part of its innovative platform. Apollo, the “brain” or engine behind Synack’s testing orchestration, utilizes machine learning and automation to
optimize the integration of humans and technology during security testing. LaunchPoint+ is an iteration on the company’s secure testing gateway with added researcher endpoint control and enhanced workspaces to support privacy for highly regulated environments. Synack customers also now receive superior analytics and reporting to understand their security testing metrics.

Along with delivering ROI to executive boards, CISOs often have to convince the organization to adopt methods such as crowdsourcing and innovative technology platforms. Gartner predicts that by 2021, over 50% of organizations will be using crowdsourcing and automation to secure their assets. Security leaders know that their jobs aren’t just to be compliant when it comes to penetration testing; they need to be able to truly protect their businesses, their brand reputation, and their customers.

Amongst more than 1000 American contributors to the 2018 Edelman Trust Barometer report, trust in businesses came in at a paltry 49%. None of the top brands in a poll of 1000 American consumers scored more than 6 out of 10 in terms of trust. In a world where trust in even the most well-regarded brands is so low, what happens when companies start thinking about trust as their key differentiating strategy, and put security at the center of their value proposition? There is a huge opportunity for trust-minded companies to capture market share, increase customer loyalty, and up their brand value, using security as the fulcrum.

Today’s digital business environment requires trust be built into an organization from the ground up, starting with the individual digital assets that makes up a company. Building secure assets ensures that the business can create trusted products and deliver on their brand promise, and by extension, that the customer will trust the business. For a defense company, this could mean delivering cloud services that host and protect data on behalf of their national security clients, and no one else. For a consumer company such as Domino’s, this could mean building pizza delivery apps and infrastructure that uphold the brand’s “30 minutes or less” delivery promise.

Synack helps CISOs ensure trust by showing them how their security is performing and whether their investments are paying off through powerful “Trust metrics” measured by their Attacker Resistance Score. “It’s all about measurement,” says Home Depot CISO Stephen Ward, in remarks quoted in “The 2019 Trust Report,” released by Synack. “CISOs need a way to present security to their executive team and board in a way that clearly demonstrates and measures business risk to the organization. The executive team doesn’t want to talk about security — they want to talk about risk.”

To accompany this new mindset shift towards trust, Synack released their 2019 Trust report earlier this year, saying “Trust has a Number.” The report is the first of its kind to actually quantify organizations’ trust at the asset level, from a hackers’ perspective, and measure security performance over time. Synack gathered and analyzed our unique crowdsourced penetration testing data based on thousands of tests on assets owned by hundreds of companies across nine industries over several years to generate this report. Synack’s penetration testing data and interviews with dozens of executives clearly argued that getting to trust is critical for business success. Here are some of the 2019 Trust Report highlights:

• Manufacturing & Critical Infrastructure and Financial Services lead the way as most Trusted Industries.
• Security teams are making progress! They are enhancing the trust of their organizations, but it requires dedicated practice – Up to 200% higher Attacker Resistance Scores among those
• organizations that work to improve their attacker resistance for 2+ years versus <1 year. • Continuous, rather than point-in-time, penetration testing has a greater impact on security – 43% higher Attacker Resistance Scores on average among organizations that practice continuous vs. point-in-time penetration testing.
• Organizations with the highest Synack Attacker Resistance Scores are: 1) making it harder for attackers to find vulnerabilities, 2) integrating security testing into the SDLC to reduce the cost of vulnerabilities, and 3) remediating security issues quickly.

Synack’s innovative crowdsourced penetration testing platform recognizes that the intersection of a crowd and technology is a critical part of smart security testing. Neither machines nor humans are as effective on their own as they are together – it is important to couple the two together in a trusted way. Synack’s enhanced tests are building trust between humans and machines and providing smarter security to customers.

The more examples we see of humans trusting machines to augment their capabilities, the wider the scope of problems we can solve. Synack helps customers secure their apps just as often as they update and create new code, by implementing security on a continuous cadence through the optimization of the Synack Red Team and smart technology.