How to crowdsource your way to better security

Synack, a company founded by former NSA analysts, attempts to leverage the best of man and machine approaches to provide enterprise cybersecurity protection.

The best defense is a good offense, as the saying goes, and nowhere is that more true than in enterprise security. Finding vulnerabilities and exploitable weaknesses before attackers do can prevent devastating breaches and data loss, and spare your operations and your reputation a crippling hit.

Most enterprises rely on one of two approaches: manual testing, in which a human penetration tester probes for weaknesses, or automated scanning, in which a vulnerability scanner sweeps networks for known, exploitable flaws. Neither approach is entirely effective on its own.

Flawed solutions

"Today's vulnerability solutions are flawed. Some are human-centric, point-in-time penetration tests, which are limited to the skillsets of individual testers and project timelines. Others are solely reliant on scanner technologies, which overwhelm today's already-strained IT organizations with duplicates, false positives, uneven quality levels and thousands of submissions that require manual review," says Mark Kuhr, CTO of cybersecurity solutions firm Synack, in a statement.

Synack, founded by former NSA analysts Jay Kaplan, now the company's CEO, and Kuhr, takes a novel approach by combining the best of man and machine. It crowdsources vulnerability assessment to the Synack Red Team (SRT), a group of independent, expert security researchers working around the world who bring both their own skills and cutting-edge tooling to finding weaknesses, and it pairs them with its new Hydra technology, which continuously scans client networks for vulnerabilities and feeds what it finds to both the client's internal security team and the SRT.


Crowdsourcing security

The idea is to crowdsource cybersecurity by bringing the best minds, the best technology and best practices to bear, presenting an objective view of a client's potential vulnerabilities so they can be remediated quickly and effectively, according to Kaplan.

SRT members are elite cybersecurity pros who are vetted, tested, screened and subject to extensive background checks before they can join the SRT. The process is so intensive and challenging that the acceptance rate for candidates is only about 10 percent, says Kaplan. SRT members work on a freelance basis; many also hold jobs as security pros at other IT companies. They're paid on a case-by-case basis, Kaplan says, when they discover a vulnerability and remediate it for a client.

"This is crowd security intelligence. Clients get continuous coverage of their assets with this model, and they get a diverse, objective view of what they look like from the outside -- their security posture. Instead of one or two individuals, we're talking a team of a hundred people, constantly looking for threats," Kaplan says.

Synack's private bug-bounty model is one that prizes anonymity. Because of confidentiality obligations, Synack doesn't disclose its customers, but Kaplan says the firm is seeing customer growth in excess of 300 percent quarter over quarter among the Fortune 500.

"We anticipated a need to educate and overcome barriers to entry, but instead we've found that companies from even the most regulated and conservative industries are adopting Synack enthusiastically," Kaplan says.


Hydra technology

Of course, even hundreds of dedicated security pros can't work fast enough to chase every possible weakness. Networks, software and applications are too complex, and attackers too capable, for that, especially at large enterprise scale. Synack's new Hydra technology works alongside the SRT and clients' internal security teams to speed up the identification of exposures so they can be patched, at scale.

Hydra's continuous monitoring is designed to streamline the SRT's reconnaissance phase, letting researchers test faster and deeper across large enterprise estates without sacrificing quality. The pairing of man and machine is meant to scale researcher intelligence with technology against the real and ongoing threat of compromise that the enterprise faces daily, and against skilled black hat hackers who are already using automation of their own.

The Hydra platform offers three subsets of functionality -- host monitoring, Web application analysis and mobile application analysis -- all of which will be released in phases. Host monitoring capabilities became available to Synack customers last month, with Web and mobile testing capabilities to be released in the first half of 2016. Hydra technology is a SaaS offering, so there is no physical or virtual appliance to install, no software to deploy and no physical infrastructure to acquire and maintain, says Kaplan.

"Our clients already saw the value of having these researchers at work for them, but we started to question how to effectively scale the service to complex, vast enterprises and keep SRT productive. With Hydra, we can leverage the depth and breadth of human experience and skills and rely on machines for replicating tasks to make everything faster and more efficient," says Kaplan.
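The article describes continuous host monitoring at a high level only: a machine watches the estate, and only the changes worth a human's time reach the researchers and the internal team. As an added illustration (not Synack's Hydra code, and not from the original article), the following script shows the core of that loop: it parses two constructed scan snapshots in a made-up "host port proto service banner" line format, diffs them into new, closed and changed listeners, fingerprints each finding so the same exposure is handed to a reviewer only once across runs, and flags services on an assumed watch-list for priority review. The snapshot data, the line format and the watch-list are all assumptions made for the example.

```python
"""Constructed example of the continuous host-monitoring idea: diff two scan
snapshots, report only new or changed exposures, and deduplicate findings by a
stable fingerprint so each one is routed to a human reviewer once.  The data
and format below are made up for this example; this is not Synack's Hydra code."""

import hashlib
from typing import Dict, List, Set, Tuple

HostKey = Tuple[str, int, str]   # (host, port, proto)
ServiceInfo = Tuple[str, str]    # (service, banner)

# Constructed snapshots: one "host port proto service banner" line per listener.
SNAPSHOT_DAY1 = """\
10.0.0.5 22 tcp ssh OpenSSH_7.4
10.0.0.5 443 tcp https nginx/1.14
10.0.0.9 3306 tcp mysql 5.7.21
"""

SNAPSHOT_DAY2 = """\
10.0.0.5 22 tcp ssh OpenSSH_7.4
10.0.0.5 443 tcp https nginx/1.18
10.0.0.5 8080 tcp http Jenkins/2.150
10.0.0.12 445 tcp microsoft-ds Samba 4.x
"""

# Services that usually deserve a human look when they newly appear on the
# perimeter.  Assumed watch-list for this example, not a product setting.
HIGH_INTEREST = {"microsoft-ds", "mysql", "rdp", "http"}


def parse_snapshot(text: str) -> Dict[HostKey, ServiceInfo]:
    """Parse the snapshot format into {(host, port, proto): (service, banner)}."""
    listeners: Dict[HostKey, ServiceInfo] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, proto, service, banner = line.split(maxsplit=4)
        listeners[(host, int(port), proto)] = (service, banner)
    return listeners


def diff_snapshots(old: Dict[HostKey, ServiceInfo], new: Dict[HostKey, ServiceInfo]):
    """Return (added, removed, changed) listener keys, each sorted for stable output."""
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in new if k in old and new[k] != old[k])
    return added, removed, changed


def finding_id(kind: str, host: str, port: int, proto: str, service: str, detail: str) -> str:
    """Stable fingerprint: the same change on the same listener dedups across runs,
    while a new banner on a known listener yields a fresh finding."""
    key = "|".join([kind, host, str(port), proto, service, detail]).encode()
    return hashlib.sha256(key).hexdigest()[:16]


def triage(old: Dict[HostKey, ServiceInfo], new: Dict[HostKey, ServiceInfo],
           seen: Set[str]) -> List[dict]:
    """Turn the diff into findings, suppressing fingerprints already in `seen`."""
    added, removed, changed = diff_snapshots(old, new)
    findings: List[dict] = []

    def emit(kind: str, key: HostKey, service: str, banner: str, priority: str) -> None:
        host, port, proto = key
        fid = finding_id(kind, host, port, proto, service, banner)
        if fid in seen:
            return  # already handed to a reviewer in an earlier run
        seen.add(fid)
        findings.append({"id": fid, "kind": kind, "target": f"{host}:{port}/{proto}",
                         "service": service, "banner": banner, "priority": priority})

    for key in added:          # brand-new exposure: the main thing researchers want
        service, banner = new[key]
        emit("new_listener", key, service, banner,
             "high" if service in HIGH_INTEREST else "normal")
    for key in changed:        # same listener, different banner (upgrade, swap, misconfig)
        service, banner = new[key]
        emit("banner_changed", key, service, banner, "normal")
    for key in removed:        # informational: nothing for a researcher to test
        service, banner = old[key]
        emit("listener_closed", key, service, banner, "info")
    return findings


if __name__ == "__main__":
    baseline = parse_snapshot(SNAPSHOT_DAY1)
    latest = parse_snapshot(SNAPSHOT_DAY2)
    already_routed: Set[str] = set()
    for f in triage(baseline, latest, already_routed):
        print(f["priority"], f["kind"], f["target"], f["service"], f["banner"])
    # A second pass over the same snapshots routes nothing new.
    print("second run:", triage(baseline, latest, already_routed))
```

The dedup set would be persisted between runs in practice; here it lives in memory so the script runs offline. The point of the fingerprint is the article's complaint about scanners: without it, every rescan re-reports the same listener and the reviewers drown in duplicates.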
