It was this predicament, combined with Kaplan’s yearning to take present-day security a level higher, that spurred the genesis of Synack. Taking cues from how the NSA conducts its vulnerability research, Kaplan and his team have pioneered an elegant solution that mimics the perspective of potential hackers or attackers by combining the power of human ingenuity with the scalability of a security platform. “We reside in an age where technology has outpaced humans in every industry except security. The software developed today can’t keep up with the creativity and ingenuity of a human hacker,” says Kaplan. Replacing static security solutions that follow the traditional compliance-driven or point-in-time model, the Synack solution focuses primarily on vulnerability discovery. The company has developed an advanced vulnerability intelligence platform, Hydra, that has taken penetration testing to the next level. The platform follows a methodology of assessing clients’ vulnerabilities and constantly evaluating their systems’ resistance to potential attacks.
“With hackers becoming more sophisticated and threats turning more severe, the lack of cybersecurity talent in the US and abroad has never been more dire,” points out Kaplan. To respond to the creativity and persistence of a human hacker, Synack crowdsources an army of security researchers and white hat hackers who plug this growing talent gap. “Every type of hacker approaches the problem very differently with a very creative mindset. This is what we are trying to bring to our customers,” he adds. The Synack Red Team is made up of top hackers and security researchers from around the world who are engaged to discover exploitable vulnerabilities across clients’ mobile and web applications and host-based infrastructure. Powered by the Synack Red Team, Synack’s platform not only makes the client aware of business-critical liabilities but also presents it with an impact statement that conveys the severity of each of those susceptible components, practically demonstrating the potential damage an attacker could cause.
The highly curated members of the Synack Red Team go through a vetting process that ensures they are trustworthy in addition to possessing the relevant skills for the job.
Furthermore, Synack provides a fully managed, white glove service, MissionOps, that enables customers to launch within 24 hours of activation. This internal team of vulnerability experts works closely with clients to deliver services such as asset definition and scoping, Synack Red Team (SRT) communication and management, real-time vulnerability triage and periodic engagement briefs. All vulnerabilities discovered are validated by the MissionOps team and also undergo practical exploitation by one of the hackers. “We go back once the customer believes they’ve remediated the problem to verify that the remediation was successful,” adds Kaplan. Synack also provides a centralized online portal and platform that alerts the customer to any new vulnerability.
“Customers are keen to acquire the information we provide, as it creates awareness on how to avoid these vulnerabilities in the future, preventing it from becoming a recurring occurrence,” notes Kaplan. Synack’s clientele spans financial services, healthcare and technology as well as government institutions such as the DoD and the IRS. Answering the Pentagon’s “Hack the Pentagon” initiative, Synack’s crowdsourcing methodology was leveraged to lock down a critical system that was deployed globally and relied on to relay commands critical to warfighters in the execution of their daily responsibilities. “Despite our previous successes, we were thrilled at the success of our solution at the Pentagon,” reports Kaplan, especially because the solution discovered vulnerabilities in a hardened DoD system that had been cleared by traditional security solutions. “Once the vulnerabilities were identified, the DoD began urgent remediation within 24 hours of the test, recognizing the severity of the discovery,” adds Kaplan. Synack is also employed by the IRS to prevent any leakage of information through continuous monitoring of its changing infrastructure.
Synack is encouraged by the progressive thinking it has witnessed among government agencies and other enterprises. “These institutions welcome the adversarial perspective we offer and understand that this should be the de facto way of performing security tests. It is the only way to understand what your attack surface looks like from an adversary’s point of view,” says Kaplan. Going forward, the company intends to enrich and augment its platform’s productivity along with its high-end bug bounty program.