Synack: Security from an Adversarial Perspective

Jay Kaplan, CEO & Co-Founder, Synack
In a world with a bewildering array of IT security threats, there is more to security than achieving compliance with security regulations. Because security is so closely associated with standards and regulations, it is often assumed to be synonymous with being compliant. The two are related, but the assumption is a perilous one. Jay Kaplan, a former cyber analyst at the National Security Agency (NSA) and the DoD, argues that the current security landscape demands “a change in focus from achieving compliance and security regulations to aiming for actual security.” Doing so means assessing overall risk from an adversary’s perspective. The question then becomes: how do you beat attackers at their own game while still meeting both security and compliance requirements?

It was this predicament, combined with Kaplan’s desire to take present-day security a level higher, that spurred the genesis of Synack. Taking cues from how the NSA conducts its vulnerability research, Kaplan and his team have built a solution that mimics the perspective of potential attackers by combining human ingenuity with the scalability of a security platform. “We reside in an age where technology has outpaced humans in every industry except security. The software developed today can’t keep up with the creativity and ingenuity of a human hacker,” says Kaplan. In place of static security solutions that follow the traditional compliance-driven or point-in-time model, the Synack solution focuses primarily on vulnerability discovery. The company has developed a vulnerability intelligence platform, Hydra, that takes penetration testing to the next level: it continuously assesses clients’ systems for vulnerabilities and evaluates their resistance to potential attacks.

“With hackers becoming more sophisticated and threats turning more severe, the lack of cybersecurity talent in the US and abroad has never been more dire,” points out Kaplan. To match the creativity and persistence of a human attacker, Synack crowdsources security researchers and white-hat hackers who plug this growing talent gap. “Every type of hacker approaches the problem very differently with a very creative mindset. This is what we are trying to bring to our customers,” he adds. The Synack Red Team is made up of top hackers and security researchers from around the world, engaged to discover exploitable vulnerabilities across clients’ mobile and web applications and host-based infrastructure. Powered by the Synack Red Team, Synack’s platform not only makes the client aware of business-critical weaknesses but also provides an impact statement that states the severity of each finding, practically demonstrating the damage an attacker could cause.

The highly curated members of the Synack Red Team go through a vetting process that ensures they are trustworthy in addition to possessing the relevant skills for the job.

Software cannot keep up with the creativity and ingenuity of a human hacker

The acceptance rate is 10 percent: applicants must pass a clearance process that includes third-party background checks and ID verification. The Synack Red Team works with Hydra to locate, confirm and report exploitable bugs, and to provide real-time actionable insights. In addition to automated scanning of systems for potential weaknesses, Hydra helps the Synack Red Team understand what the environment looks like at any particular time and performs continuous security testing to detect changes. Such changes matter because they can indicate a new security issue. All Synack Red Team testing activities are routed through Synack’s secure gateway technology, LaunchPoint, which offers the client complete transparency and control over the testing traffic.
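The change-detection idea described above (snapshot the environment, re-snapshot later, and treat what changed as the candidates for a new security issue) can be illustrated with a small diff over two asset inventories. This is an added example, not Synack or Hydra code; the snapshot format (host to port-to-service mapping), the hostnames and the service banners are constructed, and the "expected ports" allowlist used for prioritisation is an assumption made for the illustration.

```python
"""Attack-surface change detection over two constructed inventory snapshots.

Added illustrative example; not Synack/Hydra code. Snapshot format, host
names, banners and the expected-port allowlist are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed snapshot format: {host: {port: "service/version"}}
SNAPSHOT_DAY1: Dict[str, Dict[int, str]] = {
    "app.example.test": {443: "nginx/1.18.0", 22: "OpenSSH_8.4"},
    "api.example.test": {443: "nginx/1.18.0"},
}
SNAPSHOT_DAY2: Dict[str, Dict[int, str]] = {
    "app.example.test": {443: "nginx/1.18.0", 22: "OpenSSH_8.4", 8080: "Jenkins/2.289"},
    "api.example.test": {443: "nginx/1.20.1"},
    "staging.example.test": {80: "Apache/2.4.49", 3306: "MySQL 5.7"},
}

# Assumed allowlist: ports the client expects to be reachable from the internet.
EXPECTED_PORTS = frozenset({22, 443})


@dataclass
class Change:
    kind: str            # new_host | new_service | changed_service | removed_host | removed_service
    host: str
    port: int
    before: Optional[str]
    after: Optional[str]


def diff_snapshots(old: Dict[str, Dict[int, str]],
                   new: Dict[str, Dict[int, str]]) -> List[Change]:
    """Return every host/port/service difference between two snapshots,
    ordered by host name then port so output is stable across runs."""
    changes: List[Change] = []
    for host in sorted(set(old) | set(new)):
        if host not in old:                       # whole host appeared
            for port, svc in sorted(new[host].items()):
                changes.append(Change("new_host", host, port, None, svc))
            continue
        if host not in new:                       # whole host disappeared
            for port, svc in sorted(old[host].items()):
                changes.append(Change("removed_host", host, port, svc, None))
            continue
        for port in sorted(set(old[host]) | set(new[host])):
            before, after = old[host].get(port), new[host].get(port)
            if before is None:
                changes.append(Change("new_service", host, port, None, after))
            elif after is None:
                changes.append(Change("removed_service", host, port, before, None))
            elif before != after:                 # same port, different banner/version
                changes.append(Change("changed_service", host, port, before, after))
    return changes


def priority(change: Change, expected_ports=EXPECTED_PORTS) -> str:
    """Heuristic triage: new exposure on an unexpected port is the most
    interesting, a version change or expected-port exposure is next,
    and removals are informational only."""
    if change.kind in ("new_host", "new_service"):
        return "high" if change.port not in expected_ports else "medium"
    if change.kind == "changed_service":
        return "medium"
    return "info"


def retest_queue(changes: List[Change]) -> List[Change]:
    """Changes that expand or alter the attack surface, most urgent first."""
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted((c for c in changes if priority(c) != "info"),
                  key=lambda c: (order[priority(c)], c.host, c.port))


if __name__ == "__main__":
    for c in retest_queue(diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2)):
        print(f"[{priority(c):6}] {c.kind:15} {c.host}:{c.port} {c.before} -> {c.after}")
```

In this constructed run the new Jenkins listener on 8080 and the new staging host are queued as high priority, while the nginx version bump on the API host is queued as medium; removals never reach the queue. A real implementation would diff richer data (TLS configuration, DNS records, application routes) but the shape is the same: persist a snapshot, diff against the previous one, and send the delta to the testers.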

Furthermore, Synack provides a fully managed, white-glove service, MissionOps, that lets customers launch an engagement within 24 hours of activation. This internal team of vulnerability experts works closely with clients to deliver services such as asset definition and scoping, Synack Red Team (SRT) communication and management, real-time vulnerability triage and periodic engagement briefs. Every vulnerability discovered is validated by the MissionOps team and practically exploited by one of the researchers. “We go back once the customer believes they’ve remediated the problem to verify that the remediation was successful,” adds Kaplan. Synack also provides a centralized online portal that alerts the customer to any new vulnerability.

“Customers are keen to acquire the information we provide, as it creates awareness on how to avoid these vulnerabilities in the future; preventing it from becoming a recurring occurrence,” says Kaplan. Synack’s clientele ranges from financial services, healthcare and technology to government institutions such as the DoD and the IRS. As part of the Pentagon’s “Hack the Pentagon” initiative, Synack’s crowdsourced methodology was used to lock down a critical, globally deployed system that warfighters rely on to relay the commands they need to execute their daily responsibilities. “Despite our previous successes, we were thrilled at the success of our solution at the Pentagon,” reports Kaplan, especially because the solution discovered vulnerabilities in a hardened DoD system that had been cleared by traditional security solutions. “Once the vulnerabilities were identified, the DoD began urgent remediation within 24 hours of the test, recognizing the severity of the discovery,” adds Kaplan. Synack is also employed by the IRS to prevent leakage of information through continuous monitoring of its changing infrastructure.

Synack is encouraged by the progressive thinking it has seen among government agencies and other enterprises. “These institutions welcome the adversarial perspective we offer and understand that this should be the de-facto way of performing security tests. It is the only way to understand what your attack surface looks like from an adversary’s point of view,” says Kaplan. Going forward, the company intends to further develop its platform alongside its bug bounty program.