13 June 2019

Building Trust Between Humans and Machines with Smarter Security Testing

Synack

Many news articles introduce artificial intelligence as a threat to displacing humans’ jobs. However, in the cybersecurity industry, we’re seeing a different story play out. While the technology we use is becoming more advanced, malicious hackers are still outpacing it; it’s evident as we watch these attackers continue to expose the data of millions of consumers almost daily and even impact the integrity of our election infrastructure. To keep up with the pace of cyber threats, many companies have adopted crowdsourced penetration testing to replicate the diversity, creativity, and skill sets of malicious actors, in the form of ethical hackers. It’s clear AI won’t ever be able to replace the creativity of the mind of a hacker, but what if AI could help augment ethical hackers?

Crowdsourced testing is a creative way to utilize the talent of a global network of ethical hackers in today’s resource-strained reality – there are 3.5 million unfilled cybersecurity jobs expected by 2021 according to Cybersecurity Ventures. However, bug bounty and crowdsourced security models often don’t have the framework to support a key component – Agile methodology in the software development lifecycle (SDLC). As most companies are now releasing code every 2 weeks, unknown vulnerabilities are now appearing in different parts of an attack surface, constantly. It can be challenging for humans to ensure broad, continuous coverage on assets that are dynamically changing without a huge incentive model, especially when there are no asset change indicators to alert them, coupled with a lack of technology with these methodologies

Outside of security, crowdsourced companies like Uber, Pinterest, and Airbnb have been utilizing automation and smart technology to augment humans for years. More importantly, the crowd in these platforms are trusting the technology to help them – cars now come equipped with sensors to help people park efficiently, and humans are looking to machine learning algorithms to recommend safe lodging in foreign countries. How can we utilize the same trust component in security?

Traditionally in security, machines and humans have worked separately to try and solve the same issues. Machines like scanners have been used to scale across attack surfaces, but they’ve proved to be noisy and inefficient, over burdening security teams and wasting precious security resource cycles, resulting in the potential for security teams to miss remediation on higher priority vulnerabilities making companies and consumers vulnerable. Until now, there hasn’t been a crowdsourced pen test model that marries machine intelligence and automation with the creativity of human discovery, in a way where humans can trust machines. Security hasn’t kept up with the advancement of the digital transformation… Until today!

We’re very excited to announce the latest version of our crowdsourced security platform that delivers a smarter, more efficient security test by leveraging smart technology in the Synack platform and our new product, SmartScan. We are revolutionizing the way people have inherently thought about crowdsourced penetration testing. Our new crowdsourced testing solutions recognize that the intersection of a crowd and technology is a critical part of smart security testing. Neither machines nor humans are as effective on their own as they are together – it is important to couple the two together in a trusted way. Synack’s enhanced tests are building trust between humans and machines and providing smarter security to customers.

How we build trust between humans and machines

Human creativity is unsurpassed. We count on humans to find certain types of vulnerability categories that wouldn’t normally be detected by a scanner, such as Business Logic, where a human has to go through the legitimate app specific workflow to reach a negative conclusion. However, at the same time, humans are unable to scan lots of targets quickly as they cannot automatically recognize a vulnerability as exploitable. Time must be spent on different targets in order to find a hole, which can be difficult to do at the speed necessary to keep up with the crazy pace of today’s software development lifecycle (SDLC). Scanners on the other hand, are able to scan across multiple apps very quickly to check for security flaws. However, the output is less than ideal. Pages and pages of vulnerabilities are reported, with little guidance to security teams on which vulnerabilities offer the highest risk of breach or what should be prioritized.

How do we provide continuous security testing in an efficient manner, to our customers on apps that are continuously updating in the SDLC? SmartScan uses an optimized technique of both Hydra, our proprietary scanner, and the Synack Red Team, our highly vetted, exclusive crowd, to look for the needle-in-the-haystack type of vulnerabilities. Hydra alerts the SRT to suspected vulnerabilities, vulnerabilities the machine has flagged as highly probable for exploitation. The SRT will then triage these findings to find the vulnerabilities most at risk of a breach. This technique in conjunction with our continuous engagement from the SRT provides an additional layer of rigor to our crowdsourced security tests. As a result, our penetration tests have become much more effective and efficient, leveraging our best of both worlds – vulnerability assessment, bug bounty and penetration testing all together in one crowdsourced model.

Customers have talked about how the vulnerability intelligence they’re seeing with us is helping them to integrate security in the development process by spreading this information across the organization. Not only have we already seen success with our customer betas finding exploitable vulnerabilities they normally wouldn’t have found without Platform 2.0, but we’ve also seen success for our researchers as well. Ethical hackers find higher severity vulnerability types than scanners such as complex authentication, which often lead to exploitable vulnerabilities. As an example, the severe BlueKeep Remote Desktop Services vulnerability of May 2019 relates to Input Validation (according to NVD). Scanners check for many kinds of input validation, but humans can creatively seek any kind of input validation error. With SmartScan’s optimized technique, Hydra is able to reduce 99.63% of vulnerabilities for the SRT allowing them to focus on exploiting only the suspected vulnerabilities, increasing their efficiency by 86%. The more examples we see of humans trusting machines to augment their capabilities, the scope of problems we can solve will widen. Synack was founded in always solving the right problems – and we wanted to help our customers secure their apps just as often as they update and create new code, security on a continuous cadence, while optimizing our Red Team through our technology. Our next version of the Platform does just that.