10 June 2019

Crowdsourced Security Now Delivers Enhanced Controls for Highly Regulated Environments

Synack

This blog was written by Synack Senior Director of Product Strategy, David Charlton.

Having worked in the financial services industry in both end-user and consulting capacities for over 15 years, I know the scrutiny frontline cybersecurity teams are subject to. When operating a penetration testing program, first and foremost, the team needs to ensure that complete, thorough and accurate technical results are being produced. This is achieved by incentivising the discovery of high-impact, exploitable vulnerabilities that present a risk to business operations and data, and by ensuring that the entire attack surface is subject to review through a repeatable approach carried out by highly capable security experts.

However, it doesn’t end there. The penetration testing program also needs to ensure that operational risks are being appropriately managed, such as: how can you ensure approved testing activity is not mistaken for a malicious attack (or vice versa), and how do you manage the risk of testing activity causing an unexpected impact on production? It is vital to be able to demonstrate that robust operational controls have been implemented to a level that will be acceptable to the second and third lines of defense, typically operational risk and audit.

Synack has provided a proven solution to these challenges for years now with Synack LaunchPoint. LaunchPoint offers a controlled means of managing access from our private crowd – the Synack Red Team (SRT) – to customer targets through our original secure VPN testing gateway. LaunchPoint enables monitoring of all network communications with full packet capture, provides analytics of attack surface coverage and the vulnerability classes exercised, and has given customer operations teams the ability to whitelist test traffic and pause/resume testing at any time.

Last week, the Synack team announced LaunchPoint+, and I am really excited about our company’s latest capability and what it means for the future of crowdsourced testing.

LaunchPoint+ is a Synack-managed virtual attack workstation for the SRT that helps customers meet enhanced requirements for data protection and security control.

For customers who are operating in a highly regulated business sector such as the financial services industry, the ability to have enhanced security controls applied directly to the attack workstation will help ensure all data privacy and compliance requirements are met and consistently enforced. All data created, transferred or downloaded during a penetration test is protected and monitored within our secure, isolated desktop environment – this provides the highest level of security control possible. This approach enforces isolation of tasks between test and client data to remove the risk of data contamination, and upon request Synack can delete the data.

LaunchPoint+ not only delivers on data protection requirements, but also implements centralized control of the security posture of the virtual workstation, ensuring it is patched to the latest level, that its build configuration is security-hardened, and that it is subject to modern malware detection, prevention and monitoring.

Synack is unique in that it has always focused on delivering a better, smarter penetration test. LaunchPoint+ now enables our crowdsourced security testing to be delivered with greater data protection and security controls than ever before, meeting and exceeding the security standards typically deployed on the penetration testing platforms used by large enterprises and traditional penetration testing providers. The combination of our thoroughly vetted researchers and tightly managed and controlled testing process delivered through LaunchPoint+ makes the adoption of Synack’s trusted, crowdsourced security testing in a highly regulated environment a reality.