18 April 2019

3 Lessons Learned from Synack’s 2019 Government Roundtables on Crowdsourced Security Testing

Synack

The Cyber Workforce Gap in the U.S. Federal Government

The cyber workforce gap is reaching a breaking point in the United States Government. Suzette Kent, the U.S. CIO of the federal government, recently gave testimony at the US House Oversight and Government Reform Committee on the “15,000 unfilled IT and security positions in government.” Kent has already rolled out a number of policy programs to help bridge the human talent gap, including a cybersecurity reskilling academy for federal workers. DHS’ CISA has offered a machine element through scans at NCATS to help federal departments, states, and industry stay secure. If we want to truly bridge the cyber talent gap, we will need more programs that integrate great talent AND technology.

Synack has convened private companies, federal agencies, and policy-makers from the White House and the US Congress at the Billington Cybersecurity Summit, RSA, and the Microsoft Innovation & Policy Center to discuss the cyber workforce gap and potential solutions. The public and private sector agree: the effort to “Develop a Superior Cybersecurity Workforce,” as stated in the National Cyber Strategy, is a priority. However, the “how” is a challenge.

Human talent brings creative, valuable raw intelligence to the mission set, but it does not scale easily (hence the talent gap). This is not a new problem: Cybersecurity Ventures estimated in 2017 that there will be a 3.5m personnel gap by 2021. More specifically, “penetration testing, secure system design, incident response, and tool development” are areas where there are growing talent shortages (CSIS, 2019). On the other hand, technology can be built to scale, but it lacks the creativity of the human mind. In fact, 80-90% of valid vulns found by the Synack Red Team are missed by a scanner. In today’s cyber war, we need the best of both worlds. Cyber solutions must combine human and machine elements.

As the talent gap becomes more stark, an increasing number of agencies will be under even greater pressure to do more with less. Over the past two years, Synack has witnessed 15x growth in agency adoption as agencies see the value in solutions like Crowdsourced Security Testing (CST) that help them scale by combining human and machine intelligence. But not all crowdsourced solutions are created equally.

3 Lessons from Agencies using Crowdsourced Security Testing to Scale

As other agencies consider CST programs, here are some best practices from our government partners about their own Crowdsourced Security Testing programs:

1. Balance FISMA and “Effective Security” – Increasingly, agencies don’t want to have to choose between realizing real security and achieving compliance. FISMA is a comprehensive framework that helps agencies guard against human or machine cyber threats, but it was passed in 2002. To give some perspective, the iPhone was invented five years later in 2007. FISMA was a great first step toward encouraging agencies to follow a compliance standard, and an additional piece of legislation in 2014 (i.e. the FISMA Act of 2014) helped bring it up to speed, but some components are still outdated and lack a modern element of human “creativity” when it comes to searching for vulnerabilities. No malicious actors go through a standard checklist when they are trying to exploit a SQL injection (SQLi) flaw in a website, or gain third-party access to sensitive consumer data; they use cutting-edge, unique and creative problem solving as they look for new vulnerabilities to exploit. Synack provides checklist-based compliance testing to help organizations meet basic compliance requirements such as those included in NIST 800-53, and we also go a step further to help agencies replicate a real “hunt” for vulnerabilities so both compliance and real security are achieved.

2. Proactive Security on Sensitive/Critical Assets – A common question among agencies at the onset of testing is how and what should be prioritized in their testing queue. Do all assets need to be tested with the same rigor? Forward-thinking CISOs and CIOs are increasingly testing their highest-value internal assets first. For instance, the Air Force recently published a press release on an engagement with Synack about testing their Reliability and Maintainability Information System, which is “among the most important IT systems for maintaining weapons technology”. Externally-facing web apps hold sensitive data too and in some cases could be just as important, especially when PII compliance concerns are involved. The Washington Post recently published an article on how Chinese hackers stole sensitive data related to underwater warfare and China plans to build a “supersonic anti-ship missile for use on U.S. submarines by 2020”. Information on the weapon was stolen from a contractor’s unclassified network. While federal agencies are working around the clock to make sure their internal and external environments are secure, agencies should also take the additional step of identifying and prioritizing important targets to help prevent these kinds of catastrophic scenarios.

3. Look for Quality not Quantity of Vulns – Another hot topic during the roundtable was vulnerability submissions and the budget needed to remediate them. Should the focus be on maximizing the number of vuln submissions, or on the quality of submissions? While there is a mentality that more is always better, with limited security resources to work through the submissions, focusing on the vulnerabilities whose exploitation would do real damage is essential. Cluttering the already overtaxed system with low-criticality, low-quality and duplicative vulns threatens the very security we are striving to achieve. We should shift our thinking to prioritize getting to a place where we can better trust our security. In reality, we’ve found that dedicating budget and resources to finding and remediating severe/critical vulns ASAP is the most helpful for reducing risk and cleansing agencies’ internal and external environments. It’s critical to choose a solution that focuses on quality and respects the constraints of internal resources.

How agencies and policy-makers should work together in 2019: Crowdsourced Security Working Group?

As agencies address these concerns, policymakers are also increasingly looking for more effective solutions. Is it more internal testers? Penetration testing? Scanners? Crowdsourced Penetration Testing? What roles should Congress and the executive branch play in providing legislation on this issue? Through Crowdsourced Security Testing, we have intelligence and insight that offers greater efficiency and ROI through combining human and machine components. However, we should also read the fine print. We need to trust the right researchers, maintain control over what is in and out of scope and make sure that we provide analytics (hours on target, attack surface covered, etc.) to make sure Crowdsourced Security Testing engagements provide ROI. That is why it’s important for agencies, Congress, and the White House to continue to communicate about what’s working and what’s not when it comes to Crowdsourced Security Testing. At our last panel, we even discussed creating a Crowdsourced Security Working Group to help address lessons learned. We look forward to convening agencies and policy-makers at our roundtables in the future to keep the conversation going in 2019.