17 April 2018

A Security Score Built for Attacker Resistance

Mark Kuhr

Too often, security strategy has mimicked the action of throwing darts at a dart board. Which, if we’re honest, isn’t much of an effective strategy at all. What if, instead, we thought of our security strategy like how a coach manages their athlete’s training regimen…Their goal is to make the athlete stronger, faster, and better than before, so the training is ongoing. 60 yard dash, squat max, standing vertical jump: athletes are always being tested so that they can see the improvements they’ve made over time. After training and testing, good coaches adjust training plans in order to maximize the returns on each athlete’s training.

By enforcing continual work and continual testing, and then emphasizing specific training areas that will provide the most improvement, coaches ensure that their athletes’ performances improve over time in relation to their competition. Thanks to crowdsourced testing programs, security teams have been able to perform continuous work and testing on their systems. Unfortunately, though, measuring their success hasn’t been as simple as timing a 60 yard dash, and knowing how to maximize the returns of testing has been nearly impossible. Today, Synack makes it easier. We’re pleased to announce a big evolution in security testing: a realistic security score calculated through actual hacker testing activity that allows organizations to understand, benchmark, and increase “Attacker Resistance” over time.

Security Scoring Way Back When

For too long, the industry has relied on measuring security through the quantity and severity of vulnerabilities found by a scanner. These estimates fail to consider what a creative human might be able to accomplish if he/she was trying to break into a system. Increasing volumes of data and open source information have led to the rise of venture-backed security rating services. These companies leverage publicly-available data to hypothesize about digital security, but they still fail to measure it directly. Security scores have sought the easiest metrics to measure instead of the ones that truly matter.

the evolution of security score measurements

Finally, a security score that matters…

The score is calculated based on customers’ unique crowdsourced penetration test data to provide a measure of how susceptible an asset is to attack. Synack’s hacker-powered security platform captures all testing traffic in order to generate a unique Attacker Resistance Score for every asset and organization, respectively.

ARS is calculated based on the data generated by the Synack Red Team (SRT) and proprietary technology during a crowdsourced pen test. ARS inputs include:

  • Attacker Cost: How much time/effort was required to discover vulnerabilities in an environment
  • Severity of findings: The impact and quantity of vulnerabilities discovered in an assessment
  • SRT Skill: A measure of the level of complexity of the vulnerability based on the researcher skill level required to discover it
  • Remediation Efficiency: How efficiently an organization is able to resolve identified issues in your environments

attacker resistance score client dashboard view

What does the Attacker Resistance score say about an organization’s security?

The first time you conduct a Synack Crowdsourced Penetration Test on your assets, your scores will highlight which assets are hardest and where you need to focus more resources on additional testing and remediation. Over time, you can expect to get credit where credit is due. The Attacker Resistance Score is dynamic and changes over the course of testing to reflect changes in an asset’s hardness. As you remediate, your score increases, and your organization can show how you’ve made it harder for the adversary to attack.

What can you do with the Attacker Resistance score?

  1. Security teams can now get a realistic assessment of which assets should be prioritized for remediation and hardening. They can diagnose the readiness level to deploy applications. As assets harden over time, security risk is effectively reduced.
  2. Development teams can now assess their security hygiene and adherence to security best practices.
  3. The security team now has an effective way to review meaningful metrics on a company’s security risk with the executive team and board members.
  4. As an organization, teams can compare testing performance across assets within an organization and against other organizations.

Just like no athlete will ever achieve perfection (even Lebron), no system is impenetrable. There is always work to be done, testing to measure, and adjustments to make. We believe that Synack security scoring will enable and empower security teams to keep fighting the good fight against cyber adversaries. The adversary is always evolving, evolve with it.

For more information, read about it here or Contact Us.