16 December 2020

TAG Cyber’s Top Five Ideas for your 2021 Enterprise Security Program: The Synack Way

Lauren Newman

As the new year approaches, Ed Amoroso, CEO of TAG Cyber, world-class cybersecurity research, advisory, and consulting firm, recently published an article outlining the importance of “transcending conventional security” to stay ahead of the adversary. The article offered 5 superb ideas for enterprise security programs to adopt in 2021, based on their work with commercial vendors, enterprise security professionals, and government agencies. As a crowdsourced security platform that leverages the diverse skill sets and deep experiences of the Synack Red Team to stay ahead of the adversary by testing like the adversary, Synack takes a more effective, efficient approach to penetration testing than traditional methods. 

Below is Synack’s take on each of the five ideas. Organizations can apply these 5 ideas to their security testing strategies to set themselves up for a more secure 2021. 

Idea 1: Localize Your Security Compliance

“Perhaps you might consider focusing on a divide-and-conquer approach to security compliance. Think small and local in your compliance work, versus large and overarching.”

In order to localize the crowd on specific, targeted tasks (e.g. by vulnerability type, asset, business unit etc.), the Synack Red Team (SRT) conducts Missions by completing pre-determined tasks and providing documentation of their work. Synack’s Missions were created for security leaders to utilize the SRT for targeted vulnerability discovery such as demonstrating adherence to regulatory standards or focused research on specific assets.

Synack handles a wide range of target types that can be tested individually or in combination (such as a Mobile App using a REST API). Hybrid target environments (such as the infrastructure and applications in a PCI Cardholder Data Environment) are eligible for testing. As TAG suggested, dividing your compliance initiatives into smaller, more manageable projects is a great way to reach the type of completeness that is required by most auditors and assessors. Synack’s Missions can help with that. 

Idea 2: Crowdsource Your Security Testing 

“The foundation justification is that a diversity of techniques, tactics, backgrounds, expertise levels, and motivations will help uncover unforeseen exploitable vulnerabilities in your infrastructure.”

As TAG pointed out, the diversity of thought provided by a crowd of researchers from varying backgrounds and expertise provides invaluable creativity, allowing you to uncover vulnerabilities from the adversarial perspective. However, without proper crowd standards, quality assurance, or technical controls and management, bug bounty can introduce unwanted risk and operational burden into an organization. Furthermore, it can be daunting managing hundreds, if not thousands, of ethical hackers.  Synack’s crowdsourced security testing platform provides bounty-driven security testing with the right crowd and platform. This means you get the scale and rigor of bug bounty, but with optimal control and quality.

This includes:

  • A realistic view of your attack surface from the world’s best ethical hackers
  • An ability to rapidly deploy tests
  • Real-time analytics on testing activity, coverage and benchmarking performance
  • Additional scale through a machine-learning enabled scanner
  • Access to actionable, audit-ready reports complete with a compliance checklist

Synack goes beyond bug bounty to address many of the challenges where bug bounty falls short. We recruit and retain only the top-performing crowd and vet them through a 5-step process for both skill and trust. Our customers receive high-quality, actionable results with a 99% signal to noise ratio. Essentially, by combining the best elements of human and machine intelligence, you’re better equipped to take your security to the next level in 2021. 

Idea 3: Simplify Your Security Dashboard 

“Every company seems to have dozens of dashboards for reporting data to leadership, and the design goal appears to be 100% coverage of every square inch on the PowerPoint screen….we strongly recommend simplifying your enterprise security dashboard in 2021.” 

At one of our recent Courageous Women CISO Virtual Events, Jeanne Tisinger, former CIO of the CIA said, “Speak the truth in a way that people can hear it.” The truth behind this statement cannot be understated. From interns to executives to customers, the ability to communicate key information in a way they can hear it is essential to success in any context. With that said, dashboards for test management and reporting are critical elements of security testing. 

As far as simplifying the security dashboard for testing management, the Synack Client Portal enables security teams to quickly and easily manage security testing enterprise-wide, monitor security performance, prioritize assets for testing and share detailed findings with your team. Inside the portal, access the main dashboard with a summary of your findings reported in real time as they are discovered and triaged. Some of the key values on the dashboard include:

  1. How many SRT members have signed up to hack
  2. Number of testing hours completed
  3. Breakdown of SRT activity
  4. Number of active scans 

From the main dashboard of key metrics, you can double click any of the high-level metrics for details and view detailed vulnerability findings, manage active assessments, get analytics on security performance (Attacker Resistance Score™ rating), learn outcomes of SRT security checks through Missions and read or download audit-ready reports, as needed.

So that reports can be tailored to the right audience, Synack’s platform goes beyond traditional reporting (often manual, point-in-time, and lacking in usable insights) to develop powerful, on-demand, customizable reports by presenting your testing data in a functional, easy to understand way. These reports help your organization make more informed security decisions. You can choose between human-written analysis, audit-quality reports for compliance mandates, custom report templates, high-level summaries with key metrics for leadership, as TAG suggests, or even actionable vuln data for development teams.

Idea 4: Expose Complexity to Executives 

“The biggest mistake we see on a day-to-day basis in the communications between CISOs and other executives is the over-simplification used to convey security concepts to non-security leaders. In the best case, this involves a bit too much baby-talk.”

Indeed, measuring security involves complex variables and concepts that cannot be disregarded or overlooked when communicating with senior executives or board members. Nevertheless, per Idea #4 and Jeanne Tisinger’s point, information must be communicated in a digestible fashion. 

Synack’s Attacker Resistance Score rating is a trusted benchmark to measure and track your security. The score is calculated based on customers’ unique crowdsourced penetration test data to provide a measure of how susceptible an asset is to attack. The image below outlines the inputs used to calculate each score.

The Attacker Resistance Score is dynamic and changes over the course of testing to reflect improvements in an asset’s hardness. As you remediate, your score increases, and your organization can show how you’ve made it harder for the adversary to attack. The higher a score, the lower the security risk.  They can diagnose the readiness level to deploy applications. This metric allows security teams to review meaningful metrics on a company’s security risk with the executive team and board members without disregarding key inputs in an effort to simplify. As an organization, teams can compare testing performance across assets within an organization and against other organizations.

Idea 5: Expand Your Security Internships 

“It is commonly reported (including from the ad-board on the C-Train to Brooklyn) that a skills shortage exists in cyber security. … We thus recommend that you consider increasing the intensity, scale, coverage, and investment in your internship program in 2021.” 

As part of our ongoing efforts to address the lack of diversity in cyber and the dramatic skills gap the industry faces, we launched the Synack Academy. The cybersecurity community must create new pathways for minorities to excel in the field and generate new passions and interests in future careers in cybersecurity for underrepresented minorities. In partnership with Blacks in Cybersecurity (BIC), the program aims to provide individuals from underrepresented minority groups access to career pathways in technology and/or cybersecurity through structured, support-driven training and mentorship.  The Synack Academy’s mission is to create a welcoming and inclusive environment in cybersecurity anchored by ongoing mentorship. We’re committed to fostering the next generation of Cybersecurity professionals. Through the Synack Academy and BIC, students will have the foundational knowledge and confidence to continue their cybersecurity journey and pursue further knowledge that can be applied to many fields within the technology and security sector.