synack Archives - Security IT Summit | Forum Events Ltd

The Synack platform expands to confront the cyber skills gap

Guest Post

By Peter Blanks, Chief Product Officer, Synack

At Synack, we’re committed to making the world a safer place. We’re doing that by helping organizations defend themselves against an onslaught of cyberattacks. We’re doing it by harnessing the tremendous power of the Synack Red Team, our community of the most skilled and trusted ethical hackers in the world, and through the most-advanced security tools available today.

Now, the Synack Platform is expanding to help organizations globally overcome the worldwide cybersecurity talent gap. I am excited to announce the launch of Synack Campaigns to provide on-demand access to the SRT, who will be available 24/7 to execute specific and unique cybersecurity tasks whenever you need them — and deliver results within hours. This new approach to executing targeted security operations tasks will fundamentally change organizations’ approach to cybersecurity by providing on-demand access to this highly skilled community of security researchers.

During my time at Synack, I’ve seen firsthand how the Synack Operations and Customer Success teams creatively engage with the SRT to address a growing range of clients’ security operations tasks, in addition to our traditional vulnerability discovery and penetration testing services.

Now, we are making these targeted security activities directly available to every organization in the form of Synack Campaigns, available through the new Synack Catalog, also launching today on the Synack Client Platform.

The new Synack Catalog, where customers can discover, configure, purchase and launch Synack Campaigns, is available now on the Synack Client Portal. Please speak with your CSM to have this feature enabled for your organization.

I know from speaking to our clients across multiple industries that security teams are struggling to keep pace with the speed of product development. At the same time, they are trying to scale defenses to meet the complexity and magnitude of today’s threats. Our customers describe challenges with their growing backlog of security tasks, such as CVE checks and cloud configuration reviews. On top of all of that, there’s the need to implement industry best-practice frameworks such as OWASP and MITRE ATT&CK. Essentially, customer security teams are struggling with demanding workloads and have asked us for assistance in a number of areas:

  • On-demand access to talented Synack Red Team members who are available 24/7 and capable of completing diverse security operations activities across a growing range of assets.
  • A flexible security solution that can be configured to meet their specific needs in one centralized platform with their existing pentesting insights.
  • A security solution that delivers results quickly (hours and days, not weeks or months) and is aligned with their agile development processes.

Synack Campaigns expands the core capabilities of the Synack Platform, including our trusted community of researchers, an extensive set of workflows, payment services, secure access controls and intelligent skills-based task-routing to provide customers with the ability to execute a growing catalog of cybersecurity operations.

With Synack Campaigns our researchers can augment internal security teams by performing targeted security checks such as:

  • CVE and OWASP Top 10 vulnerability checks
  • Cloud Configuration Checks
  • Compliance Testing (NIST, PCI, GDPR, etc.)
  • ASVS Checks

Synack Campaigns are built to complement our vulnerability management and pentesting services, and help customers achieve long-term security objectives, such as Application Security, M&A Due Diligence, and Vulnerability Management.

Synack works with Microsoft to provide a one-stop shop for Microsoft Azure-based cloud security

Stuart O'Brien

By Synack

Microsoft Azure comes equipped with all the right security controls, but effective deployment and management of these controls is an ongoing process, driven by evolution and risk tolerance. Proper implementation of cloud rollouts and ongoing maintenance can be a challenge, even for large organizations, leading to a lack of protections such as least privilege for access controls. And attacks on the cloud appear to be growing. Verizon’s 2021 Data Breach Investigations Report found that “external cloud assets were more common than on-premises assets in both incidents and breaches.”

Security teams are left responsible for not only securing cloud assets, but also for ongoing cyber hygiene training and developing common sense policies to protect an organization’s assets. It can be an overwhelming task. Based on an increase in cloud misconfiguration vulnerabilities reported by the Synack Red Team in 2020, it is clear the existing solutions and frameworks are fragmented—leaving ample room for malicious exploits.

But now, finally, there is a better way!

By combining the power of Synack, the premier crowdsourced platform for on-demand security expertise, with Microsoft’s Azure Security Modernization (ASM) solution, enterprise and government organizations now have a scalable solution for cloud security planning, management, and improvement.

Per a Microsoft Blog Post from earlier this year, Microsoft Azure applications and infrastructure deployments have grown by leaps and bounds for nearly 20 years. In parallel, Microsoft has emerged as a cybersecurity leader—recently announcing a whopping $10 billion in revenue for its security business over the past 12 months. This represents more than 40 percent year-over-year growth (Vasu Jakkal, 2021). Microsoft security experts have deployed Microsoft services and solutions to secure 400,000 customers across 120 countries, including 90 of the Fortune 100. Integrations such as the one with Synack amplify Microsoft’s ability to continue to grow and innovate across all types of organizations.

The Microsoft ASM solution helps its clients stay ahead of adversaries. It deploys a Microsoft Azure-centric, continuous approach to security (see chart below), led by Microsoft security experts and powered by the Synack Platform. Microsoft ASM includes a four-phase continuous security model, Plan, Develop, Deliver, and Measure, which programs, implements, and tests Microsoft Azure security requirements and controls.

Synack’s unique combination of a continuous, crowdsourced platform and smart vulnerability detection technology makes the discovery of security vulnerabilities easy, fast, and actionable! Synack-found vulnerabilities are reported and fed into Microsoft ASM’s “Measure” phase to enable future “Planning” phases with real-world security testing data. Synack’s controlled and 24/7 testing, alongside its Azure integrations, ensures the changing boundaries and assets of today’s dynamic environments are tested safely and comprehensively.

“Thanks to our integration with Synack, we can now go beyond reviewing security configurations against recommended practices to include real time scanning of an environment against known security vulnerabilities. This allows us to help our customers further reduce risk by having a more comprehensive and tailored remediation plan fit to their needs,” says Heath Aubin, Director of Business Program Management, Security Strategy and Solutions at Microsoft Corp.

Synack’s cloud integrations allow for quick deployment of a variety of testing methodologies within a Microsoft Azure environment based on an organization’s goals and requirements. The first is open vulnerability discovery to uncover and report exploitable issues within a Microsoft Azure environment. The second includes targeted, offensive assessments aligned to the Microsoft Azure Security Benchmark.

Synack designed these targeted tests alongside the Microsoft ASM Solution Owners for an on-demand mechanism to quickly highlight areas of weakness within a Microsoft Azure environment.

Leveraging the integration between Synack and Microsoft ASM, customers can experience a comprehensive testing and mitigation sequence to support compliance, asset management and planning, and expert-level insight into the security of their Microsoft Azure assets.

To find out more, download our datasheet here.

The economy runs on trust – The Synack 2021 Trust Report

Stuart O'Brien

By Jennifer Bennett, Synack

The Synack 2021 Trust Report

The pandemic has accelerated initiatives to digitally transform operations and driven efforts to implement Zero Trust security for remote workforces. Reinforcing cyber resilience continues to be top of mind in organizations, firms, and societies, and goes hand in hand with trust.

The 2021 Trust Report is Synack’s essential guide for CISOs, CIOs, security practitioners, C-suite and board executives to understand how to measure security, determine risks and build trust with data and insights on the state of different industries and sectors of the economy.

In its fourth volume, the authoritative global report shares data from the most trusted brands based on thousands of security tests conducted by the world’s most skilled ethical hackers, The Synack Red Team (SRT). The report spotlights the different industries and sectors of the economy and reveals new insights into how critical organizations are prepared to fight ransomware and other digital threats and stay resilient.

Average Industry ARS rating by year
(As published in previous Trust Reports)

Industry                                2019  2020  2021
Government                                47    61    64
Healthcare                                60    56    61
Financial Services                        57    59    58
Technology                                46    55    57
Ecommerce                                 48    47    57
Retail                                    45    46    55
SLED                                      46    50    49
Consulting/Business & IT Services         53    48    52
Manufacturing/Critical Infrastructure     70    45    50

2019 ARS ratings are based on data from the Trust Report: 2019 (data through January 2019).
2020 ARS ratings are based on data from the Trust Report: 2020 (data through July 2020).
2021 ARS ratings are based on data from the Trust Report: 2021 (data through April 2021).

The report data is based on Synack’s patented Attacker Resistance Score (ARS)™ Rating and includes a macro industry comparison that demonstrates how the most trusted organizations use the ARS rating and how to use the rating to benchmark attacker resistance against other industries.

All too often, vulnerabilities leave organizations dangerously exposed. Last year, the US-CERT Vulnerability Database recorded nearly 17,500 vulnerabilities—a record number for the fourth year in a row. More than a third—16%—of vulnerabilities found from 2020 through April 2021 by the Synack Red Team (SRT), our global network of highly skilled and vetted security researchers, were considered critical. Beyond that, the SRT saw a 14% increase over the past two years in authorization and permission vulnerabilities, which can give attackers access to the most sensitive networks and systems.

“We’re facing a global cybersecurity crisis. Some organizations are doing the right thing, creating effective defense strategies and being proactive. Others are simply checking boxes. But the nature of today’s threat requires an aggressive and assertive approach,” said Jay Kaplan, CEO and Co-Founder of Synack. “The Trust Report and the ARS are vital tools for understanding the gaps in any organization’s security plan, and can be used as a tool for CISOs and other security leaders to prioritize security efforts and focus on the most pressing threats and vulnerabilities first.”

The increased sophistication of today’s threats makes the CISO even more vital. On top of digital transformations, organizations faced punishing nation-state hacks with cyber attacks continuing to rise in 2021. Going forward, the role of the CISO and security teams will continue to evolve and expand. In fact, 55% of enterprise executives plan to increase their cybersecurity budgets in 2021 and 51% are adding full-time cyber staff in 2021.

“Testing—when it comes to security, safety, and resilience—makes all the difference in the world,” wrote Ritesh Patel, Security Principal at bp, in the foreword to the 2021 Synack Trust Report. “Measurements such as the Attacker Resistance Score (ARS) keep us honest and informed. The ARS lets us constantly assess our performance and compare how we’re doing across sectors. It’s a strong indicator that bp is performing above industry average, which sends a clear and powerful message within the organization that security—and trust—are essential in everything we do at bp.”

Read on to learn how the most trusted brands in the world measure security and build trust while diving into the different industries and sectors of the economy.

Synack leads the industry in finding the most critical and dangerous vulnerabilities in customers’ digital assets and apps, giving them the insight necessary to prevent attacks, as shown in our report’s key findings.

2021 Signals in Security Report: Renewed focus on vendor security

Stuart O'Brien

By Synack

The operational chaos of last year not only accelerated a number of cybersecurity trends, but elevated the importance of vetting secure vendors and the trust that goes hand in hand with each partnership.

We also found that training employees in cybersecurity best practices and integrating security more tightly into the development cycle stalled in 2020 as companies shifted priorities to adapt to the new norm and conduct business as usual, according to the 2021 Signals in Security report.

The urgency around many of these critical security efforts, unfortunately, slowed down last year as the pandemic and remote work took precedence, according to the vast majority of security professionals who responded to the survey. During that period, compliance issues and shifting security became less of a priority than in previous years.

But the pandemic didn’t upend every security priority. Finding and fixing vulnerabilities is still the No. 1 concern with 75% of respondents saying that was an “extremely urgent” or “very urgent” priority.

And being perceived as a secure vendor became the second most urgent priority in 2021. Pre-pandemic, a greater portion of respondents considered fixing vulnerabilities (48%) and maintaining status as a secure vendor (43%) to be extremely urgent, compared to 37% and 31% in 2021. The decline is yet another indication of the shifting security priorities during the pandemic. Remote workers may also have focused more on securing their own devices in 2020 rather than considering the company as a whole.

When it comes to security testing, the Signals in Security Report showed that despite a drop in urgency, it remained a top priority. When ranking the importance of testing, 88% said it was extremely or very important in 2021 compared with 97% last year. At the same time, however, attack surfaces have grown and hacking activities have increased.

Recent hacks have shown that testing should remain a top priority, especially in tumultuous economic periods such as the pandemic. This is especially true after the supply-chain attacks, such as Colonial Pipeline and JBS, that have led to widespread business disruptions. Furthermore, in December 2020, companies and the US government warned of a supply-chain attack using SolarWinds’ Orion remote management software that compromised more than 18,000 businesses and government agencies. Early in 2021, a zero-day attack on Microsoft Exchange servers, which reportedly impacted 30,000 organizations, led to additional compromises.

With the recent supply chain attacks, security teams should renew efforts to integrate cybersecurity throughout the entire business process. Security should be incorporated into the due diligence of third-party relationships, and security testing should be part of the onboarding of third-party applications.

Read more about these insights in the 2021 Signals in Security Report. Click here to download the full report.

Government and Financial Services best equipped to defeat cyber attacks

Stuart O'Brien

The Government and Financial Services sectors globally are the most hardened against cyberattacks in 2020.

That’s according to the third edition of the Synack Trust Report, a data-driven analysis of cybersecurity preparedness across all sectors and industries, which found that Government and Financial Services scored 15 percent and 11 percent higher, respectively, than all other industries in 2020.

Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73 percent.

Throughout the year, both sectors faced unprecedented challenges due to the global COVID-19 pandemic, but still maintained a commitment to thorough and continuous security testing that lessened the risk from cyberattacks.

“It’s a tremendously tough time for all organizations amidst today’s uncertainties. Data breaches are the last thing they need right now. That’s why it’s more crucial than ever to quickly find and fix potentially devastating vulnerabilities before they cause irreparable harm,” said Jay Kaplan, CEO and Co-Founder of Synack. “If security isn’t a priority, trust can evaporate in an instant.”

The 2020 Trust Report is grounded in data from the patented Attacker Resistance Score (ARS) Metric, which drew information directly from tests conducted on the Synack Crowdsourced Security Platform from 2019 through July 2020 — right through the COVID-19 response period. Synack calculates a unique ARS metric between 0 and 100 for every asset, assessment and organization it tests. The calculation takes into account attacker cost, severity of findings and remediation efficiency. The higher the ARS, the more hardened assets are against attack.

“The 2020 Synack Trust Report is a must-read for anyone who has ever been asked by their C-Suite, CEO, or Board: ‘Can I trust our digital systems? And how do we compare to other companies?’” wrote Michael Coden, Global Leader Cybersecurity Practice, BCG Platinion, Boston Consulting Group, in his foreword to the 2020 Trust Report. “The report makes it clear that companies surviving the continuous barrage of cyberattacks are the ones that frequently test as many of their digital assets as possible with the appropriate depth and breadth to the criticality of that asset.”

Key 2020 Trust Report findings include:

The Government sector earned 61 — the highest rating

The chaos of 2020 added new hardship to many Government bodies, but security hasn’t necessarily suffered as many agencies have become more innovative and agile. Their ability to quickly remediate vulnerabilities drove this year’s top ranking.

Financial Services scored 59 amidst massive COVID-19 disruptions

Financial Services adapted quickly through the pandemic to help employees adjust to their new remote work realities and ensure customers could continue doing business. Continuous security testing played a significant role in the sector’s ARS.

Healthcare and Life Sciences scored 56 despite pandemic challenges

The rush to deploy apps to help with the COVID-19 recovery led to serious cybersecurity challenges for Healthcare and Life Sciences. Despite those issues, the sector had the third highest average score as research and manufacturing organizations stayed vigilant and continuously tested digital assets.

Severity of vulnerabilities found on the Synack platform increases

Twenty-eight percent of the vulnerabilities discovered by the Synack Red Team, the community of ethical hackers working on the Synack platform, were considered high, very high or critical. Synack leads the industry in finding the most critical and dangerous vulnerabilities in customers’ digital assets and apps, giving them the insight necessary to prevent attacks.

ARS scores increase 23 percent from continuous testing

For organizations that regularly release updated code or deploy new apps, point-in-time security analysis will not pick up potentially catastrophic vulnerabilities. A continuous approach to testing helps ensure vulnerabilities are found and fixed quickly, resulting in a higher ARS metric.

Visit to download the report for free.