How to crowdsource your way to better security

Sharon Florentine


The best defense is a good offense, as the saying goes, and nowhere is that more true than in enterprise security. Finding vulnerabilities and exploits before hackers do can prevent devastating breaches and data loss, and spare your operations and your reputation a crippling hit.

Most enterprises use one of two approaches: manual, by which a human tests for potential weaknesses; or automated, in which a vulnerability scanner screens networks for exploit potential. But neither of these approaches is entirely effective on its own.

Flawed solutions

"Today's vulnerability solutions are flawed. Some are human-centric, point-in-time penetration tests, which are limited to the skillsets of individual testers and project timelines. Others are solely reliant on scanner technologies, which overwhelm today's already-strained IT organizations with duplicates, false positives, uneven quality levels and thousands of submissions that require manual review," says Mark Kuhr, CTO of cybersecurity solutions firm Synack, in a statement.

Synack, founded by former NSA analysts Jay Kaplan, now Synack's CEO, and Kuhr, takes a novel approach to the problem by combining the best of man and machine. It crowdsources vulnerability assessment to the Synack Red Team (SRT), a group of independent, expert security researchers who work globally, using both their skills and expertise and cutting-edge technology to identify potential weaknesses. It pairs the SRT with its new Hydra technology, which continuously scans client networks for vulnerabilities and delivers intelligence to internal security teams and to the SRT.

Crowdsourcing security

The idea is to crowdsource cybersecurity by using the best minds, the best technology and best practices to present an objective view of potential vulnerabilities, and remediate them quickly and effectively, according to Kaplan.

SRT members are elite cybersecurity pros who are vetted, tested, screened and subject to extensive background checks before they can join SRT. The process is so intensive and challenging that the acceptance rate for candidates is only about 10 percent, says Kaplan. SRT members work on a freelance basis; many have day jobs as security pros at other IT companies. They're paid on a case-by-case basis, Kaplan says, when they discover a vulnerability and remediate it for a client.

"This is crowd security intelligence. Clients get continuous coverage of their assets with this model, and they get a diverse, objective view of what they look like from the outside -- their security posture. Instead of one or two individuals, we're talking a team of a hundred people, constantly looking for threats," Kaplan says.

Synack's private "bounty for bugs" model is one that prizes anonymity. Because of confidentiality obligations, Synack doesn't disclose its customers, but Kaplan says the firm is experiencing customer growth in excess of 300 percent quarter over quarter in the Fortune 500.
