The Power of Synack’s Crowdsourced Cybersecurity Testing Platform

Of all the possible outcomes of a cyberattack, business downtime is the biggest worry for most C-suite executives. The chances that those concerns could become a reality are more likely than ever.

Today, it’s as cheap as $34 for malicious hackers to carry out an attack that can have devastating consequences, according to a recent study. Some criminal cyber gangs operate on only $3,800 a month, but can generate up to $1 million per month in profits.

How can businesses fight back against the proliferation of attacks that are cheap to carry out but have such damaging and costly consequences?

Crowdsourced cybersecurity begins to answer that question. Compared to short-term penetration testing exercises or short-lived bug bounty programmes, leveraging crowdsourced, penetration testing gets realistic, adversarial insights into organisations’ attack surfaces, using many of the same techniques and tools wielded to such devastating effect on companies every day.

That’s the value of an offensive approach to cybersecurity that companies like Synack have pioneered. With a crowd of ethical hackers, organisations can more quickly find and fix the dangerous vulnerabilities before criminals are able to exploit them and cause harm. Synack has also developed a proprietary metric  for business decision makers to better understand how susceptible they are to cyberthreats.

Synack’s Attacker Resistance Score (ARS) is a patented algorithm that is a product of the overall cost to an attacker (in terms of effort required to achieve their aims), the severity of the potential breach, and the efficiency of the organisation’s remediation efforts. The higher the ARS score, the more hardened an organisation is against attacks.

Source: Synack

Over the course of several years, extensive research from Synack has shown that in some sectors, ARS scores are gradually rising (in government and quasi-governmental bodies, for example); however, in manufacturing, facilities are increasingly at risk, as falling ARS figures show.

The full report titled The 2021 Trust Report is available here and shows several trends that should be of concern to cybersecurity experts, professionals in the IT industry, and business leaders alike.

The 2021 Trust Report states that industries that have fared poorly over the last few years — manufacturing has had low ARS scores until 2020 — have recently improved their resilience over the last year. In fact, the average ARS score across all organisations has risen a couple of points.

Yet, attacks like those emanating from the SolarWinds compromise, this year’s Exchange zero-days and the Colonial Pipeline ransomware attacks have represented the significant effects of malicious actors’ activity in very public ways.

To achieve the highest levels of security, the Report proposes continuous testing of defences and empirical proof that remediation is in place for each potential vulnerability. To achieve that self-same aim, many organisations deploy automated software to probe the business’s public-facing assets.

However, reliance on ‘bots is less effective than human-led penetration testing, yet the latter is known to be not cost-effective at scale.

Synack’s own approach is to use the inherent power of the crowd, deploying and managing large teams of penetration testers — a continuous and self-creating bug bounty programme, for want of a better description.

The report stresses the importance of increasing the effort to reduce the cadence between vulnerability discovery and remediation, and this is achievable by operationalising cybersecurity processes. Achieving this at scale will be a major challenge for security professionals in all industries, the Report states.

Source: Shutterstock

Using a crowdsourced methodology over traditional penetration testing is one way that the process of tightening can be achieved highly efficiently. Organisations are prioritising critical vulnerabilities and patching 72 percent of critical vulnerabilities found, closing them on average in 32 days.

That’s a slight improvement over the figures from 2020, and seems to be allowing a shift in focus on less severe findings. This implies adoption of better detection mechanisms, with crowdsourced penetration testing offering the most effective answer for organisations battling cybercrime.

With budgets under the cosh, and a newly distributed workforce to protect, many companies are struggling to keep themselves and their employees safe: the rise in digital attack success rates is proof of this (see the 2020 Verizon Data Breach and Investigations Report).

The Synack Crowdsourced Security Platform gives companies access to the best of the worldwide security community to get an adversary’s view of the presented attack surface. Under the company’s direction, the crowdsourced teams find exploits, advise on remediation, and verify the effectiveness of steps taken.

In combination with its own automated scans, Synack’s Crowdsourced Security Platform provides organisations with practical defences against cyberattacks and helps ensure business continuity. Synack delivers best-quality results and helps embattled internal security teams scale up fast.

To find out more, learn about the Synack Red Team, and explore the different options, head over to the Synack site and speak to a representative.