Data breaches have quickly become a major threat to industries operating in the digital space, causing companies to get proactive with their security strategies and tactics.
The best way to prevent hackers is to know how to think like one. Based in Redwood City, California, Synack is a security company that is revolutionizing the ways in which we view cybersecurity: through the eyes of a hacker.
Co-founders Mark Kuhr and Jay Kaplan formerly worked for the National Security Agency. They noticed that old-school security tactics were dated and ineffective, leaving companies with poorly defended systems in urgent need of updating.
We spoke with Jay Kaplan to learn more about how Synack got started and to better understand this new concept of “ethical hackers.”
Founded in 2013, Synack is one of the few companies taking a different approach to web security using what’s called “bug bounty programs.” These programs take a “white-hat” approach where hackers are actually hired to find and report flaws found in computer software, hardware and networks. This allows companies to be proactive instead of reactive when dealing with the security of their digital assets and client information.
Synack’s security testing platform was developed to utilize both skilled, ethical hackers and technology to scale testing and drive meaningful data and metrics. Kaplan emphasized the critical need for humans and machines to work together in solving today’s cybersecurity threats. That’s what makes Synack’s Red Team so valuable.
An Offensive Approach to Data Breaches
The Synack Red Team (SRT) is the company’s group of ethical hackers who are hired to test systems with an adversarial approach. They are modern-day bounty hunters who collect appropriately termed “bug bounties” for testing the world’s tightest security systems for various bugs and system vulnerabilities.
Bug bounty programs employ teams like the SRT to test systems for security vulnerabilities, but they don’t do incident response. In other words, they aren’t fixing the damage done by a breach. Instead, they are looking for the weaknesses and vulnerabilities through which a data breach could happen.
The advantage of operating offensively is detecting weaknesses before incidents occur, and the SRT has access to some of the most affluent companies in the world, known as “exclusive targets.” These targets are open only to SRT hackers, who have gone through a rigorous vetting process to prove their skills and ethical background.
The SRT is a group of crowdsourced ethical hackers who respond to bug bounties in order to earn some extra money, but the majority of SRT members have either a full- or part-time job outside of ethical hacking and collecting bug bounties. Often there are numerous hackers working on one project or “target,” which is beneficial because multiple vulnerabilities can be found on the same app.
“Our new offensive approach to security testing would build a private community of the world’s best ethical hackers and incentivize them to find critical vulnerabilities in organizations’ digital environments,” Jay Kaplan said.
This model has the potential to uncover previously unknown, high-impact vulnerabilities, saving a company from a devastating data breach. Unlike traditional penetration testing, Synack offers testing that is on-demand and scalable, draws on a diversity of testing skill sets, and takes an adversarial approach.
No Industry Is Safe from Hackers
Synack’s solution is tailored to meet the needs of all organizations across different industries because everyone is a target and at risk of getting breached.
“The adoption of Synack’s groundbreaking model has become increasingly prevalent across government agencies, global enterprise leaders and high-growth organizations who realize they must act now—and act differently—when it comes to cybersecurity,” he said.
One of the industries most susceptible to cyberattacks is the financial industry. This seems relatively obvious and easy to explain: the sheer magnitude of transactions, consumer data and capital makes the financial industry an easy pick for unethical hackers. However, that also makes the financial services industry the perfect candidate for employing ethical hackers who use an offensive strategy.
Synack’s financial services program specifically targets weaknesses in the financial sector, but it doesn’t come without challenges. With such a negative connotation surrounding the word “hacker,” it has been quite a challenge for industries to fully trust these programs, since they are willingly allowing hackers to attack their systems and software.
Nonetheless, with the realization that the most effective way to beat a hacker is to stop a hack before it can happen, the social attitude is changing. Trust in ethical hackers is growing since cybersecurity companies like Synack have been able to prove that offensive approaches work well, and bug bounty programs are growing both in numbers and power.
“It took some time for people to trust the model, but the market is moving fast,” he said. “Now we’re seeing a lot of Fortune 500 companies and government organizations embracing ethical hackers as crowdsourced security models are becoming standard.”
Synack and its SRT have reached deep into the U.S. security establishment, as far as Washington, where the U.S. Department of Defense has turned away from relying solely on in-house security and toward the prowess of ethical hackers.
Looking forward, ethical hacking through Synack’s SRT could change the way companies protect user data and will hopefully pave the way for a safer cyber presence in the future.