It was this predicament, combined with Kaplan’s ambition to take present-day security a level higher, that spurred the genesis of Synack. Taking cues from how the NSA conducts its vulnerability research, Kaplan and his team have pioneered an elegant solution that mimics the perspective of potential attackers by combining the power of human ingenuity with the scalability of a security platform. “We reside in an age where technology has outpaced humans in every industry except security. The software developed today can’t keep up with the creativity and ingenuity of a human hacker,” says Kaplan. In place of static security solutions that follow the traditional compliance-driven or point-in-time model, the Synack solution focuses primarily on vulnerability discovery. The company has developed a vulnerability intelligence platform, Hydra, that takes penetration testing beyond the one-off engagement: rather than assessing a client’s vulnerabilities once, the platform continuously evaluates the client’s systems for resistance to potential attacks.
“With hackers becoming more sophisticated and threats turning more severe, the lack of cybersecurity talent in the US and abroad has never been more dire,” points out Kaplan. To match the creativity and persistence of a human hacker, Synack crowd-sources an army of security researchers and white-hat hackers who plug this growing talent gap. “Every type of hacker approaches the problem very differently with a very creative mindset. This is what we are trying to bring to our customers,” he adds. The Synack Red Team consists of top hackers and security researchers from around the world who are engaged to discover exploitable vulnerabilities across clients’ mobile and web applications and host-based infrastructure. Powered by the Synack Red Team, Synack’s platform not only makes the client aware of its business-critical liabilities but also presents an impact statement that indicates the severity of each vulnerable component, practically demonstrating the damage an attacker could cause.
The highly-curated members of the Synack Red Team go through a vetting process that ensures that they are trustworthy in addition to possessing the relevant skills for the job.
Software cannot keep up with the creativity and ingenuity of a human hacker
Furthermore, Synack provides a fully managed, white-glove service, MissionOps, that enables customers to launch within 24 hours of activation. This internal team of vulnerability experts works closely with clients to deliver services such as asset definition and scoping, Synack Red Team (SRT) communication and management, real-time vulnerability triage and periodic engagement briefs. Every vulnerability discovered is validated by the MissionOps team and is also practically exploited by one of the researchers, so a finding is reported only once it has been demonstrated rather than merely flagged by a scanner. “We go back once the customer believes they’ve remediated the problem to verify that the remediation was successful,” adds Kaplan. Synack also provides a centralized online portal that alerts the customer to any new vulnerability.
“Customers are keen to acquire the information we provide, as it creates awareness on how to avoid these vulnerabilities in the future; preventing it from becoming a recurring occurrence,” says Kaplan. Synack’s clientele spans financial services, healthcare and technology as well as government institutions such as the DoD and the IRS. In the Pentagon’s “Hack the Pentagon” initiative, Synack’s crowd-sourcing methodology was used to lock down a critical, globally deployed system that warfighters rely on to relay commands essential to their daily responsibilities. “Despite our previous successes, we were thrilled at the success of our solution at the Pentagon,” reports Kaplan, especially because the solution discovered vulnerabilities in a hardened DoD system that had been cleared by traditional security solutions. “Once the vulnerabilities were identified, the DoD began urgent remediation within 24 hours of the test, recognizing the severity of the discovery,” adds Kaplan. Synack is also employed by the IRS to prevent leakage of information through continuous monitoring of the agency’s changing infrastructure.
Synack is encouraged by the progressive thinking it has witnessed among government agencies and other enterprises. “These institutions welcome the adversarial perspective we offer and understand that this should be the de facto way of performing security tests. It is the only way to understand what your attack surface looks like from an adversary’s point of view,” says Kaplan. In the days to come, the company intends to enrich and augment its platform’s productivity along with its high-end bug bounty program.
The milestone approval signifies that U.S. agencies are now authorized to use Synack’s penetration testing and vulnerability management solutions, including on systems that handle Controlled Unclassified Information and other official or sensitive data.
"This achievement is a gamechanger for our federal clients," said Dr. Mark Kuhr, Synack CTO and co-founder. "It also sends a clear message to all our customers: You can trust Synack to keep your data secure as we deliver pentesting of the highest caliber."
The Government Accountability Office has warned of the escalating threat of cyberattacks by malicious actors on federal targets, which poses a significant risk to national security. In response to this evolving landscape, FedRAMP serves as a fundamental element of the U.S. government’s strategy to enhance security, especially as agencies move crucial data to cloud platforms. In addition, White House directives such as OMB Memorandum M-22-09 require agencies to meet specific zero-trust architecture goals by the end of fiscal year 2024, i.e. by September 2024.
As part of a zero-trust strategy, the implementation of dedicated application security testing programs is crucial. Synack takes pride in facilitating agencies to carry out such services within a FedRAMP Moderate Authorized environment.
"This FedRAMP designation clears the way for Synack's premier security testing platform to protect more government systems," said Synack vice president for public sector Catherine Bowen. "We are doubling down on our goal to improve the security posture of agencies and companies handling mission-critical government applications, internally and externally."
To attain FedRAMP Moderate Authorization, Synack implemented and enforced the 325 security controls of the Moderate baseline and underwent rigorous third-party assessment of its security infrastructure. This achievement underscores Synack’s commitment to enhancing global security by providing immediate access to the Synack security testing platform and its Synack Red Team of over 1,500 vetted security researchers.
The successful bid for FedRAMP authorization was sponsored by the U.S. Department of Health and Human Services (HHS). The announcement marks a significant advancement from Synack’s previous FedRAMP Moderate “In Process” designation, obtained in 2022 when the company was first listed in the FedRAMP marketplace.
Synack has worked with HHS and numerous other federal agencies, testing internal assets to strengthen their security postures. The company participated in the Defense Department’s inaugural “Hack the Pentagon” program in 2016, helping to identify and resolve high-impact vulnerabilities in military networks. Following that program’s success, the DoD continued to engage Synack in subsequent programs aimed at establishing a trusted, crowd-sourced approach to security testing.