Criminals and foreign adversaries know how to exploit our digital weaknesses and vulnerabilities to attack the U.S. government and American businesses. But a growing number of federal agencies and some of the biggest businesses in the world use those same offensive techniques and strategies to help defend against increasingly sophisticated cyberattacks.
Digital security has never been more important — nearly 80 percent of IT leaders worry their organizations aren’t sufficiently protected against cyberattacks at a moment in history when those attacks are coming more frequently than ever. The recent SolarWinds Orion hacking campaign and the barrage of attacks targeting vulnerable Microsoft Exchange servers are only the latest examples.
That’s why a new approach to cybersecurity is essential.
Overcoming flawed security
“Historically, most large corporations and government agencies would leverage internal resources to evaluate security or use consulting firms to perform a time-bound penetration test or security assessment,” says Jay Kaplan, CEO and co-founder of Synack, a crowdsourced security testing firm. “But both of these approaches are flawed, and a single missed vulnerability can lead to a complete breach of an entire network. It really just takes one foothold.”
The solution is a “crowdsourced” security model that brings the most skilled ethical hackers — researchers who approach security from the attacker’s point of view — to help organizations stay ahead of criminal and nation-state hackers by testing and improving their digital defenses.
“The goal is to create a higher-efficacy model that better mimics the offensive mindset,” says Kaplan, a former government hacker at the National Security Agency. “And I think we’ve really done that.”
At least 22 U.S. government agencies and departments — as well as many of the biggest global businesses and financial institutions — have embraced the approach. Like many businesses, the federal government has also recognized that the crowdsourced penetration testing model is about as close as an organization can get to testing systems against a real-world adversary.
In fact, over the past several years, the Department of Defense has run numerous “Hack the Pentagon” programs that allowed independent security researchers to find vulnerabilities inside Pentagon networks. Increasingly, government officials have embraced the approach and see the growing value of crowdsourcing when it comes to protecting the most sensitive networks and systems in the world.
Initially, however, some government agencies and officials were leery of allowing outside researchers access to their critical technology or digital assets, Kaplan notes. But those early concerns have faded as officials learn about the rigorous requirements for groups such as the Synack Red Team, the company’s network of ethical hackers, and about the benefits of the crowdsourced approach to security testing.
Kaplan says that all of the “white-hat” hackers on Synack’s crowdsourcing platform are highly vetted through background screenings and skill assessments. Every security researcher on the Red Team also goes through a nondisclosure process and is under contract with Synack.
Kaplan sees the role of crowdsourced security growing rapidly. Synack’s platform offers always-on security, a managed vulnerability disclosure program, AI-powered security testing, crowdsourced vulnerability discovery and continuous penetration testing. The company currently protects more than $6 trillion in Fortune 500 and Global 2000 revenue in addition to working across the U.S. government.
That breadth of experience has given Kaplan and others in this space plenty of insight into government security, and many see a greater role for this kind of testing to help agencies defend themselves against sophisticated attacks such as the SolarWinds campaign, which affected some 18,000 government and enterprise victims.
“If you’re looking at the first line of defense for U.S. government agencies, there are two technologies in place: EINSTEIN 3 Accelerated (E3A) and Continuous Diagnostics and Mitigation (CDM) Program,” he notes. “None of those detected attacker activity due to the SolarWinds compromise.”
Kaplan is optimistic that more government agencies will realize the power of a crowdsourced approach to security, but he warns that alone won’t solve the cybersecurity problem for the U.S. “The government needs to be more prescriptive,” he says. “Right now, the onus is on each individual agency to come up with their own cybersecurity strategy — there is really no unifying strategy.”
The bottom line is simple, Kaplan says. “Before deploying any new endpoint to the network, or any new application, every single digital asset should undergo a crowdsourced security assessment.”
For more information about on-demand crowdsourced security testing, visit www.synack.com.