As the new year approaches, Ed Amoroso, CEO of TAG Cyber, a world-class cybersecurity research, advisory, and consulting firm, recently published an article outlining the importance of “transcending conventional security” to stay ahead of the adversary. The article offered 5 superb ideas for enterprise security programs to adopt in 2021, based on TAG Cyber’s work with commercial vendors, enterprise security professionals, and government agencies. As a crowdsourced security platform that leverages the diverse skill sets and deep experience of the Synack Red Team to stay ahead of the adversary by testing like the adversary, Synack takes a more effective, efficient approach to penetration testing than traditional methods.
Below is Synack’s take on each of the five ideas. Organizations can apply these 5 ideas to their security testing strategies to set themselves up for a more secure 2021.
Idea 1: Localize Your Security Compliance
“Perhaps you might consider focusing on a divide-and-conquer approach to security compliance. Think small and local in your compliance work, versus large and overarching.”
In order to localize the crowd on specific, targeted tasks (e.g. by vulnerability type, asset, business unit etc.), the Synack Red Team (SRT) conducts Missions by completing pre-determined tasks and providing documentation of their work. Synack’s Missions were created for security leaders to utilize the SRT for targeted vulnerability discovery such as demonstrating adherence to regulatory standards or focused research on specific assets.
The Synack Client Portal enables security teams to quickly and easily manage security testing enterprise-wide, monitor security performance, prioritize assets for testing and share detailed findings with their teams. Inside the portal, the main dashboard gives a summary of your findings, reported in real time as they are discovered and triaged. Some of the key values on the dashboard include:
- How many SRT members have signed up to hack
- Number of testing hours completed
- Breakdown of SRT activity
- Number of active scans
From the main dashboard of key metrics, you can double click any of the high-level metrics for details and view detailed vulnerability findings, manage active assessments, get analytics on security performance (Attacker Resistance Score™ rating), learn outcomes of SRT security checks through Missions and read or download audit-ready reports, as needed.
So that reports can be tailored to the right audience, Synack’s platform goes beyond traditional reporting (often manual, point-in-time, and lacking in usable insights) to provide powerful, on-demand, customizable reports that present your testing data in a functional, easy-to-understand way. These reports help your organization make more informed security decisions. You can choose between human-written analysis, audit-quality reports for compliance mandates, custom report templates, high-level summaries with key metrics for leadership (as TAG suggests), or actionable vulnerability data for development teams.
Idea 4: Expose Complexity to Executives
“The biggest mistake we see on a day-to-day basis in the communications between CISOs and other executives is the over-simplification used to convey security concepts to non-security leaders. In the best case, this involves a bit too much baby-talk.”
Indeed, measuring security involves complex variables and concepts that cannot be disregarded or overlooked when communicating with senior executives or board members. Nevertheless, per Idea #4 and Jeanne Tisinger’s point, information must be communicated in a digestible fashion.
Synack’s Attacker Resistance Score rating is a trusted benchmark to measure and track your security. The score is calculated based on customers’ unique crowdsourced penetration test data to provide a measure of how susceptible an asset is to attack. The image below outlines the inputs used to calculate each score.
and against other organizations.
Idea 5: Expand Your Security Internships
“It is commonly reported (including from the ad-board on the C-Train to Brooklyn) that a skills shortage exists in cyber security. … We thus recommend that you consider increasing the intensity, scale, coverage, and investment in your internship program in 2021.”
As part of our ongoing efforts to address the lack of diversity in cyber and the dramatic skills gap the industry faces, we launched the Synack Academy. The cybersecurity community must create new pathways for minorities to excel in the field and generate new passion and interest in future cybersecurity careers among underrepresented minorities. In partnership with Blacks in Cybersecurity (BIC), the program aims to give individuals from underrepresented minority groups access to career pathways in technology and/or cybersecurity through structured, support-driven training and mentorship. The Synack Academy’s mission is to create a welcoming and inclusive environment in cybersecurity anchored by ongoing mentorship. We’re committed to fostering the next generation of cybersecurity professionals. Through the Synack Academy and BIC, students will gain the foundational knowledge and confidence to continue their cybersecurity journey and pursue further knowledge that can be applied to many fields within the technology and security sector.