JUNE 2016
The Journey from Discovery to Remediation
According to the National Institute of Standards and Technology (NIST), "Penetration testing is security testing in which
assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or
network." Penetration testing, or pen testing, can be performed by internal security personnel, by third-party "pen testers", or by a
combination of the two. However, traditional penetration testing engagements are limited in both time and coverage scope,
and their "success" is variable: it is bounded by the skills and experience of the people available for the engagement.
With its clear emphasis on mimicking real-world attacks, the NIST definition calls on penetration testing vendors to adopt
an adversarial mindset. To beat a hacker, you have to think like a hacker, so adversarial penetration testing is crucial to
discovering the critical vulnerabilities a malicious hacker would seek to exploit. But gaining access to qualified and scalable
pen testing teams capable of truly emulating the adversary is a serious problem while the information security world struggles with
a well-documented talent shortage.
With adversaries evolving rapidly and attack techniques increasing in complexity, the only way to make sure that the latest
attacker tradecraft is being leveraged in penetration testing is to create a platform in which real-world ethical hackers
become the driving force of these new penetration testing models. But to further disrupt the penetration testing
market, these models need to move beyond pure vulnerability discovery to mitigation and resolution. Companies
and vendors alike are realizing that discovery is meaningless unless the exploitable vulnerabilities can be mitigated and
subsequently remediated. The longer that process takes, the more likely they are to lose the "invisible" race against the true
adversaries, a loss with potentially catastrophic effects.
Discovery
There is often debate about whether automated vulnerability scanning or human-driven penetration testing
is the best way to discover vulnerabilities within an organization. Machines lack the creativity and critical thinking of
humans, while humans lack the raw speed of machines; a hybrid approach that brings the best of both
together is key to solving this problem.
Automated scanning technologies cannot reason about business logic; they take linear testing paths through digital
environments and feed back dense vulnerability reports with a high volume of background noise and little or no
prioritization or business risk context. Relying solely on automated scanners to uncover newly published
vulnerabilities does not solve the problem either, since scanners depend on known signatures and version checks. Even when the latest
signatures are present, a scanner can only indicate a known "potential" vulnerability; it generally does not confirm whether the
finding is actually exploitable in your environment.
[Figure: Perceived Security vs. Discovery, 96% signal-to-noise ratio]
The Synack Advantage
Synack continuously protects your most valuable IT assets by pairing the human ingenuity of the world’s best ethical hackers with
the scalability of an automated vulnerability intelligence platform. For this, Synack uses a private community of highly-curated
security researchers, the Synack Red Team (SRT), all of whom have been vetted for both skill and trust. Acceptance into the SRT
is highly selective (<10% acceptance rate), as Synack admits only the most qualified and ethical security professionals. Essentially,
Synack connects enterprises with a private crowd of the most sought-after skilled and trusted ethical hackers in the world to provide
continuous testing coverage that seamlessly integrates with your development processes.
Additionally, all SRT activities, from reconnaissance through exploitation, are always monitored and logged using Synack’s patented
full capture gateway platform, LaunchPoint. LaunchPoint adds additional layers of transparency and trust, allowing enterprises to
take advantage of bounty-driven application testing for even the most sensitive internal environments and production applications.
Before a vulnerability is seen by a customer, the Synack Mission Ops team will have deemed it to be a valid issue via a rigorous
review process that includes reproducing the vulnerability and cross-checking it against the engagement scope and existing known
vulnerabilities to eliminate duplicate reports. This allows Synack to deliver a 95% signal-to-noise ratio to customers: when you hear
from Synack, it matters.
An adversarial approach that utilizes the world’s best hacking talent and pairs them with technology should form the
underpinnings of your penetration testing program. By continuously monitoring your applications and infrastructure for
vulnerabilities and confirming exploitability before the report reaches your desk, this approach can help security operations
teams stay ahead of the game, while minimizing risk for the organization.
Other characteristics of this new adversarial penetration testing model should encompass:
A. The latest tools, tactics and procedures that real world malicious adversaries are leveraging so that you can detect the
latest vulnerabilities and prevent them from being exploited.
B. Continuous penetration testing of critical applications, integrated with your continuous code deployment
strategy. Attacks do not keep a 9-to-5 schedule for a few weeks at a time; real-world adversaries are
relentless and constantly adapt with new attack techniques. For that reason, traditional point-in-time penetration
tests will always leave a window of exposure during which new vulnerabilities can be exploited. Moreover, with frequent
software updates and the increased use of agile software methodologies, the attack surface keeps evolving, and the next
generation of penetration testing solutions needs to integrate seamlessly with these processes.
C. Prioritization of ‘exploitable’ vulnerabilities is no longer optional, but rather is non-negotiable. With security operations
teams often fighting multiple fires, resources are scarce and their time is valuable (and costly). Long lists of scanner
results can be filled with false positives and vulnerabilities with low exploitability. In order to scale, security teams
need a better way to separate the wheat from the chaff. The reality of the situation is that there isn’t enough time
or resources to fix all vulnerabilities. The focus needs to be on surfacing exploitable vulnerabilities with meaningful
business impact.
[Figure: Full packet capture with LaunchPoint; Vetted & Qualified Red Team]
Mitigation
Mitigation is a step that is often overlooked when choosing a penetration testing vendor. The reality of the vulnerability
management lifecycle is that developing, testing and deploying a fix for a newly reported vulnerability can take anywhere from a
few days to months. In the meantime the vulnerability, and the risk that it is exploited, continues to exist. During this period,
security teams should identify and implement mitigations that prevent the vulnerability from being exploited by adversaries. These
countermeasures can range from Web Application Firewall (WAF) rules to disabling or reducing the affected functionality of the
application. A WAF rule that can be deployed immediately lets the security team minimize disruption to the normal development cycle:
the fix can be planned in a rational manner instead of being rushed out in a dreaded hot-fix scramble. Mitigation can therefore be a
crucial step in maintaining business continuity and productivity. A mitigation is a compensating control, not the fix: it should be
tested against variants of the reported payload (URL-encoded forms, for example), checked against legitimate traffic so that it does
not break the application, and tracked as an open item until the patch ships. Security teams also need proper vulnerability
intelligence to assess the situation when deciding between patching a system and making more significant changes to the overall
architecture. A clear understanding of adversarial tradecraft, together with the ability to gather exploitation intelligence from
captured web traffic, is of paramount importance when establishing these countermeasures.
The Synack Advantage
In Synack's experience, organizations' initial mitigation efforts have failed to stop the exploit in 19% of cases. The Synack
Mission Ops Team assists enterprise security teams with conceptualizing, constructing and verifying appropriate mitigation
countermeasures, allowing customers to focus internal efforts on what matters most to the enterprise, vulnerability remediation and
risk reduction, rather than spending countless hours internally theorizing fixes that may or may not work.
Some patches take longer to implement than others. Rather than leave yourself unprotected while waiting for a critical patch,
in many cases Synack can create plug-and-play WAF rules that help you identify and prevent any further exploitation of the
vulnerability. These WAF rules are fully tested by Synack in advance, so you can be assured that they work as intended.
[Figure: Before Mitigation / After Mitigation. Plug-and-play, fully tested WAF rules in the cases where they help]
Remediation
Faced with relentless threats across growing attack surfaces, enterprises must adapt by establishing responsive and
effective processes for patching vulnerabilities as part of their vulnerability management life cycle. However, it doesn’t
end with applying a patch. Security organizations must have the assurance that a patch is effective in truly fixing the
vulnerability. The lack of an independent patch verification process can lead to a false sense of confidence in patch
effectiveness. Worse, poorly implemented patches may even introduce new vulnerabilities with potentially catastrophic
business impact.
Development organizations often engage in code reviews while fixing vulnerabilities. Additionally, security teams may
verify patches independently of the development team to provide additional perspective. Once the patch is reviewed, the
fix is considered complete. While internal reviews are essential, security teams often lack sufficient visibility into how the
patch was implemented. More importantly, security teams do not possess full visibility into the tactics, techniques, and
procedures (TTPs) of the adversaries who are dedicated to the discovery and exploitation of vulnerabilities, including the
one presumed to be fixed.
The Synack Advantage
The Synack Mission Ops team acts as an extension of your internal security teams. Once the Mission Ops team has verified the
exploitability of the vulnerability, it leverages its understanding of your applications and infrastructure and, in many cases,
is able to recommend a fix with accompanying remediation guidance for the vulnerability. Once this fix moves through your
vulnerability management process and a patch is created, Synack provides customers with a way to confirm the efficacy of the
patch through Synack's patch verification process.
Patch verification creates a tried and tested find-to-fix model for the enterprise that can be managed and tracked within the
Synack portal. Patch verification gives customers the ability to request an independent review of a vulnerability patch in order
to ensure that the attack vector specified by the vulnerability report has been closed. All patch verifications are performed by
Synack Red Team (SRT) member(s) working in conjunction with the Synack Mission Ops team.
[Figure: Before Remediation / After Remediation. Hacker-powered patch verification]
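The Mitigation and Remediation sections above describe two checks a practitioner has to carry out: that an interim WAF rule actually stops the reported exploit, and that the eventual patch closes the reported attack vector. The following Python script is an added example and is not Synack's code, nor a description of Synack's platform; the toy web handler, its file store, both WAF rules and the attack payloads are all constructed for the illustration. It shows why a mitigation written against the literal payload in a report can fail (URL-encoded variants of the same path traversal walk straight past it) while a rule that normalises the request first holds, and it reuses the same replay harness to confirm the real fix with no WAF in front of it.

```python
"""Interim mitigation and patch verification for a path-traversal report.

Added example, not Synack code. Everything here (the toy handler, the
file store, the WAF rules and the attack payloads) is constructed so the
script runs offline; it stands in for a real web app behind a real WAF.
"""
import posixpath
from urllib.parse import unquote

# Constructed file system: one file the app may serve, one it must not.
DOCROOT = "/var/www/public"
FILES = {
    DOCROOT + "/index.html": "<h1>public</h1>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
}
SECRET_MARKER = "root:"


def vulnerable_handler(path_param):
    """The app as reported: user input is joined onto the docroot unchecked."""
    target = posixpath.normpath(DOCROOT + "/" + unquote(path_param))
    return FILES.get(target, "404")


def patched_handler(path_param):
    """The fix: resolve the path, then refuse anything outside the docroot."""
    target = posixpath.normpath(posixpath.join(DOCROOT, unquote(path_param)))
    if not target.startswith(DOCROOT + "/"):
        return "403"
    return FILES.get(target, "404")


def naive_waf_rule(request_path):
    """First mitigation attempt: block the literal payload from the report.
    Returns True when the request may pass."""
    return "../" not in request_path


def hardened_waf_rule(request_path):
    """Corrected rule: URL-decode twice (catches double encoding), then look
    for a '..' path segment rather than one byte-exact string."""
    decoded = unquote(unquote(request_path))
    return ".." not in decoded.split("/")


def serve(handler, request_path, waf_rule=None):
    """Route a request through an optional WAF rule and then the app."""
    if waf_rule is not None and not waf_rule(request_path):
        return "WAF-blocked"
    return handler(request_path)


# Constructed attack vectors: the payload exactly as reported, plus the
# encoded variants a retest should try before calling the issue closed.
REPORTED_VECTORS = [
    "../../../etc/passwd",              # as written in the report
    "..%2f..%2f..%2fetc/passwd",        # slashes URL-encoded
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",  # dots URL-encoded
]
BENIGN_REQUEST = "index.html"


def verify(handler, waf_rule=None):
    """Replay every reported vector and one benign request.

    'still_exploitable' lists the vectors that still reach the secret;
    'benign_ok' guards against a mitigation that simply breaks the app.
    """
    still_exploitable = [
        v for v in REPORTED_VECTORS
        if SECRET_MARKER in serve(handler, v, waf_rule)
    ]
    benign_ok = serve(handler, BENIGN_REQUEST, waf_rule) == FILES[DOCROOT + "/index.html"]
    return {
        "closed": not still_exploitable and benign_ok,
        "still_exploitable": still_exploitable,
        "benign_ok": benign_ok,
    }


if __name__ == "__main__":
    print("no mitigation:   ", verify(vulnerable_handler))
    print("naive WAF rule:  ", verify(vulnerable_handler, naive_waf_rule))
    print("hardened rule:   ", verify(vulnerable_handler, hardened_waf_rule))
    print("patched, no WAF: ", verify(patched_handler))
```

Run as written, the naive rule blocks only the first vector and reports the other two as still exploitable, which is the "mitigation that failed to stop the exploit" case; the hardened rule and the patched handler each report the issue closed with the benign request still served. The important design choice is that the same `verify` harness is used for the mitigation and for the patch: the list of replayed vectors grows as variants are found, and the patch is only considered verified when it passes with the WAF removed.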
About Synack
Synack is pioneering a trusted hacker-powered approach to protecting an organization's digital surface, arming security teams
with hundreds of the world's best hackers who want to be your allies, not your adversaries. Our private crowd of skilled and
trusted hackers provides proactive application and penetration testing services from a truly adversarial perspective, detecting
and reporting vulnerabilities within clients' web and mobile applications, host infrastructure, and connected IoT devices that
often remain undetected by traditional security solutions.
The Synack Crowd Security Intelligence Solution
To beat a hacker, you have to think like a hacker, and to protect an enterprise against constant, complex threats, you have to ignite
hundreds of the world’s best ethical hackers into rapid action. Synack’s Crowd Security Intelligence™ platform does just that.
The Synack solution combines the human ingenuity of the Synack Red Team (SRT) with the scalability of Hydra, an advanced
vulnerability intelligence platform, to continuously discover exploitable vulnerabilities across web applications, mobile
applications, and host-based infrastructure. Synack takes an adversarial approach to exploitation intelligence to show the
enterprise where their most business-critical vulnerabilities are and how these vulnerabilities can be exploited by the adversaries.
The Synack solution allows the enterprise to initiate an engagement quickly with more time on target, and presents a controlled
and continuous adversarial view of the organization’s application and infrastructure security. Acting as a closely integrated
extension of internal security teams, the Hydra-enabled SRT provides comprehensive testing coverage across large, complex
enterprise assets. The Synack solution delivers exploitation intelligence allowing customers to reduce their window of exposure
and strengthen their security posture.
SRT + Hydra Technology: The SRT, supported by Hydra, continuously discovers vulnerabilities with high efficacy. Once vulnerabilities are patched, the SRT even helps verify the fix.
LaunchPoint™: All SRT testing activity is routed through our secure gateway technology, providing our clients with full transparency and control.
Mission Ops: Synack Mission Ops expertly manages, triages, and prioritizes ALL vulnerabilities submitted by the SRT, helping customers focus their internal efforts on remediation.
Synack, Inc.
855.796.2251 | www.synack.com | [email protected]
© 2016 Synack, Inc. All rights reserved. Synack is a registered trademark of Synack, Inc.
[Diagram labels: Synack Red Team, Hydra Technology, LaunchPoint™, Client Assets, Mission Ops, Web Management Platform, Report (10/10 CVSS), Patch Verification, YOU]