The Financial Services sector suffers one of the highest cyber incident rates and average breach costs of any industry [1]. The industry looks to Synack to secure their assets and their reputations, in addition to meeting compliance.
Hacker-Powered Penetration Testing for High-Value Assets
Financial Services companies’ large volumes of financial assets, transactions, and customer data under management make the industry an obvious target for cybercriminals. As emerging policy frameworks, such as the EU General Data Protection Regulation, heighten the penalties for a breach, executives face growing legal, reputational, and financial repercussions from a breach. Financial Services companies need an offensive approach to defense that helps them understand their security risk from an adversarial perspective.
Synack’s innovative, hacker-powered approach to penetration testing enables Financial Services companies to
understand their security risk from the adversary’s perspective. Synack Crowd Security Intelligence provides an
on-demand offensive approach to an organization’s security defenses to uncover vulnerabilities left undetected by
traditional security solutions. The intelligence platform provides real-time insights on Financial Service companies’
attack surfaces and exploitability to enable clients to rapidly remediate sources of security risk and protect their
assets, customers, and brands before damage can be done.
Crowd Security Intelligence®

WHAT WE TEST:
Web—Get insight into how a cybercriminal could exploit security vulnerabilities to gain entry to a web app, sensitive customer data, and funds.
Mobile—Discover unknown vulnerabilities in mobile apps and APIs that hackers could exploit to access customer accounts.
Host—Uncover vulnerabilities within, and any changes to, networks and host infrastructure before they cause downtime and revenue loss.
IoT—Analyze how vulnerabilities within internal and consumer-facing devices impact the broader enterprise ecosystem.

WHAT YOU GET:
Real-Time Analytics—Real-time analytics on when, what, and how clients’ assets were tested, with insight into how hardened digital assets and businesses are against attack.
Actionable Reports—Detailed, actionable assessment and vulnerability reports with firsthand reproduction and remediation instructions from the Synack Red Team members who found the vulnerabilities.
Continuous Support—Complete customer control and visibility throughout the engagement; all Synack Red Team members are rigorously vetted and all testing traffic is captured via LaunchPoint® for real-time adversarial intelligence.
[1] IBM 2016 Cyber Security Intelligence Index; Ponemon 2016 Cost of Data Breach Study: Global Analysis
FINANCIAL SERVICES
Solution Overview
Synack at Work:
1. Client Onboarding—Synack Mission Operations worked closely with the client to scope the engagement, including defining the objectives and outlining the rules of engagement.
2. Hydra—Synack’s proprietary vulnerability intelligence platform kicked off the engagement by scanning and mapping the attack surface. Hydra continuously pushed vulnerability intelligence to the Synack Red Team for additional investigation and manual testing.
3. Synack Red Team (SRT)—Synack’s crowd of top security researchers searched for and tested vulnerabilities using their unique techniques and tradecraft. All of their testing traffic and adversarial intelligence was captured through Synack’s secure gateway, LaunchPoint, giving the client complete control and auditability. Almost immediately after testing began, the SRT began to discover and report critical vulnerabilities. For example, one researcher reported an XSS vulnerability that would allow an adversary to steal customer data and gain access to customer bank accounts and funds. An attacker could insert an XSS payload into the target’s CRM system that would enable the attacker to hijack a user’s CRM session and install malware. Using the malware, the attacker could obtain customer credentials and drain their accounts without alerting the security team.
4. Mission Operations—Immediately after the researcher submitted the vulnerability report, Synack Mission Operations triaged the vulnerability, conducting complete vulnerability reproduction and validation. Once the team confirmed the quality of the vulnerability, they prioritized it and alerted the client.
5. Client—Upon receiving the alert in the web-based client portal, the client’s security team passed the detailed vulnerability report and suggested fix on to the remediation team. Through the Synack API, the client seamlessly ingested the vulnerability data into their internal systems and processes, including Jira. After the vulnerability was patched, the researcher who discovered it worked with the client team to verify the patch. Through Synack’s Coverage Analytics on what/when/how the asset was tested by the Synack Red Team, the client was also able to obtain an assessment of the web app’s overall security risk and resistance to attack.
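The CRM finding above is a stored cross-site scripting bug: untrusted text entered into a CRM record is later rendered as live HTML for other users. The following is an added example, not Synack's or the client's code, showing the defect and its standard remediation side by side. The CRM note field, the sample record and the marker payload are constructed here for illustration; the cookie name crm_session is an assumption.

```python
"""Stored XSS in a CRM note field: vulnerable rendering beside the hardened form.

Added example (not Synack's or the client's code). The note field, the
sample record and the <script> marker are constructed for this demo.
"""
import html

# Constructed sample: a free-text note that an untrusted party could submit
# to the CRM (e.g. through a public web form). The marker stands in for any
# script an attacker might plant; it only has to survive to the browser.
CONSTRUCTED_NOTE = 'Follow up Monday <script>alert(1)</script>'


def render_note_unsafe(note: str) -> str:
    """Vulnerable: the note is concatenated straight into the page.

    Any markup inside the note becomes live markup for every CRM user who
    opens the record, which is what lets a session be hijacked.
    """
    return f"<div class='note'>{note}</div>"


def render_note_safe(note: str) -> str:
    """Hardened: contextual output encoding for an HTML text context.

    html.escape turns < > & " ' into entities, so the browser displays the
    note literally instead of parsing it as markup.
    """
    return f"<div class='note'>{html.escape(note, quote=True)}</div>"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the session token (assumed cookie name crm_session).

    HttpOnly keeps the cookie out of document.cookie even if a script does
    run; Secure and SameSite=Strict limit transport and cross-site reuse.
    """
    return (f"Set-Cookie: crm_session={session_id}; "
            "HttpOnly; Secure; SameSite=Strict; Path=/")


def contains_live_script(fragment: str) -> bool:
    """Crude detection used by the demo: is an unescaped <script tag present?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for label, fn in (("unsafe", render_note_unsafe), ("safe", render_note_safe)):
        out = fn(CONSTRUCTED_NOTE)
        print(f"{label:6} live script: {contains_live_script(out)}  -> {out}")
    print(session_cookie_header("example-session-id"))
```

The check is deliberately simple: output encoding must match the context the data lands in (HTML body here; attribute, URL and JavaScript contexts each need their own encoder), and the cookie flags do not prevent the injection, they only reduce what a successful one can reach.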
Case Study: Customer Relationship Mismanagement
Client: F500 Financial Services Company
Problem: This Financial Services company had met all security and privacy compliance requirements. The firm was using a penetration testing contractor and automated vulnerability scanner to look for vulnerabilities in their systems. However, after an attacker was able to penetrate the network and steal customer records, the client decided to try Synack’s crowdsourced penetration testing solution to mimic the diversity and creativity of the adversary and gather real-time intelligence on how many vulnerabilities and how much risk lay beneath the surface.
Assessment: Financial Services CRM Web Application
Impact: Using an incentive-driven model that mimicked the creativity and diversity of the adversary, this F500 financial services company was able to address and prevent a potential exploit that could have cost this company millions, if not billions, in funds, as well as their reputation. In preparation for the EU’s General Data Protection Regulation, Synack Crowd Security Intelligence provided the client with an attacker-driven perspective on their risk of a breach.
Synack, Inc.
855.796.2251 | www.synack.com | [email protected]
© 2017 Synack, Inc. All rights reserved. Synack is a registered trademark of Synack, Inc.
v2017.1—INT US