Synack and Accenture—Working Together to Protect the Nation’s Critical Assets

By: Synack
10 March 2022 at 10:00

Synack works with innovative government security leaders who are responsible for protecting their organizations by finding and remediating exploitable vulnerabilities before an attacker can use them. In this effort we have formed trusted partnerships with federal agencies and their consultants, helping them achieve mission-critical goals safely. Synack has worked with more than 30 federal agencies to quickly identify known and unknown vulnerabilities before attackers can take advantage of them. Synack has also received Moderate “In Process” status from the Federal Risk and Authorization Management Program (FedRAMP), underscoring Synack’s commitment to stringent data and compliance standards. This work is especially important in light of President Biden’s recent cybersecurity memorandum laying out the steps federal agencies need to take to protect the nation’s critical assets: its networks and data.

An example of such recent and essential work brings us back to December 12, 2021, when the U.S. Department of Homeland Security (DHS) issued a warning about the Log4j vulnerability. Federal agencies were required to determine whether they were affected and to remediate by December 24. The challenge for agencies was that finding every instance of this vulnerability could take weeks. Synack’s SWAT team was able to identify the vulnerability (and its variants) for agencies in a matter of hours, work that could otherwise have taken days or weeks. One Synack federal customer was able to successfully test more than 520 active hosts and 200 in a 24-hour period for this critical vulnerability.

Accenture Federal Services (Accenture) is a premier consultant to cabinet-level federal agencies, providing end-to-end cybersecurity services and skilled professionals to help agencies innovate safely and build cyber resilience. In partnering with Synack, Accenture brings to bear the power and speed of the Synack platform to help federal agencies be more proactive in their cybersecurity practices. Working together, Synack and Accenture are delivering innovative solutions, including continuous security testing, which lets agencies detect and remediate vulnerabilities before they can be exploited. Synack’s comprehensive security testing complements Accenture’s hands-on consultative engagements, which support agencies in integrating security into their organizations.

Proactive components of security programs are critical, yet they are often hard to perform at scale, primarily because of the cyber talent gap. Together, Accenture and Synack are building proactive measures into agency-wide security programs with clear impact and staying power. We are regularly delivering on unprecedented find-to-fix vulnerability cycles, Vulnerability Disclosure Programs (VDPs, as required by BOD 20-01), and testing in pre-production environments.

The Power of Synack & Accenture Federal Enables Security Teams for On-Demand Security Testing

  • Penetration testing at scale
  • Nimble responsiveness to time-sensitive customer needs
  • Continuous security posture testing
  • Evaluation of high-value assets and testing of internal, external, and cloud assets
  • Policy and compliance audits

The Synack/Accenture partnership is a strong example of how Synack can provide a higher level of pentesting and security evaluation to government customers with varying levels of security expertise. In-house pentesting is difficult to scale, but Synack’s community of skilled and trusted ethical researchers delivers effective, efficient, and actionable security testing on demand and at scale, allowing security teams to focus on the vulnerabilities that matter most.

The post Synack and Accenture—Working Together to Protect the Nation’s Critical Assets appeared first on Synack.

How Synack Helps Organizations Comply with Directive 22-01

By: Synack
4 February 2022 at 13:00

Government cybersecurity leaders know all too well that traditional pentesting is complex and doesn’t scale. The need to resource up quickly in order to identify, triage and remediate vulnerabilities effectively has become increasingly critical and, for most agencies, a compliance requirement.

Synack empowers government agencies with on-demand, continuous pentesting, pairing the platform’s vulnerability management and reporting capabilities with a diverse community of vetted and trusted researchers to find the vulnerabilities that matter.

Synack also helps government security teams achieve the most effective vulnerability management possible to satisfy Binding Operational Directive (BOD) 22-01’s identification, evaluation and mitigation/remediation steps. The Synack approach also facilitates detailed vulnerability reporting that the agency can easily hand off to CISA if desired.

Let’s quickly review what BOD 22-01 mandates, and how federal agencies can achieve compliance with help from Synack.

CISA Binding Operational Directive 22-01—Reducing the Significant Risk of Known Exploited Vulnerabilities

Recent data breaches, most notably the 2020 cyber attack by Russian hackers that penetrated multiple U.S. government systems, have prompted the federal government to improve its efforts to protect the computer systems in its agencies and in third-party providers doing business with the government. As part of the process to improve the security of government systems, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01.

CISA Directive 22-01 tells federal agencies (and, by extension, the contractors operating systems on their behalf) what they are required to do to detect and remediate known exploited vulnerabilities. The scope of the directive includes all software and hardware found on federal information systems, whether managed on agency premises or hosted by third parties on the agency’s behalf. Required actions apply to any federal information system, including one used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Directive 22-01 Compliance Requirements

In addition to establishing a catalog of known exploited vulnerabilities, Directive 22-01 establishes requirements for agencies to remediate these vulnerabilities. Required actions include:

  • Establishment of 1) a process for ongoing remediation of vulnerabilities and 2) internal validation and enforcement procedures
  • Setting up of internal tracking and reporting
  • Remediation of each vulnerability within specified timelines
  • Reporting on vulnerability status to CISA

CISA’s Cybersecurity Incident & Vulnerability Response Playbooks describe a standard program for vulnerability management. The program steps are identification, evaluation, remediation and reporting.

  1. Identify reports of vulnerabilities that are actively exploited in the wild (under BOD 22-01, the entries CISA adds to its Known Exploited Vulnerabilities Catalog).
  2. Evaluate the system to determine whether the vulnerability exists on it and, if it does, how critical it is and whether it has already been exploited on that system.
  3. Mitigate and remediate all exploited vulnerabilities in a timely manner. Mitigation refers to the steps the organization takes to stop a vulnerability from being exploited (e.g. taking systems offline); remediation refers to the steps taken to fix or remove the vulnerability (e.g. patching the system).
  4. Report to CISA. Reporting how vulnerabilities are being exploited helps the government understand which vulnerabilities are most critical to fix.
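The four steps above, as an added example that is not Synack’s or CISA’s code: a small tracker that loads a KEV-shaped catalog excerpt, matches it against an asset inventory, classifies every match as open, overdue or remediated relative to the catalog due date, and produces the summary an agency would report. The catalog field names follow CISA’s published JSON feed, and the Log4Shell entry carries the catalog’s own dates (the December 24 deadline mentioned earlier on this page); the hostnames, versions and remediation records are constructed for illustration so the script runs offline.

```python
"""Track BOD 22-01 remediation deadlines against an asset inventory.

Added example (not Synack's or CISA's code). The catalog excerpt mirrors the
field names of CISA's published known_exploited_vulnerabilities.json; the
Log4Shell entry uses the catalog's real dateAdded/dueDate, while the asset
inventory (hostnames, versions, remediation records) is constructed.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of the KEV feed (one real entry).
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-44228",
      "vendorProject": "Apache",
      "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2021-12-24"
    }
  ]
}
"""

# Constructed inventory. "remediated" lists CVEs the change-control record
# shows as fixed and verified on that host (the directive's validation step).
INVENTORY = [
    {"host": "app-01.agency.example", "vendorProject": "Apache", "product": "Log4j2",
     "version": "2.14.1", "remediated": []},
    {"host": "app-02.agency.example", "vendorProject": "apache", "product": "log4j2",
     "version": "2.17.1", "remediated": ["CVE-2021-44228"]},
    {"host": "web-01.agency.example", "vendorProject": "F5", "product": "NGINX",
     "version": "1.20.1", "remediated": []},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due: date
    status: str          # "overdue", "open" or "remediated"
    days_past_due: int   # 0 unless status == "overdue"


def load_catalog(raw: str) -> dict:
    """Step 1 (identify): parse a KEV-shaped JSON document into {cveID: entry}."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def _product_key(vendor: str, product: str) -> tuple:
    # The catalog identifies products by vendor/product name only, so
    # normalise case and whitespace before comparing with the inventory.
    return vendor.strip().lower(), product.strip().lower()


def match_inventory(catalog: dict, inventory: list, as_of: date) -> list:
    """Pair each KEV entry with the assets running its product and classify the
    pairing against the catalog due date as of `as_of`. A product match is a
    candidate exposure only; confirming it on the installed version (step 2,
    evaluate) needs the vendor advisory or a scan, not the catalog alone."""
    by_product = {}
    for entry in catalog.values():
        key = _product_key(entry["vendorProject"], entry["product"])
        by_product.setdefault(key, []).append(entry)

    findings = []
    for asset in inventory:
        key = _product_key(asset["vendorProject"], asset["product"])
        for entry in by_product.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            if entry["cveID"] in asset["remediated"]:
                status, late = "remediated", 0
            elif as_of > due:
                status, late = "overdue", (as_of - due).days
            else:
                status, late = "open", 0
            findings.append(Finding(asset["host"], entry["cveID"], due, status, late))
    # Overdue first, then earliest deadline, then host: the order CISA asks about.
    return sorted(findings, key=lambda f: (f.status != "overdue", f.due, f.host))


def summarize(findings: list) -> dict:
    """Step 4 (report): status counts for the report handed to CISA."""
    counts = {"overdue": 0, "open": 0, "remediated": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def render_report(findings: list, as_of: date) -> str:
    lines = [f"BOD 22-01 status as of {as_of.isoformat()}"]
    for f in findings:
        extra = f" ({f.days_past_due} days past due)" if f.status == "overdue" else ""
        lines.append(f"{f.cve_id}  {f.host:<24} due {f.due.isoformat()}  {f.status}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    as_of = date(2022, 1, 4)
    found = match_inventory(load_catalog(KEV_JSON), INVENTORY, as_of)
    print(render_report(found, as_of))
    print(summarize(found))
```

Run against the live feed, the only change is replacing `KEV_JSON` with the downloaded file. The point worth keeping in mind is the gap between steps 1 and 2: the catalog names a vendor and product but no affected version range, so a match here says “go evaluate this host”, not “this host is vulnerable”, and a host that is confirmed unaffected should be recorded as such rather than left open.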

Evaluating Vulnerabilities with Synack

Synack finds exploitable vulnerabilities for customers through its unique blend of the best ethical hackers in the world, specialized researchers, a managed VDP, and the integration of its SmartScan product. SmartScan uses a combination of the latest tools, tactics and procedures to continuously scan your environment and watch for changes. It identifies potential vulnerabilities and engages the Synack Red Team (SRT) and Synack Operations to review suspected vulnerabilities. The SRT is a private and diverse community of vetted and trusted security researchers, bringing human ingenuity to the table and pairing it with the scalability of an automated vulnerability intelligence platform.

If a suspected vulnerability is confirmed as exploitable, the SRT generates a detailed vulnerability report with steps to reproduce and fix it. Vulnerabilities are then triaged so that only actionable, exploitable findings are presented, each with severity and priority information.

Mitigating and Remediating Vulnerabilities with Synack

Once the Synack team of researchers has verified the exploitability of the vulnerability, it leverages its expertise in understanding your applications and infrastructure. From that point, and in many cases, the SRT is able to recommend a fix with accompanying remediation guidance for addressing the vulnerability. And Synack goes one step further, verifying that the remediation, mitigation, or patch was implemented correctly and is effective.

Reporting to CISA

Synack’s detailed vulnerability reporting and analytics offer insight into and coverage of the penetration testing process, with clear metrics that convey vulnerability remediation and improved security posture.

Comply with CISA Directive 22-01 with Help from Synack

CISA continues to add exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, and federal agencies expect urgent CVEs to keep appearing in the not-too-distant future. The recent rush to address the Log4j vulnerability will come to mind for many. The Synack Red Team can aid organizations by responding rapidly to such situations.

To secure your agency’s attack surface and comply with the CISA Directive 22-01, a strong vulnerability management strategy is essential. The Synack solution combines the human ingenuity of the Synack Red Team (SRT) with Disclose (the Synack-managed VDP), along with the scalable nature of SmartScan, to continuously identify and triage exploitable vulnerabilities across web applications, mobile applications, and host-based infrastructure. Synack takes an adversarial approach to exploitation intelligence to show the enterprise where their most business-critical vulnerabilities are and how those vulnerabilities can be exploited by adversaries.

The post How Synack Helps Organizations Comply with Directive 22-01 appeared first on Synack.
