Why the hackers at Synack need $25M to hunt down major security flaws

The vast number of attacks in 2014 have catapulted information security into the forefront of the media and the minds of many enterprises.

Hacks of major companies like Sony, Target, and Home Depot recently caused President Obama to sign an executive order calling for collaboration between the public and private sector in hopes of sharing threat data and mitigation tactics.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1665297,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

Following that trend, security firm Synack, a high-end bug bounty program that also connects companies with analytical threat data, took $25 million in funding this week. The company takes a different approach to security, employing a team of highly trained security contractors that are paid by the bug.

We sat down with founder Jay Kaplan to talk about his company, the security space, and what it will take to get businesses to start prioritizing security infrastructure.

VentureBeat: Your approach to security is different than most bug bounty programs and also different from most security analyst driven models.

Jay Kaplan: First of all, security is something that companies need to take a layered approach to. We’re really hitting one layer of the overall comprehensive security model and that is vulnerability discovery. How can we find these holes before companies get breached or compromised?

We looked pretty hard at this space, and if you look at the existing model, you see two main models. One is the consulting space. Let’s bring in consultants, we’ll pay them on time and materials, and then they’re gone. Then the company says, OK, let’s fix the problem there and then we’re good. First of all, there’s questionable talent out there in the consulting space. There’s also not a lot of motivation for consultants to do good work, because they’re just trying to get to their next project. Plus, just doing an audit once a year goes against the way that companies exist.

The second model you see are the automated tools out there. There are a variety of tools that try to predict what threats will come through. The problem is automation can’t replicate human activity. The way that companies have developed an application and use it can’t be understood by a machine. That’s where the bug bounty space comes in.

We had kind of bridged the gap, with the best of the human elements and the best of the technology elements. It’s not quite a bug bounty, because there’s no pre-qualifier for joining a bug bounty program. The reality there is, you get a lot of noise from people who don’t really know what they’re doing. You put yourself at risk by people doing things that could degrade performance or by causing something to be damaged. So you have no trust.

We vet our people from a trust perspective. We put them through rigorous exams, we interview them to get a sense of where they’re coming from. We have [non-disclosure agreements]. On the trust side we hold IDs on file and we do background checks. We also reject 90 percent of the people who apply to our program. We interact with very large enterprises; they need to know that they can trust us.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1665297,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

What’s really cool is that we can offer [our services] on a continuous basis, which is pretty unprecedented.

VB: Even with all of your various tests and background checks, working with contractors in the security space is somewhat controversial, because companies don’t want to divulge their infrastructure to near strangers. Do you think that will inhibit your company’s growth?

JK: When you talk about the security space, companies are very protective, and we see this today when we talk about [President] Obama’s new sharing initiatives and that people don’t believe that companies are going to share this information. I think when you start talking about contractors, companies think, “How can I be sure that I can trust these individuals?”

Putting provisions in place is important, but there really needs to be a mentality shift. And I think that when [companies] see that we are getting attacked every day and we do need to harness a global team of experts, regardless of the fact that they’re treated as contractors, we’ll start to see a mentality shift.

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":1665297,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

You don’t trust these contractors? Well, you don’t trust the people who are attacking your business either.

VB: Your company just landed $25 million in investor funding. Why is security so hot right now?

JK: High efficacy with our customer base. We’re looking to snowball the early success. Expansion of that early success. All the way from operations to a robust customer pipeline. Brand awareness out there for companies looking to protect themselves. Recruitment efforts, making sure that we’re getting the best individuals. And engineering, we’re building some cool technology. We’re 40 people, and we’re looking to double this year. We have a lot of hiring to do.

The people we’re hiring are not 100 percent security focused. We do have an r/d who can effectively do white hat hacking. Security engineers or operations people who have worked at other enterprises. The exposure that we’re now getting will help with those recruiting efforts.

[aditude-amp id="medium3" targeting='{"env":"staging","page_type":"article","post_id":1665297,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

We’re lucky we’re in 32 different countries, so we’re all over the place. So continuing to expand that pool is a lot easier than getting people in house.

VB: Information security is a relatively new field, and so I imagine talent resources are small. How do you think that affects the security space, especially as it pertains to black hats or people hacking for malicious reasons?

JK: I think that’s changing. I think more and more people are getting exposure to additional environments they wouldn’t be able to work on in the past and other educational opportunities.

Whether that’s through courses, SANS is a great example. They have not only certifications, but also course work where people are performing live hacking. Then when you look at conferences, you look at Black Hat, Def Con, AppSec. These are geared at showing how these people are breaching technology. I think that’s exposing people to more techniques and the possibilities that are out there.

[aditude-amp id="medium4" targeting='{"env":"staging","page_type":"article","post_id":1665297,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

There’s also in-depth research. There’s a lot of online resources now. Whether that’s in a quasi-corporate network that can arrange for [white hat hackers] to test their tools and techniques on. And I think there’s a lot more opportunity within companies to do this work internally. You see companies employing red teams, for example.

Five to ten years ago, this just wasn’t a field that companies invested a lot in. You can argue that black hats have been at this for a little longer. But I think you could make the argument that there’s plenty of smart people who understand applications better than the black hats.

VB: What are the big security issues we’ll face in 2015 and beyond?

JK: Internet of things is a great example. It’s great technology for convenience, but the reality is that security was never part of the initial design. As things are starting to become interconnected, I think companies are not realizing we need to look at how secure these things are. That’s going to be a big area this year.

[aditude-amp id="medium5" targeting='{"env":"staging","page_type":"article","post_id":1665297,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

We pulled apart 15 different cameras and smart alarms, showing how these devices themselves are relatively insecure by design. Before this was considered completely unethical or something that a company might prosecute you for. Now with appropriate disclosure [companies] see it as a great thing and are saying “Let’s take the research that they’re doing and make ourselves more secure as a result.”

You’re going to continue to see a lot of focus on application security. With everything now being available through web or mobile interfaces, I think companies will continue to invest so that data housed in the cloud is going to be protected.

I think there’s always going to be new technology that tries to solve for advanced persistent threats, whether that’s malware protection or remediation or trying to protect against phishing attacks. It’s really hard to protect against these adaptive threats, and it’s going to be really important that these companies keep their own internal environments secure.