Synack’s Jay Kaplan Has a White Hat Hacker Army: Interview
You can crowdsource just about anything these days, including security.
By Dan Costa
Jay Kaplan is CEO and cofounder of Synack. Earlier, Jay served in multiple cybersecurity-related positions at the Department of Defense and as a Senior Computer Network Exploitation and Vulnerability Analyst at the National Security Administration. At Synack, Kaplan built an automated threat-detection system and created a network of hundreds of security researchers across the globe to take penetration testing to the next level. In a recent discussion in San Francisco, we talked about the state of cybersecurity, white hat hackers, and the steps he takes personally to ensure his security online.
Dan Costa: Of all your titles, CEO and co-founder may be very impressive, but the thing that impresses me is working as a member of a red team at the Department of Defense. I understand that you may not be able to tell us all of the details, but what exactly does that mean?
Jay Kaplan: As a member of any red team as part of any organization you’re responsible for acting like an attacker, like the adversary that we’re all trying to defend against every single day. So my work at the DoD was very focused on red teaming DoD systems. Whether that’s military systems, networks, devices deployed out in the field, whatever it might be, we wanted to make sure they were secure and weren’t susceptible to actual breaches.
You couple that with my work at the NSA, where instead of attacking for defensive purposes, I was on the attack side for offensive purposes. You marry those two positions together [and] it really helped us formalize the whole concept behind Synack and the business model that we have today.
It seems to me that you’ve taken that same approach, brought it into the private sector, and you are, I guess, employing legions of hackers and crowdsourcing network security. Talk to us a little about how that works.
The approach that we take is more of a hacker-powered approach. What we do is leverage a global network of top white hat security researchers in over 50 different countries and we effectively pay them on a results basis to uncover security vulnerabilities across our enterprise customers, and now we’re doing a ton of work with the government as well.
The whole goal here is to get more eyes on the problem. I mean it’s one thing to have one or two people looking at a system, a network, an application, and trying to rid that application of vulnerabilities. It’s another to say maybe 100, 200 people, everyone look at this one piece of IT equipment, or whatever it might be, and try to figure out what the vulnerabilities are, and when you’re successful pay you. It’s a really big paradigm shift and it’s working extremely well in practice.
Who would be the typical customer? Would it be like a Microsoft that says “We’re launching a new Azure platform, come and try and poke holes in our system?”
It can be anywhere from a big technology company like Microsoft to a large bank where they want to test their online and mobile applications, banking applications. It could also be the federal government; we’re working with the DoD and the Internal Revenue Service to lock down where you submit taxpayer information, or from the DoD’s perspective things like payroll systems, and other systems that house very sensitive data. It’s important that these things don’t get compromised; as we’ve all seen in the past, it can be very, very damaging. They’re finally taking a more progressive approach to solving the problem, moving away from the more commoditized solutions that we’ve seen in the past.
How do you find people? I imagine you don’t just post it on a message board and say “Hey, direct your energies towards this and then if you find something let us know and we’ll pay you.”
In the early days we obviously leveraged our network pretty heavily. We brought on people we knew, and that grew organically and we started to bring on people all over the world practicing cybersecurity, and even those who don’t necessarily do cybersecurity day-in, day-out. We have a lot of developers as a part of our network, engineers part of big technology companies. The power of what we do is giving customers the diversity of resources, access to talent they would not traditionally have access to.
If you look at some of the statistics, they say that by the year 2021 we’re going to have 3.5 million open cybersecurity jobs. There’s a massive supply and demand disconnect and challenge that we’re trying to solve. Utilizing crowdsourcing to solve this problem has worked tremendously well for us because we don’t have to hire them. They’re freelance and really just getting more eyes on this problem lends to better results.
Of course the veracity of that network is paramount to our business as well. We have to know we can trust them and so we have to put our researchers through a rigor of background checks, and ID verification, and we even do auditing of their traffic to make sure that they’re adhering to the scope and rules of engagement, but it’s really exciting to see a mechanism to engage in a crowdsource model but have a ton of control baked in enabling concerned enterprises to gain access to this type of methodology.
Can these hackers make more money with you than they could out on their own on the Dark Web? I mean, is it profitable to be a white hat in this model?
There’s a common misconception that, you know, you operate in the Dark Web and you’re automatically going to be this rich person.
You also get ripped off a lot.
You get ripped off a lot, but the reality is the people that we’re working with are highly professional and ethical. They’re working for very big corporations, or other security consulting firms and there are people that have a lot of ethics in them that they don’t want to do things illegally. They want to act, they love hacking, they love breaking things, but they want to do it in an environment where they know they’re not going to get prosecuted.
That’s a nice plus. What do you see as the major threats in security today? Should we be worried about criminal enterprises? Nation-state actors? Where do you see the majority of the threats coming from?
It’s really interesting. If you would have asked me the question a couple of years ago, I’d say the nation-states are the most well-equipped organizations to be successful at cyber attacks. I mean they are sitting on stockpiles of zero-day exploits, they have a lot of money, and a lot of resources.
Explain that idea of sitting on those stockpiles of zero days. Because that’s something that outside of the security space, I don’t think the average person really understands.
So a zero-day exploit effectively is a vulnerability in maybe a major operating system that maybe no one knows about other than that one organization. They found it, they’re sitting on it, and they utilize it to their advantage. Given how much money they put into research and development, and given how much money they pay their resources, they have an ability to find these things where no one else can find them. That’s a big reason why they’re so successful at what they do.
Usually, they’re doing this for the purpose of intelligence gain and helping our decision makers make better policy decisions. We are seeing a shift over the past couple of years where crime syndicates are taking advantage of some of these leaked tools for their advantage. If you look at the Shadow Brokers leak as a prime example of that, it’s getting pretty scary out there. While vendors are patching their systems, the enterprises and companies out there are not actually taking advantage of those patches, leaving them susceptible to the attacks and enabling the bad guys to break into their organizations and put out ransomware, as an example, to try to get money out of them.
The WannaCry infection affected a tremendous number of systems, but not Windows 10 systems. It was an exploit that had been patched if people had downloaded and installed, but many millions of people had not and that opened the door.
That’s exactly right. Patch management is a really difficult thing still for the vast majority of organizations. They don’t have a handle on what versions are running, and what boxes have been patched and which ones haven’t, and it’s one of the reasons we created our whole business model — getting more eyes on this problem, being proactive about uncovering the systems that haven’t been patched, and telling our customers: “Hey, you better fix these things or you’re going to be the next big breach or attacks like WannaCry are going to be successful against your organizations.” And for customers that employ our services on a continuous basis, this has been a really successful use case for us.
Do you sell your services for short-term testing? Or could it be ongoing as well?
Traditionally penetration testing has been a point-in-time type of engagement, right? You say come in for a week, two weeks, give me a report and then we’ll see you a year later when we’re up for our next audit. We are trying to shift customers to the mentality that the infrastructure is highly dynamic, you’re pushing out code changes to your applications all of the time, you could be introducing new vulnerabilities at any time. Why not look at this stuff from a security perspective continuously the same way that you are with your development lifecycle?
And software as a service is a great model. Service as a service is also a great model.
That’s right. We do have big software components sitting on the whole back of this, so we have a whole platform that facilitates not only the interaction between our researchers and our customers, but we’re also building automation in to say “Hey, in order to make our researchers more efficient and effective at their jobs, let’s automate the things that we don’t want them to spend time on.” Right? All the low hanging fruit, giving them more context of the environment that they’re walking into, and we’re finding that that pairing of man and machine works extremely well and it’s very powerful in the cybersecurity space.
You know, there was a big focus at Defcon on voting systems, and I think we’ve all seen plenty of press about that. I think just seeing how quickly the hackers are able to take control of one of these voting systems given physical access is pretty scary. It makes you really question previous election results. Seeing that there’s not a whole lot of systems that have paper trails, I think that’s a pretty scary proposition.
But beyond that, there was a lot of focus on critical infrastructure. There was one talk that focused on basically hacking the radiation systems that detect radiation at nuclear power plants and how easy it is to kind of break into those systems. I mean that stuff is pretty scary, and I firmly believe that our critical infrastructure is in a pretty bad place. I think most of it is actually compromised today and there are a number of implants sitting all over our critical infrastructure just waiting to be leveraged in the event that we go to war with another nation-state.
So when you say “Our critical infrastructure is compromised today,” you mean that there is code sitting at electrical factories, at nuclear generation plants, windmill farms that was placed there by foreign powers that could be activated at any time?
Yes. That’s exactly right. I don’t have anything necessarily to back that up, but just given my knowledge of the state of cybersecurity within these critical infrastructure organizations, I have no doubt that there is a very large percentage that are compromised today, putting us in a pretty scary position in the future.
Can we take any comfort in the fact that we probably have similar leverage over our adversaries and have our code in their critical infrastructure as well so at least there’s perhaps a mutually assured destruction we can rely on?
I would assume we are doing things that are very similar.
Okay. I assume you can’t say everything you might know, but I take comfort in that at least that the war is being waged. We obviously don’t want this to escalate in any way shape or form, but at least we’re fighting on both sides and we should probably focus more on defense.
That’s right. I mean, we should definitely focus more on defense, but our offensive capabilities are just as important. You know, being able to understand how our adversaries are attacking us and what their capabilities are requires an offensive approach, and that’s why the NSA does what they do and the other intelligence organizations have similar capabilities.
So, I wanted to ask you about a topic that’s been in the news in the last couple of months, and that is the role of foreign technology companies. Their technology is embedded into our infrastructure, into our corporations, into our government agencies, and then every six months or so there’s a story that says “Oh, we shouldn’t trust Huawei Telecommunications infrastructure.” Lately there’s been a story going around that maybe we should look at Kaspersky Labs security software because they have worked with the Russian Security Services. What’s your take on those types of relationships? Are these independent companies, or are they arms of the states that they operate from?
So, hard to know, right? And I think given the fact that we have to question the ties to these organizations, we have to just be careful about deployment, especially widespread deployment. Something as widespread as an antivirus solution like Kaspersky on all of our systems, the government is being careful, and given that we have solutions, homegrown solutions, the same way that we try to build our nuclear warheads, and our missile defense systems in the US, we should take advantage of the solutions that are being built in the US from a cybersecurity perspective. I think that’s what they’re ultimately trying to do.
What do you think is the number one thing that most consumers do wrong from a security perspective?
At a consumer level, it’s just very basic, right? I think most people don’t practice security hygiene. Cycling passwords, using different passwords on different websites, using password management tools, two-factor authentication. I can’t tell you how many people today just don’t use it, and it surprises me that the services that consumers use don’t just force it upon them. I think some of the banks are starting to do that, which is great to see, but still seeing social media accounts get compromised because people don’t have two-factor on is just kind of crazy in my eyes.
So, until we get past the basic security hygiene I don’t think we can start talking about some of the more advanced techniques to protect themselves.
So, tell me a little about your personal security practices? Do you use a password manager?
Of course. Of course. I use 1Password, so basically every single website that I visit and account I create has a different password, always minimum 16 characters. I change those passwords out regularly and they are all auto-generated. I use VPNs on unprotected networks. Our company has a VPN solution, so any time I’m on a wireless network I’m not afraid to use the wireless network as long as those connections are going through a secure tunnel.
VPN services may slow down your connection a little bit, but they’re relatively easy to set up and you can get one for a couple of dollars a month.
They’re super easy to set up and you want to go with a reputable provider because you are sending traffic through that provider. You just want to make sure that they have a good reputation and you can trust them with your traffic.
At the same time, just doing simple things like updating my system: any time there’s an update on my mobile device or my computer, I take advantage of it. I mean there’s a reason why they’re pushing that update out there, so it’s really just the basics. And then of course you’re monitoring your credit reports, and your credit cards, and any signs of suspicious activity you just investigate.
It’s not that crazy. It really isn’t that hard to stay secure as a consumer. You don’t have to use very advanced techniques or solutions that are out there. Just think about common sense.
I think two-factor is a system that confuses a lot of people and intimidates a lot of people. They think that they’re going to have to check off on their phone every time they log into their email account, and that’s not the case. You just have to do it once, you authorize that laptop, and by doing that someone else can’t log onto your account from any other laptop, which is a huge safeguard.
Absolutely. Yeah, for some reason it does scare a lot of people. Some of them are set up where you might have to do it every 30 days or so, but still it’s not as cumbersome as it might sound and it’s a huge security advantage to implement. I would definitely recommend putting two-factor in place.
You haven’t been in this industry that long, but can you share how you’ve seen the landscape change since you started off? How the cyber threats have evolved in that time?
I’ve actually been in cybersecurity and really interested in it for maybe 15 years, ever since I was 13 years old and ran a shared web hosting company. There was a lot of focus on protecting our customers’ websites, and server administration, and making sure those servers were locked down. You look at how knowledge has progressed to the attacker’s side. I think security is a nascent industry in its own right, it’s constantly evolving, and there’s always a slew of new innovative solutions and technology. I think it’s exciting to see the rapid pace of innovation in this space. It’s exciting to see companies taking advantage of more of the progressively leaning solutions, kind of moving away from the de facto names that we’ve all heard of, the Symantecs and the McAfees of the world, and moving toward some of the new companies that are out there, recognizing that they have to be innovative with how they approach cybersecurity. And if they’re not, the attackers are going to be one step ahead of them.
It used to be that it was mostly about viruses and you would need to update your definitions, and you would pay a company to manage that database for you, and as long as you had that you pretty much were safe from 90 percent of the threats. But the threats evolve much more quickly today. And there is a real-world component to it where people are exposing themselves because they get a phishing attack, they respond and hand over their credentials. That’s how their organization gets penetrated and that’s almost more of an educational issue than a technological issue.
I think the vast majority of the attacks that are successful are not that advanced. The least common denominator of any organization’s security are the people. If the people aren’t educated to not click an email when it looks suspicious, then game over. It’s just too easy these days, and there are a lot of companies trying to attack that problem specifically focused on phishing. In addition to all of the other solutions they’re putting in place addressing vulnerabilities and addressing cyber threats, we have to address the people problem first, because right now we’re just making it too easy.
I would love to see research about how many threats are just email-based. Just thousands and thousands of emails going out and people clicking on things. People creating a process and a series of events that spiral out of control. But it comes through email because email is so easy and ubiquitous and people underestimate it.
We’re starting to see now it transition from just email-based attacks to social phishing, spear-phishing attacks. What’s scary about that is that there is an inherent trust baked into social media. If you see a link coming from a friend of a friend, or even a friend’s compromised account, you’re going to probably be more prone to clicking that link, or downloading a file and that’s scary. You also have an ability to reach a much broader audience, right? You’re not sending emails to people, you now can post a tweet with a link in it that automatically now reaches tens of thousands, millions of people depending on what account you’re sitting on. That’s why these accounts are getting scarier in nature and affecting more people than ever before.
Let me ask you about mobile security. Early days we told people if you have an iOS device you probably don’t need antivirus, if you have an Android device, maybe you want to install it. Have we progressed to a point where we need security software on every phone?
I think we have to really trust the security that’s baked into the devices themselves. Given how Apple, for instance, has designed their operating system so everything is pretty sandboxed, right? An application can’t do a whole lot outside of the confines of that application. Android is designed a little bit differently, but what we do have to realize is that when we’re giving applications access to things like our location, our address book, or any other data that’s on that phone, that is immediately going out the door. And it’s constantly being updated, so as you’re moving your location is being sent back up into the cloud to whoever owns this application. You have to really think about “Do I trust these people with my information? Do I trust the security of this company?” Because ultimately if they’re housing your address book, and your sensitive data, if anyone compromises them, they now have access to it.
And it’s perpetual access.
You must think outside the box. Just because you’re downloading a new game that looks cool, if they ask for your location information and your calendar information, and complete access to the phone, you’re trusting them to have all of that access forever.
That’s exactly right. I think you really need to think about “Why are they asking for this? Do they actually need this?” And it’s okay to say “Deny” and see what happens. Maybe it won’t affect anything and then you really have to wonder “Well why did they really ask for that?”
There are thousands of apps that are created just to collect personal information; they just offer some value on top of it to get you to download it, but the real sole purpose is to collect information on you and monitor your phone.
It’s actually a pervasive problem where you’re seeing these malicious entities creating apps that look like other apps. Maybe they pretend to be your online bank when they’re not. They’re actually just phishing for your credentials, so you really have to be careful. Obviously there’s a diligence process that these apps have to go through before they’re published to the app store, but it’s not foolproof.
I want to ask you the questions I ask everyone that comes on this show. Is there a particular technological trend that worries you the most that keeps you up at night?
Actually we were talking about mobile, and I think the rapid adoption of mobile and pretty much everyone’s transactions occurring on mobile versus in a web browser. What’s scary to me is the lack of security diligence that occurs from a company perspective, the people that are developing these applications. They’re not thinking about security in these applications the same way they are for their corporate networks and their web application environments and so there’s APIs that are susceptible to attacks. They are storing passwords on the device, the cryptography is often implemented incorrectly. That is scary to me, knowing that more and more people are transacting on these devices, yet the companies that are developing these apps are not thinking about the security in the same way they are everything else. I think it’s getting better, but we’re still not there yet.
Is there an app, or a service, or a gadget that you use every day that just inspires wonder, that impresses you?
That’s a good question. I’m a big fan of Google’s suite of tools. They really interact and work extremely well and integrate well together, so I’m a big Google apps user, and it’s not just because Google is an investor in our company.
There’s a little bit of Google everywhere.
There’s a little Google everywhere.
There’s something to be said for taking a moment and giving them credit for what they’ve done. They really wanted to make the world’s information searchable and understandable, and they’ve done a pretty good job of that.
We actually just got a new whiteboard, digital whiteboard in our office — the Jamboard — and it’s one of the coolest devices that I’ve seen in a long time. Just the ability to whiteboard something out, save it off and bring it back up, or interact and engage with someone on another end, or anyone on an iPad. I mean that’s just amazing, and talk about collaboration remotely it just makes it that much easier.
It’s exciting to see that progression in the way that we can work together. We don’t have to have people just centrally located in one office, we can bring bad old ideas and I think that’s really cool.
It’s a very, very cool product. We tested it in the lab and we had some trouble with some of the software, but it’s first generation. It just came out like two months ago, and it absolutely is going to be the way that people are communicating in conference rooms for years to come.
It just needs a couple of software updates to make it a little bit easier.
It’s a little buggy, but it’s still amazing.
How can people catch up with you, and follow you online, and keep track of what you’re doing?
Yeah, I’m on Twitter @JayKaplan. Our blog at Synack.com/blog, that’s also a great place for you to hear the latest on cybersecurity news, and what we’re doing as a company, and I have some posts on there every once in a while. I’m on LinkedIn as well, posting on there every so often. I try to stay as active on social media as I can. I’m not the best.
It takes a lot of time.
At it, but I’m trying.
You’ve got a job to do as well.
For more Fast Forward with Dan Costa, subscribe to the podcast. On iOS, download Apple’s Podcasts app, search for “Fast Forward” and subscribe. On Android, download the Stitcher Radio for Podcasts app via Google Play.
Originally published at www.pcmag.com.