Manufacturers are the quickest to patch software vulnerabilities and defend against cyberattacks, according to a new report from Synack. The two-volume report also makes a case for combining artificial intelligence and human intelligence to allow security teams to work at scale.

In “The 2019 Trust Report Volume 1: Trust has a number,” Synack calculated an Attacker Resistance Score based on the company’s database of penetration test performance data.

The average attacker resistance score for each industry is:

  • Manufacturing and critical infrastructure – 65
  • Financial services – 61
  • Federal government – 57
  • Healthcare – 56
  • Retail – 54
  • Technology – 53
  • Consulting, business and IT services – 50
  • State and local governments and education – 49
  • E-commerce – 45

Across all industries, Synack found that 63% of vulnerabilities are closed in less than three months. Manufacturing and critical infrastructure companies patch vulnerabilities 57% faster than other industries.

The Synack report found that financial services companies have significantly fewer authorization permission vulnerabilities than average.


However, there is still room for improvement: Synack found that financial services organizations and federal government agencies had 150% or more breach-worthy vulnerabilities, such as SQL injection, than the industry average. Synack also found 10% more XSS vulnerabilities in e-commerce than in other industries.

Attacker Resistance Score includes these measurements:

  • Attacker cost — the level of effort exerted by the Synack Red Team to penetrate the attack surface
  • Severity of findings — the severity and quantity of vulnerabilities discovered in an asset
  • Remediation efficiency — the speed of the patch process

Synack offers “crowdsourced penetration testing,” which means that its Red Team of cybersecurity researchers attacks a specific target identified by the client to find security vulnerabilities. Synack’s clients are organizations in the Global 2000, high-growth sector companies, and government agencies.

Synack explains the research methodology for calculating the attacker cost, severity of findings, and remediation efficiency in the report appendix.

The attacker cost input is calculated from the full packet capture data collected by Synack’s secure gateway technology. The raw testing traffic data details all Synack Red Team testing activity for a particular assessment. For the severity of findings metric, Synack assigns each discovered vulnerability a rating on the CVSS scale of 0–10. Synack measures patch efficacy and patch application time to estimate remediation efficiency.

The missing element is the amount of data Synack has analyzed. The company will not specify the number of security tests the report is based on beyond “many thousands.” It’s hard to evaluate the Attacker Resistance Score without that context.

Using AI for basic security tasks

In volume 2 of the Trust Report “Trust at Scale,” Synack credits its success to the company’s augmented intelligence strategy—combining human intelligence and artificial intelligence to identify vulnerabilities.

Synack describes the goal of “augmented intelligence” as making humans more efficient and effective, not creating a system that runs without humans. In this optimal combination, humans are responsible for creativity and critical thinking while machines handle large volumes of data.

Including an AI component in a security solution means the algorithm can:

  • Identify the most common types of security risks
  • Analyze cybersecurity data with higher accuracy
  • Monitor evolving security threats and detect anomalies to build a picture of the threat landscape

Synack reports that security teams that combine humans and artificial intelligence to do penetration testing can find vulnerabilities faster, cover a wider attack surface, and decrease the time needed to fix vulnerabilities. The combination is important because “security risks and threats are always evolving and AI does not excel at higher-order tasks.”

Chase C. Cunningham, an analyst at Forrester Research, said that using AI to augment humans and enhance cybersecurity operational capability is the most directly applicable use case for AI systems on the market.

“We don’t have enough humans to do the job today, and in most cases, the responses needed by the humans that are operating in cybersecurity roles can be automated or augmented to increase efficacy and output,” he said.

Cunningham said that there are few AI tools on the market that are well-tailored for data security.

“The weaknesses we see in ‘AI’ tooling in the market are mainly in that the systems don’t do too well when they try to ‘learn’ outside of the bounds of pretty structured and repetitive analysis and responses,” he said. “What we see in this space is really well-tailored and applied machine learning vectored for specific use cases.”

Synack analyzed data from security tests to create Attacker Resistance Scores. In the chart above, an incident is a security event that compromises the integrity, confidentiality or availability of an information asset. A breach results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.