GuidePoint Security wins 2016 GovStar Star Performer Award

GuidePoint Security is the 2016 Washington SmartCEO GovStar Award winner in the Star Performer Large category.

GovStar awards honor Washington-area government contractors that demonstrate excellence in government contracting.

SmartCEO honored GuidePoint and other GovStar finalists during a special ceremony Nov. 21 at the Hyatt Regency Reston. More than 500 area executives and guests attended to celebrate winners in each GovStar category. GuidePoint and the other finalists will be profiled in SmartCEO’s November/December issue.

“We are honored to be the 2016 Star Performer winner in the Large category,” said Michael Volk, GuidePoint’s Founder and Managing Partner. “We take a lot of pride in the work we do with our government clients. Our team is committed to helping them meet their objectives.”

According to SmartCEO, the 2016 GovStar finalists collectively generated more than $6.5 billion in annual revenue and employ more than 27,000 individuals in Greater Washington.

“The government contracting industry is one of the most complex and competitive business sectors in the world,” said Jaime Nespor-Zawmon, president of SmartCEO. “But day in and day out this year’s finalists come to work with the passion to not only build great businesses but also serve their country, protect U.S. citizens, and drive innovation in healthcare, technology, and communications. They are inspirational, patriotic, and driven to succeed. We are honored to recognize them for their achievements.”

Earlier this year, GuidePoint won a SmartCEO Future 50 award as one of the region’s fastest growing mid-size companies. Last year, GuidePoint was a finalist in the 2015 SmartCEO GovStar Awards in the Industry Star category.

Among other honors garnered by GuidePoint this year are:

  • No. 3 Washington Business Journal Security Technology Companies list
  • No. 5 Top Security Company Inc. 5000 List
  • No. 14 on CRN Fast Growth 150 List
  • No. 19 Top Virginia Companies Inc. 5000 List
  • No. 22 Top Washington, D.C. Companies Inc. 5000 List
  • No. 30 Washington Business Journal Fastest Growing Companies list
  • No. 308 overall 2016 Inc. 5000 List
  • Trending 40’s D.C.’s Red Hot Companies list
  • F5 Federal Partner of the Year
  • No. 192 on CRN Solution Provider 500 list

About GovStar Awards

The GovStar Awards program honors local government contractors for technology innovation, workplace environment, growth, veteran support, and impact on the industry and the marketplace as a whole. The GovStar program recognizes the many commendable attributes of Greater Washington-area companies striving for excellence in this complex and competitive sector. Each year, an independent committee of local business leaders selects the winners based on their growth, innovation, corporate culture, veteran support, and industry impact. For more information about the awards, visit www.smartceo.com/washington-govstar.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Trending 40 says GuidePoint is Red Hot

GuidePoint Security is one of D.C.’s Red Hot Companies.

The latest honor is from Trending 40, an events program that recognizes and celebrates D.C.-area talent from technology, legal, associations, and corporate communities.

Trending 40 honored GuidePoint and other businesses that made the fastest-growing companies list during a special ceremony Tuesday, Nov. 15, at 1776-Crystal City in Crystal City, Virginia.

“When we founded GuidePoint in 2011, we knew we had something special,” Michael Volk, GuidePoint’s Founder and Managing Partner, said. “Awards like this are a testament to the drive our team has to be the best cyber security solution provider in the market, not just in terms of sales and growth, but in outstanding customer support and satisfaction. Each year as GuidePoint grows, it reflects our commitment to continually exceed our customers’ expectations and work with them to meet all of their information security needs.”

According to Trending 40, “DC has been a hotbed of activity in tech, hospitality, real estate, life sciences, healthcare, and nonprofits in recent years. It’s time to celebrate the success of many of these great companies.”

This honor is among several GuidePoint has garnered this year. In addition to making the Trending 40 list, in 2016 GuidePoint has earned:

  • No. 3 Washington Business Journal Security Technology Companies list
  • No. 5 Top Security Company Inc. 5000 List
  • No. 14 on CRN Fast Growth 150 List
  • No. 19 Top Virginia Companies Inc. 5000 List
  • No. 22 Top Washington, D.C. Companies Inc. 5000 List
  • No. 30 Washington Business Journal Fastest Growing Companies list
  • No. 308 overall 2016 Inc. 5000 List
  • SmartCEO Future 50
  • F5 Federal Partner of the Year
  • No. 192 on CRN Solution Provider 500 list

New F5 ASM Version 12.x Features Improve Performance

In today’s blog, we will discuss the newest features of F5’s Web Application Firewall (WAF), Application Security Manager (ASM). ASM has been around for quite some time, but with recent updates I thought it was worth discussing.

F5 Networks recently released version 12.1.1, the first long-term support release for version 12. If you haven’t read through the release notes, take a few minutes and do so. I am really excited by some of the most recent features and I would like to share some of them with you.

I was ecstatic to see Unified Policy Building in 12.0 because now you have one screen to view all learning suggestions. This makes it far easier to sort through. If your policy builds automatically or statically based on your custom thresholds, you now have only one screen to manage.

Following the style already set in ASM, there is a dropdown menu that allows you to select the policy for which you want to see suggestions. Tabbed across the top is also Enforcement Readiness, and they moved Learning and Blocking Settings here as well. This makes the overall flow better while making it easier to see which settings you have for each selected policy — no more bouncing around the mouseover menus.

Next up in 12.0 is Proactive Bot Defense. This is a set of additional features added to the Denial of Service (DoS) functions ASM already used. F5 added improved defense against unwanted browsers and browsing agents that are not human-initiated. CAPTCHA and JavaScript insertion do this, but with some caveats. If you use CORS (Cross-Origin Resource Sharing), as with AJAX calls, you will have issues, and you should add those URLs to the bot whitelist.

F5 Networks also added malicious bot signatures. Now when you update your ASM application signatures, bot signatures are classified as malicious or benign. Just like with application signatures, you can create your own bot signatures as well. You even have the ability to create signature sets with either malicious or benign classifications. This gives you greater control. Once created and applied via a “dos” profile, traffic is automatically classified and either accepted or discarded as configured.

Version 12.1 was not outshone by 12.0, and really cranked up the dial. It added more DoS enhancements with the ability to track using device IDs. Device IDs can now be used for DoS, brute force, and session hijacking protection. You can define bad behavior and set thresholds to classify traffic from them and either log or block them. F5 even extended Analytics to sort by these IDs. More reporting is always a good thing!

Using a similar set of metric definitions, you can now automatically blacklist IPs attacking your layer 7 resources and increase your DoS footprint. This does not require use of IP intelligence or any other classification engine; this DoS feature works through your config definitions. Adding IP intelligence, however, is a good thing in my opinion. I encourage you to look at it as more than just ASM.

Two huge new features in ASM are the ability to define methods per URL and to support WebSockets per URL. In previous versions, methods were globally defined for an application. This is great news. For apps that might have only one page that supports a POST, you can define it only for that page.

Websockets are new altogether. Websocket protocol allows client and server to stream data bidirectionally indefinitely. Websockets create a connection over HTTP, but then switch to a single TCP connection using message frames. This allows full duplex and low latency transport. Chances are you used these in your last internet chat. When you think of what could be hiding in one of those, protection really matters.
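To make the handshake-then-frames behavior concrete, here is an added example (not from the original post and not F5's code) that computes the handshake's `Sec-WebSocket-Accept` value and decodes frames as defined in RFC 6455. The key and frame bytes are the RFC's published sample values; the function names are illustrative.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455; the server appends it to the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Sample frames from RFC 6455 section 5.7, both carrying the text "Hello".
CLIENT_FRAME = bytes.fromhex("818537fa213d7f9f4d5158")  # client -> server, masked
SERVER_FRAME = bytes.fromhex("810548656c6c6f")          # server -> client, unmasked


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value the server returns for a Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_frame(data: bytes) -> dict:
    """Decode one frame: header bits, extended length, mask key, clear payload."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated frame")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    b0, b1 = take(2)
    length = b1 & 0x7F
    if length == 126:                      # 16-bit extended length
        length = int.from_bytes(take(2), "big")
    elif length == 127:                    # 64-bit extended length
        length = int.from_bytes(take(8), "big")
    masked = bool(b1 & 0x80)
    key = take(4) if masked else b""
    payload = take(length)
    if masked:                             # XOR each byte with the rotating key
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return {
        "fin": bool(b0 & 0x80),
        "opcode": b0 & 0x0F,               # 1 = text, 2 = binary, 8 = close
        "masked": masked,
        "payload": payload,
    }


if __name__ == "__main__":
    print(accept_key("dGhlIHNhbXBsZSBub25jZQ=="))
    # The masked client frame does not contain the literal bytes "Hello",
    # so pattern matching on the raw stream would not see the message.
    print(b"Hello" in CLIENT_FRAME, parse_frame(CLIENT_FRAME))
    print(parse_frame(SERVER_FRAME))
```

Client-to-server frames are always masked, so content inspection has to decode each frame before any signature can match its payload.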

The last feature I want to mention is the ability for ASM to automatically detect and configure login pages in your application. If you have spent time parsing through someone else’s code to define a login page, you will welcome this feature. Now, that alone would be cool, but if you defined policy settings for brute force and session tracking, it will automatically add those options to the login forms it creates. This is a rockstar feature!

These are some of the main features ASM received in 12.0 and 12.1. There are still others like improved policy building, reduced policy building resource consumption, etc. Once again, if you have not reviewed the release notes, you should. I hope this generates a little interest in seeing what ASM has to offer now, and that you continue to find success in using F5 Networks Application Security Manager.

If you don’t already have ASM, consider what ASM can do for you. If you are already a GuidePoint Security customer and want to know more, reach out to your representative. If you are not a customer and would like to learn more, please feel free to contact us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

F5 Networks’ ASM: Secure Your Applications, Don’t Give Away Your Kingdom

It occurred to me while I was writing another blog that we need to talk about Web Application Firewalls (WAF). We think everyone should use one. Your current network and security infrastructure is the castle and drawbridge, whereas WAF is your portcullis. Not securing your applications is like giving away the keys to your kingdom.

What is a WAF?

WAFs are the first and last line of defense for your application. A WAF takes over at layer 4 of the Open Systems Interconnection (OSI) model, moves up to layer 7, and looks at the request, response, and payload. It validates data and the package it’s carried in, and its authenticity. In essence, a WAF applies a set of security rules to all aspects of an HTTP conversation.

The difference from your next-generation firewalls (NGFW) and IDS/IPS units, which only inspect packet-by-packet, is that a WAF digs into HTTP content and conversations, and validates the content request, response, and payload against white and black lists. Using predefined signatures or behavioral baselines, the WAF takes appropriate countermeasures based on configured policy elements. WAFs also include enhanced logging, alerting, connection intermediation, and even content manipulation to mitigate the impacts of attacks, mislead attackers, or inject content designed to raise confidence levels for WAF detection mechanisms.

A WAF validates traffic and payloads by learning the way the application should work, prevents bad input or manipulations, and prevents dangerous query/responses. A WAF maintains HTTP RFC compliance on all aspects of the session, and enforces session rules and session flows. It is a multifaceted tool.

F5 Networks Application Security Manager (ASM), in my opinion, is the right tool for the job. It is a tool that complements the F5 Global Traffic Manager (GTM) and Local Traffic Manager (LTM) devices you already use. To illustrate this, let us look at the traffic flow.

First, the GTM picks up the DNS request. Utilizing GTM, you can create a high-speed query frontend with DNS Express and can secure that zone with DNSSEC. GTM also evaluates your DNS request and traffic-shapes your response based on a host of criteria and settings, sending your session on to the network.

Sure, you have a firewall at your internet edge. It might even be next-gen, performs packet inspection, and has some signatures to eliminate some bad traffic. The same might also be true of your IPS/IDS, but these are packet-by-packet inspections and not the whole HTTP conversation (for the most part) and bad traffic gets by.

Here is where the F5 picks up and starts defending. LTM gets the traffic first and blocks malicious IPs, sorts out countries you may or may not want, defends against DDoS, and mitigates ciphers that are too weak or broken, all while restricting IP/port/landing page. LTM also traffic-shapes its handoff to the next level, ASM.

ASM starts slow and builds in levels based on policy. It receives that traffic and checks if it matches the defined site. Then it checks to see if it is a new session. From there, it starts checking everything. It checks against signatures, RFC compliance, session-tracking info, methods, request timing, number of requests, header information, etc. And this is only the initial request. We haven’t even gotten to response!

ASM comes with quick-start policy templates for a ton of popular applications like Exchange, SharePoint, PeopleSoft, SAP, etc. If one of those doesn’t fit your build, ASM ships with an auto-policy builder. Fire this up and you turn your ASM device into Sherlock Holmes. It watches traffic pass through and automatically starts writing its own suggestions. When those suggestions get enough hits, ASM makes them into policy. The longer it runs, the better the policy.

If you change the application or add to it, it automatically picks that up and starts the building piece again. You can even build policy without affecting users. By keeping it out of blocking mode, you can mature the policy and reduce the likelihood that false alarms will create negative impact for users.

The ASM comes with other cool features, too, such as preventing forceful browsing, where attackers try to gain access to pages not part of the site that might have admin access. You can keep users from bookmarking deep into the app and redirect them to login pages you defined first to define flow. This keeps the application more secure and enables the organization to track sessions to support security, problem resolution, and compliance use-cases.

With this information, you can restrict application access to secondary login pages or other admin-related content by enforcing application flows, and protect against web scraping. Brute force protection will even keep those login pages safe by adding a layer of protection, including limiting login attempts, identifying automated attacks, and more, for these critical security entry points for the application.

DataGuard is an awesome feature as well. It protects sensitive fields like credit card numbers, Social Security numbers, and other administrator-defined sensitive data from passing through in clear text. Instead, it utilizes masking to overwrite these values in responses with ‘****’. ASM will also mask these in the logs so you don’t have to worry about admins having access to that info as well.
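The masking behavior described above can be sketched as follows. This is an added example, not F5's implementation or DataGuard configuration: the regular expressions, the Luhn check used to cut false positives, and the sample response and log line are assumptions constructed for illustration.

```python
import re

MASK = "****"

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number in its usual dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample data: a JSON response body and an access-log line.
SAMPLE_BODY = (
    '{"card":"4111 1111 1111 1111","ssn":"123-45-6789",'
    '"order_id":"4111111111111112"}'
)
SAMPLE_LOG = "POST /checkout card=4111-1111-1111-1111 status=200"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary long digit runs (order IDs) are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_sensitive(text: str) -> str:
    """Replace card numbers that pass Luhn, and SSN-shaped values, with MASK."""

    def mask_card(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return MASK if luhn_ok(digits) else match.group(0)

    return SSN_RE.sub(MASK, CARD_RE.sub(mask_card, text))


if __name__ == "__main__":
    # The same function is applied to what the client receives and to what
    # gets written to the log, so neither copy keeps the clear value.
    print(mask_sensitive(SAMPLE_BODY))
    print(mask_sensitive(SAMPLE_LOG))
```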

There are so many other features, including signatures and security responses for common web application security threats such as cross-site request forgery (CSRF), cross-site scripting (XSS), clickjacking, cookie manipulation, etc. Any of these topics, as well as the mechanisms ASM utilizes to protect against them, would be worthy of their own blog post.  

I hope this blog has sparked a little more interest in your traffic and maybe even a hard look into the available security measures you can take. If you are already a GuidePoint Security customer, reach out to your representative to learn more. If you are not a customer and would like to learn more, please feel free to reach out to us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

Automation Tools Help with Real-Time Incident Response and Protection

Free webinar: Real-world examples of how to keep your environment secure from attacks, accelerate remediation

If you’re an information security professional responsible for incident response, you may feel frustrated and overburdened by all the manual processes needed to keep your environment safe.

You’re not alone.

In a recent Enterprise Strategy Group survey, more than 60 percent of information technology professionals say their organization has taken steps to automate incident response, but 91 percent say those processes are not effective or efficient.

Did you know there are resources and tools available to help facilitate some of these key processes for your organization? GuidePoint Security’s Virtual Security Operations Center (vSOC) analysts and incident responders have real-world experience using these types of tools. One such tool, Carbon Black, helps power GuidePoint’s vSOC, enabling analysts and responders to hunt for incidents in real time, visualize the complete attack kill chain, and efficiently defend environments from attacks.

Here are some examples of how they have successfully used Carbon Black to stop incidents and monitor endpoints:

PowerShell Watchlist

Recently, GuidePoint analysts used Carbon Black to create a PowerShell watchlist for an unauthorized user attempt. Once alerted, analysts tracked down a malicious remote address and shut down unauthorized privileges on the host.

Environment audits

In another instance, vSOC analysts used Carbon Black to audit an environment to limit privileged account credentials. The audit alerted analysts to a possible vulnerability that could have allowed unrestricted access to a domain.

PUA/PUP activity

vSOC analysts recently used Carbon Black to create a custom watchlist for PUA/PUP activity. They found an instance that stood out from others and located an unapproved IE toolbar, which was loaded without approval on multiple workstations. The toolbar was isolated as a threat because it had the ability to monitor web-browsing behaviors.

Would you like to know more about these real-world incident response examples and how you can move from playing incident response catch-up to proactively hunting for threats?

Join GuidePoint and Carbon Black for a free, interactive webinar, “Conquering Challenges of Incident Response: Real-Time Hunting and Response,” at 2:30 p.m. Thursday, Nov. 17. The session will last about 45 minutes, with a chance to interact with the presenters, Stephen Jones, GuidePoint’s director of managed services, and Justin Scarpaci, technical solutions lead, Carbon Black.

Register online here.

About the presenters

Stephen Jones has more than 10 years of experience in information technology and cyber security. He specializes in security operations and has extensive experience working within the Department of Defense and the Intelligence Community.

Justin Scarpaci is a technical account manager on the Partner Success team at Carbon Black. In that role, he assists IR/MSSP partners with operationalizing Carbon Black as part of their service offerings. Justin served in the Marine Corps and has worked in multiple security roles for a defense contractor. He has a master’s degree in information security and forensics.

Can’t make the webinar? No worries. Go ahead and register now and we will send you a recording after the live presentation.
