vSOC SPOT Report – WCrypt (WanaCrypt0r 2.0) – Ransomware Attack

Latest Updates

2017-05-14 10:08 EDT

Researchers are reporting that a new variant of the WannaCrypt malware has been observed in the wild notably missing the kill switch check for the www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain that @MalwareTechLab registered to stop the first variant from propagating as fast. It has been speculated that the kill switch was actually a poorly implemented check to see if the malware was running in a sandbox. Even variants with the kill switch can continue to propagate and infect vulnerable networks through phishing emails or other lateral movement capabilities.

It is imperative that all Windows systems be patched. On Saturday, Microsoft released an out-of-band patch for deprecated operating systems, including Windows XP and Server 2003, to help thwart this campaign. vSOC will remain diligent in monitoring all client environments for signs of compromise or infection.

GuidePoint recommends disabling SMBv1 using a GPO or PowerShell script:

Via GPO

To enable or disable SMBv1 on the SMB server, configure the following registry key (a reboot is required):

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Via PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force

2017-05-12 22:28 EDT

A UK malware researcher whose Twitter handle is @MalwareTechLab “accidentally” stopped one widespread variant of the ransomware from propagating further by registering a domain discovered while analyzing the code. The domain, Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, is a kill switch that the code sends a GET request for. If the domain is not found, the code continues and infects the host. If the domain is found, the code exits and the host is not infected. As long as the domain does not get revoked or taken down, this particular variant will cease infecting new machines. New variants without this kill switch feature are likely to spring up in the coming days and weeks, so due diligence is highly recommended, along with patching all vulnerable systems and disabling SMB v1.
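
The kill-switch behaviour described above gives responders a cheap triage signal: a host that looked up the domain ran the sample, and the lookup result tells you whether the sample exited (domain resolved) or carried on (lookup failed). The following is an added example, not code from the report; the log line format, host addresses and timestamps are constructed for illustration.

```python
"""Triage DNS query logs for lookups of the WannaCrypt kill-switch domain.
Added example for this report, not the report's own tooling. The log format
('<ts> <client_ip> <qname> <rcode>') and the sample hosts are constructed;
adapt parse_line() to your resolver's real log format."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Kill-switch domain quoted in the report (compared case-insensitively).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


@dataclass
class HostEvidence:
    first_seen: str
    lookups: int = 0
    rcodes: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Per the report: if the domain resolves the sample exits before
        # encrypting; if the lookup fails the sample continues on the host.
        if any(rc == "NOERROR" for rc in self.rcodes):
            return "exited_on_kill_switch"
        return "kill_switch_unresolved_check_for_encryption"


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (ts, client, qname, rcode) or None for blank/malformed lines,
    so a noisy log does not abort the sweep."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    return ts, client, qname.rstrip(".").lower(), rcode.upper()


def is_kill_switch_query(qname: str) -> bool:
    # Match the bare domain and any label in front of it (the report lists www.).
    return qname == KILL_SWITCH_DOMAIN or qname.endswith("." + KILL_SWITCH_DOMAIN)


def triage_dns_log(lines: Iterable[str]) -> Dict[str, HostEvidence]:
    """Every client that queried the kill-switch domain, with first-seen time,
    lookup count and a verdict on whether encryption is likely to have run."""
    hosts: Dict[str, HostEvidence] = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        if not is_kill_switch_query(qname):
            continue
        ev = hosts.setdefault(client, HostEvidence(first_seen=ts))
        ev.lookups += 1
        ev.rcodes.append(rcode)
    return hosts


# Constructed sample log: one host queried while the domain was still
# unregistered (NXDOMAIN), another after it had been registered (NOERROR).
SAMPLE_LOG = """\
2017-05-12T10:31:07Z 10.20.1.15 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:31:09Z 10.20.1.15 update.example.net NOERROR
2017-05-12T15:44:52Z 10.20.3.7 WWW.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
2017-05-12T15:45:01Z 10.20.3.7 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
garbage line
2017-05-13T02:10:00Z 10.20.9.2 intranet.example.net NOERROR
"""

if __name__ == "__main__":
    for host, ev in sorted(triage_dns_log(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: first_seen={ev.first_seen} lookups={ev.lookups} verdict={ev.verdict}")
```

A host in the "kill_switch_unresolved" bucket is the one to check for the file extensions and ransom note listed later in this report.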

Based on this latest information, GuidePoint recommends our original mitigation steps:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data, which will reduce the amount of damage a crypto-ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Latest Indicators of Compromise

2017-05-12 22:36 EDT

File Names

  • mssecsvc.exe
  • @wanadecryptor@.exe
  • taskdl.exe
  • taskse.exe
  • tasksche.exe
  • tor.exe
  • @Please_Read_me@.txt

File Extensions

  • .wcry
  • .wncry
  • .wncryt
  • .wncy

Windows Service Name

  • mssecsvc2.0
  • Microsoft Security Center (2.0) Service

File Strings

  • Wanna Decryptor 1.0
  • Wana DecryptOr
  • Wana Decrypt0r
  • WANNACRY
  • WanaCryptOr
  • WanaCrypt0r
  • WANACRY!
  • WNcry@2o17

File Hash Values


Command and Control IPs:


Sender IPs:


Tor Onion URLs:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • Xxlvbrloxvriy2c5.onion

Mutex:

  • ShimCacheMutex
  • Global\MsWinZonesCacheCounterMutexA0
  • MsWinZonesCacheCounterMutexA

Domains:

  • R12.sn-h0j7sn7s.gvt1.com
  • Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Email Sender:

  • alertatnb@serviciobancomer.com

Kill Switch Domain:

  • www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Snort Signatures:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:25; content:"|08 ff fe 00 08 41 00 09 00 00 00 10|"; within:12; fast_pattern; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type threshold, track by_src, count 12, seconds 1; classtype:trojan-activity; sid:2024217; rev:1;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
http://docs.emergingthreats.net/bin/view/Main/2024218

The ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Once started, it immediately spawns several processes to change file permissions and communicate with Tor hidden C2 servers:

attrib +h .
icacls . /grant Everyone:F /T /C /Q
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
@WanaDecryptor@.exe fi
300921484251324.bat
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
C:\Users\xxx\AppData\Local\Temp\taskdl.exe

The malware creates the mutex "Global\MsWinZonesCacheCounterMutexA" and runs the command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
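
The command lines above (shadow copy deletion, boot recovery tampering, backup catalog deletion, the icacls grant) are the loudest pre-encryption signal an endpoint sensor will see. The following is an added example of matching them in process-creation telemetry, not code from the report; the event format is constructed JSON lines with Sysmon-style field names (host, Image, CommandLine), and the sample hosts are invented.

```python
"""Detect the WCrypt pre-encryption command lines in process-creation events.
Added example, not the report's own tooling. Events are constructed JSON
lines with Sysmon-style field names; adapt the field names to your sensor."""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# (category, regex applied to the lower-cased command line)
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("boot_recovery_tampering", re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b")),
    ("boot_recovery_tampering", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures")),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("permission_grant_everyone", re.compile(r"icacls(\.exe)?\s+.*/grant\s+everyone:f")),
]
# Binary names taken from the report's indicator list.
KNOWN_IMAGES = {"taskdl.exe", "taskse.exe", "tasksche.exe", "@wanadecryptor@.exe", "mssecsvc.exe"}


def categorise(command_line: str, image: str) -> Set[str]:
    """Behaviour categories a single process-creation event matches."""
    cmd = command_line.lower()
    hits = {cat for cat, rx in RULES if rx.search(cmd)}
    if image.lower().rsplit("\\", 1)[-1] in KNOWN_IMAGES:
        hits.add("known_wcrypt_binary")
    return hits


def triage_process_events(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Aggregate matched categories per host; malformed lines are skipped."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        cats = categorise(ev.get("CommandLine", ""), ev.get("Image", ""))
        if cats:
            per_host[ev.get("host", "?")].update(cats)
    return dict(per_host)


def hosts_to_isolate(per_host: Dict[str, Set[str]]) -> List[str]:
    """Hosts showing destructive activity in at least two categories: a single
    'vssadmin delete shadows' can be admin work, the full chain is not."""
    destructive = {"shadow_copy_deletion", "boot_recovery_tampering", "backup_catalog_deletion"}
    return sorted(h for h, c in per_host.items() if len(c & destructive) >= 2)


# Constructed sample events; the first command line is the one quoted in the report.
SAMPLE_EVENTS = [
    json.dumps({"host": "WS-014", "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                               "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                               "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"}),
    json.dumps({"host": "WS-014", "Image": r"C:\Users\xxx\AppData\Local\Temp\taskdl.exe",
                "CommandLine": r"C:\Users\xxx\AppData\Local\Temp\taskdl.exe"}),
    json.dumps({"host": "WS-022", "Image": r"C:\Windows\System32\icacls.exe",
                "CommandLine": "icacls . /grant Everyone:F /T /C /Q"}),
    json.dumps({"host": "WS-031", "Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin list shadows"}),  # benign admin activity
    "{not json",
]

if __name__ == "__main__":
    result = triage_process_events(SAMPLE_EVENTS)
    for host in sorted(result):
        print(host, sorted(result[host]))
    print("isolate first:", hosts_to_isolate(result))
```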

Files:

  • [Installed_Folder]\00000000.eky
  • [Installed_Folder]\00000000.pky
  • [Installed_Folder]\00000000.res
  • [Installed_Folder]\@WanaDecryptor@.exe
  • [Installed_Folder]\@WanaDecryptor@.exe.lnk
  • [Installed_Folder]\b.wnry
  • [Installed_Folder]\c.wnry
  • [Installed_Folder]\f.wnry
  • [Installed_Folder]\msg\
  • [Installed_Folder]\msg\m_bulgarian.wnry
  • [Installed_Folder]\msg\m_chinese (simplified).wnry
  • [Installed_Folder]\msg\m_chinese (traditional).wnry
  • [Installed_Folder]\msg\m_croatian.wnry
  • [Installed_Folder]\msg\m_czech.wnry
  • [Installed_Folder]\msg\m_danish.wnry
  • [Installed_Folder]\msg\m_dutch.wnry
  • [Installed_Folder]\msg\m_english.wnry
  • [Installed_Folder]\msg\m_filipino.wnry
  • [Installed_Folder]\msg\m_finnish.wnry
  • [Installed_Folder]\msg\m_french.wnry
  • [Installed_Folder]\msg\m_german.wnry
  • [Installed_Folder]\msg\m_greek.wnry
  • [Installed_Folder]\msg\m_indonesian.wnry
  • [Installed_Folder]\msg\m_italian.wnry
  • [Installed_Folder]\msg\m_japanese.wnry
  • [Installed_Folder]\msg\m_korean.wnry
  • [Installed_Folder]\msg\m_latvian.wnry
  • [Installed_Folder]\msg\m_norwegian.wnry
  • [Installed_Folder]\msg\m_polish.wnry
  • [Installed_Folder]\msg\m_portuguese.wnry
  • [Installed_Folder]\msg\m_romanian.wnry
  • [Installed_Folder]\msg\m_russian.wnry
  • [Installed_Folder]\msg\m_slovak.wnry
  • [Installed_Folder]\msg\m_spanish.wnry
  • [Installed_Folder]\msg\m_swedish.wnry
  • [Installed_Folder]\msg\m_turkish.wnry
  • [Installed_Folder]\msg\m_vietnamese.wnry
  • [Installed_Folder]\r.wnry
  • [Installed_Folder]\s.wnry
  • [Installed_Folder]\t.wnry
  • [Installed_Folder]\TaskData\
  • [Installed_Folder]\TaskData\Data\
  • [Installed_Folder]\TaskData\Data\Tor\
  • [Installed_Folder]\TaskData\Tor\
  • [Installed_Folder]\TaskData\Tor\libeay32.dll
  • [Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
  • [Installed_Folder]\TaskData\Tor\libssp-0.dll
  • [Installed_Folder]\TaskData\Tor\ssleay32.dll
  • [Installed_Folder]\TaskData\Tor\taskhsvc.exe
  • [Installed_Folder]\TaskData\Tor\tor.exe
  • [Installed_Folder]\TaskData\Tor\zlib1.dll
  • [Installed_Folder]\taskdl.exe
  • [Installed_Folder]\taskse.exe
  • [Installed_Folder]\u.wnry
  • [Installed_Folder]\wcry.exe

Registry Entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] "[Installed_Folder]\tasksche.exe"
  • HKCU\Software\WanaCrypt0r\
  • HKCU\Software\WanaCrypt0r\wd [Installed_Folder]
  • HKCU\Control Panel\Desktop\Wallpaper "[Installed_Folder]\Desktop\@WanaDecryptor@.bmp"

Email Subjects:

  • FILE_<5 numbers>
  • SCAN_<5 numbers>
  • PDF_<4 or 5 numbers>

Email Attachment:

  • nm.pdf

Suricata Signatures (https://github.com/xNymia/Suricata-Signatures/blob/master/EquationGroup.rules):

# EternalBlue Signature matching potential NEW installation of SMB payload
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 - MS17-010"; flow:from_server,established; content:"|FF|SMB|32 02 00 00 c0|"; offset:4; depth:9; content:"|52 00|"; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)

# EternalBlue Signature matching return signature for connection to pre-installed SMB payload
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Successful ETERNALBLUE Connection SMB MultiplexID = 81 - MS17-010"; flow:from_server,established; content:"|FF|SMB|32 02 00 00 c0|"; offset:4; depth:9; content:"|51 00|"; distance:21; within:23; classtype:trojan-activity; sid:5000073; rev:1;)

# Signature to identify what appears to be initial setup trigger for SMBv1 - MultiplexID 64 is another unusual value
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 - Tree Connect AndX MultiplexID = 64 - MS17-010"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|40 00|"; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

# Signature triggers on Trans2 Setup Request with MultiplexID - 65 - Another unusual MID - Only triggers if 64 was seen previously.
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 2/2 - Trans2 SUCCESS MultiplexID = 65 - MS17-010"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; offset:4; depth:9;
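
To make the byte patterns in the Snort and Suricata rules above concrete: `|00 00 00 31|` is the NetBIOS length of a 49-byte SMB Echo, `2b` is SMB_COM_ECHO, `18`/`98` are the request/response flags, and in the Trans2 rules `|32 02 00 00 c0|` is SMB_COM_TRANSACTION2 with STATUS_NOT_IMPLEMENTED while `distance:21` from the end of that match lands exactly on the 2-byte MultiplexID field. The block below is an added example that re-implements the Echo flowbit logic (sids 2024220/2024218) and the MID 81/82 rules (sids 5000073/5000072) as a small stateful parser; it is not code from the report, Emerging Threats or the xNymia repository, it deliberately skips the heap-spray rule (pcre plus threshold), and its sample packets are constructed from the bytes quoted in the rules.

```python
"""Stateful re-implementation of the ETERNALBLUE Echo flowbit rules and the
Trans2 MultiplexID rules quoted above. Added example, not the report's or the
rule authors' code. Sample packets are constructed from the rule byte patterns."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SMB_MAGIC = b"\xffSMB"
SMB_COM_ECHO = 0x2B
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002          # |02 00 00 c0| little-endian in the rules
ECHO_MARKER = b"JlJmIhClBsr\x00"             # |4a 6c 4a 6d 49 68 43 6c 42 73 72 00|
ECHO_FLAGS_REQUEST, ECHO_FLAGS_RESPONSE = 0x18, 0x98
ECHO_NB_LENGTH = 0x31                        # |00 00 00 31| NetBIOS session length


@dataclass
class Smb1Message:
    nb_length: int
    command: int
    status: int
    flags: int
    mid: int
    body: bytes                              # everything after the 32-byte header


def parse_smb1(packet: bytes) -> Optional[Smb1Message]:
    """Parse a NetBIOS-framed SMBv1 message; None if it is not well formed."""
    if len(packet) < 36:
        return None
    nb_length = int.from_bytes(packet[:4], "big")
    hdr = packet[4:36]
    if nb_length != len(packet) - 4 or hdr[:4] != SMB_MAGIC:
        return None
    # SMB1 header: command@4, status@5..8 (LE), flags@9, flags2@10..11, MID@30..31.
    return Smb1Message(nb_length, hdr[4], struct.unpack("<I", hdr[5:9])[0],
                       hdr[9], struct.unpack("<H", hdr[30:32])[0], packet[36:])


@dataclass
class EternalBlueDetector:
    flowbits: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def inspect(self, client: str, server: str, to_server: bool,
                packet: bytes) -> List[Tuple[int, str]]:
        alerts: List[Tuple[int, str]] = []
        smb = parse_smb1(packet)
        if smb is None:
            return alerts
        bits = self.flowbits.setdefault((client, server), set())
        is_marker_echo = (smb.command == SMB_COM_ECHO and smb.status == 0
                          and smb.nb_length == ECHO_NB_LENGTH and ECHO_MARKER in smb.body)
        # sid 2024220: marker Echo request, client -> server. The rule carries
        # flowbits:noalert, so it only records state for this flow.
        if to_server and is_marker_echo and smb.flags == ECHO_FLAGS_REQUEST:
            bits.add("ETPRO.ETERNALBLUE")
        # sid 2024218: the server echoes the marker back and the request was seen.
        if (not to_server and is_marker_echo and smb.flags == ECHO_FLAGS_RESPONSE
                and "ETPRO.ETERNALBLUE" in bits):
            alerts.append((2024218, "Possible ETERNALBLUE MS17-010 Echo Response"))
        # sids 5000072/5000073: Trans2 response, STATUS_NOT_IMPLEMENTED, MID 82 / 81.
        if (not to_server and smb.command == SMB_COM_TRANSACTION2
                and smb.status == STATUS_NOT_IMPLEMENTED):
            if smb.mid == 82:
                alerts.append((5000072, "Possible Successful ETERNALBLUE Installation MID=82"))
            elif smb.mid == 81:
                alerts.append((5000073, "Successful ETERNALBLUE Connection MID=81"))
        return alerts


def build_smb1(command: int, status: int, flags: int, mid: int, body: bytes) -> bytes:
    """Construct a NetBIOS-framed SMB1 message (used only to build samples)."""
    hdr = (SMB_MAGIC + bytes([command]) + struct.pack("<I", status) + bytes([flags])
           + b"\x07\xc0"                      # flags2 bytes as they appear in the rules
           + b"\x00" * 12                     # PIDHigh, SecuritySignature, Reserved
           + struct.pack("<HHHH", 0, 0, 0, mid))   # TID, PID, UID, MID
    return len(hdr + body).to_bytes(4, "big") + hdr + body


# WordCount=1, EchoCount=1, ByteCount=12, 12-byte marker: 32 + 17 = 0x31 bytes.
ECHO_BODY = b"\x01" + struct.pack("<HH", 1, len(ECHO_MARKER)) + ECHO_MARKER


def sample_exchange() -> List[Tuple[str, str, bool, bytes]]:
    """Constructed flow: marker Echo request, its response, then a Trans2
    response with STATUS_NOT_IMPLEMENTED and MultiplexID 82."""
    c, s = "10.0.0.5", "10.0.0.9"
    return [
        (c, s, True, build_smb1(SMB_COM_ECHO, 0, ECHO_FLAGS_REQUEST, 0x40, ECHO_BODY)),
        (c, s, False, build_smb1(SMB_COM_ECHO, 0, ECHO_FLAGS_RESPONSE, 0x40, ECHO_BODY)),
        (c, s, False, build_smb1(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED,
                                 ECHO_FLAGS_RESPONSE, 82, b"\x00\x00\x00")),
    ]


def run_detector(packets) -> List[int]:
    """Feed packets through one detector instance and return the sids that fired."""
    det = EternalBlueDetector()
    return [sid for c, s, to_srv, pkt in packets for sid, _ in det.inspect(c, s, to_srv, pkt)]


if __name__ == "__main__":
    print(run_detector(sample_exchange()))   # [2024218, 5000072]
```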

Overview

On Friday, May 12th, an attack against the United Kingdom National Health Service (NHS) and the Spain-based telecommunications company Telefonica was made public. Reports now show that both organizations have been hit with the WCrypt (WanaCrypt0r 2.0) crypto-ransomware. This attack is being perpetrated through the use of the recently leaked Eternal Blue exploit, part of the exploit kits released in the ShadowBrokers dump from the compromise of the National Security Agency (NSA). The exploit has been weaponized as a worm using a previously unpatched SMB vulnerability. Infections have been verified in the US as well. While data is still filtering in, early reports indicate FedEx is among the first US businesses compromised.

WCrypt Data

WCrypt is a standard crypto-ransomware which, once on the user’s system, encrypts the user’s files with the threat of deletion of the encryption keys if the user does not pay the ransom within seven days. With this variant, the ransom is demanded within 3 days or the ransom amount doubles, and within 7 days if the ransom isn’t paid, the encryption keys are deleted rendering all encrypted data unrecoverable.

Recognizing WCrypt Infections

The infection stems from a file named wannacry.exe. The hashes are listed below:

SHA256:

  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA1:

  • 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  • 51e4307093f8ca8854359c0ac882ddca427a813c

MD5:

  • 509c41ec97bb81b0567b059aa2f50fe8
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8

Once a system is infected with the ransomware, a screen similar to the following image appears informing the user of the infection as well as the ransom price and bitcoin address where the payment can be made.

[Image: WCrypt ransom screen]

The infection also typically spawns a large number of processes which are the result of the encryption process as well as the desktop theme changes and the decryptor listener.

Infection Vector: Eternal Blue

In the latest dump of the ShadowBrokers' exploits, Eternal Blue was considered especially dangerous due to its use of SMB v1 as the attack vector. The vulnerability was assigned the designations CVE-2017-0143, 0144, 0145, 0146, and 0147; it offers multiple avenues of attack, and most Windows operating systems are vulnerable. This has been determined to be the method of infection by multiple sources, including Matthew Hickey, aka HackerFantastic, a renowned malware and security researcher. Of particular note is the presence of worm characteristics in the delivery. Once infected, the system becomes part of the botnet pushing the malware out.

Identifying Eternal Blue and the WCrypt Attack

A recently released screenshot, from malware researcher Kafiene, displays the traffic patterns for the Eternal Blue exploit.

[Image: WCrypt traffic logs]

As is evidenced in the image, most traffic is seen using port 445, which is the standard port used by SMB v1 and v2. Network monitoring is essential to identify threats as they appear.

Mitigation

In order to mitigate this attack, it is recommended that:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data, which will reduce the amount of damage a crypto-ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Matthew Hickey of Hacker House discovered the decryption binary in a zip file in the PE resources which is encrypted with the password of WNcry@2ol7. This can be used to potentially decrypt the files which were affected by the malware.

Final Analysis

The infections which have been occurring lead vSOC to believe these are not necessarily targeted attacks, rather the infection vectors are exploited automatically by the Eternal Blue exploit kit against vulnerable systems within the enterprise.

References:

GuidePoint Security Hires Former FireMon Executive, Brandy Peterson, as Principal of Technology Integration

GuidePoint Welcomes Brandy Peterson as New Principal to Head up Engineering Unit

HERNDON, VA–GuidePoint Security, a leader in cybersecurity solutions for federal and commercial customers, announced today that Brandy Peterson joined the company’s executive team as their Principal of Technology Integration.

Prior to joining GuidePoint, Peterson served as CTO at FireMon for approximately a year and a half, where he effectively drove business expansion by forging alliances with network security partners, guiding product decisions and innovation, and developing a business plan for a new product build and launch.

Peterson also worked for FishNet Security for over 15 years, most recently as CTO, successfully overseeing the company’s hardware and software strategy, as well as launching their commercial Security Operations Center.

“Brandy’s rich professional history, depth of expertise in information security, and track record for successful business development will be a catalyst for GuidePoint’s own continued growth,“ noted Co-Founder and Managing Partner of GuidePoint Security, Michael Volk.

“We are expanding quickly, and I have full confidence that Brandy’s contributions as Principal of Technology Integration will further GuidePoint’s ability to architect and deliver security solutions that lead the industry,” Volk further added.

Peterson explained that his first priority will be maturing and expanding GuidePoint’s Technology Integration capabilities, with Cloud Security and Security Analytics slated as major focus areas for 2016.

Peterson’s reputation for versatility, his superior level of technical skills, motivation, and executive leadership qualities made him a prime candidate for GuidePoint, as the organization continues to expand their executive team.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

A Long Overdue Innovation in the MSSP Industry

Today’s Managed Security services are broken. More specifically, Managed Security Services Providers (MSSP) that focus on providing clients with an outsourced Security Operations Center (SOC) are broken. Organizations have resigned themselves to the fact that true SOC features and coverage cannot be obtained through MSSPs. Rather, only “checkbox” compliance and liability can be successfully outsourced. I have personally experienced this as both a trusted advisor to my clients, as well as an end-user at numerous organizations, and the result is a sad state of affairs.

Given the additional focus and resources dedicated to Information Security these days, the MSSP industry continues to grow, despite its overdue need for innovation. In speaking with GuidePoint clients for the past three years, the above premise of “checkbox” compliance and finger pointing has proven to be the prime reasons for shifting to an MSSP. Information Security leaders are forced to accept these substandard services when balancing limited budgets allocated for protecting their organization against the ever-increasing onslaught of attacks. Most organizations cannot afford to build and fully staff their SOC. The choice comes down to constructing their own SOC with limited coverage, features, and time spent finding qualified personnel or simply settling for the aforementioned benefits of MSSPs.

These limited options are unacceptable to us. And after significant market research, GuidePoint has entered the MSSP arena with a bold, new, first offering of the Virtual Security Operations Center or vSOC. Our goal is to be the best value provider by supplying our clients with the specific services they require, not be the lowest cost alert amplifier on the market. Our vSOC offering will force the legacy MSSP providers to truly rethink their business model and how they are adding value to their clients. Likewise, it will redefine what is possible by partnering with a truly next-generation MSSP.

We’ve developed our vSOC-managed services offering around six core values, all of which significantly differentiate us from the legacy MSSPs. These six core values are:

  • Providing response-time Service-Level Agreements (SLAs), based on time from event or incident validation;
  • Providing volume-based pricing, rather than per device pricing;
  • Developing a vSOC platform that addresses real-world issues;
  • Providing our clients with ownership of, and access to their data;
  • Leveraging the power and scalability of cloud computing; and
  • Providing our clients portability (you can take your vSOC environment and data with you).

If these values sound completely contrary to the MSSP industry you know, it’s because they are! GuidePoint’s innovation in the Information Security space has officially taken its largest step to date. We’re excited to force an industry, long overdue for innovation, to change.

Here’s to advancing Information Security through true innovation.

For more information on our vSOC solution, join us for the “vSOC Technology Sets New Standards, Ignites Change” webinar on April 16th. Register here. GuidePoint Security is also hosting in-person meetings at the RSA Conference 2015 in San Francisco. For more information on how to set-up a meeting, email us at info@guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Georgia, Michigan, Minnesota, Missouri, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Shellshock – Security Technology Vendor Information

Based on the requests of our clients, as discussed in our previous blog post “How shocking is “Shellshock?” below is a list of security technology vendors whose solutions are susceptible to the Shellshock vulnerability. This list will be regularly updated to provide you with timely information on the security technology vendors that you rely on to protect your organization.

Last Updated: Wednesday, October 1, 2014 13:47 EDT

Vendor

Mobile Security and Privacy in an iOS 8 World

iOS 8 was released on September 17 of this year for the iPad 2, iPhone 4S, and newer devices, and is pre-installed on the new iPhone 6 and 6+, which was released on September 19, 2014. Since blogs and articles detailing the new features and changes in iOS 8 abound, we won’t share those details here. Instead, we will cover only the security and privacy improvements. If you’re interested in all the juicy details surrounding iOS 8, have a look at the iPhone or iPad user guides published by Apple, which are available for free in the iBook store.

Now, on the topic of mobile security, according to 451 Research, mobile device security is the top source of pain for the enterprise security managers who were interviewed for their latest study. The pain points cover several general areas including consumerization, employee expectations, and device management. Mobile device security was a top concern of 16% of respondents, up 13% from last year.


So, will the security changes in iOS 8 help enterprise security managers sleep at night? Time will tell, but let’s have a look at the goods.

For starters, Apple can no longer unlock a user’s device even if requested by government or law enforcement order – that ability was removed in iOS 8. This is very important for privacy and security, especially with the rollout of the Apple Pay feature available with iPhone 6/6+. Apple also patched the so-called “diagnostic backdoors” that were supposedly used by the NSA to steal users’ data. If that isn’t enough, several other features have been created or modified to quickly enable “un-trusting” of all computers that a device has been connected to and the ability to limit the amount of data that applications collect and share about you. You can even change Safari’s default search from Google to the privacy-conscious DuckDuckGo.

Furthermore, Apple’s updated privacy policy assures users that they don’t use email and Web browsing habits to build a user profile for monetization. As if this isn’t enough to prove Apple is serious about security and privacy, most of the security measures are implemented by default. One exception is the necessity of users to manually implement two-step verification for their iCloud accounts, which will help prevent potentially sensitive data, such as selfies, from getting stolen.

Well, what do you think? Will these changes make a difference for the troubled security managers around the country? They certainly won’t hurt, but anyone involved in enterprise mobility management or mobile security research knows there’s still much to be done to reduce the risk of mobility and BYOD in the enterprise. Reach out to your GuidePoint Security account executive to learn more about what you can do to reduce the risk of adopting BYOD in your organization.

Finally, I’d be remiss if I didn’t mention the partnership that Apple & IBM announced over the summer. In my opinion, this is going to be a good thing for users and enterprises, but not so much for device and application management vendors, who may find stiff competition from companies with much deeper pockets. Will 2014 be the year that Apple and Google finally decide to take enterprise mobility seriously? We’ll all have to stay tuned as this evolves.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.


Security Visibility in the Cloud – Logging and Monitoring in AWS

By now we’re all well aware that there is a virtually limitless number of logging and monitoring solutions available on the market. Visit the Amazon Web Services (“AWS”) Marketplace, and you’ll find plenty of options. In fact, it gets really crazy when you start examining security monitoring versus application performance monitoring, often with solutions performing one role better than the other, or even just one of the roles altogether. What’s interesting to me is the lack of common Enterprise logging and monitoring solutions available in the AWS Marketplace. Obviously you can deploy instances to handle implementations of solutions like ArcSight, McAfee, LogRhythm, or NetIQ, but Splunk is the only well-known commercial provider with solutions available in the marketplace.

Now, that’s just the commercial side… what about open source? Let’s cover a few terms first, for those new to centralized logging.

Shipper – a system agent that collects and forwards, or ships, system and application logs to a centralized server.

Collector / Broker – a message broker is a system that collects and queues logs as an intermediary step to indexing the logs centrally for analysis, monitoring, and alerting. Its primary purpose is to ensure you don’t lose messages when or if your indexer falls behind, crashes, or otherwise becomes unavailable to receive logs.

Collector / Indexer – a system used to collect, parse, and store logs for searching, analysis, monitoring, and alerting.

Dashboard / Visualizer – the dashboard is used to aid in log analysis by providing a search interface, and in some solutions alerting.
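
The four roles above are easiest to see working together. The following is an added example, not code from the original post or from any of the projects it names: an in-process shipper, broker and indexer over a few constructed auth.log lines. The broker's only job is the one described above, holding events while the indexer is down so none are lost; the sample log lines, host names and addresses are all made up for the example.

```python
"""Minimal shipper -> broker -> indexer pipeline (added example, not from the post).

The shipper forwards raw log lines, the broker queues them so nothing is lost
while the indexer is unavailable, and the indexer parses and stores them for
search. In a real deployment these would be Logstash/Nxlog, Redis/RabbitMQ and
Elasticsearch; here all three run in one process to show the hand-offs.
"""
from collections import deque
import re

# Constructed sample syslog-style lines standing in for /var/log/auth.log.
SAMPLE_LOG = [
    "Apr 23 14:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51212 ssh2",
    "Apr 23 14:01:05 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51213 ssh2",
    "Apr 23 14:02:10 web01 sshd[1305]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    "Apr 23 14:03:00 web01 sudo:   deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]

# Classic syslog line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


class Broker:
    """In-memory stand-in for Redis/RabbitMQ: a FIFO queue with at-least-once delivery."""

    def __init__(self):
        self._queue = deque()

    def publish(self, event):
        self._queue.append(event)

    def pending(self):
        return len(self._queue)

    def drain(self, consumer):
        """Deliver queued events in order; stop (keeping the rest) if the consumer refuses one."""
        delivered = 0
        while self._queue:
            event = self._queue[0]          # peek; remove only after the consumer accepts it
            if not consumer(event):
                break                        # indexer down: leave the event queued
            self._queue.popleft()
            delivered += 1
        return delivered


class Indexer:
    """Parses and stores events; 'available' simulates Elasticsearch being up or down."""

    def __init__(self):
        self.available = True
        self.docs = []

    def index(self, event):
        if not self.available:
            return False                     # tells the broker to hold the event
        doc = dict(event)
        m = LINE_RE.match(event["raw"])
        if m:
            doc.update(m.groupdict())        # parsed fields sit beside the raw line
        self.docs.append(doc)
        return True

    def search(self, field, value):
        return [d for d in self.docs if d.get(field) == value]


def ship(lines, broker, source):
    """Shipper: tag each raw line with its origin and hand it to the broker."""
    for line in lines:
        broker.publish({"source": source, "raw": line})
    return len(lines)


def run_pipeline(lines, indexer_down_first=True):
    """Return (events_held_while_indexer_down, events_indexed, failed_root_logins_found)."""
    broker, indexer = Broker(), Indexer()
    ship(lines, broker, "web01:/var/log/auth.log")
    held = 0
    if indexer_down_first:
        indexer.available = False
        broker.drain(indexer.index)          # nothing delivered; everything stays queued
        held = broker.pending()
        indexer.available = True
    delivered = broker.drain(indexer.index)
    failed_root = [d for d in indexer.search("prog", "sshd")
                   if d["msg"].startswith("Failed password for root")]
    return held, delivered, len(failed_root)


if __name__ == "__main__":
    print(run_pipeline(SAMPLE_LOG))          # (4, 4, 2)
```

The peek-then-pop pattern in `Broker.drain` is the point: an event is removed from the queue only after the indexer has accepted it, which is the at-least-once behaviour you want from a real broker between Logstash and Elasticsearch.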

Open source logging and monitoring solutions abound, and like the well-known solutions missing from the AWS Marketplace, are typically implemented on purpose-built instances within your AWS Virtual Private Cloud (you are using a VPC, right?). So what comprises an open source, centralized logging and monitoring solution?

Log shippers like Nxlog, Logstash, Lumberjack, and Fluentd. Brokers like Redis, RabbitMQ, and ZeroMQ. Indexers like Elasticsearch and… well, Elasticsearch seems to be the industry-standard as far as open source goes, but there are also a lot of folks using centralized syslog-ng, or Rsyslog. Dashboards, such as Graylog2, Kibana (for Elasticsearch visibility, I like ElasticHQ), and security agents like OSSEC complete the architecture.

So, with all of these solutions available, why do I run into so many clients already in AWS, or moving to AWS, that have insufficient logging and monitoring, or worse, no logging and monitoring at all in their Cloud environment? Because Logging and Monitoring is Hard. Don’t get me wrong, it doesn’t require a rocket scientist on staff to get one or more of these commercial or open source solutions deployed. There’s preparation, communication, research, and other steps that have to be taken to properly implement logging and monitoring. I spent over a week researching available solutions, and building out proofs-of-concept in my virtualized lab to determine which solutions met my needs. That is the most critical point one should take away from this article; there is no right or wrong way to implement logging and monitoring in your AWS Cloud. As with all things IT, there is more than one way to accomplish your technical and business objectives. The trick is to find the right way for your organization.

Let’s look at some of the decision criteria that will come into play; this is not an exhaustive list:

People

  1. What expertise is available from my current staff – network engineering, development (if so, which languages), information security, incident handling, etc.?
  2. Do we have experience with a particular commercial solution?  A particular open source solution?
  3. Should I train existing staff, or hire staff with the relevant experience?
  4. Should I forget about managing this myself altogether and go with a Managed Services Provider?

Process

  1. Have we defined and documented the metrics we care about, and established a policy and process around ensuring this data is available and utilized?
  2. Have we defined and documented our business objectives behind logging and monitoring?
  3. Have we defined and documented regulatory mandates related to logging and monitoring? How do we keep our requirements and this documentation current?
  4. Have we determined roles and responsibilities involved in supporting the logging and monitoring initiative?

Technology

  1. Have we defined and documented technical requirements for our logging and monitoring solution? How do we architect our solution?
  2. Have we researched available options, and documented their strengths and weaknesses with regard to operating in our environment or culture?
  3. How do we facilitate a demonstration, proof-of-concept, or evaluation of the targeted solution?
  4. What do we log?  Where do we store logs?
  5. How do we alert appropriate personnel a problem has been detected?

After extensive research, and comparison of features and functionality, I decided upon a Hybrid ELK Stack for this case study. The ELK Stack is comprised of Elasticsearch, Logstash, and Kibana. I also added Graylog2 to support alerting, and OSSEC for file integrity and host intrusion prevention. There are numerous guides on the Interwebs to assist with deploying these solutions, so I will not go into installation and configuration in this post. I may write another article later to cover installation and configuration, but I’ve included links to all of the resources I used to get up and running at the bottom of this post. Note that, although this entire process covered a full week, the bulk of the final deployment was completed in about 12 hours. I built the final environment on AWS’ Free Tier, but didn’t even complete rolling out the dashboards before the Logstash Shipper/Logstash Collector/Elasticsearch Indexer combination on the central server decimated the t1.micro instance (Ubuntu 12.04) I deployed it on (Java consumed all available memory). Rather than tune the overwhelmed box in an attempt to stabilize it, I took advantage of being in AWS and scaled up to an m1.small instance – problem solved. In total, I spent less than $5 on my, admittedly limited, proof-of-concept.

Figure 1: Kibana 3… Dead Sexy!

Take a look at the components I selected:

  1. Log Shipper – Logstash on Linux servers, Nxlog on Windows servers. Although Logstash is cross-platform, and is perfectly capable of shipping Windows Event Logs, IIS and MSSQL logs, the author of Nxlog convinced me otherwise with his post “Why Nxlog is better for Windows.”
  2. Broker – This case study doesn’t incorporate the use of a Broker. I was originally going to include RabbitMQ in the architecture, but version dependencies led me down a path that was in danger of kludging up the whole study. In a production environment, you definitely need to use a broker to provide scalability and resiliency, but I pushed onward without including it.
  3. Indexer – Elasticsearch. Ridiculously easy decision for me, since Windows servers are in my test environment, and I was interested in testing something other than syslog.
  4. Dashboard / Visualization – Kibana 3 is dead sexy, and I’m an eye-candy kind of guy. I’d gone into this planning to just use Graylog2, since it is a great visualization tool itself, plus includes alerting capability, but after seeing screenshots of the new and improved Kibana 3.x, I couldn’t help deploying it, too. Regarding alerting, Nagios is often used in concert with Graylog2 for its ability to “roll up” alerts. If you’re interested in configuring email alerting/alarms for your Graylog2 deployment, Larry Smith has a great blog post to get you started here. Last, I also installed the ElasticHQ plugin to monitor my cluster of one’s health.
  5. As an aside, I also deployed OSSEC to the Linux and Windows servers for file integrity monitoring and intrusion prevention.

Figure 2: ElasticHQ… Elasticsearch cluster health, and a whole lot more!

A note about the final deployment: ultimately the redesigned, recently released Graylog2 v0.20.1 didn’t work out like I’d hoped. Everything was running smoothly, and based on configuration guidance and the absence of error output, it seemed I was set up properly, but I never saw the data from Elasticsearch in Graylog2. I spent the last few moments I had allocated to this project experimenting with some alternate configurations, and finally strayed so far from my working example that I had to give up. So, after a week of research and implementation time, a diagram of what we have can be seen in Figure 3.

Figure 3: AWS Logging and Monitoring PoC Architecture

This was a trivial setup – I’m using a single box for a local Logstash shipper, an Elasticsearch index, MongoDB for Graylog2, and three different web interfaces. In a production system, ensure you use a more appropriate architecture including separating each component, utilizing multiple availability zones, inserting a broker to receive messages from log shippers, utilizing SSL, etc. etc.

Although I didn’t have enough time to sort out Graylog2, and get some alerting configured, I’m pleased with the overall outcome of my Security Visibility experiment. I found OSSEC to be an excellent “partner” in my quest for visibility, despite only utilizing and documenting the file integrity portion of its functionality.
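
The file integrity portion of OSSEC that proved useful above boils down to a baseline-and-compare loop. What follows is an added example written for this post, not OSSEC's own code: it fingerprints every regular file under a directory (SHA-256, size and permission bits), re-scans, and reports what was added, removed or modified. The directory tree and the changes made to it are constructed inside `demo()` so the block runs offline.

```python
"""Minimal file integrity monitor (added example, not OSSEC's code).

Conceptually what OSSEC's syscheck does: record a baseline of hashes and
metadata for a directory tree, re-scan later, and report added, removed and
modified files. A real deployment keeps the baseline off-host and alerts via
a central server; here everything is local and in-memory.
"""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path, chunk=65536):
    """SHA-256 plus the metadata most often touched by tampering."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Return {relative_path: fingerprint} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                     # symlink targets are hashed at their own path
            baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def compare(old, new):
    """Diff two baselines; 'modified' maps each changed file to the attributes that differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for rel in set(old) & set(new):
        changed = sorted(k for k in old[rel] if old[rel][k] != new[rel][k])
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, change it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        os.chmod(os.path.join(etc, "passwd"), 0o644)
        before = build_baseline(root)

        # Simulated changes: account appended, permissions tightened, file added, file removed.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        os.chmod(os.path.join(etc, "passwd"), 0o600)
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

Hashing is what makes the check trustworthy; size and mtime alone are trivially preserved, so a monitor that compares only those attributes will miss a content change that keeps the length the same. The baseline itself is the thing to protect: if it lives on the monitored host, an attacker who can change files can also change the record of what they should look like, which is why OSSEC pushes it to a central server.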

Figure 4: OSSEC Web UI

Nxlog works perfectly for shipping Windows event logs, and of course, the lovely Kibana ties everything together and puts a nice bow on the concept of visualization.

Figure 4: Analyzing events with Kibana 3


Although this was not a terribly difficult experiment, from a technical perspective, I still wondered, “Is there another | quicker | better way to gain security visibility in AWS?” Well, yes, and no. Yes, there’s an easy way to get security visibility, plus AWS automation to boot – no, because despite this gem of AWS security visibility, I will still recommend a centralized logging and monitoring platform in AWS. So, what’s this solution, you ask? CloudPassage Halo. But wait, there’s more! Halo has an API that’s made it possible for several SIEM solutions to integrate with it, sharing the Halo security visibility love in a centralized way within your existing, or planned, logging and monitoring deployment.

Halo has enough features and functionality to warrant its own blog post, so I won’t go into those here. Suffice it to say, anyone looking for security visibility, automation, or both in AWS should definitely have a look at what CloudPassage has to offer.

Figure 5: Windows security events captured by Halo

Conclusion

Logging and monitoring is hard, but there are more than enough commercial and open source tools available to fit any size organization, with any size of budget. Attaining security visibility and appropriate incident handling isn’t just the right thing to do from a best practice perspective; many standards, regulations, and laws mandate them. So, regardless of the type of solution or solutions you select, choose and implement something, and gain insight into security incidents you may not have any idea are happening. After all, inadequate visibility is better than no visibility at all.

For additional information on this subject and the opportunity to ask questions, please click here to register for our Webinar titled:  Security Visibility in the Cloud – Logging and Monitoring in AWS occurring on May 1st, 2pm (EST).

Heartbleed – Security Technology Vendor Information

Based on the requests of our clients, as discussed in our previous blog post “The Heartburn of Heartbleed,” below is a list of security technology vendor information pertaining to the Heartbleed bug. This list will be regularly updated to provide you with timely information on the security technology vendors that you rely on to protect your organization.

Last Updated: Friday, April 18, 2014 8:19 EDT

Vendor

The Heartburn of Heartbleed

The Heartbleed Bug is a dangerous vulnerability found in OpenSSL. It potentially allows the compromise of encrypted information that, under normal conditions, is secured by SSL/TLS. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).

The following versions of OpenSSL are/are NOT vulnerable to the Heartbleed bug:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable;
  • OpenSSL 1.0.1g is NOT vulnerable;
  • OpenSSL 1.0.0 branch is NOT vulnerable; and
  • OpenSSL 0.9.8 branch is NOT vulnerable.
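
A quick way to apply the list above to an inventory is to parse the version out of whatever banner or package string you have and classify it. The block below is an added example, not from the original post: it encodes the ranges stated above, treats letters after 1.0.1g as fixed (an assumption beyond the post's list), and reports branches the post does not mention as unknown rather than guessing. The host names and banners in `SAMPLE_INVENTORY` are constructed.

```python
"""Classify OpenSSL version strings for Heartbleed exposure (added example, not from the post).

Encodes the list above: 1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch
and the 0.9.8 branch not vulnerable. Letters after 'g' on 1.0.1 are treated as
fixed (assumption). Any other branch is 'unknown' so it gets looked at by hand.
"""
import re

# First "X.Y.Z" plus optional patch letter, anywhere in the string
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Constructed inventory: host -> banner or package version string
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb01": "1.0.1",
    "mail01": "OpenSSL 0.9.8y 5 Feb 2013",
    "app01": "openssl-1.0.0l",
    "dev01": "OpenSSL 1.0.2-beta1",
}


def parse_version(text):
    """Return (major, minor, patch, letter) from a banner such as 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_status(text):
    """'vulnerable', 'not vulnerable' or 'unknown' for one version/banner string."""
    major, minor, patch, letter = parse_version(text)
    branch = (major, minor, patch)
    if branch == (1, 0, 1):
        # Plain 1.0.1 (empty letter) and a-f are affected; g is the fix.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    return "unknown"


def triage(inventory):
    """Group hosts by status so the vulnerable ones can be patched first."""
    groups = {"vulnerable": [], "not vulnerable": [], "unknown": []}
    for host, banner in inventory.items():
        groups[heartbleed_status(banner)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15s} {', '.join(hosts)}")
```

One caveat a version check cannot see: Linux distributions commonly backport the fix while leaving the reported version at 1.0.1e, so a banner-based result should be confirmed against the package changelog or with an active test before a host is treated as exposed or cleared.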

I won’t go into the technical details of this vulnerability, since that has been done en masse. If you are looking for that level of information, I recommend the following analyses:

There are several misconceptions about Heartbleed. Common ones include focusing only on end servers running Microsoft IIS while not evaluating upstream technologies like reverse proxies and load balancers, and having users change passwords before a fix has been implemented.

What I do want to discuss is a recommended approach for organizations dealing with the “Heartburn of Heartbleed.” We’ve had numerous clients reach out to us asking for assistance in several areas: identification, remediation, and working with security technology vendors to determine when their fixes will be ready. Here is what we recommend for each of these stages:

Identification

There’s been an influx of tools and scripts made available to identify the Heartbleed vulnerability. Below are ones that meet specific use cases:

Manual

Scripting

Vulnerability Management Tools

Remediation

This is where the heartburn starts. Hopefully, your organization maintains a Threat Management Program and you have already addressed your high-risk assets. If not, here is a triage approach:

  1. Patch perimeter systems first, then critical internal systems, then production systems, and then test/dev systems;
  2. If a patch or configuration fix is not yet available, <insert heartburn here>. Taking a proactive approach, you can implement a reverse-proxy (Load Balancer) that is NOT vulnerable, or can be configured as such, to terminate the encrypted connections, thereby eliminating risk to your web and application servers. If you prefer a passive approach, you can implement signatures on IDS/IPS solutions, but I do NOT recommend relying on these. Snort signatures are available here. Bro Heartbleed module here;
  3. Regenerate all SSL certificates with new private keys;
  4. Replace all SSL certificates with newly generated certificates;
  5. Revoke all old SSL certificates;
  6. Force all accounts on affected systems to expire; and
  7. Communicate to account users the necessity for the password resets. CloudPassage did a good job of this; here is a link to their blog post.

Security Technology Vendors

This is where the heartburn can reach extreme levels. Some vendors have done a great job implementing fixes as soon as updates to OpenSSL were available; however, others have been less than forthcoming with their remediation approach and timelines. These are the solutions that you rely on to protect your organization, and their internal failure to identify and remediate vulnerabilities in core components of their solutions in a timely manner has left you vulnerable. If this is the case, I recommend emailing your vendor representatives and letting them know you need this information ASAP. If you have formed an internal task force to deal with Heartbleed, it may be worth mentioning this to the vendor representative, and suggest that being “last” to remediate amongst your vendors is probably a bad idea.

If you utilize a Value Added Reseller (VAR), for example GuidePoint Security, I recommend reaching out to your Account Executive (AE) and asking for assistance. Provide your AE a list of all technology vendors you need assistance with, as you probably own more technologies than you have purchased through them. This is an area where VARs can show some of their “Value.”

Lessons Learned

It is my sincerest hope that organizations embrace this opportunity to take a fresh look at how they are dealing with a number of areas within their Information Security Program. Particularly, I believe Heartbleed has forced organizations to look at:

  • Threat Management
  • Vulnerability Management
  • Patch Management
  • Public Key Infrastructure (PKI)
  • Defense-in-Depth
  • SSL Decryption / Visibility Practices

GuidePoint Security can assist your organization in building and maturing these components of your Information Security program, as well as help procure, architect, implement, and optimize security technologies to support them (Hey, I have to get a shameless plug in somewhere, right?).

*** Updated on 4/10/14 @ 13:49 to include vulnerable/NOT vulnerable versions of OpenSSL, replace the python script with one that does not have false positives and clarify my statement on identifying vulnerabilities in core components of security technologies. ***

GuidePoint Security Recognized for Federal Partner of the Year at Third Juniper Networks Global Partner Conference

GuidePoint Security, LLC was awarded the 2013 Federal Partner of the Year at Juniper Networks’ Global Partner Conference in Las Vegas. The 2013 Juniper Partner Awards recognize outstanding achievements and commitment from the company’s top channel partners in the areas of sales, customer service excellence, technology expertise and service specializations.

“Juniper Networks’ annual partner awards recognize partners that demonstrate excellence in sales, customer service, technology expertise and service. We congratulate GuidePoint Security for its exceptional achievements and commitment to guiding its customers to build the best networks,” said David Helfer, Vice President, Worldwide Channels and Commercial at Juniper Networks.

“GuidePoint is honored to be recognized as the Juniper Federal Partner of the Year. This award is validation of our ability to deliver solutions to our customers’ most complex requirements with Juniper’s innovative products and services,” said Jim Quarantillo, Federal Partner at GuidePoint. “This award is also an indication of the training, development and focus by GuidePoint around industry leading security products and services. Partnering with Juniper to deliver best of breed security solutions has helped GuidePoint tremendously over the past year and we are extremely proud of this award and look forward to a great 2014 with Juniper.”

About Juniper Networks

Juniper Networks (NYSE: JNPR) delivers innovation across routing, switching and security. From the network core down to consumer devices, Juniper Networks’ innovations in software, silicon and systems transform the experience and economics of networking. Additional information can be found at Juniper Networks(www.juniper.net) or connect with Juniper on Twitter and Facebook.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions that enable commercial and federal organizations to more successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps our clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. For more information, visit www.guidepointsecurity.com.

GuidePoint Welcomes Joey Peloquin as Director of Professional Services

RESTON, Va., January 7, 2014 – GuidePoint Security LLC, a leading provider of innovative information security solutions, today announced that industry veteran Joey Peloquin has joined the company’s growing professional services team as Director of Professional Services. GuidePoint Security’s customized, innovative information security solutions enable commercial and federal organizations to more successfully secure IT resources. The company will leverage Peloquin’s experience to further mature its world-class Information Assurance and Technology Integration services, including application, cloud and mobile security offerings.

“Joey brings a wealth of real-world expertise in the dynamic fields of application, cloud, and mobile security,” said Bryan Orme, Principal at GuidePoint Security. “This expertise, coupled with his proven record of building elite technical teams, forwards our momentum of providing innovative security solutions for our clients’ most complicated information security challenges.”

As commercial and federal organizations further embrace today’s data-centric technologies, including mobile and cloud computing, the need to implement effective information security controls becomes paramount. Traditional thinking and controls no longer appropriately safeguard data and assets against emerging threats. GuidePoint Security provides customized innovative solutions to address the real-world information security threats that its customers face.

“I joined GuidePoint because they have managed to attract and retain a team of brilliant consultants of varying backgrounds, in addition to the founders and leadership that are veterans in the information security industry. In a nutshell, GuidePoint provides the support required to build a successful consulting practice, and the openness and attitude of sharing that will help make sure the journey together is a fun and successful one,” said Peloquin.

Peloquin’s 13-plus years of experience in the information technology industry include specializing in all areas of information security. Prior to joining the GuidePoint Security team, Joey served as Worldwide Security Architect for F5 Networks, focusing on mobile and application security, and authentication and access security. His previous experience also includes managing application and mobile security consulting teams at national security consulting firms, and establishing HP Software’s professional security services division after the acquisition of SPI Dynamics.
