EFail

vSOC SPOT Report: EFAIL – Encryption Technology OpenPGP and S/MIME

Overview

On May 14th, 2018, a group of German security researchers, lead by Sebastian Schinzel, disclosed a vulnerability believed to be in the PGP and S/MIME encryption for email. The vulnerability appears when an attacker has gained access or intercepted encrypted emails and manipulates the HTML content of the message, such as images or styles, and then sends the maliciously crafted email to a recipient. Upon opening the message in an email client it is decrypted, along with the external maliciously altered content, allowing the attacker to gain access to any plaintext within the email. The majority of mail clients in use today are impacted by this vulnerability, including Outlook, Gmail, and iOS Mail.  A specific list is provided at the end of this document.

Attack Details

There are two separate attacks in which the attacker is required to have exfiltration channels in place in order to obtain the encrypted emails and these channels can be set up by having access to a client’s system, server, network traffic, or compromising email accounts directly.

The first attack is called “Direct Exfiltration” in which an attacker utilizes Apple Mail, iOS Mail, or Mozilla Thunderbird to view the encrypted emails in plaintext. The attack requires the attacker to send an email that contains three parts with the first part containing the HTML content-type within it, the second part is an image src attribute that contains the ciphertext of the PGP or S/MIME encryption, the third section would then close the image src attribute. Once this email is sent to the victim is opened, it allows the external content to be loaded in plain text within emails is then exfiltrated to the attackers to view.

The second attack takes advantage of the ability to attack encrypted messages if you know any of the plaintext. Since most encrypted messages start with “Content-type: multipart/signed,” it is possible to generate an encrypted gadget derived from this known plaintext containing HTML tags and inject it into existing messages. Then, when the reader opens the message, the client sends the plaintext back to the attacker.

Potential Impact

An attacker who is able to inject the required HTML content into an encrypted message in transit can use the HTML payload to recover the plaintext of the encrypted message.

The attacker will have to get in between the sender and the recipient in order to inject the payload or get onto the system containing an encrypted mailbox. Getting into position to carry out either attack is difficult.

What You Should Do

Since the attack scenarios rely on HTML formatted email, disabling HTML rendering in your mail client is advisable and disallow external links to be loaded within email clients. While not a foolproof mitigation in all mail clients, until vendors release patches, it is the only mitigation. When patches are released for your mail client, deploy them as soon as possible. Mozilla promised updates by the end of the week, while Apple said it will have patches “soon.” Microsoft has not yet stated its plans. In the meantime, be careful about sending sensitive information over email.

For a list of impacted mail clients please refer to the list below provided by EFAIL researchers:

EFAIL Table

Table from, “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels (draft 0.9.0)” by Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk

 

Lisa Morehouse of GuidePoint Security Recognized as a Power 30 Solution Provider in CRN’s 2018 Women of the Channel

CRN®, a brand of The Channel Company, has named Lisa Morehouse, Vice President of Operations at GuidePoint Security to its list of 2018 Power 30 Solution Providers, an elite subset of its prestigious annual Women of the Channel list.

CRN’s editorial team selects Women of the Channel honorees based on their professional accomplishments, demonstrated expertise and ongoing dedication to the channel. The Power 30 Solution Providers belong to an exclusive group drawn from this larger list: women leaders in solution provider organizations whose vision and influence are key drivers of their companies’ success and help move the entire IT channel forward.

Morehouse has worked in the channel for over a decade. Her knowledge, expertise and experience provides GuidePoint Security with an invaluable competitive edge that increases channel business dealings and enhances distribution relationships. Since joining GuidePoint in 2012, Morehouse developed and improves nearly all aspects of the company’s daily operations, from accounting and finance, to legal and contracts. With her guidance and oversight, GuidePoint Security has become one of the premiere cybersecurity companies in North America.

“This accomplished group of leaders is steadily guiding the IT channel into a prosperous new era of services-led business models and deep, strategic partnerships,” said Bob Skelley, CEO of The Channel Company. “CRN’s 2018 Women of the Channel list honors executives who are driving channel progress through a number of achievements—exemplary partner programs, innovative product development and marketing, effective team-building, visionary leadership and accelerated sales growth—as well as advocacy for the next generation of women channel executives.”

“We’re very proud of the many accomplishments and contributions Lisa Morehouse has made to GuidePoint Security,” Founder and Managing Partner Michael Volk noted. “With her business and channel insight, and tireless efforts, our organization has been able to serve a greater and diverse commercial and federal customer base without having to worry about the types of issues other organizations face with such rapid and consistent growth. Lisa is an indispensable member of GuidePoint team. She has made a remarkable difference in our organization as well as with our channel interactions,” Volk added.

The 2018 Women of the Channel list will be featured in the June issue of CRN Magazine and online at www.CRN.com/wotc. For additional information about Morehouse, visit her CRN profile here: https://wotc.crn.com/wotc2018-details.htm?w=285&itc=refresh.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

About the Channel Company

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers and end users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelco.com

GuidePoint Security Named One of 2018 Tech Elite Solution Providers by CRN®

Tech Elite 250 list recognizes IT solution providers with deep technical expertise and premier certifications

CRN®, a brand of The Channel Company, has named GuidePoint Security to its 2018 Tech Elite 250 list. This annual list honors an exclusive group of North American IT solution providers that have earned the highest number of advanced technical certifications from leading technology suppliers, scaled to their company size.

To compile the annual list, The Channel Company’s research group and CRN editors work together to identify the most customer-beneficial technical certifications in the North American IT channel. Companies who have obtained these elite designations— which enable solution providers to deliver premium products, services and customer support—are then selected from a pool of online applicants.

GuidePoint cybersecurity professionals, who make up the majority of our workforce, provide the services, strategies, and solutions necessary to help customers navigate through the risks and threats, which could have devastating consequences. Whether it is helping our customers to maximize older solutions, by implementing untapped security features, or creating brand new offerings, GuidePoint is committed to ensuring our work and solutions result in a safer cyber environment.

“Being named to CRN’s Tech Elite 250 list is no small feat,” said Bob Skelley, CEO of The Channel Company. “These companies have distinguished themselves with multiple, top-level IT certifications, specializations and partner program designations from the industry’s most prestigious technology providers. Their pursuit of deep expertise and broader skill sets in a wide range of technologies and IT practices demonstrates an impressive commitment to elevating their businesses—and to providing the best possible customer experience.”

“We’re honored to be placed on this list among such highly respected and accomplished organizations,” noted Michael Volk, GuidePoint Security Founder and Managing Partner. “Our dedication to hiring the most accomplished professionals and teaming with a wide range of top level vendors are just some of the reasons we are always be able to offer our clients the very best customized solutions to meet all of their security needs,” Volk added.

Coverage of the Tech Elite 250 was featured in the April issue of CRN, and online at www.crn.com/techelite250.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

About the Channel Company

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers and end users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelco.com

The Channel Company, LLC. CRN is a registered trademark of The Channel Company, LLC. All rights reserved.

GuidePoint Security Recognized for Excellence in Managed IT Services

CRN®, a brand of The Channel Company, has named GuidePoint Security to its 2018 Managed Service Provider (MSP) 500 list in the Security 100 category. This annual list recognizes North American solution providers with cutting-edge approaches to delivering managed services. Their offerings help companies navigate the complex and ever-changing landscape of IT, improve operational efficiencies, and maximize their return on IT investments.

In today’s fast-paced business environments, MSPs play an important role in helping companies leverage new technologies without straining their budgets or losing focus on their core business. CRN’s MSP 500 list shines a light on the most forward-thinking and innovative of these key organizations.

The list is divided into three categories: the MSP Pioneer 250, recognizing companies with business models weighted toward managed services and largely focused on the SMB market; the MSP Elite 150, recognizing large, data center-focused MSPs with a strong mix of on-premises and off-premises services; and the Managed Security 100, recognizing MSPs focused primarily on off-premise, cloud-based security services.

GuidePoint Security invested in a specialized team that developed our Virtual Security Operations Center (vSOC), to address flaws commonly found with other Managed Security Service Providers (MSSPs). As a result, GuidePoint’s vSOC provides differentiated customer-centric managed security services.

GuidePoint’s vSOC combines advanced detection and response capabilites, threat hunting powered by proprietary machine learning, and experienced security personnel, all provided as a service.

“Managed service providers have become integral to the success of businesses everywhere, both large and small,” said Bob Skelley, CEO of The Channel Company. “Capable MSPs enable companies to take their cloud computing to the next level, streamline spending, effectively allocate limited resources and navigate the vast field of available technologies. The companies on CRN’s 2018 MSP 500 list stand out for their innovative services, excellence in adapting to customers’ changing needs and demonstrated ability to help businesses get the most out of their IT investments.”

“Significant enhancements to our service offerings and processes, as well as the expansion of our vSOC team over the last year enabled GuidePoint to respond to the increased demand for our offerings,” explained GuidePoint’s Director of vSOC Product Development, Robert Vaile. “Our passion around continued innovation, key technology partnerships and world-class customer satisfaction are powerful differentiators for us and will continue to fuel our success.”

The MSP500 list will be featured in the February 2018 issue of CRN and online at www.CRN.com/msp500.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

No Cookie Cutters

Many organizations trying to mature their Application Security Programs are buying SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) solutions. For those unfamiliar, SAST tools are used for binary, byte, or source code analysis, and look for flaws at the code level, whereas DAST tools are meant to test an application at run time. These tool sets can add a lot of value to an organization, but how they are implemented into the SDLC will determine the true return on investment. Some organizations create a budget, then buy some tools…but beyond that, still need help figuring out next steps. Where there may not be a cookie cutter solution for this, there are common factors that will help you determine the most effective strategy for implementation.

Before we talk about implementing SAST and DAST tools into the SDLC, organizations should first gain an understanding of the size of their application portfolio, how many licenses they can reasonably budget for, and the amount of resources required to implement, tune, support and run these tools. Once those factors are understood, one must put the cart before the horse and ask how the results from these tests will be reviewed, who will review them, and how they will get tracked and prioritized for remediation.

Smaller development shops tend to have tighter budgets and a more tactical approach, given that they may only have one or two application security resources. With environments like this, the development leads are often getting asked for help, and being trained to run the tools themselves so that the application security resources can focus their time on reviewing, validating, analyzing, and tracking the results. Organizations should try to avoid implementing tools which are licensed per user. Why should you have to choose which developer should be able to proactively find issues in the code being developed? The whole purpose of driving automated tools into the SDLC is to encourage all developers to develop based on secure coding principles and be able to test their code as early in the SDLC as possible. When everyone on the development team has the same chance at secure development, a formalized secure coding standard starts to take shape.

Developers leveraging these tools are a very good thing for an organization, but this activity should never replace the more formal review performed by application security professionals. Frequency of testing factors in several other considerations that are a bit off topic for this blog, but may be revisited in a future article.

For issue tracking, the organization may leverage their ticketing, bug tracking, or GRC systems, but needs to also take into consideration what kind of detail is contained within the tickets. In other words, not everyone who can access the tickets should be able to access vulnerability details or application specifics. The ticket should be as generic as possible with details tracked in a system that can be limited to least privilege. Even a developer of one application shouldn’t necessarily have access to the vulnerabilities of another application they don’t work with. It’s important to keep the existence of insider threats in mind when deciding how much detail to reveal within an environment. If the application security issues are available to everyone, and an attack is executed before remediation is in place, this could introduce a great deal of complexity into an internal investigation.

Another important part of the process is aligning the findings that come out of the tools with the security policies/standards that may already be in place. Each tool assigns default levels of severity for each finding. These are typically configurable and should be reviewed, as some organizations may want to change some of these levels based on their own unique environments or controls. It is common for our clients to have a policy or standard in place (whether it be formal or informal) that requires the remediation of all high or medium severity findings prior to code being implemented to production. Ensuring the findings in the tools are configured to help meet this standard also aligns the business and security with the process. It should be noted that if developers can access and run these tools, they should not be able to reconfigure the severity levels themselves and should not deem anything a false positive without a formal review by the security team. Checks and balances are important to maintain, even in a large development shop or organization.

Overall, automated tools are an important part of a Secure SDLC program and provide a lot of value to any development organization. They can help increase the coverage for testing, help identify “low hanging fruit”, and are a great first step to help kick start a new Application Security Program within an existing SDLC. However, organizations must consider implementing usage plans and developing processes to expand the quality and security of the code, as well as provide a much more significant return on investment. Just remember, the solution is as unique as your development environment and overall business. There are no cookie cutter solutions to implementing tools, but GuidePoint is here to help you, and we might even have cookies!

About the Author

Kristen Bell, Managing Security Consultant – Application Security

Kristen is a Managing Security Consultant at GuidePoint Security who started in Application Security in 2005. Prior to joining GuidePoint, Kristen consulted for numerous companies performing application security services. Kristen has a background in the government sector, building application security programs and providing guidance in secure application design.

Kristen’s experience includes conducting application security assessments and database security reviews, secure SDLC consulting, as well as working with clients to improve their enterprise vulnerability management. Kristen’s ability to bridge the gap between technical and non-technical people, coupled with her strong interpersonal skills, has made her a strong champion for application security frameworks and controls for her customers. Kristen earned a Bachelor of Science degree in Computer Science from Kentucky State University.

Exim MTA

vSOC SPOT Report: Exim Remote Code Execution Vulnerability

Overview

On March 6th, 2018, a security researcher by the name of Meh Chang of Devcore, a Taiwanese security consulting firm, published a remote code execution vulnerability that is present in the mail transfer agent, Exim. Exim is a mail transfer agent (MTA for short) for Unix servers that was developed at the University of Cambridge. Its use is very widespread, estimated to be used on hundreds of thousands of different servers, and it is the default mail transfer agent on some popular web control panels, such as cPanel. It is also the default mail transfer agent in the Debian and Ubuntu Linux distributions. Due to the widespread use of Exim, we believe this vulnerability is particularly dangerous. The vulnerability was first disclosed to Exim on February 2nd, 2018, and a patch was published on February 10th to resolve this issue. This vulnerability is currently being tracked under CVE-2018-6789.

Attack Details

The attack exploits the Base64 decode function of the Exim MTA. The AUTH function of Exim, in most cases, uses Base64 encoding to communicate with the client. Exim uses a buffer to store the decoded Base64 data. Chang found that it was possible to use a certain invalid Base64 string to cause Exim to allocate less space for the buffer than it consumed, creating a buffer overflow. Normally this buffer overflow is harmless, but it is possible to craft the Base64 string to a certain length to overwrite critical data.

Remote execution is possible depending on the use of the Access Control List (ACL) strings in Exim. Chang found that it was possible to overwrite the ACL strings, and then initiate an ACL Check using the ‘MAIL FROM’ SMTP command. When an ACL Check is performed, any code in these strings will be executed if it encounters ${run{cmd}}.

Potential Impact

There have been no known active exploits or proofs of concept of this vulnerability, but this is expected to change in the days following the disclosure due to the ease of exploiting it. Also, the estimated number of machines affected by this vulnerability is very high. A successful exploit of this vulnerability could allow the attacker to gain full access to the mail server. This could then be used to compromise privileged information through the use of reading emails, or the copying, modifying, sending, or deleting of email. This server can then be used as a launching point for further attacks within your network. Even if you are not using Exim within your environment for mail, you could still be vulnerable if Exim is installed and there are open SMTP ports that allow incoming mail.

What You Should Do

Exim has already published Exim 40.9.1 to fix this vulnerability. ALL versions of Exim prior to 40.9.1 are vulnerable to this. Patches are available for Debian, Fedora, SuSE, and Ubuntu Linux distributions as standard packages. Some vulnerability scanners have already added checks for this vulnerability, such as Qualys, Rapid7 and Tenable. We would recommend you review your environment for any indication of vulnerable mail servers and ensure these are updated

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

GuidePoint Security recognized as recipient of 2018 Splunk Partner+ Awards

GuidePoint Security Named Global Partner of the Year and Americas Partner of the Year for Outstanding Performance

HERNDON, VA – March 5, 2018 – GuidePoint Security, a cybersecurity company that provides world-class solutions, today announced it has received the Splunk 2018 Global Partner of the Year award as well as the Americas Partner of the Year award, for exceptional performance and commitment to the Splunk® Partner+ Program. The prestigious Global Partner of the Year and Americas Partner of the Year awards recognize the Splunk partner who has demonstrated the ability to find and lead incremental business with a continued commitment to their partnership with Splunk. Learn more about the Splunk Partner+ Program here.

The Splunk Partner+ Awards are designed to recognize members of the Splunk ecosystem for industry-leading business practices and dedication to constant collaboration. Areas of consideration for an award include commitment to customer success, innovative program execution, investment in Splunk capabilities, technology integrations and extensions, and creative sales techniques.

“We’re honored to receive such prestigious awards,” GuidePoint Security Co-Founder and Principal Justin Morehouse noted. “It’s a testament to the strong partnership our two organizations developed over several years. Beyond our capabilities to provide Splunk certified professional services, our strategic partnership is supported by GuidePoint’s vSOC Managed Security Services, which continues to disrupt the MSS industry,” Morehouse added.

“As a vital partner to Splunk, we applaud GuidePoint Security for being recognized as the Global Partner of the Year and the Americas Partner of the Year, said Cheryln Chin, vice president of Global Partners, Splunk. “The Splunk Partner+ Awards recognize partners like GuidePoint Security who exemplify the core values of the Partner+ Program coupled with a strong commitment to growth, innovation and customer success.”

Winners of the Splunk Partner+ Awards reflect the top-performing partners globally and regionally. All award recipients were selected by a group of the Splunk executives and global partner organization. Read more about the Splunk Partner+ Program.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

When user behavioral analytics isn’t the right name

There is a lot of talk about “machine learning” and “behavioral analytics” in the cybersecurity world. Some products and companies are doing a great job designing big data based solutions that use higher math and analytics to find and alert on unusual or malicious activities. Some products are simply a higher order of signatures hiding behind a shiny veneer to make them look like math and analytics.

But sometimes there is a way of doing things that’s simply, well, more than that. There are user behavioral products out there that I think really should be named something different. I’m not sure what that marketing name should be, but let me explain what they do and maybe someone can create a cool shiny name for it.

These products do in fact use math and analytics to baseline activities and alert on deviations, but more importantly, they collect up activities around those deviations and create timelines of total activity and then score them. This is higher order incident response. If you walk into any SOC when a major alert is being investigated, the first thing a SOC analyst will do is collect up evidence and create a timeline of activity around it. Then once all this information is plotted together of “what just happened” they make a decision about whether it was a user who hit something, an application that hiccupped, or the possibility of something much more sinister.

At least one of the user behavioral analytics products does most of that heavy lifting, and does it fast and automatically. Its hands over the timelines and evidence for a human to then validate the “risk score” or invalidate and throw in the trash. Who wouldn’t like to have more time back for their SOC analysts to go proactively hunting instead of reacting? It could be a game changer for many cash and talent strapped agency SOCs.

So, what should these products be called? They aren’t classic automation and orchestration products. They aren’t an IR tool for forensics. They are doing rock star user behavioral analytics, that’s true. Oh alright, I’ll keep calling them user behavioral analytics for now… until someone smarter than me figures out that cool shiny marketing term.

Join GuidePoint Security and Exabeam on March 21st, for a live webinar, to learn more about how they aren’t, well maybe are,  the best User Behavioral Analytics product on the market.  Click here for more information.

About the Author

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.

Enabling Public Cloud Application Performance and Security

There has been a lot of talk about cloud security and how to monitor SaaS and IaaS access and usage, both sanctioned and unsanctioned. However, one thing that needs to be talked about more is how applications that are known, tracked and managed are being deployed in the cloud, via IaaS.

When deploying applications on premise, either in a datacenter or in a DMZ, there are firewalls, network monitoring and various security controls that are known and already in place before an application even enters the discussion. However, when moving an application to the cloud via IaaS, none of those security controls exist by default, despite what customers might believe. This specifically applies to application hosting front ends such as ADC/WAFs.

Unfortunately, many cloud hosting deployments are being managed by development teams, not network or security teams. And while developer teams know what they are doing and are professionals, they often are not even aware of what network and security teams have done before they deploy their applications. An example of this is how many development teams are deploying default application delivery controllers offered up by IaaS providers. These ADCs appear to be point and click and cheap. And they are.

The problem is that they lack the performance and security that typical enterprise ADC/WAF appliances, virtual or otherwise, offer. Some of the clearest examples are features like DAST that allows an application to be scanned and resulting vulnerabilities be virtually patched by the application. Another example is the ability to automate security controls and requirements through industry standard DevOps tools like Ansible, Puppet, Chef as well as classic scripting languages like python and PowerShell. Further, using a product like F5 ASM that leverages broad industry support, application templates can be deployed with little or no customization or for custom applications, creating a custom security policy that can be accomplished with little or no user interaction with a Rapid Deployment Policy interface.

The final value, and probably the most critical, is a must-have for any government agency. A true enterprise virtual ADC/WAF offers FIPS level data encryption for application data in-flight. Without integrating with physical FIPS hardened appliances, the private keys necessary to do secure SSL transit data cannot be stored properly. Default ADC/WAFS supplied by the major IaaS providers do not have the ability to do this. Therefore, an enterprise software version is required.

Besides the added functionality, using a software enterprise ADC/WAF like F5 also provides consistency across on premise physical, on premise virtual and cloud application hosting. First and foremost, no new learning is required to ensure that the ADC/WAFS in the cloud are meeting security policy and are configured correctly. Any security issue can be resolved in the same manner that is currently used and probably will be used for on premise applications in most agencies that are going to persist to be hybrid computing for some time. A single management can be used for all and no additional training or risk of misconfiguration is added into the application life-cycle.

This consistency can be the difference between resolving a security issue with a few clicks in the proxy of an enterprise solution, and scrambling to figure out how to patch or fix code in an application that now has a major vulnerability and is in production. A common example is Heartbleed. When that hit enterprises, F5 front ended applications were able to resolve all applications, in some cases hundreds by simply pushing out a mitigation at the proxy, and then mapping out the patching and code fixes of the applications with more time and planning.

For a deeper dive into the differences between default IaaS ADC/WAFS, HSM integration to secure application traffic in-flight and how to securely move application to the cloud, join GuidePoint Security, F5 and Thales Security on Feb 27th for our live webinar.  Click here to register.

About the Author

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.

vSOC Background

GuidePoint Security Managed Services and Splunk providing value together

Recently, mainstream industry surveying and analyst firms have echoed what security leaders have known for some time, there are insufficient skilled security professionals to meet the demands for in-house cybersecurity expertise. This is driving security leaders from all industry segments to consider capable external security services providers to deliver needed expertise. Even organizations that have traditionally preferred or mandated that staff security resources be provided internally, have begun to explore outsourcing security capabilities. Federal government agencies that have strict control requirements and historically internal security teams are increasingly looking externally for capable managed security service providers (MSSP).

One of the hottest areas of need is Splunk expertise. Both installing, configuring and running as well as “eyes-on-glass” SOC analysts are using the application to keep agencies secure. While Splunk is an incredibly powerful platform that is taking the Federal government by storm, the situation has created an expected inability to find qualified “Splunkers” at an affordable cost for government agencies.

The challenge and opportunity for MSSPs like GuidePoint Security, is to deliver highly mature services that are compatible with the requirements of government organizations. For example, GuidePoint employs only US citizens who are based in the United States to manage security services for our customers. GuidePoint vSOC managed services, based on Splunk technology, can be deployed to FedRamp environments, and support FedRamp controls. These types of capabilities will be key to supporting an increasing government client base.

But government clients do not simply require checkbox compliance requirements to be met, they also expect sophisticated operational capabilities and high levels of service. Agencies expect to maximize the value delivered by the MSSP, and to minimize the time and effort of scarce internal security resources. GuidePoint prides itself on delivering white-glove service to its customers by managing SIEM to a higher level than typical of MSSPs. For example, vSOC analysts validate every Splunk event with the intent of eliminating false positives before providing an alert to clients. GuidePoint has augmented its core service (vSOC Detect) with advanced technologies and processes that integrate natively with Splunk, including extensive threat intelligence enrichment, darkweb threat monitoring, security automation and orchestration, active threat hunting, and managed endpoint detection & response. These capabilities allow GuidePoint to deliver advanced security operations that can significantly augment a client’s internal security capabilities. These service features also offer a level of capability and sophistication required by government clients.

Join us on Thursday Feb 22nd, for a live webinar, to hear more about how GuidePoint’s vSOC managed security services is leveraging Splunk to provide differentiated SOC-as-a-service to federal agencies.  Register now.