Steve Schlarman

Security Operations Management: Castor and Pollux

Blog post created by Steve Schlarman on Jan 14, 2014

Last week, a security flaw was uncovered in the X Window System that had sat unnoticed for almost 22 years. According to the advisory: ‘This bug appears to have been introduced in the initial RCS version 1.1 checked in on 1991/05/10, and is thus believed to be present in every X11 release starting with X11R5 up to the current libXfont 1.4.6.’ Now, I consider myself a semi-grizzled veteran, but 22 years ago I hadn’t even started my security career. In my last blog, I talked about the ongoing feud between the White Hat(fields) and the McCriminals. It is these types of issues that rise up and remind us that this feud is a constant battle involving both new and old cracks in our castle walls.


Vulnerabilities rarely make top IT news, but a 22-year-old vulnerability is a bit rare. So on the off chance that it makes some ripples in your CIO’s immediate attention, you could be faced with the inevitable questions: “Are we affected? What’s the story around this? What other 22-year-old security flaws might we be facing?”


Staying on top of this type of intelligence is critical to maintaining a proactive stance, and it is what drives security teams to maintain vigilance. I wrote blogs last year about the importance of Vulnerability Risk Management (VRM). A VRM program that is an active part of the security posture can use this intelligence to launch preemptive strikes against this vulnerability. What systems are running X Windows? What systems are listening on port 20? Which of those systems are most critical to the business? Given that this is a *nix-based vulnerability, the probability that the affected systems are part of critical infrastructure is pretty good. A well-functioning VRM program (as I described it in the previous blogs) should be able to give a solid picture of the possible attack vectors and vulnerable systems.
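As an added illustration of the triage questions above (not code from the original post), the snippet below turns the advisory's affected range (every libXfont release up to 1.4.6) into a check against an asset inventory and ranks the affected hosts by business criticality. The inventory, host names and the 1.4.7 "fixed" version are constructed for the example.

```python
# Constructed asset inventory (hypothetical hosts); a real one would come from
# the VRM tool's CMDB or a package scanner. None means libXfont is not installed.
INVENTORY = [
    {"host": "build-01",   "libxfont": "1.4.6",   "criticality": "high"},
    {"host": "kiosk-07",   "libxfont": "1.4.2",   "criticality": "low"},
    {"host": "db-primary", "libxfont": None,      "criticality": "high"},
    {"host": "ci-runner",  "libxfont": "1.4.7-1", "criticality": "medium"},  # hypothetical fixed build
]

# Lower rank = more urgent; mirrors the "which systems are most critical?" question.
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_version(version: str) -> tuple:
    """Turn '1.4.10-2' into (1, 4, 10). Compare as integers, not strings,
    so that 1.4.10 is correctly treated as newer than 1.4.6."""
    upstream = version.split("-")[0]
    return tuple(int(part) for part in upstream.split("."))


def is_affected(version, last_affected: str = "1.4.6") -> bool:
    """True when the installed libXfont falls inside the advisory's affected
    range (all releases up to and including last_affected)."""
    if version is None:          # package absent: nothing to patch here
        return False
    return parse_version(version) <= parse_version(last_affected)


def prioritize(inventory, last_affected: str = "1.4.6"):
    """Return affected hosts, most business-critical first, so that monitoring
    can be ratcheted up on them until the fix is rolled out."""
    affected = [h for h in inventory if is_affected(h["libxfont"], last_affected)]
    return sorted(affected, key=lambda h: (CRITICALITY_RANK[h["criticality"]], h["host"]))


if __name__ == "__main__":
    for entry in prioritize(INVENTORY):
        print(f"{entry['criticality']:>6}  {entry['host']}  libXfont {entry['libxfont']}")
```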


This intel should then turn around and inform security operations, the individuals watching for active attacks. Until the fix is available and rolled out, the monitoring infrastructure can be ratcheted up on those critical devices, ensuring that if something does go south, the reaction is planned and swift. There are other controls that can be adjusted while this vulnerability is investigated and resolved; the main idea is to get the wheels in motion and be prepared.


Now, to the Castor and Pollux reference in my title: Castor and Pollux are the names of the twins of the “Gemini” in Greek mythology, and thus represent the two-headed security approach involving proactive measures (such as Vulnerability Risk Management) and reactive preparations (such as an agile Security Operations strategy) that are absolutely necessary today. Vulnerabilities pop up on the radar from all sources, some lying dormant for decades before being uncovered, some introduced with the latest code, and a security organization that thinks in terms of a balanced approach is best positioned to address shifting priorities.

  • Potential threat and attack vectors must be identified and responded to as fast as possible.  A Vulnerability Risk Management program is a critical mechanism for this.
  • Actual active attacks must also be identified and responded to as fast as possible.  A Security Operations Management strategy is the main device necessary for this.

Most security organizations are locked in a constant struggle and traveling on the journey of a security strategy to put these two complementary approaches in place. I think it is fitting that travellers and sailors appealed to Castor and Pollux for safe journeys, and that the twins were also regarded as supporters of athletes and thus petitioned by those engaged in athletic contests. Those who found favor with the Gemini were thought to be aided in moments of crisis. Given the ongoing war most security organizations are locked in against malicious adversaries, Castor and Pollux are fitting patrons.


For thoughts on Castor (Vulnerability Risk Management), see my previous blog series (1, 2, 3). For more thoughts on Pollux (Security Operations), stay tuned. Meanwhile, check out the details on our Security Operations Management module.