SecurityWeek

Risk Management

A New Model for Cyber Risk Management: Observe, Orient, Decide, and Act

To respond to mounting cyber-attacks, advanced persistent threats, and insider leaks, enterprises and government entities need reliable, real-time visibility into their IT security posture. Unfortunately, detecting an intrusion with traditional methods can take weeks or months, and during that window attackers can exploit vulnerabilities to compromise systems and extract data. To address these challenges, organizations are exploring the use of a military concept, the OODA (Observe, Orient, Decide, Act) Loop, in their day-to-day cyber risk management operations.

The OODA Loop was originally developed by Colonel John Boyd, a U.S. Air Force fighter pilot and military strategist. The concept describes the decision cycle a combatant runs through, and holds that whoever completes the cycle faster and more accurately gains the advantage. Boyd drew the model from air combat, where a pilot who observes, orients and decides more quickly than an opponent wins the engagement, and later generalized it to competitive advantage in any situation. The OODA Loop is a succinct representation of the natural decision cycle seen in virtually every context, and many practitioners believe it can be used to identify, visualize, prioritize, and orchestrate the remediation of most cyber threats.

So what are the four steps of the OODA Loop and how do they apply to today’s cyber risk management practices?

Observe

Observation comes first: before an organization can know which "Act" (that is, which remediation actions) will minimize its cyber risk exposure, it has to see its environment clearly. With so many organizations overwhelmed by the volume, velocity, and complexity of their internal security data, streamlining the observation process has become crucial; for many enterprises, data overload has become the Achilles' heel of day-to-day security operations. Applied to this step, the OODA Loop concept calls for automated aggregation of data across different data types, mapping of assessment data to compliance requirements, and normalization that rules out false positives and duplicates and enriches data attributes.

Orient

Many organizations have focused primarily on their internal security posture and therefore have a difficult time prioritizing remediation actions by business criticality. Combining the OODA Loop model with cyber risk management tools lets an organization place internal security intelligence, external threat data, and business criticality into a single context, producing a holistic view of risk posture across networks, applications, mobile devices, and other assets. In this way, security teams can determine which threats from cyber adversaries are imminent rather than merely present.


Decide

In cyber conflict, decisions need to be made swiftly. Here the OODA Loop concept calls for risk scoring and machine-learning techniques that classify the severity of the threat each finding poses to specific assets, applications, and business processes. The same correlated data can then be drilled into and visualized, including application attack paths. Intelligence-driven analysis lets security operations teams focus on the risks that actually threaten the business and, in turn, significantly speeds up the decision process.

Act

Collaboration between security and IT operations teams, where one is responsible for identifying security gaps and the other for remediating them, remains a challenge for many organizations. In this step the OODA Loop concept calls for combining workflow, ticketing, and remediation capabilities: assigning detailed remediation steps to each vulnerability and automating risk management in real time.

Using OODA as a blueprint, it is possible to implement automated processes for proactive security incident notification with human-in-the-loop intervention. By establishing thresholds and predefined rules, organizations can also orchestrate remediation actions to close security gaps. Because the loop returns to Observe after every Act, it also provides a way to measure the effectiveness of remediation actions and to confirm that risks have actually been eliminated rather than merely ticketed.
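To make the four steps concrete, here is an added, self-contained Python sketch of one pass through the loop over vulnerability findings. It is not code from the article or from any product mentioned in it; the scanner output, asset inventory, threat-intelligence set, false-positive list, scoring weights, thresholds and re-scan results are all constructed placeholders (the VULN-* identifiers are not real advisories). Observe normalizes two differently shaped feeds and drops duplicates and known false positives; Orient attaches business criticality, exposure and exploitation intelligence; Decide scores and ranks; Act maps scores to remediation rules; and a second Observe pass verifies which fixes actually landed.

```python
"""Toy OODA loop over vulnerability findings: observe -> orient -> decide -> act.
Added illustration, not the article's or any vendor's code; all inputs
(scanner output, asset inventory, threat intel, re-scan) are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from itertools import chain

# Constructed scanner output: two tools report the same hosts with different
# field names, one exact duplicate and one known false positive. VULN-* are placeholders.
SCANNER_A = [  # network scanner, keyed by IP
    {"ip": "10.0.0.5", "plugin": "VULN-1001", "cvss": "9.8"},
    {"ip": "10.0.0.5", "plugin": "VULN-1001", "cvss": "9.8"},   # duplicate
    {"ip": "10.0.0.7", "plugin": "VULN-1002", "cvss": "5.3"},
    {"ip": "10.0.0.7", "plugin": "VULN-1004", "cvss": "6.1"},   # previously triaged as false positive
]
SCANNER_B = [  # agent-based scanner, keyed by hostname
    {"hostname": "web01", "cve": "VULN-1001", "severity": 9.8},  # same finding as A's first
    {"hostname": "dev-box", "cve": "VULN-1003", "severity": 7.5},
]
# Constructed asset inventory; criticality runs 1 (low) to 5 (business critical).
ASSETS = {
    "10.0.0.5": {"hostname": "web01", "criticality": 5, "internet_facing": True},
    "10.0.0.7": {"hostname": "db01", "criticality": 4, "internet_facing": False},
    "10.0.0.9": {"hostname": "dev-box", "criticality": 1, "internet_facing": False},
}
EXPLOITED = {"VULN-1001"}                  # constructed external threat intel
FALSE_POSITIVES = {("db01", "VULN-1004")}  # constructed prior triage decision
# Act rules: (minimum score, remediation action); first match wins.
RULES = [(100.0, "emergency-patch"), (20.0, "scheduled-patch"), (0.0, "backlog")]

# Normalized finding: hashable so duplicates from different feeds collapse.
Finding = namedtuple("Finding", "host vuln_id cvss")

@dataclass
class RiskItem:
    finding: Finding
    criticality: int
    internet_facing: bool
    exploited: bool
    score: float = 0.0
    action: str = ""
    status: str = "open"

def observe(*sources):
    """Observe: normalize both feeds to one schema, drop duplicates and known false positives."""
    ip_to_host = {ip: a["hostname"] for ip, a in ASSETS.items()}
    seen, findings = set(), []
    for rec in chain(*sources):
        host = rec.get("hostname") or ip_to_host.get(rec.get("ip"), rec.get("ip"))
        f = Finding(host, rec.get("cve") or rec.get("plugin"),
                    float(rec.get("severity", rec.get("cvss", 0.0))))
        if f in seen or (f.host, f.vuln_id) in FALSE_POSITIVES:
            continue
        seen.add(f)
        findings.append(f)
    return findings

def orient(findings):
    """Orient: put each finding in business context (criticality, exposure, threat intel)."""
    by_host = {a["hostname"]: a for a in ASSETS.values()}
    items = []
    for f in findings:
        asset = by_host.get(f.host, {"criticality": 1, "internet_facing": False})
        items.append(RiskItem(f, asset["criticality"], asset["internet_facing"],
                              f.vuln_id in EXPLOITED))
    return items

def decide(items):
    """Decide: score = CVSS x criticality, x2 if exploited in the wild, x1.5 if internet-facing."""
    for it in items:
        score = it.finding.cvss * it.criticality
        score *= 2.0 if it.exploited else 1.0
        score *= 1.5 if it.internet_facing else 1.0
        it.score = round(score, 1)
    return sorted(items, key=lambda it: it.score, reverse=True)

def act(ranked):
    """Act: assign the remediation action of the first rule each item satisfies."""
    for it in ranked:
        it.action = next(a for threshold, a in RULES if it.score >= threshold)
    return ranked

def verify(items, rescan):
    """Close the loop: an item is 'verified' only when a fresh observation no longer reports it."""
    still_open = {(f.host, f.vuln_id) for f in rescan}
    for it in items:
        it.status = "open" if (it.finding.host, it.finding.vuln_id) in still_open else "verified"
    return items

def run_loop():
    """One full pass, then a second Observe to measure whether remediation worked."""
    items = act(decide(orient(observe(SCANNER_A, SCANNER_B))))
    # Constructed re-scan: web01 was patched; db01 and dev-box were not.
    rescan = observe([{"ip": "10.0.0.7", "plugin": "VULN-1002", "cvss": "5.3"}],
                     [{"hostname": "dev-box", "cve": "VULN-1003", "severity": 7.5}])
    return verify(items, rescan)

if __name__ == "__main__":
    for it in run_loop():
        print(f"{it.finding.host:8} {it.finding.vuln_id}  score={it.score:6.1f}  "
              f"{it.action:16} {it.status}")
```

Running the module prints the ranked items with their action and verification status. Two things are worth noticing: the 7.5 finding on the low-criticality dev box ranks below the 5.3 finding on the production database, because Orient supplied the business context that raw CVSS lacks; and an item is only marked verified by a new observation, not by the remediation team declaring it done, which is the measurement the final paragraph of the Act section refers to.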

To implement the OODA Loop concept, progressive organizations are using cyber risk management software as an overlay to their existing security infrastructures. This approach provides the necessary aggregation, intelligence-based analysis, and orchestration capabilities to identify and respond to cyber threats early in the kill chain.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
