SecurityWeek

Risk Management

A New Model for Cyber Risk Management: Observe, Orient, Decide, and Act

To respond to mounting cyber-attacks, advanced persistent threats, and insider leaks, enterprises and government entities need reliable, real-time visibility into their IT security posture. Unfortunately, it can take weeks or months to detect intrusions using traditional methods, during which time attackers can exploit vulnerabilities to compromise systems and extract data. To address these challenges, organizations are exploring the use of a military concept called the OODA (Observe, Orient, Decide, Act) Loop in their day-to-day cyber risk management operations.

The OODA Loop was originally developed by Colonel John Boyd, one of the most decorated fighter pilots in U.S. Air Force history. The concept describes the process needed to win at war. Boyd used the model to win aerial dogfights in Korea and Vietnam, and later to describe how to gain a competitive advantage in any situation. The OODA Loop is a succinct representation of the natural decision cycle seen in virtually every context. Many experts believe it can be used to identify, visualize, prioritize, and orchestrate the remediation of most cyber threats.

So what are the four steps of the OODA Loop and how do they apply to today’s cyber risk management practices?

Observe

In order to understand what “Act” (a.k.a. remediation actions) is needed to minimize an organization’s cyber risk exposure, observation is the first step. With so many organizations being overwhelmed with the volume, velocity, and complexity of internal security data, it has become crucial to streamline the observation process. For many enterprises, data overload has become the Achilles’ heel of day-to-day security operations. The OODA Loop concept calls for automated aggregation of data across different data types; mapping of assessment data to compliance requirements; and normalization to rule out false positives and duplicates and to enrich data attributes.

Orient

Many organizations have primarily focused on their internal security posture when it comes to cyber risk management and therefore have a difficult time prioritizing their remediation actions based on business criticality. Combining the OODA loop model with cyber risk management tools enables organizations to place internal security intelligence, external threat data, and business criticality into context to derive a holistic view of risk posture across networks, applications, mobile devices, etc. In this way, security teams can determine what imminent threats they face from cyber adversaries.


Decide

In cyber war, decisions need to be made swiftly. The OODA Loop concept calls for applying advanced risk scoring and machine-learning technology to classify the severity level that individual threats pose to assets, applications, and business processes. This approach can be used to drill down into and visualize correlated data and application attack paths. Applying intelligence-driven analysis enables security operations teams to focus on risks that threaten the business and in turn significantly speed up the decision process.

Act

Increasing collaboration between security and IT operations teams, with one being responsible for identifying security gaps and the other focused on remediating them, continues to be a challenge for many organizations. In this context, the OODA Loop concept calls for combining workflow, ticketing, and remediation capabilities, assigning detailed remediation steps for each vulnerability and automating real-time risk management.

Using OODA as a blueprint, it’s possible to implement automated processes for proactive security incident notification and human-in-the-loop intervention. By establishing thresholds and pre-defined rules, organizations can also orchestrate remediation actions to fix security gaps. Meanwhile, the OODA loop provides a way to measure the effectiveness of remediation actions and ensure risks have been successfully eliminated.
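The four steps above read as one pipeline, so the following added example (not code from the article or from any vendor the author mentions) strings them together end to end: Observe aggregates two differently shaped tool exports into one schema, drops flagged false positives and duplicates, and carries compliance tags; Orient attaches business criticality and an external "exploited in the wild" feed; Decide computes a risk score and applies thresholds to pick an action; Act turns the result into work items routed to an orchestrator or to IT operations; and a final measure step verifies closure against the next observation. Every input (the scanner and audit rows, the asset criticality table, the threat feed, the ticket ID format, and the scoring weights and thresholds) is constructed for illustration, and the scoring formula is a deliberately simple stand-in for the "advanced risk scoring" the article refers to.

```python
"""OODA-style cyber risk pipeline: observe -> orient -> decide -> act -> measure.

Added illustration. All data, weights and thresholds below are constructed.
"""
from dataclasses import dataclass

# --- Observe inputs: two hypothetical tools with different field names ---
SCANNER_EXPORT = [  # constructed; mimics a vulnerability scanner export
    {"host": "web-01", "plugin": "VULN-1001", "severity": "high", "compliance": ["PCI-6.2"]},
    {"host": "web-01", "plugin": "VULN-1001", "severity": "high", "compliance": ["PCI-6.2"]},  # duplicate
    {"host": "db-01", "plugin": "VULN-2002", "severity": "critical", "compliance": []},
]
CONFIG_AUDIT = [  # constructed; mimics a configuration-audit tool
    {"asset": "web-01", "check_id": "CFG-0301", "level": "medium", "false_positive": True},
    {"asset": "hr-laptop-07", "check_id": "CFG-0415", "level": "low", "false_positive": False},
]
RESCAN = [  # constructed; the next observation cycle after remediation
    {"host": "web-01", "plugin": "VULN-1001", "severity": "high", "compliance": ["PCI-6.2"]},
]

# --- Orient inputs: business criticality (0..1) and an external threat feed (constructed) ---
ASSET_CRITICALITY = {"web-01": 0.9, "db-01": 1.0, "hr-laptop-07": 0.3}
EXPLOITED_IN_WILD = {"VULN-2002"}

SEVERITY_BASE = {"low": 2.0, "medium": 5.0, "high": 7.5, "critical": 9.5}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str
    severity: str
    compliance: tuple = ()


def observe(scanner_rows, audit_rows):
    """Aggregate both sources into one schema, drop flagged false positives, dedupe."""
    seen, out = set(), []
    candidates = [Finding(r["host"], r["plugin"], r["severity"], tuple(r["compliance"]))
                  for r in scanner_rows]
    candidates += [Finding(r["asset"], r["check_id"], r["level"])
                   for r in audit_rows if not r["false_positive"]]
    for f in candidates:
        key = (f.asset, f.finding_id)  # same finding on the same asset counts once
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def orient(findings, criticality, exploited):
    """Place each finding in business and threat context."""
    return [{"finding": f,
             "criticality": criticality.get(f.asset, 0.5),  # unknown assets get a middle value
             "exploited": f.finding_id in exploited}
            for f in findings]


def risk_score(severity, criticality, exploited):
    """Toy score: base severity scaled by criticality, boosted if actively exploited, capped at 10."""
    score = SEVERITY_BASE[severity] * (0.5 + 0.5 * criticality)
    if exploited:
        score *= 1.25
    return round(min(score, 10.0), 1)


def decide(oriented, auto_threshold=8.0, ticket_threshold=4.0):
    """Apply pre-defined thresholds to choose an action; highest risk first."""
    decisions = []
    for ctx in oriented:
        s = risk_score(ctx["finding"].severity, ctx["criticality"], ctx["exploited"])
        if s >= auto_threshold:
            action = "auto_remediate"
        elif s >= ticket_threshold:
            action = "ticket"
        else:
            action = "accept"
        decisions.append({**ctx, "score": s, "action": action})
    return sorted(decisions, key=lambda d: d["score"], reverse=True)


def act(decisions):
    """Turn decisions into work items; an orchestration hook would consume the orchestrator queue."""
    tickets = []
    for d in decisions:
        if d["action"] == "accept":
            continue
        f = d["finding"]
        tickets.append({"id": f"T-{f.asset}-{f.finding_id}",  # constructed ticket ID format
                        "asset": f.asset, "finding_id": f.finding_id, "score": d["score"],
                        "queue": "orchestrator" if d["action"] == "auto_remediate" else "it-ops",
                        "compliance": list(f.compliance)})
    return tickets


def measure(tickets, rescan_findings):
    """Close the loop: a ticket is verified closed only if the next observation no longer shows it."""
    still_present = {(f.asset, f.finding_id) for f in rescan_findings}
    return {t["id"]: "open" if (t["asset"], t["finding_id"]) in still_present else "closed"
            for t in tickets}


def run_cycle():
    findings = observe(SCANNER_EXPORT, CONFIG_AUDIT)
    decisions = decide(orient(findings, ASSET_CRITICALITY, EXPLOITED_IN_WILD))
    tickets = act(decisions)
    return decisions, tickets, measure(tickets, observe(RESCAN, []))


if __name__ == "__main__":
    decisions, tickets, status = run_cycle()
    for d in decisions:
        print(f"{d['finding'].asset:12} {d['finding'].finding_id:10} score={d['score']:<5} {d['action']}")
    print(status)
```

The point to notice is the last step: a ticket marked done is not treated as risk eliminated until the next Observe pass fails to find the issue, which is how the loop measures remediation effectiveness rather than trusting the ticket system. The criticality weighting is also why the same "high" finding on a low-value laptop and on a payment web server land in different action tiers.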

To implement the OODA Loop concept, progressive organizations are using cyber risk management software as an overlay to their existing security infrastructures. This approach provides the necessary aggregation, intelligence-based analysis, and orchestration capabilities to identify and respond to cyber threats early in the kill chain.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
