Time is a precious commodity, especially in cybersecurity. Cybercriminals can be in and out of a victim environment within 24 hours of initial access. Professional criminal groups and advanced persistent threats (APTs) also exploit zero-day vulnerabilities, for which no vendor patch yet exists, leaving software developers and defenders scrambling to catch up.
When a cyberattack strikes, defenders have minutes, not days, to detect and respond. The faster the detection, the sooner malware can be stopped from spreading. The faster the response, the sooner the adversary can be outmaneuvered. To win this race against time, defenders need two things: 1) a robust decision-making model that supports swift but accurate decisions; and 2) real-time visibility across the entire infrastructure, so that security teams can make informed decisions.
Enter the OODA Loop Military Model and its Security Application
The OODA loop is a mental model developed in the mid-20th century by U.S. Air Force strategist Col. John Boyd to improve the decision-making of fighter pilots in aerial combat.
The OODA loop consists of four iterative phases: Observe, Orient, Decide and Act. “Observe” means gathering the raw information needed to build a comprehensive picture of the situation. “Orient” means interpreting those observations against reality and context, consciously avoiding cognitive biases, to develop a deep awareness of the situation. “Decide” means choosing a course of action based on that oriented picture rather than jumping to conclusions. “Act” means carrying out the decision; its results then feed the next round of observation. Because the loop is iterative, the side that cycles through it faster and more accurately than its adversary gains the initiative.
The OODA loop is a versatile model that applies naturally to cybersecurity. Defenders and incident responders can use it for a variety of tasks such as threat assessment, threat monitoring, and threat hunting. The value of the loop, however, depends heavily on the quality of the security signals and data fed into it: poor data leads to poor decisions, and good data to good ones.
Using SASE to Harness the OODA Loop
Security complexity is one of the biggest roadblocks to effective and timely threat detection. It is common practice to deploy many disparate security tools (anywhere from 45 to 75 on average) to address a host of threat vectors and security use cases. Because these tools rarely share data with one another, they cannot “connect the dots” and fail to produce timely, accurate, and contextual security data for decision-making. And because data and applications have moved to the cloud alongside users who work remotely, blind spots appear over which security teams have neither data insight nor control.
SASE (Secure Access Service Edge) is a single-pass, cloud-native architecture that tackles the complexity problem by converging multiple security controls (such as data leakage prevention, secure web gateway, zero trust network access, cloud access security broker and other controls) into a single service. Consolidated security tools with native integrations yield real-time visibility over network traffic spanning endpoints, multi-cloud, applications, identities, devices, and Internet of Things. Real-time flow data is then enriched with contextual details such as location and identity, giving security teams finer-grained control and better-informed decisions. The SASE backbone also enables rapid response to newly disclosed vulnerabilities through virtual patching: a detection signature deployed at the edge blocks exploit traffic before every endpoint has been patched. Note the caveat that virtual patching still requires a signature for the exploit, so it protects against exploitation of vulnerabilities that are known, not against attacks nobody has seen yet. In other words, SASE maps closely onto the OODA loop: it sees every flow that traverses it (“Observe”), contextualizes the data it receives (“Orient”), evaluates which policy applies (“Decide”), and enforces that policy across the entire infrastructure end-to-end (“Act”).
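To make the mapping concrete, here is a small single-pass policy engine, written for this article as an added illustration rather than code from the original page or from any SASE product. It walks a handful of constructed flow records through the four phases: parse the flow (Observe), join it against identity, device and location context (Orient), evaluate policy once on the enriched record (Decide), and emit an enforcement verdict (Act). It also demonstrates the earlier point that poor data yields poor decisions: a flow that arrives without identity or device context is never allowed through on guesswork. All hostnames, usernames, device IDs, IP ranges and thresholds are made up.

```python
"""Single-pass OODA policy engine over flow records (added example; all data constructed)."""
from dataclasses import dataclass, field
from typing import Optional

# Observe: raw flow records as an enforcement edge might see them. Constructed sample data.
RAW_FLOWS = [
    "2024-05-01T10:00:01Z src=10.1.4.22 dst=finance.corp.example dport=443 user=alice device=LT-0412",
    "2024-05-01T10:00:05Z src=10.1.4.22 dst=pastebin.example dport=443 user=alice device=LT-0412 bytes_out=52428800",
    "2024-05-01T10:00:09Z src=198.51.100.7 dst=finance.corp.example dport=443 user=bob device=BYOD-77",
    "2024-05-01T10:00:12Z src=203.0.113.9 dst=finance.corp.example dport=443",
]

# Orient: context sources the engine joins against. Hypothetical directory/CMDB/geo/app data.
IDENTITY = {"alice": {"group": "finance", "mfa": True}, "bob": {"group": "sales", "mfa": True}}
DEVICES = {"LT-0412": {"managed": True, "posture": "compliant"},
           "BYOD-77": {"managed": False, "posture": "unknown"}}
GEO = {"10.1.4.": "office-nyc", "198.51.100.": "home-isp", "203.0.113.": "unknown"}
APP_SENSITIVITY = {"finance.corp.example": "restricted", "pastebin.example": "upload-risk"}
DLP_UPLOAD_LIMIT = 10 * 1024 * 1024  # assumed 10 MiB threshold for untrusted destinations


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    user: Optional[str] = None
    device: Optional[str] = None
    bytes_out: int = 0


@dataclass
class Context:
    flow: Flow
    group: Optional[str]
    managed: bool
    posture: str
    location: str
    sensitivity: str
    gaps: list = field(default_factory=list)  # context the engine could not resolve


def observe(line: str) -> Flow:
    """Parse one 'timestamp key=value ...' record into a Flow."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Flow(ts=ts, src=fields["src"], dst=fields["dst"], dport=int(fields["dport"]),
                user=fields.get("user"), device=fields.get("device"),
                bytes_out=int(fields.get("bytes_out", 0)))


def orient(flow: Flow) -> Context:
    """Enrich the flow with identity, device and location context; record what is missing."""
    ident = IDENTITY.get(flow.user or "", {})
    dev = DEVICES.get(flow.device or "", {})
    location = next((name for prefix, name in GEO.items() if flow.src.startswith(prefix)), "unknown")
    gaps = [name for name, found in (("identity", ident), ("device", dev)) if not found]
    return Context(flow=flow, group=ident.get("group"), managed=dev.get("managed", False),
                   posture=dev.get("posture", "unknown"), location=location,
                   sensitivity=APP_SENSITIVITY.get(flow.dst, "normal"), gaps=gaps)


def decide(ctx: Context) -> tuple:
    """Evaluate policy once on the enriched record. Returns (action, reason)."""
    if ctx.gaps:  # poor data: refuse to allow on an incomplete picture
        return "block", "missing context: " + ",".join(ctx.gaps)
    if ctx.sensitivity == "restricted":
        if ctx.group != "finance":
            return "block", "ztna: group not entitled to restricted app"
        if not ctx.managed or ctx.posture != "compliant":
            return "block", "ztna: device posture not compliant"
        return "allow", "ztna: entitled user on compliant device"
    if ctx.sensitivity == "upload-risk" and ctx.flow.bytes_out > DLP_UPLOAD_LIMIT:
        return "block", "dlp: large upload to untrusted destination"
    return "allow", "default"


def act(ctx: Context, verdict: tuple) -> dict:
    """Enforce the verdict; here that means emitting an auditable decision record."""
    action, reason = verdict
    return {"ts": ctx.flow.ts, "user": ctx.flow.user, "dst": ctx.flow.dst,
            "location": ctx.location, "action": action, "reason": reason}


def run_loop(lines) -> list:
    """One pass per flow: observe -> orient -> decide -> act."""
    return [act(ctx, decide(ctx)) for ctx in (orient(observe(line)) for line in lines)]


if __name__ == "__main__":
    for record in run_loop(RAW_FLOWS):
        print(record)
```

The design choice worth noting is that every control (ZTNA entitlement, device posture, DLP) reads the same enriched record, so the engine never has to re-parse or re-correlate a flow per tool; that is the single-pass property the architecture relies on. Missing context is treated as a reason to block rather than to fall through to a permissive default.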
Final Thoughts
The OODA loop is designed for rapid decision-making in highly stressful situations, familiar territory for any security team. As threats grow in sophistication, faster response times are needed, and control and visibility become more urgent. The key is having visibility into all data and its context. By enriching data with context, security teams can make informed policy decisions. Enforcing those policies consistently requires a convergence of security functions. With single-pass processing, security teams can make informed, data-driven decisions, enforce the right policies immediately, accelerate their desired security outcomes, and fast-track their journey to cyber resilience.