The Information Security OODA Loop: An Introduction

Thursday, March 29, 2012

Rafal Los


The OODA loop is to Information Security as it is to the military - strategic and key to successfully combating threat.

If you've never heard of the OODA (Observe, Orient, Decide, Act) loop then you're missing out. The OODA loop was invented by a military strategist (John Boyd, USAF) and the idea is that in order to win any given incursion you must go through your OODA loop faster than your opponent. 

This obviously applies to the digital world where decisions are made, often poorly, based on the information available to you in a consumable and actionable format. 

There's the key though, the decision you make in any given moment is predicated on having the right information, at the right time, in the right context - so you can act appropriately.

Not to beat this idea to death but we already know that failing to act quickly and appropriately can mean the difference between an incident, and a catastrophic breach. 

If a retailer could know that someone is probing their systems with enough insight into what is also vulnerable and, more importantly, high-risk they could act appropriately by dispatching an incident response team, shutting down ports, or re-configuring services in near-real time. 

There is no shortage of talk about how automation can provide all of this in a nice box - but it all comes down to Observe, Orient, Decide and Act.  Whether it's an automated bash script, or a human being dispatched to turn off a system physically - the requirements for doing a 'good job' are always the same. 

The information required extends far beyond that typically available to an information security organization which means many of us are making critical decisions without having all the necessary information at hand.  This is at very least hazardous to the decision making process, and your enterprise.

I figured now would be as good a time as any to start thinking about how we approach that OODA loop problem, and make decisions faster than our adversaries.  Not entirely coincidentally, a recent talk I gave at Black Hat Europe touches the other side of that decision making loop - from the attacker perspective - which means that it's time to address it from the defender's perspective.

So how confident are you that you have the information, the context, and the ability to act quickly to neutralize your attackers?  If your answer isn't a sound "yes", then you may find the next series of posts informative.  I'm dedicating the next few posts to the OODA loop, addressing each of the components of that critical decision-making process with its own blog post.

I already know you're well aware that incidents *will* happen, and attacks *will* make it through your defensive perimeter - now you should be thinking about how quickly you can act.  You see, the key is to act in the right situations because otherwise you'll be overwhelmed almost immediately with priority issues which may or may not pose an actual danger to you.

So again, how confident are you with your OODA loops?  Perhaps a better question is this - how confident are you that you can execute that loop faster than your opponent?

I think with a little knowledge, a little technology assistance, and a lot of context you can improve your OODA loop time... so stay tuned!

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Security Strategies Methodologies Incident Response Network Security Information Security Infosec Cyber Intelligence Information Systems OODA Loop
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.