Your SlideShare is downloading. ×
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action

633
views

Published on

Tim Keanini's Presentation from GFirst 2012

Tim Keanini's Presentation from GFirst 2012

Published in: Business, Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
633
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
21
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Applying Boyds OODA Loop Strategy to Drive IT Security Decision and Action TK Keanini, Chief Research Officer nCircle8th Annual GFIRST National Conference, Aug 23, 2012 nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 2. Colonel John Boyd (1927 – 1997)• Fighter Pilot – Forty-Second Boyd• Military Theories – Energy Maneuverability Theory • Drove requirements for the F15 and F16 – Discourse on Winning & Losing – Destruction & Creation – Many modern military strategies based on Boyd• The OODA Loop – the concept that all combat, indeed all human competition from chess to soccer to business, involves a continuous cycle of Observation, Orientation, Decision, and Action nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 3. Simplified OODA in the Context of Time Continuous Monitoring• Intelligence — Observation — Orientation• Execution — Decision — Action nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 4. Feedback Loops of the OODA Loop nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 5. Conflict: Red vs. Blue O O D A Blue Ops Red Ops A D O OProblem:IT has no offense and cannot act on its adversary nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 6. OODA for IT Security O O D A Red Ops Blue Ops O O D A A D O O Continuous Monitoring and Rapid Change nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 7. Continuous Monitoring/ OODA Loop• Observation and Orientation (OO) increases your perceptive boundaries. – Superior Situational Awareness• Sampling Rate of the OO is relative to the rate of change• Your Decision and Actions should drive your rate of change• Your rate of change should be beyond the perceptive boundaries of your adversaries Observation and Orientation. – Actively monitor for this knowledge margin nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 8. What is the Objective of your DefensiveStrategy?The primary objective of your IT strategy is:A) Business continuity and agility?B) Catching crooks and crime fighting?IT Security has no directoffensive measures so itsdominant strategy mustfollow that of a prey species!How can we raise the cost to our predators/adversaries?(without raising our own costs) nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 9. Foraging Patterns of Predator Species• Cruising (widely foraging) Dominant strategy back in the day. Servers were the targets and you had – Continually move to locate prey to find them• Ambush (sit-and-wait) With the proliferation of browsers, the – Rely on prey’s mobility to prey became mobile and server could initiate encounters ambush• Saltatory (hybrid) – Very little exposure when Phishing, DNS poisoning, CA cruising spoofing, etc. – Cheap ambush resources nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 10. Defensive Patterns of Prey Species• High space and time costs – Locations not easily found – Location at a high energy cost to predator• Tolerance – Divert the predator to eat non-essential parts – Enhanced ability to rapidly recover from the damage• Befriend your predators enemy – Attract the presence of your predators predator• Confrontation – Mechanically or chemically nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 11. Anti-Predator Strategies (cost/benefit)• Cost of identification & misidentification • Camouflage • Overtly advertise negative benefits• Cost of attack • Energy gained from the kill / energy spent in the hunt• Cost of handling/ingest • Energy spent to convert • Lifetime of the gain Loss is a part of the design The Organism is the target, not the Species nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 12. The Patterns of a Prey Organism Species ServiceOrganism Organism Organism Organism Server Server Server Server• The game of survival and resiliency is at the level of species and not at the level of organism• Diversity, redundancy and a high rate of change at the organism level provides stability at the species level• Loss at the organism level is informational• With no offensive measures, prey must advertise unprofitability and raise the cost to its opponent nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 13. Change is Not Happening Fast Enough!• Server A is configured, tested, and put in to production• In a 96 hour period, your adversary is able to perform enough recon to pick a strategy• Server A will remain in that original production state until – A change is required by the business – A change is required by the discovery of a vulnerability – A change is required by a fault – Otherwise, it remains the same for what could be months or years (prime real estate for a parasite) – Can’t eat just one! What works on A will work on B through ‘n’The adversary will take advantage of the fact thatyour cost of change is too high nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 14. Decoupling Organism from SpeciesPattern: The abstraction of a [re]sourceA few examples include:Virtual LANS Logical partitioning of broadcast domainsVirtual Storage Logical presentation of disksVirtual Service Load Balancers, Proxies, etc.Virtual Machines VMware, Xen, Microsoft’s Virtual Server, etc Advantage: Decoupling the resource from the source nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 15. Nuke & PaveWhat if we could lower the ‘Mean Time toRecovery’ of the service to seconds?What if we could change characteristics in theserver while keeping the service the same? nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 16. Orientation: Information SetsBob: Targets X• Ego-centric understanding — What you know about your targets nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 17. Orientation: Information SetsBob: Targets X Alice: Targets XBob: Alice: Targets X Alice: Bob: Targets XBob: Alice: Bob Targets X• Allo-centric understanding — What you know, what your opponent knows about your targets — What you know, what your opponent knows, what you know about your targets. nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 18. The cost of your adversaries Observation andOrientation (OO)• Your common target attributes• Your common practices• Your High Cost of Change: MTTR (Mean Time to Repair) or TTM (Time to Manufacture)• How can we lower the effectiveness of their tools or process?• How can we raise their costs? nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 19. Knowledge MargindT arg et dAdversaryObservation  dTime dTime“If a target system can cause the adversary to constantly have to recompute their tactics, to cause uncertainty on the adversarys causalmodels, they can achieve a knowledge margin that is feasible and sustainable.” - TK nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 20. Creating a Knowledge Margin• Leverage virtualization for synthetic provisioning• Ability to provision the entire ‘backend’ on a per session basis• Continuously monitor for diversity without adding administrative costs nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 21. Example: Synthetic ProvisioningUser A User B User CJIT Services A JIT Services B JIT Services C Service Specifications & Jitter Virtual Virtual vLAN Server Server Server Virtual Storage Machines CPUs MPLS Specifications & Jitter CPU OS LAN Storage Physical Memory WAN Infrastructure nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 22. Continuous Monitoring/ OODA LoopSummary• We must find a way to raise the cost to our adversary while not raising our own administrative costs• Observation and Orientation (OO) increases your perceptive boundaries.• Sampling Rate of the OO is relative to the rate of change• Your Decision and Actions should drive your rate of change – Proactively introduce change at the server level while holding to your service level agreements• Your rate of change should be beyond the perceptive boundaries of your adversaries Observation and Orientation. – Actively monitor for this knowledge margin nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 23. ContactTwitter: @tkeaniniEmail: tk@ncircle.comLinkedin: http://www.linkedin.com/in/tkkeaninipub nCircle Company Confidential © 2012 nCircle. All Rights Reserved.