
The OODA Loop: A Holistic Approach to Cyber Security



A holistic approach to cyber security is one that includes the threat actors, advanced telemetry of the network, and a defensive strategy that continuously adapts to the adversary's capabilities and the threat landscape.
By collecting and analyzing network data via technologies such as NetFlow, organizations can obtain the security intelligence needed to fill in the gaps left by conventional tools and more effectively feed their OODA loop - a cyclical process for Observation, Orientation, Decision and Action. By embracing the OODA loop, and turning the network into a sensor grid for delivering key security information, organizations can dramatically improve their situational awareness, incident response and forensics procedures.
When you leave this session you will...
• Understand how the motives and techniques of online attackers have changed over the last couple of decades
• Realize why conventional security tools like firewalls and antivirus are no longer enough to fend off today’s advanced threats, and why more holistic cyber security strategies are needed
• Know about the “OODA loop” and how it can be applied to cyber security to protect IT infrastructure and data from advanced adversaries
• Understand how network data such as NetFlow can be cost-effectively collected and analyzed to feed and speed up your OODA loop
• Have a strategy for dramatically improving incident response and forensics



  1. The OODA Loop: A Holistic Approach to Cyber Security. TK Keanini, CTO Lancope. Dude, follow me on twitter @tkeanini
  2. Cyber Security Strategy Retrospective. Yesterday: Fragmented Tactics • Deterministic Threat • Push exploits to Enterprise • Single-Step Exploits • Overt Tactics (cost to exploit) • Threat Intelligence Optional. Today: Holistic Strategy • Adaptive Threat • Pull exploits to Enterprise • Multi-Step Exploits • Covert Tactics (cost to remain hidden) • Threat Intelligence Mandatory. Continuously evaluate your strategy.
  3. A Holistic Approach to Cyber Security • Holistic Strategy (Framing the Conflict) • Holistic Telemetry (Data Complete) • Holistic Understanding (Information and Knowledge Complete)
  4. Holistic Strategy: How to Best Frame Conflict • Inclusive of all the players – Not just operations, must include bad guys • Must be a continuous process – If it does not look like a loop, it’s probably wrong • A framework for the changing dynamics of conflict – Understanding the game dynamics • Sun Tzu • Musashi • Clausewitz
  5. Colonel John Boyd (1927 – 1997) • Fighter Pilot – Forty-Second Boyd • Military Theories – Energy Maneuverability Theory • Drove requirements for the F15 and F16 – Discourse on Winning & Losing – Destruction & Creation – Many modern military strategies based on Boyd • The OODA Loop – the concept that all combat, indeed all human competition from chess to soccer to business, involves a continuous cycle of Observation, Orientation, Decision, and Action
  6. Simplified OODA in the Context of Time • Intelligence — Observation — Orientation • Execution — Decision — Action
  7. Feedback Loops of the OODA Loop (diagram)
  8. Conflict: Red vs. Blue – OODA for Cyber Security. Diagram: Red Ops and Blue Ops each running their own O-O-D-A loop against the other. Spin your loop faster than your adversary.
  9. OODA Loop Summary • Observation and Orientation (OO) increases your perceptive boundaries – Superior Situational Awareness • Sampling rate of the OO is relative to the rate of change – Fast enough to represent change • Decision and Actions raise the cost to your adversaries’ Observation/Orientation • Operate at a faster tempo or rhythm than our adversaries. Ultimately you are making it more expensive for the adversary to operate and hide.
  10. Holistic Telemetry: Data Complete • Multi Sensor – No place to hide (space and time) • Metadata as Context • Observation of Data – Completeness • Orientation of Information – User Centric – App Centric. Diagram: Flows, IP, MAC, App, Users. Definition: telemetry (noun) – automatic transmission and measurement of data from remote sources by wire or radio or other means.
  11. Holistic Understanding: Intelligence. Pyramid diagram, analytic at the base and synthetic at the top: Data (Atomic) – Identifiers, Addresses, Counts, Types, etc. • Sets of Signals & Symbols; Information (Fusion of Data) – Synthesis of Data Sets • Information Sets; Knowledge (Craft) – Synthesis of Information Sets • Know how • Observer Centric.
  12. Holistic Cyber Security: The Art of Cyberwar. Diagram mapping Observation, Orientation, Decision and Action onto Data, Information and Knowledge, and onto Automated, Semi Automated and Manual handling; SDN and Cloud shown as enablers.
  13. OODA Loop and the Kill Chain – Infiltration, Exfiltration
  14. Your Infrastructure Provides the Observation... Topology diagram: Internet; Atlanta, San Jose and New York sites; ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k across Datacenter, WAN, DMZ and Access, with NetFlow exported from each device. © 2013 Lancope, Inc. All rights reserved.
  15. …for Total Visibility from Edge to Access. StealthWatch delivers the Orientation (same topology diagram).
  16. Data Observation
  17. Geographic Traffic Orientation
  18. Time of Day Orientation
  19. User Location Orientation
  20. Data Hoarding Orientation
  21. Data Disclosure Orientation
  22. Thank You. @Lancope (company), @netflowninjas (company blog). TK Keanini, Chief Technology Officer, @tkeanini
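As an added illustration of the Orientation step over NetFlow records (this is example code, not from the deck or from Lancope), the following Python pass turns constructed unidirectional flow records into the per-host views the Data Hoarding, Data Disclosure and Time of Day orientation slides describe. The internal range, the off-hours window, the sample flows and the ratio threshold are all assumptions.

```python
# Added example, not from the deck or from Lancope: an "Orientation" pass over
# NetFlow-style unidirectional flow records (Data Hoarding / Data Disclosure /
# Time of Day). Records, thresholds and the 10.0.0.0/8 range are assumptions.
import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes, hour_of_day).
# Each record counts bytes sent by src to dst, as NetFlow v5/v9 does.
FLOWS = [
    ("10.0.2.10", "10.0.1.5", 49152, 900_000_000, 2),    # file server -> host, 02:00
    ("10.0.2.11", "10.0.1.5", 49153, 700_000_000, 2),    # second server -> same host
    ("10.0.1.5", "203.0.113.7", 443, 1_500_000_000, 3),  # host -> external, 03:00
    ("10.0.2.10", "10.0.1.6", 49160, 40_000_000, 10),
    ("10.0.1.6", "198.51.100.9", 443, 5_000_000, 11),
    ("10.0.2.10", "10.0.1.7", 49170, 35_000_000, 14),
    ("10.0.1.7", "198.51.100.9", 443, 4_000_000, 15),
    ("10.0.2.11", "10.0.1.8", 49180, 30_000_000, 9),
    ("10.0.1.8", "198.51.100.9", 443, 3_000_000, 9),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def orient(flows):
    """Per internal host: bytes hoarded (from internal peers), disclosed (to external), off-hours."""
    stats = defaultdict(lambda: {"hoard": 0, "disclose": 0, "offhours": 0})
    for src, dst, _port, nbytes, hour in flows:
        if is_internal(src) and is_internal(dst):
            host, metric = dst, "hoard"       # internal peer pushing data to dst
        elif is_internal(src):
            host, metric = src, "disclose"    # src pushing data outside
        else:
            continue                          # inbound from outside: not oriented here
        stats[host][metric] += nbytes
        if hour < 6 or hour >= 22:            # assumed off-hours window
            stats[host]["offhours"] += nbytes
    return dict(stats)

def flag(stats, ratio=10):
    """Flag hosts whose hoard or disclose volume exceeds ratio x the median host."""
    alerts = {}
    for metric in ("hoard", "disclose"):
        med = median(s[metric] for s in stats.values())
        for host, s in stats.items():
            if med > 0 and s[metric] > ratio * med:
                alerts.setdefault(host, []).append(metric)
    return alerts
```

On the constructed records, 10.0.1.5 is the only host flagged, for both hoarding (pulled from two internal servers) and disclosure (pushed outside), and all of its volume lands in the off-hours bucket, which is the multi-step pattern slide 2 contrasts with single-step exploits.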