The OODA Loop: A Holistic Approach to Cyber Security
TK Keanini, CTO Lancope
Dude, follow me on twitter @tkeanini
Oct 19, 2014
Cyber Security Strategy Retrospective
Yesterday                            Today
Fragmented Tactics                   Holistic Strategy
Deterministic Threat                 Adaptive Threat
Push exploits to Enterprise          Pull exploits to Enterprise
Single-Step Exploits                 Multi-Step Exploits
Overt Tactics (cost to exploit)      Covert Tactics (cost to remain hidden)
Threat Intelligence Optional         Threat Intelligence Mandatory
Continuously evaluate your strategy
A Holistic Approach to Cyber Security
• Holistic Strategy (Framing the Conflict)
• Holistic Telemetry (Data Complete)
• Holistic Understanding (Information and Knowledge Complete)
Holistic Strategy
How to Best Frame Conflict
• Inclusive of all the players – Not just operations, must include bad guys
• Must be a continuous process – If it does not look like a loop, it’s probably wrong
• A framework for the changing dynamics of conflict – Understanding the game dynamics
• Sun Tzu
• Musashi
• Clausewitz
Colonel John Boyd (1927 – 1997)
• Fighter Pilot – Forty-Second Boyd
• Military Theories
  – Energy Maneuverability Theory
  – Drove requirements for the F15 and F16
  – Discourse on Winning & Losing
  – Destruction & Creation
  – Many modern military strategies based on Boyd
• The OODA Loop – the concept that all combat, indeed all human competition from chess to soccer to business, involves a continuous cycle of Observation, Orientation, Decision, and Action
Simplified OODA in the Context of Time
• Intelligence
  — Observation
  — Orientation
• Execution
  — Decision
  — Action
Feedback Loops of the OODA Loop
[Figure: Conflict: Red vs. Blue. The Red Ops OODA loop faces the Blue Ops OODA loop, each side's Action feeding the other side's Observation.]
Spin your loop faster than your adversary
OODA for Cyber Security
OODA Loop Summary
• Observation and Orientation (OO) increase your perceptive boundaries – Superior Situational Awareness
• Sampling rate of the OO is relative to the rate of change – Fast enough to represent change
• Decision and Action raise the cost to your adversaries’ Observation/Orientation
• Operate at a faster tempo or rhythm than our adversaries
Ultimately you are making it more expensive for the adversary to operate and hide
Holistic Telemetry
Data Complete
• Multi Sensor – No place to hide (space and time)
• Metadata as Context
• Observation of Data – Completeness
• Orientation of Information – User Centric – App Centric
[Figure: the data-complete picture assembled from Flows, IP, MAC, App and Users]
telemetry (noun): automatic transmission and measurement of data from remote sources by wire or radio or other means
Holistic Understanding: Intelligence
[Figure: layered pyramid from Data through Information to Knowledge, spanning Analytic to Synthetic]
• Atomic Data – Identifiers, Addresses, Counts, Types, etc. – Sets of Signals & Symbols
• Fusion of Data: Information – Synthesis of Data Sets – Information Sets
• Craft Knowledge – Synthesis of Information Sets – Know how – Observer Centric
Holistic Cyber Security: The Art of Cyberwar
[Figure: the OODA stages (Observation, Orientation, Decision, Action) mapped against Data, Information and Knowledge, with activity ranging from Automated through Semi Automated to Manual; SDN and Cloud also labelled]
OODA Loop and the Kill Chain
[Figure: kill chain running from Infiltration to Exfiltration]
Your Infrastructure Provides the Observation...
[Figure: network diagram spanning Internet, Atlanta, San Jose and New York, with Datacenter, WAN, DMZ and Access zones; devices ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3850 Stack(s) and Cat4k, each exporting NetFlow]
© 2013 Lancope, Inc. All rights reserved.
…for Total Visibility from Edge to Access. StealthWatch delivers the Orientation
[Figure: the same network diagram (Internet, Atlanta, San Jose, New York; Datacenter, WAN, DMZ, Access; ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k)]
Data Observation
• Geographic Traffic Orientation
• Time of Day Orientation
• User Location Orientation
• Data Hoarding Orientation
• Data Disclosure Orientation
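An added illustration, not code from the deck or from StealthWatch, of how raw flow observations get oriented into the Data Hoarding, Data Disclosure and Time of Day views listed above. The flow schema, the 10.0.0.0/8 address plan, the business-hours window and the byte thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records for this example (assumed schema, not the deck's data):
# (start time, source IP, destination IP, bytes sent from source to destination)
FLOWS = [
    ("2014-10-19T09:05:00", "10.1.2.20", "10.1.1.5", 500_000_000),      # file server -> workstation
    ("2014-10-19T09:20:00", "10.1.2.21", "10.1.1.5", 700_000_000),      # second server -> same workstation
    ("2014-10-19T10:00:00", "10.1.2.22", "10.1.1.5", 600_000_000),      # third server -> same workstation
    ("2014-10-19T02:30:00", "10.1.1.5", "203.0.113.9", 1_500_000_000),  # workstation -> Internet at 02:30
    ("2014-10-19T11:00:00", "10.1.2.20", "10.1.1.7", 2_000_000),        # ordinary file access
    ("2014-10-19T12:00:00", "10.1.1.7", "198.51.100.4", 30_000_000),    # ordinary upload
]

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address plan
BUSINESS_HOURS = range(8, 18)         # assumed 08:00 to 17:59 local time
GB = 1_000_000_000

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def orient(flows, hoard_bytes=GB, hoard_peers=3, disclose_bytes=GB):
    """Aggregate raw flow observations into per-host orientation findings."""
    pulled = defaultdict(int)     # bytes an internal host received from internal peers
    peers = defaultdict(set)      # distinct internal peers it received from
    pushed = defaultdict(int)     # bytes an internal host sent to external addresses
    off_hours = defaultdict(int)  # external bytes sent outside business hours
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            pulled[dst] += nbytes
            peers[dst].add(src)
        elif is_internal(src):
            pushed[src] += nbytes
            if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
                off_hours[src] += nbytes
    findings = defaultdict(list)
    for host in sorted(set(pulled) | set(pushed)):
        if pulled[host] >= hoard_bytes and len(peers[host]) >= hoard_peers:
            findings[host].append("data hoarding")       # pulled a lot from many peers
        if pushed[host] >= disclose_bytes:
            findings[host].append("data disclosure")     # pushed a lot out of the enterprise
        if off_hours[host] and off_hours[host] >= pushed[host] / 2:
            findings[host].append("off-hours transfer")  # most outbound volume outside hours
    return dict(findings)

if __name__ == "__main__":
    for host, tags in orient(FLOWS).items():
        print(host, "->", ", ".join(tags))
```

The hoard-then-push pattern on 10.1.1.5 is what the deck's Orientation views are meant to surface; the thresholds would be tuned to a real baseline rather than fixed at 1 GB.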
http://www.lancope.com
@Lancope (company) @netflowninjas (company blog)
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas
Thank You
TK Keanini, Chief Technology Officer [email protected] @tkeanini