Applying the OODA Loop to Cybersecurity and Secure Access Service Edge

Organizations can best defend themselves on the cyber battlefield by adopting a military-style defense.

Etay Maor, Senior Director of Security Strategy, Cato Networks

December 6, 2022

5 Min Read
OODA loop: observe, orient, decide, act
Source: canbedone via Alamy Stock Photo

Data leaks, breaches, and cyberattacks are becoming the norm, spawning discussions on how organizations can effectively defend themselves against an ever-evolving threat landscape. With the modern battlefield extending to cyberspace and adversaries adopting military-style tactics, today's defenders see analogies from the military sector as increasingly relevant.

An Introduction to the OODA Loop

The OODA loop was introduced by US military strategist and Air Force Col. John Boyd in the mid–20th century. The idea is to create a framework where decisions could be made quickly, using the latest contextual information, helping defenders outpace and out-innovate their opponents.

The loop consists of four phases: Observe, Orient, Decide, and Act. It refers to an iterative decision-making process through which entities observe evolving information, contextualize it, decide on next steps, implement an action plan, and adapt a strategy based on observations and results obtained.

How Can the OODA Loop Benefit Cybersecurity Teams?

While the OODA loop was originally developed as a strategy for fighter pilots to use in dogfights (a rapidly evolving environment where stakes are extremely high), a number of litigation, law enforcement, and military organizations have been using OODA successfully for years.

With technology undergoing a massive transformation over the past decade, it's become nearly impossible to monitor and track such a vast ecosystem of infrastructure, users, and applications. All in all, the stakes couldn't be higher for security teams, and since cybersecurity operations have a lot to learn from a real battlefield, the OODA loop is now witnessing an increased amount of attention from the security industry.

The OODA model is applicable to both defenders and incident responders. From a defender's perspective, OODA can be used by security teams for day-to-day operations such as monitoring security events, assessing potential risks, and conducting threat-hunting exercises. From an incident responder's perspective, OODA can help identify, investigate, and respond to potential security issues in a way that recovery can be expedited and damages can be minimized.

How Can Cybersecurity Teams Leverage the OODA Model Effectively?

The OODA loop alone doesn't lead to effective cybersecurity. For the model to truly be successful, organizations must ideally be able to "observe" all activity across infrastructure, users, and applications, "orient" themselves with the right contextual information so they can make the right security decisions, and finally, have a "just-in-time" cybersecurity system that can help implement controls in real-time and across the entire ecosystem.

If your organization is looking to implement the OODA model effectively, it must consider deploying a single-pass cloud engine, a converged software stack based on SD-WAN that secures all traffic based on identities — including routing, decryption, deep-packet inspection, and security policy enforcement decisions — known to be native to secure access service edge (SASE). Here are three reasons why:

1. End-to-End Visibility Is Key to Observation and Orientation

Gaining insight into what's happening on the entire attack surface requires a holistic security system that provides end-to-end visibility of all network and security activity. Standard security and threat intelligence services today are siloed and do not communicate well with each other. Security teams therefore lack the right data to implement sound security decisions. On the other hand, as part of the SASE architecture, the single-pass engine ingests all network flows, including Web and cloud traffic, devices, users, applications, systems, and even the Internet of Things (IoT). Since all information flows through a single system, security teams can "observe" end-to-end flows, "orient" themselves with the right context (such as identity, device, network, application, or data), and "decide" on actionable next steps.

2. Rapid Decision-Making Requires Just-in-Time Situational Awareness

When organizations encounter security incidents, time is of the essence. But for dynamic and effective security decisions, security teams require just-in-time situational awareness on infrastructure activity, user behavior, and data movement, etc., as well as contextual information like applications, user identities, locations, and time. Such information is needed to reduce the time taken from observation to action and is critical in incident response scenarios. Not to mention, legacy security tools are fragmented and usually don't provide the full picture needed in rapid OODA looping and crisis situations. With single-pass processing, all services are delivered within the architecture and therefore, security teams benefit from contextual single-pane-of-glass information, which helps them "act" (the last stage of the loop) and respond to a crisis more efficiently and minimize potential damages.

3. Real-Time Actions Need a Comprehensive and Ubiquitous Security Backbone

Attack vectors and threat surfaces evolve so rapidly that security teams must evolve and adapt their defenses according to the observations they make across the industry or their own environment. Cyberattacks, breaches, and vulnerabilities come unannounced at any point in time, which is why security teams need a robust infrastructure that enables them to have seamless control over the entire IT environment at any sudden moment. With SASE, because networking and security management are combined in one place and can be applied to any user or application from anywhere, it's easier to manage security controls and apply patches to applications or devices that do not have an official patch yet (using virtual patches).

It's probably safe to say that the more cybersecurity professionals practice OODA in their everyday decision-making, the more proficient they will become and the faster they will operate. That said, one of the fundamental pillars of the OODA Loop is having an end-to-end security system that provides the right security data, in the right context, at the right time, and with the right levels of controls. This is where SASE and its single-pass cloud engine comes into play in securing the infrastructures of the future.

About the Author(s)

Etay Maor

Senior Director of Security Strategy, Cato Networks

Etay Maor is the Sr. Director Security Strategy at Cato Networks and an industry-recognized cybersecurity researcher and keynote speaker.

Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Before that, Etay held numerous leadership and research positions as an Executive Security Advisor at IBM, where he created and led breach response training and security research, and as Head of RSA Security's Cyber Threats Research Labs, where he managed malware research and intelligence teams and was part of cutting-edge security research and operations.

Etay is an adjunct professor at Boston College and holds a BA in Computer Science and a MA in Counter Terrorism and Cyber Terrorism. Etay is a frequent featured speaker at major industry conferences and is part of RSA Conference and QuBits conference committees.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights