Mapping the OODA Loop to SASE’s Single-Pass Cloud Engine

Jan. 18, 2023
Applying military concepts to the cybersecurity battlefield

Cybersecurity borrows many of its concepts and strategies from the military domain. For instance, Lockheed’s famed Cyber Kill Chain is the cyber adaptation of the military kill chain, which identifies the enemy’s attack steps. Its first step, “reconnaissance,” likewise borrows the military term for the strategic survey of enemy territory. It all makes sense because in many ways the cyber landscape itself is comparable to a battleground.

Today’s cyberspace is reminiscent of guerrilla warfare, in which organized cybercrime syndicates and lone hackers alike leverage countless attack vectors to exploit the inevitable vulnerabilities and loopholes in an ever-broadening attack surface. Their sophisticated and rapidly evolving military-style cyberattack tactics call for an established preventive and combative approach that ensures military precision and meticulousness.

The OODA Loop (observe-orient-decide-act) is one of the many military concepts that apply just as well to other domains, including cybersecurity. It’s a tried-and-true framework for fast and effective information processing and decision-making in high-stakes situations. That’s precisely what defenders need in today’s multi-variate threat environment, where different kinds of attacks can come from any direction, and ubiquitous visibility and situational awareness are as vital as they are hard to achieve.

Applying the Four Stages of the OODA Loop to Cybersecurity

Developed by the US military strategist and Air Force Colonel John Boyd, the OODA Loop features four discrete stages for making fast and accurate decisions. The idea is to outmaneuver the enemy by predicting its next move based on available contextual information.

Here’s how it works, in high-stakes dogfights and cybersecurity scenarios alike:

  1. Observe: Gather relevant information about the external threat landscape, internal environment, and unfolding circumstances.
  2. Orient: Analyze the observations using past experience, new and changing information, and established patterns and baselines.
  3. Decide: Choose a plan of action using the relevant data and context.
  4. Act: Implement the decision.

The success of the OODA Loop primarily depends on the fidelity and completeness of the observation data and on how effectively you “orient” it based on past judgments and the latest situational information. Needless to say, the loop is only as effective as your visibility and contextual awareness.

How Single-Pass Cloud Processing Enhances the OODA Loop

Traditional approaches to networking maintain several point solutions for all the various network and cybersecurity functions. Each point solution supports its own management console and requires complex configurations and management processes. With each point solution, organizations drive IT complexity and introduce additional points of failure.

Single-pass cloud processing is a core SASE (Secure Access Service Edge) capability that converges all networking functions and cybersecurity capabilities in a single, cloud-based solution. For starters, it reduces the complexity of monitoring and managing multiple point solutions, and it eliminates the latency of decrypting, processing, and re-encrypting data packets at each point solution in turn. In addition, this approach enables organizations to implement rapid and effective OODA looping.

Here’s how single-pass cloud processing can simplify and expedite each stage of the OODA Loop in network security:

Observe: Gapped visibility in network security is as good as no visibility. Point solutions only consider the information they need for their specific functions and do not communicate with each other. This tunnel vision creates many visibility gaps. For instance, a traditional IPS (Intrusion Prevention System) is oblivious to the insider threat and to the risks associated with particular cloud applications. Malicious actors only ever need one blind spot — a remote user, a BYOD device, or a misconfigured IoT device — to infiltrate a network and spread across it.

Single-pass cloud processing rids organizations of the tunnel vision that plagues siloed network security architectures. Every traffic flow, including cloud-bound and east-west traffic from users, applications, IoT devices, and systems, goes through the single-pass processor. To further simplify monitoring, SASE’s single-pane-of-glass visibility unifies and orchestrates end-to-end traffic flows and data in one place.

Orient: To make sound decisions based on the “observed” data, it must be contextualized to extract actionable insights. For instance, a particular TI (threat intelligence) feed may flag a destination as an IoC (indicator of compromise) while networking data shows that the same destination is routinely visited by legitimate traffic. To connect the dots, security teams need access to networking data in addition to security alerts.

Single-pass cloud processing consolidates all networking and security data, allowing individual functions to share context. Security solutions and teams get to see the bigger picture, including contextual information such as user and device identities, behavioral baselines, and application and data attributes. This way, they can rapidly “orient” the data based on historical data and just-in-time situational awareness.

Decide: Security teams need comprehensive data and rich context to make timely, informed, and intelligent policy decisions. Based on the single-pane-of-glass visibility and shared context enabled by single-pass processing, security teams can quickly “decide” the right policies for all traffic flows across users, devices, services, and environments.

Act: The success of the OODA Loop depends not only on reaching sound decisions quickly but also on the ability to enforce the “decided” policies rapidly. With single-pass processing and SASE’s unified management console, admins can centrally enforce security policies and apply security controls in an instant to any user, application, or device, no matter its location.
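The four stages above, as an added illustration that is not code from the article or from Cato Networks: one pass over constructed flow records, where a TI hit is enriched with identity and network history (the “orient” case described above) before a policy is decided and an enforcement table is produced. The flow schema, the IoC values, and the popularity threshold are all assumptions.

```python
from collections import defaultdict

# Constructed inputs (hypothetical values, not from the article).
TI_FEED = {"203.0.113.7", "198.51.100.23"}  # destination IPs flagged as IoCs
BASELINE = [  # historical flows: (user, dst_ip)
    ("alice", "203.0.113.7"), ("bob", "203.0.113.7"),
    ("carol", "203.0.113.7"), ("dave", "203.0.113.7"),
]
CURRENT_FLOWS = [  # live flows: (user, device_class, dst_ip)
    ("alice", "managed", "203.0.113.7"),
    ("eve", "byod", "198.51.100.23"),
    ("bob", "managed", "192.0.2.10"),
]
POPULARITY_THRESHOLD = 3  # distinct past users needed to call a dst "frequented"

def observe(flows):
    """Observe: the single pass sees every flow with its identity context."""
    return [{"user": u, "device": d, "dst": ip} for u, d, ip in flows]

def orient(events, ti_feed, baseline):
    """Orient: enrich each TI hit with network history (distinct users per dst)."""
    seen_by = defaultdict(set)
    for user, dst in baseline:
        seen_by[dst].add(user)
    for ev in events:
        ev["ioc_hit"] = ev["dst"] in ti_feed
        ev["known_users"] = len(seen_by[ev["dst"]])
    return events

def decide(event):
    """Decide: a TI hit on a destination many users already visit is likely a
    feed false positive, so hold it for review rather than block outright;
    an unmanaged (BYOD) device gets no such benefit of the doubt."""
    if not event["ioc_hit"]:
        return "allow"
    if event["device"] == "byod" or event["known_users"] < POPULARITY_THRESHOLD:
        return "block"
    return "monitor"

def act(events):
    """Act: one enforcement table, keyed by (user, dst), pushed to every edge."""
    return {(ev["user"], ev["dst"]): decide(ev) for ev in events}

def run_loop(flows=CURRENT_FLOWS, ti_feed=TI_FEED, baseline=BASELINE):
    """Run one OODA iteration and return the enforcement decisions."""
    return act(orient(observe(flows), ti_feed, baseline))
```

With the constructed inputs, alice’s hit on a destination four users already frequent is held for review, eve’s BYOD hit is blocked, and bob’s clean flow is allowed.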

OODA is all about making sound decisions and reducing the time to action in highly uncertain and critical situations — challenges security teams face in their everyday operations. At the core of successful OODA looping is the ability to see everything — the data and its context — and to use that context to enrich the data. This lays the groundwork for apt policy decisions that organizations must have the ability to enforce on everyone, everywhere, anytime. This is where SASE’s single-pass processing comes into action by converging it all together, providing end-to-end visibility and rich context to derive actionable insights and the ability to enforce the right policies right away.

About the author: Etay Maor is the Senior Director of Security Strategy for Cato Networks. Previously, Etay was the Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and a MA in counterterrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.