The OODA loop has been around for roughly 50 years, and we’ve referred to it within the context of cybersecurity for decades. Developed by Colonel John Boyd, the OODA loop—shorthand for observe, orient, decide and act—describes a decision-making cycle that he trained U.S. Air Force pilots to use in dogfights and, when mastered, allows them to outwit adversaries. The concept being if you can work through this cycle faster than your adversary, you can gain the upper hand in battle. Given how security automation is evolving, I think the OODA loop is worth revisiting.
Security automation is a topic the industry has talked about and debated for quite some time, but finally, we’re seeing organizations become more confident in it. In fact, 84% now have some level of trust in automation outcomes, up from 59% last year, and 98% say their automation budgets are increasing. However, barriers remain with technology cited as the top blocker to adoption.
SOAR Platform Laid the Groundwork
To understand why, let’s roll back the clock a bit to the first category of solutions to really center on automation—security orchestration, automation, and response (SOAR) platforms. Organizations turned to them to offload work from security personnel by automatically running a playbook in reaction to an incident or issue without the need for human intervention. Early SOAR platforms were off to a fast start, but they focused on automating entire processes and required significant engineering and implementation expertise to set up. Additionally, because environments are dynamic and variable, playbooks needed to be updated frequently which took time and required human insights and involvement. As the number of playbooks grew so did the complexity, and organizations soon discovered this process-driven approach didn’t streamline operations as intended.
Since then, automation has continued to evolve, and a data-driven approach is starting to emerge that allows security teams to focus on automating a few simple steps that are well-defined. For example: when “X” happens, always do the following steps. It’s not necessarily that “X” happens frequently or is intensive and takes up a lot of time. That’s not the point. The point is that when we can collapse the time it takes to work through a cycle of steps and eliminate complexity, we can move faster than the adversary and gain an advantage which is in the intent of the OODA loop.
- Let’s begin with a simple scenario of using automation for the enrichment of internal threat and event data. The first step could be: When the external threat intelligence we ingest into our security operations platform includes source IPs, look through them and separate those that are coming from a country of concern. Automating this one step alone is a quick and easy way to accelerate that loop, and get to a decision point, and action point faster.
- Building on this scenario, we can move into the realm of enabling extended detection and response (XDR). The next step could be: Take any file hashes that are related to that grouping of IP addresses and send that to the SIEM to make sure that it is in an alert set. We may also decide to automatically push that data to the endpoint detection and response (EDR) system if it’s above a certain risk score.
- Next, we can create a step that says: Alert the intelligence analysts that there are file hashes that match IP addresses of concern which cuts down human-to-human communication time. Analysts can quickly pivot to that adversary and may learn there are additional IP addresses related to that adversary, and search across other tools for evidence of those addresses.
- If intelligence analysts find additional signs that something bad might be happening, the final step in this scenario could be: Automatically alert the threat hunt team that they have a lead to chase down further.
By identifying a few simple steps that we know will happen every time and triggering them based on data and business logic, we were able to automate four separate workflows and also push them together to create and automate a well-defined process and accelerate it.
Like fighter pilots, cybersecurity teams have to be nimble and move fast. The OODA loop is about gathering and processing rapidly changing information that is relevant at that point in time and making decisions and taking actions faster to beat out adversaries. This is only possible when data—not the process—is driving automation.