SLIDE 1
Th The OODA A Loop
- op for
- r CISOs
NY NYMJCSC 2020 NY NYMJCSC 2020
Background
KeyCaliber Department of Homeland Security (US-CERT) Executive Office of the President (Obama Administration) Uplevel Security
Th The OODA A Loop oop for or CISOs Roselle Safran - - PowerPoint PPT Presentation
Th The OODA A Loop oop for or CISOs Roselle Safran - - PowerPoint PPT Presentation
Th The OODA A Loop oop for or CISOs Roselle Safran roselle@keycaliber.com Background KeyCaliber Uplevel Security Executive Office of the President (Obama Administration) Department of Homeland Security (US-CERT) NY NYMJCSC 2020 NY
SLIDE 2
SLIDE 3
NY NYMJCSC 2020 NY NYMJCSC 2020
What is the OODA Loop?
Observe Orient Decide Act
SLIDE 4
NY NYMJCSC 2020 NY NYMJCSC 2020
Benefits of the OODA Loop
Optimizes decision-making process Ensures continuous knowledge transfer Increases agility Enables constant improvement
SLIDE 5
NY NYMJCSC 2020 NY NYMJCSC 2020
Tactical Versus Strategic OODA Loop
Tactical: Address immediate threats Optimize speed “Block & tackle” Narrow scope Strategic: Achieve long-term goals Optimize resource allocation Prioritize projects “Big picture”
SLIDE 6
NY NYMJCSC 2020 NY NYMJCSC 2020
Common Challenges to Strategic OODA Loop Implementation
Decide/Act impact cannot be adequately measured Act requires collaboration with other teams Observe/Orient cannot keep up with Decide/Act Manual processes create bottlenecks
SLIDE 7
NY NYMJCSC 2020 NY NYMJCSC 2020
Thoroughly Observe
Observe Orient Decide Act
Frequency Your Organization
- Match cadence of
decisions-making process
- Leverage existing
security stack
Your Adversaries
- Utilize internal
and external info
SLIDE 8
NY NYMJCSC 2020 NY NYMJCSC 2020
Know Your Organization – Data Sources
Observe Orient Decide Act
GRC Data Cloud & Network Data Endpoint Data
- Critical
assets
- Risks
- Firewall
- IDS
- Cloud mgmt
- EDR
- AV
Application Data
gateway
- Vulnerability
scanner
SLIDE 9
NY NYMJCSC 2020 NY NYMJCSC 2020
Know Your Adversaries – Data Sources
Observe Orient Decide Act
Threat Intelligence Open Source Data
- Tactics, techniques,
and procedures (TTPs)
- Internal
- External
- Current events
- Industry news
Alert/Incident Data
- Attribution
- Attack type
- Targeted assets
SLIDE 10
NY NYMJCSC 2020 NY NYMJCSC 2020
Orient By Strategic Impact
Observe Orient Decide Act
Critical to Operations Valuable to Organization
- Mission functions
- Business continuity
- Intellectual property
- Financial data
- Customer data
- PII / PHI
Monetary Savings
- Risk reduction
SLIDE 11
NY NYMJCSC 2020 NY NYMJCSC 2020
Slice and Dice Observed Data
Observe Orient Decide Act
Aggregates Trends
- Asset types
- Business units
- Locations
- Monthly
- Quarterly
- Yearly
SLIDE 12
NY NYMJCSC 2020 NY NYMJCSC 2020
Decide Based on the Numbers
Observe Orient Decide Act
Increase Revenue Reduce Risk
- Added capability
- Differentiator
- Quantified current state
- Quantified future state
Reduce Costs
- Technology
- People
- Processes
SLIDE 13
NY NYMJCSC 2020 NY NYMJCSC 2020
Decide Based on Comparisons
Observe Orient Decide Act
Frameworks Industry Peers
- NIST CSF
- CMMC
- CIS 20
- Open source data
- Sector information
sharing centers
SLIDE 14
NY NYMJCSC 2020 NY NYMJCSC 2020
Decide Based on Priorities of Others
Observe Orient Decide Act
Board CEO
- Fiduciary
responsibilities
- Bottom line
CIO/ CSO/ CRO
- Regulations
- Accountability
SLIDE 15
NY NYMJCSC 2020 NY NYMJCSC 2020
Define Actions with OODA Loop Data
Observe Orient Decide Act
We have X [O [Observe], which means Y [O [Orient], so we will accomplish Z [D [Decide] by doing A [Ac Act] t].
SLIDE 16
NY NYMJCSC 2020 NY NYMJCSC 2020
Track Actions
Observe Orient Decide Act
What Why When
- Decide & Act
(project/task)
- Observe &
Orient
- Deadline
Who
- Responsible
individual/ group
SLIDE 17
NY NYMJCSC 2020 NY NYMJCSC 2020
Implementation Tips
Measure with key performance indicators (KPIs) and metrics Document procedures with other business units Develop each step of the process Automate, automate, automate
SLIDE 18