the ooda loop: a holistic approach to cyber security
Posted on 19-Oct-2014
DESCRIPTION
A holistic approach to cyber security is one that includes the threat actors, advanced telemetry of the network, and a defensive strategy that continuously adapts to the adversaries' capabilities and the threat landscape. By collecting and analyzing network data via technologies such as NetFlow, organizations can obtain the security intelligence needed to fill in the gaps left by conventional tools and more effectively feed their OODA loop - a cyclical process of Observation, Orientation, Decision and Action. By embracing the OODA loop, and turning the network into a sensor grid for delivering key security information, organizations can dramatically improve their situational awareness, incident response and forensics procedures.
When you leave this session you will...
• Understand how the motives and techniques of online attackers have changed over the last couple of decades
• Realize why conventional security tools like firewalls and antivirus are no longer enough to fend off today's advanced threats, and why more holistic cyber security strategies are needed
• Know about the "OODA loop" and how it can be applied to cyber security to protect IT infrastructure and data from advanced adversaries
• Understand how network data such as NetFlow can be cost-effectively collected and analyzed to feed and speed up your OODA loop
• Have a strategy for dramatically improving incident response and forensics
TRANSCRIPT
The OODA Loop: A Holistic Approach to Cyber Security
TK Keanini, CTO, Lancope. Dude, follow me on Twitter @tkeanini
Cyber Security Strategy Retrospective
Yesterday:
• Fragmented Tactics
• Deterministic Threat
• Push exploits to Enterprise
• Single-Step Exploits
• Overt Tactics (cost to exploit)
• Threat Intelligence Optional
Today:
• Holistic Strategy
• Adaptive Threat
• Pull exploits to Enterprise
• Multi-Step Exploits
• Covert Tactics (cost to remain hidden)
• Threat Intelligence Mandatory
Continuously evaluate your strategy
A Holistic Approach to Cyber Security
• Holistic Strategy (Framing the Conflict)
• Holistic Telemetry (Data Complete)
• Holistic Understanding (Information and Knowledge Complete)
Holistic Strategy
• Inclusive of all the players – Not just operations, must include bad guys
• Must be a continuous process – If it does not look like a loop, it's probably wrong
• A framework for the changing dynamics of conflict – Understanding the game dynamics
How to Best Frame Conflict
• Sun Tzu
• Musashi
• Clausewitz
Colonel John Boyd (1927 – 1997)
• Fighter Pilot – Forty-Second Boyd
• Military Theories – Energy Maneuverability Theory
• Drove requirements for the F-15 and F-16
  – Discourse on Winning & Losing
  – Destruction & Creation
  – Many modern military strategies based on Boyd
• The OODA Loop – the concept that all combat, indeed all human competition from chess to soccer to business, involves a continuous cycle of Observation, Orientation, Decision, and Action
Simplified OODA in the Context of Time
• Intelligence
  – Observation
  – Orientation
• Execution
  – Decision
  – Action
Feedback Loops of the OODA Loop
[Diagram: Conflict: Red vs. Blue – the Red Ops OODA cycle and the Blue Ops OODA cycle shown running against each other]
Spin your loop faster than your adversary
OODA for Cyber Security
OODA Loop Summary
• Observation and Orientation (OO) increase your perceptive boundaries – Superior Situational Awareness
• Sampling rate of the OO is relative to the rate of change – Fast enough to represent change
• Decision and Action raise the cost of your adversaries' Observation/Orientation
• Operate at a faster tempo or rhythm than our adversaries
Ultimately you are making it more expensive for the adversary to operate and hide
Holistic Telemetry
• Multi Sensor – No place to hide (space and time)
• Metadata as Context
• Observation of Data – Completeness
• Orientation of Information – User Centric – App Centric
[Diagram: "Data Complete" – layers of telemetry: Flows, IP, MAC, App, Users]
telemetry (noun): automatic transmission and measurement of data from remote sources by wire or radio or other means
Holistic Understanding: Intelligence
[Diagram: a layered pyramid along an Analytic – Synthetic axis]
• Craft Knowledge – Synthesis of Information Sets – Know-how – Observer Centric
• Fusion of Data → Information – Synthesis of Data Sets – Information Sets
• Atomic Data – Identifiers, Addresses, Counts, Types, etc. – Sets of Signals & Symbols
Holistic Cyber Security: The Art of Cyberwar
[Diagram: the OODA stages (Observation, Orientation, Decision, Action) mapped against Data, Information and Knowledge, with levels of automation (Automated, Semi Automated, Manual) and SDN / Cloud]
OODA Loop and the Kill Chain
• Infiltration
• Exfiltration
Your Infrastructure Provides the Observation...
[Diagram: example enterprise network – Internet, Atlanta, San Jose and New York sites; WAN, DMZ, Access and Datacenter zones; devices including ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3850 Stack(s) and Cat4k, each exporting NetFlow]
© 2013 Lancope, Inc. All rights reserved.
…for Total Visibility from Edge to Access. StealthWatch delivers the Orientation
[Diagram: the same network, with StealthWatch providing the Orientation over the NetFlow exported from every device]
Data Observation
Geographic Traffic Orientation
Time of Day Orientation
User Location Orientation
Data Hoarding Orientation
Data Disclosure Orientation
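As an added example (not code from the talk or from StealthWatch), here is the Orientation step over constructed NetFlow-style records: raw flows are fused into per-host information (bytes pulled from internal servers, bytes pushed to external addresses, off-hours activity) and then into data-hoarding and data-disclosure findings of the kind the slides above name. The 10.0.0.0/8 internal range, the thresholds and the sample records are assumptions made up for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the enterprise's internal address space (made up for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed NetFlow-style records (src, dst, bytes carried src->dst, hour of day); not captured traffic.
FLOWS = [
    ("10.1.5.5", "10.1.1.20", 900_000_000, 2),       # file server -> workstation at 02:00
    ("10.1.5.6", "10.1.1.20", 700_000_000, 2),       # second server -> same workstation
    ("10.1.5.7", "10.1.1.20", 400_000_000, 3),       # third server -> same workstation
    ("10.1.1.20", "203.0.113.9", 1_500_000_000, 3),  # that workstation -> external host
    ("10.1.5.5", "10.1.1.21", 5_000_000, 10),        # ordinary daytime file access
    ("10.1.1.21", "198.51.100.7", 2_000_000, 11),    # ordinary outbound web traffic
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def orient(flows, hoard_bytes=1_000_000_000, hoard_sources=2,
           disclose_bytes=1_000_000_000, off_hours=range(0, 6)):
    """Data -> Information -> Knowledge: fuse flows into per-host counters, then into findings."""
    pulled = defaultdict(int)    # bytes each internal host received from internal sources
    sources = defaultdict(set)   # distinct internal sources feeding each host
    pushed = defaultdict(int)    # bytes each internal host sent to external addresses
    off_hour_hosts = set()       # internal hosts seen active outside business hours (assumed 06:00-23:59)
    for src, dst, nbytes, hour in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in:
            pulled[dst] += nbytes
            sources[dst].add(src)
        elif src_in and not dst_in:
            pushed[src] += nbytes
        if hour in off_hours:
            off_hour_hosts.update(ip for ip, inside in ((src, src_in), (dst, dst_in)) if inside)
    findings = {}
    # Data hoarding: one host pulling an unusual volume from several internal servers.
    for host, total in pulled.items():
        if total >= hoard_bytes and len(sources[host]) >= hoard_sources:
            findings.setdefault(host, []).append("data hoarding")
    # Data disclosure: an internal host pushing an unusual volume out of the network.
    for host, total in pushed.items():
        if total >= disclose_bytes:
            findings.setdefault(host, []).append("data disclosure")
    # Time-of-day orientation adds context to hosts already flagged; decision/action is left to the analyst.
    for host in findings:
        if host in off_hour_hosts:
            findings[host].append("off-hours activity")
    return findings
```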
http://www.lancope.com
@Lancope (company) @netflowninjas (company blog)
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas
Thank You
TK Keanini, Chief Technology Officer [email protected] @tkeanini