The Information Security OODA Loop Part Two - Observe

Sunday, April 01, 2012

Rafal Los


As I brought up in my introductory post on the OODA Loop, Information Security is in a constant chess match with the opposition - that is, the 'attackers' who are better resourced, better funded, and often significantly better equipped. 

In order to have some way of fighting this type of asymmetric digital warfare the good guys need to have an organized, formalized way of identifying current threats and reacting in near-real-time in order to reach a state of detente.

As you likely already know, asymmetric warfare on a digital and global stage is much different than the sorts of things we were used to years ago in information security. 

Script kiddies, while still dangerous because they'll SQL Inject your databases if you're not careful, aren't the predominant threat in the type of stage we're talking about.  The rise of the determined attacker as a primary threat agent I feel, is something we're going to have to live with going forward in information security as a whole.

Whether you're thwarting state-sponsored cyber espionage, or trying to prevent your poorly written database-driven application from being completely pillaged - the requirements are the same. 

Information Security requires vision and visibility into nearly every aspect of an organization's operations.  This visibility goes past the typical security bits though, and needs to look into operational and physical aspects of any organization's operation to ensure a decent OODA Loop is even possible.

So here's the thing with the first O - Observe, you have to know that there are a few components to observation.  First off, we have to make our peace with the fact that observation is not always the first step in any engagement cycle.  Also, in the kinetic sense observe means keeping your eyes open to the evolving environment and situation, while in the cyber world it means being able to virtually see what's going on.  So far, so good.

So what sorts of things do we want to observe if we're in an OODA Loop?  It's not fair to say "everything" because you can't feasibly observe everything, nor is everything observable... so let's be realistic.  Here's a short, non-exhaustive list of the things that we're going to be interested in:

  • information security-related events (typical dashboard stuff)
  • network performance data - latency, saturation, utilization, connectivity, etc.
  • system performance data - utilization, patch status, baselines (and deviations from baselines)
  • application performance data - utilization, uptime, capacity, query times, load times, usage
  • Internet threat intelligence (collective data from across the Internet)
  • physical security information - employee/user audit trail (success, failure, baselines), employee movement, new users, privilege changes, etc.
  • ...and so much more

As you can see, the Information Security organization has a snowball's chance in he** of being able to effectively collect this information if they live in an operational silo, like many do today.  Instead, many effective organizations - either through movements like DevOps, SecOps, and others - operate cross-functionally across not just the entire organization, but also across the community of security. 

Sharing intelligence not only internally but with the general security community through available programs is critical to the success of your security defensive strategy, and your ability to execute the first O - Observe effectively.  This is not the only time reaching outside your own organization is critical.

Now, you've taken this first step and are amassing an amazing amount of information - but what do you do with it?  Where will you store it and how will you prepare for the second O - Orient? 

Let's think of a completely realistic scenario where you have a system that not only accepts internal security-related information, but also other non-security information... and on top of that feeds from other systems and threat intelligence in a custom manner and processes that all to give you visibility into the real-time picture of what you're doing.  An intelligence platform, dare I say SIRM platform, is what you're looking for in order to be able to have "eyes wide open" in your organization.

This is not a sales pitch, this is reality.  The quality of your intelligence aggregation system is directly proportional to your ability to 'see' your threats.  You've likely got millions upon millions of [security] events in any reasonably large enterprise... so you're not just looking for a needle in a haystack - you're looking for a needle in a haystack of needles. 

It's simple to get caught up chasing ghosts, phantoms and irrelevant events... when what you really need is a way to find that one or two all-important, carefully hidden and masked 'serious issue.'

Well now that we have the "Observe" part of the OODA Loop down, let's talk about the second O - Orient - next. Until then...

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Security Strategies Methodologies Incident Response Attacks Network Security hackers Information Security Infosec Cyber Intelligence OODA Loop
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.