During the Korean War, John Boyd, an Air Force pilot and military strategist, studied why the F-86 Sabre was so successful in shooting down the Russian MiG-15 of that generation. He discovered that the U.S. planes, while inferior in terms of speed, range and altitude, were more manoeuvrable and thus able to act faster than the MiG could react.
Boyd characterised the Sabre's ability to turn rapidly in response to the more cumbersome MiG as thinking and reacting ahead of the enemy. His system was to gather all the facts, observe the way the target reacted, process all the information and then make lightning decisions.
He called this an OODA loop - Observation, Orientation, Decision, and then Action. The strategy? The decision-maker who moves fastest through the OODA loop beats their opponent by acting first and changing the situation for an adversary.
Boyd's strategy resonates when we assess cyber security. I've often compared cyber security professionals to spy hunters who deploy effective counter-intelligence to beat rival attackers. For some time, I've preached that we must hunt the threats before they hunt us. These ideas mirror Boyd's strategy for modern times. A cyber attack places the target in an OODA loop that requires a lightning-fast response. Merely reacting to a cyber attack will always be too late.
To win within the OODA loop paradigm, security teams must make a superior, faster decision than the attacker using only the information directly at hand. Boyd's theory centred on how we tend to view the world around us as we insist it should be, rather than shifting our perspective to incorporate circumstances as they change.
In the world of cyber attacks, circumstances, attack vectors, different malware and new exploits change on every day that ends in a Y. If we are not able to think with flexibility, adapt quickly to changing circumstances and make a decision that beats our attacker to the punch, a catastrophic breach may occur.
Effective cyber security will orient faster to an actionable decision than an attacker. Such cyber security will focus on a few critical areas to always win the OODA loop:
- Security will focus on the endpoint. This moves security and response closest to the most common point of attack - the human that makes a mistake.
- Decisions will be made with the best available information. During an attack there is no time to conduct research or ask for help. Security will leverage big data and analytics, instantly updated from the cloud, to make the best decisions.
- Security will move to a collaborative approach. When threats and exploits are shared among many people, the potential attack surface is reduced. If one member of an ecosystem is attacked, all other members will know about the attack and immediately orient to act to prevent future attacks. This will make the cost of designing an attack higher than the gains from successfully attacking many consumers.
- Security operations will be simplified. Remember that the first party to effectively orient to a situation, decide and act wins. By simplifying operations, security can move protection through the process faster than the attacker.