A holistic approach to cyber security is one that includes the threat actors, advanced telemetry of the network, and a defensive strategy that continuously adapts to the adversaries' capabilities and the threat landscape.
By collecting and analyzing network data via technologies such as NetFlow, organizations can obtain the security intelligence needed to fill in the gaps left by conventional tools and more effectively feed their OODA loop - a cyclical process for Observation, Orientation, Decision and Action. By embracing the OODA loop, and turning the network into a sensor grid for delivering key security information, organizations can dramatically improve their situational awareness, incident response and forensics procedures.
When you leave this session you will...
• Understand how the motives and techniques of online attackers have changed over the last couple of decades
• Realize why conventional security tools like firewalls and antivirus are no longer enough to fend off today’s advanced threats, and why more holistic cyber security strategies are needed
• Know about the “OODA loop” and how it can be applied to cyber security to protect IT infrastructure and data from advanced adversaries
• Understand how network data such as NetFlow can be cost-effectively collected and analyzed to feed and speed up your OODA loop
• Have a strategy for dramatically improving incident response and forensics
3. A Holistic Approach to Cyber Security
• Holistic Strategy (Framing the Conflict)
• Holistic Telemetry (Data Complete)
• Holistic Understanding (Information and Knowledge Complete)
4. Holistic Strategy
• Inclusive of all the players
– Not just operations, must include bad guys
• Must be a continuous process
– If it does not look like a loop, it's probably wrong
• A framework for the changing dynamics of conflict
– Understanding the game dynamics
• Sun Tzu
• Musashi
• Clausewitz
How to Best Frame Conflict
5. Colonel John Boyd (1927 – 1997)
• Fighter Pilot
– Forty-Second Boyd
• Military Theories
– Energy Maneuverability Theory
• Drove requirements for the F-15 and F-16
– Discourse on Winning & Losing
– Destruction & Creation
– Many modern military strategies based on Boyd
• The OODA Loop
– The concept that all combat, indeed all human competition from chess to soccer to business, involves a continuous cycle of Observation, Orientation, Decision, and Action
6. Simplified OODA in the Context of Time
• Intelligence
— Observation
— Orientation
• Execution
— Decision
— Action
8. Conflict: Red vs. Blue
[Diagram: the Red Ops OODA loop (O O D A) shown against the Blue Ops loop running in the opposite direction (A D O O)]
Spin your loop faster than your adversary
OODA for Cyber Security
9. OODA Loop Summary
• Observation and Orientation (OO) increase your perceptive boundaries
– Superior Situational Awareness
• Sampling rate of the OO is relative to the rate of change
– Fast enough to represent change
• Decision and Action raise the cost of your adversaries' Observation/Orientation
• Operate at a faster tempo or rhythm than our adversaries
Ultimately you are making it more expensive for the adversary to operate and hide
10. Holistic Telemetry
• Multi Sensor
– No place to hide (space and time)
• Metadata as Context
• Observation of Data
– Completeness
• Orientation of Information
– User Centric
– App Centric
Data Complete
[Diagram: telemetry sources labelled Flows, IP, MAC, App and Users]
telemetry (noun): automatic transmission and measurement of data from remote sources by wire or radio or other means
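As an added illustration of the Observation/Orientation stages from the two slides above (example code, not part of the deck): NetFlow-style flow records are the atomic data, aggregation within a sampling window is the observation, and enrichment with user/asset metadata is the orientation that produces a decision input. The flow records, the asset table, the internal ranges and the byte threshold are all constructed assumptions.

```python
"""Observe/Orient over NetFlow-style records (added example; all data constructed)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-like records: (src, dst, dst_port, bytes, unix_time)
FLOWS = [
    ("10.1.1.20", "10.1.1.5", 445, 120_000, 1000),
    ("10.1.1.20", "203.0.113.9", 443, 900_000_000, 1010),
    ("10.1.1.20", "203.0.113.9", 443, 800_000_000, 1020),
    ("10.1.1.30", "198.51.100.4", 443, 40_000, 1015),
]
# Constructed "metadata as context": which user and asset sit behind an address.
ASSETS = {"10.1.1.20": ("alice", "finance-workstation"),
          "10.1.1.30": ("bob", "dev-laptop")}
# Assumed internal address space (RFC 1918 ranges).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def observe(flows, window, now):
    """Observation: sum outbound bytes per (src, dst) seen within the sampling window."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes, ts in flows:
        if now - ts <= window and is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return totals


def orient(totals, assets, threshold):
    """Orientation: attach user/asset context to pairs over an assumed byte threshold."""
    findings = []
    for (src, dst), nbytes in totals.items():
        if nbytes >= threshold:
            user, asset = assets.get(src, ("unknown", "unknown"))
            findings.append({"src": src, "dst": dst, "bytes": nbytes,
                             "user": user, "asset": asset})
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


def decision_input(findings):
    """One summary line per finding for the (manual) Decide/Act stages."""
    return [f"{f['user']}@{f['asset']} ({f['src']}) -> {f['dst']}: "
            f"{f['bytes']} bytes outbound" for f in findings]
```

Shrinking the window and raising the polling rate is the "sampling rate relative to the rate of change" point from the summary slide; the threshold and window here are placeholders a real deployment would baseline per asset.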
11. Holistic Understanding
Intelligence
• Data (Atomic)
– Identifiers, Addresses, Counts, Types, etc.
– Sets of Signals & Symbols
• Information (Fusion of Data)
– Synthesis of Data Sets
– Information Sets
• Knowledge (Craft)
– Synthesis of Information Sets
– Know how
– Observer Centric
[Diagram axis: from Analytic to Synthetic]
12. Holistic Cyber Security
The Art of Cyberwar
[Diagram: the OODA loop (Observation, Orientation, Decision, Action) mapped against the Data, Information and Knowledge tiers and the Automated, Semi-Automated and Manual tiers; SDN and Cloud are also labelled]
13. OODA Loop and the Kill Chain
[Diagram: kill chain with Infiltration and Exfiltration labelled]