The Information Security OODA Loop Part 4: Decide

Wednesday, April 04, 2012

Rafal Los


(part one) (part two) (part three)

Welcome to one of the most difficult parts of the OODA Loop series - the actual decision.

If you go through the OODA Loop (Observe, Orient, Decide and Act) faster than your opponent, you will win any given incursion.  In the previous installments we discussed the observation and orientation portions of the cycle, but now it's time to decide.

What exactly are you going to decide?  After all, you've gathered a lot of information, made an attempt to understand the context of that information from many different angles, but now what?  You must decide.

There are many decisions to be made, for example, whether to act or to simply carry on.  You may need to decide what type of response to take, how swiftly, when, or whom to involve... but the decision is the key to a good action.

There are any number of possible decisions to be made in an information security OODA Loop cycle.  Sometimes the most basic decision to be made is whether to move on to the Act step or to hold your position.  Too often information security tends to look at a potential event and assume that the response must be action.  Let's take a concrete example...

You see an obvious SQL Injection attack come across your IPS.  If you don't already have it set to block (and let's face it, many organizations are still gun-shy about blocking anything) then the natural response is to go into triage mode when a packet triggers an SQL Injection attack pattern.  This sounds like the right response until you look deeper into the issue and realize that the attack was aimed at a NoSQL database, which can't possibly be SQL Injected in the traditional manner.

If your response was action then you just wasted time and effort that could have been put into responding to an actual threat.  With the crunch for time in IT resources it's hard to justify losing a few minutes to chasing something irrelevant - so the decision becomes key.

There are, I believe, 3 key aspects of a decision in the OODA Loop as it applies to information security.  If you're going to make a decision, these 3 components should be thought about and accounted for, and at the front of your mind...

  • Authority - Is the decision being made from a point of authority?  The question isn't one of whether you're the boss or not; rather, whether the decision is being made from a position of being well-informed.  Authority requires that you have all the information in context so a decision cannot easily be called into question.  This is an issue information security professionals have struggled with for years in our field.  Every time we want to pull the trigger on a decision - usually some sort of action - the action is questioned not only by our peers but by our superiors as well.  Having an authoritative decision-making capability means that you've analyzed all aspects of the information from all the required perspectives.
  • Timeliness - If a decision is to be made, especially in information security, time is almost always of the essence.  Taking too long to make a decision often leads to catastrophic results.  While you're collecting information and bringing it all into context in the Observe and Orient portions of the OODA Loop, keep in mind that the Decide portion has an expiration date that generally comes quickly.  If you're under a cyber attack it is likely that the difference between an attack and a full-scale compromise may be a matter of a few packets of data on the wire.  At today's Internet speeds and processing capabilities that gives us mere microseconds to decide what to do.  The situation is not always so dire, but the point of timeliness must be understood.
  • Defensibility - When you've made a decision with both authority and timeliness in mind, you're likely going to have to defend it at some point in time.  This is a fact of life when working in information security.  Too often we find that in order to stop an intrusion sacrifices had to be made and legitimate business was slowed or interrupted.  Can you defend the decision you've made, even when all the information supported it and the results were positive?  Sometimes a positive result doesn't mean your decision won't be questioned - make sure you're defensible.
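The IPS example above and the three aspects just listed can be put into working code as a small triage helper. The following is an added example and not part of the original post: it parses constructed IPS alert lines (a made-up key=value format), looks each target up in a constructed asset inventory, and produces a recorded decision in which authority is "do we have the context to decide", timeliness is "was the decision reached before a deadline", and defensibility is the written rationale attached to every outcome. Hostnames, signature names, addresses and the `SQL_BACKENDS` set are all assumptions made for the example.

```python
"""Added example (not from the original post): a Decide-step triage helper
for IPS alerts. Alert format, inventory, hostnames and signature names are
constructed for this example and are not real."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (hypothetical): which database sits behind each host.
ASSET_INVENTORY = {
    "web-01.example.internal": {"backend": "postgresql", "owner": "payments-team"},
    "catalog-02.example.internal": {"backend": "mongodb", "owner": "catalog-team"},
}

# Constructed IPS alert lines in a made-up key=value format.
SAMPLE_ALERTS = [
    "2012-04-04T10:15:02Z IPS sig=SQLI-UNION-SELECT src=203.0.113.7 dst=web-01.example.internal uri=/login",
    "2012-04-04T10:15:03Z IPS sig=SQLI-UNION-SELECT src=203.0.113.7 dst=catalog-02.example.internal uri=/search",
    "2012-04-04T10:15:04Z IPS sig=SQLI-UNION-SELECT src=203.0.113.9 dst=unknown-host uri=/api",
]
# Constructed "current time" for the sample run, one minute after the alerts.
SAMPLE_NOW = datetime(2012, 4, 4, 10, 16, 0, tzinfo=timezone.utc)

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) IPS sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) uri=(?P<uri>\S+)$"
)
# Backends where a traditional SQL injection signature is actually applicable (assumed list).
SQL_BACKENDS = {"postgresql", "mysql", "mssql", "oracle", "sqlite"}


@dataclass
class Decision:
    alert: dict
    action: str                # "act", "monitor" or "escalate-for-context"
    authority: bool            # did we have the context needed to decide?
    timely: bool               # was the decision reached before the deadline?
    rationale: list = field(default_factory=list)  # the defensibility record


def parse_alert(line):
    """Parse one alert line; return None for lines that do not match the format."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return alert


def decide(alert, inventory, now, deadline=timedelta(minutes=5)):
    """Apply the Decide step to one parsed alert and return a recorded Decision."""
    rationale = []
    # Timeliness: a decision reached after the deadline is recorded as late,
    # not silently accepted.
    timely = (now - alert["ts"]) <= deadline
    if not timely:
        rationale.append("decision reached after the %s deadline" % deadline)

    # Authority: without inventory context we cannot decide authoritatively,
    # so the honest outcome is to go back for the missing context.
    asset = inventory.get(alert["dst"])
    if asset is None:
        rationale.append("no inventory entry for %s; context incomplete" % alert["dst"])
        return Decision(alert, "escalate-for-context", False, timely, rationale)

    backend = asset["backend"]
    if alert["sig"].startswith("SQLI") and backend not in SQL_BACKENDS:
        # The post's NoSQL case: the signature does not fit the target, so acting
        # would waste response effort. Keep it visible rather than dropping it,
        # since NoSQL stores have injection issues of their own.
        rationale.append(
            "signature %s targets SQL, backend is %s: not applicable, monitor only"
            % (alert["sig"], backend)
        )
        return Decision(alert, "monitor", True, timely, rationale)

    rationale.append(
        "signature %s matches %s backend owned by %s" % (alert["sig"], backend, asset["owner"])
    )
    return Decision(alert, "act", True, timely, rationale)


def triage(lines, inventory, now):
    """Decide on every parseable alert line; unparseable lines are skipped."""
    decisions = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            decisions.append(decide(alert, inventory, now))
    return decisions


if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS, ASSET_INVENTORY, SAMPLE_NOW):
        print(d.alert["dst"], d.action, "authority=%s timely=%s" % (d.authority, d.timely))
        for r in d.rationale:
            print("   -", r)
```

Run as a script it prints the three outcomes for the sample alerts: the PostgreSQL-backed host gets "act", the MongoDB-backed host gets "monitor" with the mismatch written into the rationale, and the host missing from the inventory gets "escalate-for-context" with authority recorded as false. The rationale list is the part that matters for defensibility: whichever way the decision goes, the reasons travel with it.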

There you have it, my 3 key points for making a good decision in the information security OODA Loop.  Next time, we act!

Cross-posted from Following the White Rabbit
