Learning Security Protocols From the OODA Loop

A thought process originally envisioned by the U.S. Air Force for training its fighter pilots may also help IT managers deal more effectively with security challenges.


AUSTIN, Texas—When a fighter pilot is in a dogfight, a specific set of skills plays a role in whether the pilot survives the encounter. One set of those skills is a particular way of reacting to what’s going on during the aerial competition. Those same skills can also help you deal with security threats.

According to Bruce Schneier, author of “Click Here to Kill Everybody” and formerly the CTO of Resilient Technologies, now part of IBM, that set of skills is called OODA. That’s an acronym for Observe, Orient, Decide and Act. In the IT world, it goes something like this:

Observe: What’s happening in your network in real time?

Orient: How does it tie in to what’s happening in the real world?

Decide: Given your view at the time, what do you need to do to prevent damage?

Act: Take action on your decision.

The OODA loop was developed by military strategist and USAF Col. John Boyd. Boyd applied the concept to the combat operations process, often at the operational level during military campaigns.

Ideally, in the IT world, you should practice OODA constantly when dealing with a threat. Once you’ve gone through the process, you should immediately start doing the same thing again until the threat is eliminated—thus the OODA loop.

Speaking at the SpiceWorld conference here, Schneier provided a number of examples of how such an OODA loop could work. Later, speaking with eWEEK, he elaborated.

“You can see where your deficiencies are,” he explained. “How well is your network management system handling a security attack? Do you have a threat feed, and if you do, are you getting actionable information? Who can make the decisions that you need to take action?”

Weak Points in Security Plan Can Be Revealed

Schneier said that just the process of taking action can reveal weak points in your security plan—as well as in your company’s management structure.

“Suppose you had to make a decision in five minutes,” he asked. “Would you be able to do this?”

Schneier said that it’s important to know who you would ask and to determine how quickly they could respond. How many steps up the line in your chain of authority would a decision take? How quickly could your management respond? Would you be able to react to a security incident in time to make a difference?

Chances are, you don’t know whether you could get a decision to take critical action to fight a cyber-threat in five minutes. Who would you call to get permission to take the company website offline in five minutes? How about to take the company offline? How many people would have to sign off to make such a decision?

But the unfortunate truth is that such fast action is now required. Schneier pointed out that a company can fall victim to a ransomware attack in minutes because of a misconfigured router. Sometimes the only way to protect the company is to take everything offline while the router is configured, and that may need to be done in minutes, not hours.

Keeping Up With the Attackers, Who Constantly Improve

Much of the problem is that attackers get better continuously. Tools get better, but the software from vendors doesn’t get better at the same rate. Schneier said that this expands the attack surface, while also shrinking the time to act.

One important fact about the OODA loop is that you have to know your available choices when you get to the decision point, and you need to know what your permissible actions are. While every company is different, it’s critical that the IT staff has specific guidance on what actions they are allowed to take to protect the company’s network and IT systems. And they need to know specifically who they need to ask to get authority to act if the action goes beyond the authority already granted.

The only way to do this is to work it out in advance. You need to start with your immediate supervisor, and ask what actions you’re allowed to take—what actions your supervisor can authorize, and what actions need to be referred to someone farther up the chain of authority.

Once you’ve done that, you need to find out whom to ask when that person isn’t available, perhaps because they’re out of the office. Then you need to develop procedures for how quickly the decision must be turned around. If you need to take the company offline to fix a misconfigured router, you need approval in a couple of minutes, not in a half hour when the right person gets back from lunch or out of a meeting. Do you have the procedures set up to do that?

Bake In the OODA Loop Routine Before an Attack Happens

When the cyber-attack begins, and it will, you may have time to run through the OODA loop a few times, but you won’t have time to decide what you’re allowed to do, and you won’t have time to determine what actions you’re allowed to take. These steps need to have been done already.

One critical final step once you’ve determined what decisions you can make, what decisions others must make and what your authorized actions are is to write everything down in a formal procedure, and then get it signed off by those along the way who will be involved.

When the barbarians are at the gate, that’s not the time to have some manager ask who gave you the authority to lock the door.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...