A good presentation should give the audience some food for thought. I’ve sat through my share of presentations, and I try to learn from those experiences to make sure that I deliver value to my audience during my own talks.
Delivering a remote presentation constitutes a whole other level of difficulty, of course, and so I’m always looking for tips on how to improve. While I rarely get the chance to practice what I’ve learned, I recently had just such an opportunity to deliver a webinar together with Jonathan Trull, the CISO of Qualys.
Jonathan went first, and normally in that situation I’d be busy reviewing my own slides, notes, and talking points. However, in this instance, I found myself following his presentation. In particular, one of his themes was the OODA loop.
This is something that I’ve written about before in the context of security, but it strikes me as particularly relevant in the context of SecOps. There are a few phases that comprehensive security has to go through:
- Observe: Track security bulletins
- Orient: Analyse patching status
- Decide: Identify risks
- Act: Roll out patches
The concept of the OODA loop was famously developed by John Boyd to analyse aerial dogfighting. The idea is that both fighter pilots are running their own OODA loop, but to be successful, one fighter has to execute their loop faster – get “inside the loop.”
Jonathan’s theme from our webinar is that attackers tend to be able to execute their loop faster than the security measures in place to stop such attacks. This speed enables them to get inside a defender’s loop and complete their attack successfully – stealing data, impacting business service availability or performance, defacing a website, or whatever their goal might be.
Much of the focus in security has been on the earlier parts of the OODA loop, trying to make sure that we detect the issues (and that’s very important!) Many of the big breaches of 2014 have this factor in common: the initial breach was not detected for a very long time – weeks or even months.
However, once an attack or a breach has been detected, somebody needs to take action to go fix the problem. This is the Act phase, where the IT Operations team takes action to address whatever problem was detected.
In the same way as the Security group focus on the earlier parts of the cycle – in particular on detecting attacks and vulnerabilities – Operations teams focus on acting as fast as possible. The problem is that even if individual steps can be executed rapidly, if the process is not connected attackers will still be able to get inside the loop. The SecOps Gap occurs when the decision process is connected too weakly to the remediation action to be taken, slowing or even breaking the cycle around the Boyd Loop.
This is why the alliance between BMC and Qualys is so important: by connecting vulnerabilities to remediation actions and process governance, our joint approach enables IT to iterate far more rapidly around the loop preventing attackers from getting inside their decision loop.