How Analysts can use the OODA Loop to Strengthen their Skillsets


For many years, cybersecurity professionals have talked about the OODA loop. Devised by Colonel John Boyd, it describes the decision-making cycle that fighter pilots apply in dogfights and that, when mastered, allows them to outwit adversaries. The acronym stands for Observe, Orient, Decide and Act, and if you can go through this decision cycle faster than your adversary, you can defeat them. In light of the shortage of skilled cybersecurity professionals, the more aspects of this often highly manual process we can automate, the more effective and efficient we can be at improving security operations. So, let’s automate the OODA loop and we’ll be set, right?

Not so fast. The SANS 2021 Report: Top Skills Analysts Need to Master says that “the keys to this loop are the activities and critical thinking that take place in the orientation phase and the fact that it is an iterative feedback model that allows analysts to adapt their decision-making based on the results of their analysis.” We can’t automate critical thinking. The OODA loop is based on the assumption that there is a person behind it bringing human intelligence – intuition, memory, learning and experience – into the process, so that we can continuously refine and move faster through the loop to better mitigate risk.

However, we can enable and accelerate the OODA loop in two ways. The first is by automating investigative tasks, as well as the actions taken once decisions are made. With the ThreatQ Platform, you can use automation to simplify and accelerate the process of translating threat data into action. For example, automation is well suited to aggregating millions of threat-focused data points into a central repository and translating them into a uniform format. It can also help overlay context by correlating external and internal threat data. You can apply automation to filter out some of the noise and get the right intelligence to the right tools at the right time. It can even help with learning, provided the system can retain and analyze data. The ThreatQ Platform does all of this for you.

The second way we can accelerate the OODA loop is by supporting investigative, or critical, thinking. As SANS discusses in their report, security analysts are increasingly becoming investigators. This means that the “orient” and “decide” phases take center stage, and those phases require human involvement. After all, who understands your environment better than you when it comes to defining risk and customizing scoring and prioritization? And who has the experience to determine the right action to take in your environment? Automation can accelerate and simplify processes across your security operations, but humans are an essential component, drawing on memory and learnings to turn unknown stimuli into known ones so you can move through the process faster for better decisions and accelerated action.
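The two preceding paragraphs describe automation as aggregating feeds into one uniform format, correlating external indicators with internal telemetry, filtering noise, and leaving scoring and prioritization weights to the analyst who knows the environment. The following is an added example, not ThreatQuotient’s code and not the ThreatQ Platform’s API, that walks through those steps on constructed data. The two feed schemas, the log line format, the scoring weights and the threshold are all assumptions chosen for illustration.

```python
"""Added example (not ThreatQ code): aggregate -> normalize -> correlate
-> score -> filter, on constructed feeds and constructed internal logs."""
from dataclasses import dataclass, field
import re

# Constructed sample input: two external feeds with different schemas.
FEED_A = [  # hypothetical CSV-style feed, already split into fields
    {"ioc": "203.0.113.10", "kind": "ip", "conf": "80"},
    {"ioc": "bad.example", "kind": "domain", "conf": "40"},
]
FEED_B = [  # hypothetical STIX-like feed carrying a pattern string
    {"pattern": "[ipv4-addr:value = '203.0.113.10']", "confidence": 60},
    {"pattern": "[domain-name:value = 'evil.example']", "confidence": 90},
]
# Constructed internal telemetry in a key=value proxy/firewall style.
INTERNAL_LOGS = [
    "2024-05-01T10:00:01Z proxy host=ws-17 dst=bad.example action=allow",
    "2024-05-01T10:02:44Z fw src=10.0.0.5 dst=203.0.113.10 action=deny",
    "2024-05-01T10:03:10Z fw src=10.0.0.9 dst=198.51.100.7 action=deny",
]


@dataclass
class Indicator:
    value: str
    ioc_type: str          # uniform vocabulary: "ip" or "domain"
    confidence: int        # 0-100, max over every source that reported it
    sources: set = field(default_factory=set)
    sightings: int = 0     # internal log lines that mention the value


STIX_RE = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")
TYPE_MAP = {"ipv4-addr": "ip", "domain-name": "domain",
            "ip": "ip", "domain": "domain"}


def normalize(feed_a, feed_b):
    """Aggregate both feeds into one dict keyed by indicator value."""
    merged = {}

    def add(value, raw_type, conf, source):
        ind = merged.setdefault(value, Indicator(value, TYPE_MAP[raw_type], 0))
        ind.confidence = max(ind.confidence, conf)   # keep the strongest claim
        ind.sources.add(source)                      # remember who reported it

    for rec in feed_a:
        add(rec["ioc"], rec["kind"], int(rec["conf"]), "feed_a")
    for rec in feed_b:
        m = STIX_RE.fullmatch(rec["pattern"])
        if m:  # skip patterns we cannot parse rather than guessing a type
            add(m.group(2), m.group(1), int(rec["confidence"]), "feed_b")
    return merged


def correlate(indicators, log_lines):
    """Overlay internal context: count log lines whose src/dst/host matches."""
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[2:] if "=" in kv)
        for key in ("src", "dst", "host"):
            ind = indicators.get(fields.get(key))
            if ind:
                ind.sightings += 1
    return indicators


def score(ind, type_weight, sighting_bonus=30, multi_source_bonus=10):
    """Analyst-tunable priority: feed confidence x type weight, plus bonuses
    for internal sightings (capped at 3) and for multi-source agreement."""
    s = ind.confidence * type_weight.get(ind.ioc_type, 1.0)
    s += sighting_bonus * min(ind.sightings, 3)
    if len(ind.sources) > 1:
        s += multi_source_bonus
    return round(s)


def prioritize(feed_a, feed_b, log_lines, threshold=50, type_weight=None):
    """Full pipeline; returns (value, score) pairs at or above threshold,
    highest first. Everything below threshold is the filtered-out noise."""
    type_weight = type_weight or {"ip": 1.0, "domain": 0.8}
    inds = correlate(normalize(feed_a, feed_b), log_lines)
    ranked = [(i.value, score(i, type_weight)) for i in inds.values()]
    return sorted([r for r in ranked if r[1] >= threshold], key=lambda r: -r[1])


if __name__ == "__main__":
    for value, s in prioritize(FEED_A, FEED_B, INTERNAL_LOGS):
        print(f"{s:4d}  {value}")
```

Note that the indicator seen in internal telemetry by two feeds outranks the higher-confidence feed entry that has never been observed locally; that is the “overlay context” step doing its work, and the weights passed to `prioritize` are where the analyst’s knowledge of the environment enters.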

This is where ThreatQ Investigations comes into play. By bringing together threat data, evidence and users in a single, collaborative environment, it lets all analysts involved in the investigation process work together. Rather than working in parallel, they can automatically see how the work of others affects and further benefits their own, and they can share and benefit from the human intelligence they each bring to the table. Validating data and sharing their collective insights and understanding fosters the critical thinking that drives successful investigations. Managers of all the security teams can use ThreatQ Investigations to see the analysis unfolding, which allows them to act when and how they need to, coordinating tasks between teams and monitoring timelines and results. Embedding collaboration into the investigation process ensures that teams work together to take the right actions faster.

Automation is a key strategy for offloading repetitive tasks and empowering humans to engage in advanced security operations activities more efficiently and effectively. This is why tools like the ThreatQ Platform and ThreatQ Investigations, which simplify and accelerate both investigation tasks and investigative thinking, are critical to improving security operations when used in conjunction with the OODA loop.

Download the SANS 2021 Report: Top Skills Analysts Need to Master to learn more.


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.