Start your day with intelligence. Get The OODA Daily Pulse.
Informing your decisions with actionable intelligence
Start your day with intelligence. Get The OODA Daily Pulse.
Informing your decisions with actionable intelligence
Members of the OODA expert network continuously track best practices for policy, procedures, technology and governance related to cyber defense. We work directly defending enterprises in cyber defense and maintain an always up to date list of actions in a form designed to help any organization stay as agile as possible in the face of dynamic adversaries. Read more at the OODA Special Report on Best Practices for Agile Cybersecurity
Enterprise technologists use the term “Zero Trust” to describe an evolving set of cybersecurity approaches that move defenses from static attempts to block adversaries to more comprehensive measures that improve enterprise performance while improving security. When the approaches of Zero Trust are applied to an enterprise infrastructure and workflows, the cost of security can be better managed and the delivery of functionality to end users increased. Security resources are matched to risk. Functionality, security and productivity all go up.
Over the past four years there has been an avalanche of new Zero Trust products. However during the same period there has been no measurable reduction in cyber breaches. Zero Trust is a concept where an organization has Zero Trust in a specific individual, supplier or technology that is the source of their cyber risk. One needs to have Zero Trust in something and then act to neutralize that risk. Thus buying a Zero Trust product makes no sense unless it is deployed as a countermeasure to specific cyber risk. Buying products should be the last step taken not the first. To help enterprises benefit from Zero Trust concepts here is a modified OODA loop type process to guide your strategy development and execution.
They’re not cybersecurity experts, but they did stay at a Holiday Inn Express last night. Because we have no common body of knowledge from which to explore and learn from prior art, you can predict like the seasons when another cohort of professionals from other disciplines will attempt to tell
Management guru Peter Drucker said, “what gets measured gets managed.” Which helps to explain why Cybersecurity Awareness Month is such a bad idea.
In our recent OODA Loop Stratigame – Scenario Planning for Global Computer Chip Supply Chain Disruption – in all four scenarios we determined that public-private partnership in the cybersecurity marketplace, including the establishment of industry-wide frameworks and standards, will be crucial. Organizations like the National Institute of Standards and Technology (NIST) will figure prominently in such efforts – and that means scanning the horizon for worthwhile government cybersecurity efforts which make sense for your company’s design innovation process, business models, and ideas around value creation and capture. To start, there is plenty of activity over at NIST related to cybersecurity worth a review.
This is the second part of our special series on Ransomware. The first provided an update on the nature of the threat, including an anatomy of a modern attack. This post, produced with inputs from real world cybersecurity practitioners Matt Devost, Bob Flores, Junaid Islam and Bob Gourley, provides information for Corporate Board of Directors and the CEO. In our experience, the guidance provided here can mitigate the existential risks of a ransomware infection to a low level.
In a recent 4-month long workshop, over 70 experts explored the concept of creating a “Cyber NTSB”. This workshop topic is consistent with themes like innovation and design processes for innovation, which cut across much of our recent OODA Loop research and analysis. It all starts with a design metaphor. This recent workshop used the National Transportation Safety Board as a design analogy/metaphor for a National Cyber Safety Board/National Cyber Security Board (NCSB). Specifically, innovation in “lesson-learning systems” for cybersecurity and cyber incidents – taking design process inspiration from the aviation safety models of the NTSB – was the goal of this “Cyber NTSB” workshop.
While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice and At Black Hat Conference 2021, CISA Director Jen Easterly launches CISA JCDC
Noted cybersecurity expert Mike Tanji provides context on what to expect from the cybersecurity actions and policies of the Biden Administration. His insights are based on thirty years in the field. He cautions us all to maintain a level of hope, but to not get too worked up about transitions and talk of change. Everyone is all talk until they sit down in the chair and begin to understand exactly what it takes to govern. That said, there are changes that can be expected. Here are a few signals to watch for to see if they will stick.
See: Meet the New Boss: Context on Cybersecurity and US Federal Leadership
Junaid Islam has 30 years of experience in secure communications. His protocols, algorithms and architectures have been incorporated into a broad range of commercial and national security systems. In the 90s he developed the first implementation of Multi-Level Precedence and Preemption (MLPP) for US Department of Defense C2 applications. He developed the first working Mobile IPv6 client to enable fast hand-off as well as IPv6 address scrambling for high side networks for the DoD’s Netcentric Warfare program. He developed the first network-based Zero Trust Architecture using Software Defined Perimeter (SDP) which was adopted by NIST for their Zero Trust specification 800-207. See: Junaid Islam Discusses 5G Security and Functionality at OODAcon
In cybersecurity, it has long been assumed that the attacker has the advantage and that defenders must deploy a disproportionate amount of resources (time, money, etc.) to even try and maintain some parity. In this piece, we’ve conducted interviews with two successful CISOs to provide insight into how they view security alpha issues. Mark Weatherford is a highly experienced and successful CISO who has worked in the public sector at both the state and federal level and also as a CISO for multi-billion dollar commercial organizations. Our Global FS CISO currently works as the Global CISO at one of the largest financial services firms in the world and has 25 years of experience working on cybersecurity and risk management issues.
Foreign bad actors are conducting a covert cyber war. The pace, frequency, and intensity of cyberattacks are now greater than ever. As the physical realm inevitably merges with the cyber one, forming a new kind of infrastructure, cyberattacks on this infrastructure can have a catastrophic impact on our energy, waste, water, transportation, and telecommunications facilities. Examples include potential attack on infrastructures like distributed control system (DCS) and supervisory control and data acquisition (SCADA) that monitor and control processes and plant with many control loops. Additionally, exploitation of supply chain vulnerabilities can substantially disrupt the way we live, work, and play.
In 2019 Congress passed legislation signed into law by the President establishing the U.S. Cyberspace Solarium Commission, chartered to develop a consensus on a strategic approach to defending the US against cyber attacks of significant consequences. The commission was established to be bi-partisan and also staffed and chartered to be as informed as possible by experts who really know the state of technology and cyber defense today. The commission executed its charter through extensive outreach and dialog with leaders in industry, academia, non-profits and government and produced deliverables that will make a positive change in our nation’s defense.
See: What Executives Need To Know About The Report of the Cyberspace Solarium Commission
“You’ve got to read what this kid is writing out of his basement at the University of Vermont…” – recently retired CIA officer to intelligence and military colleagues in 1994. A candid 25 year retrospective on a thesis that launched a tremendous amount of dialogue and action on the issues of information warfare, cyberterrorism, and cybersecurity. See:
In the cyber defense community, we talk about a wide-range of risk mitigating technologies, strategies, and activities. We talk about attacker deterrence and increasing costs for the attacker. We invest in endpoint agents, threat intelligence, DLM, and other mitigating technologies on a daily basis. Here’s why one of the most compelling emerging use cases for increasing attacker costs is through the use of deception. For more see: Deception Needs to be an Essential Element of Your Cyber Defense Strategy
This special report provides an overview of the dynamic trends underway in the cyber insurance market, including actionable information that executives can put to use right now in determining the right approach to using cyber insurance to transfer risk. The report also provides insights which can be of use to any tech firm seeking to partner with insurance companies to enhance services to the market. For more see: The Executive’s Guide to Cyber Insurance
There is something you really need to know about the State of California. They have optimized around a key function that they do very very well. They know how to collect money from corporations. They know how to collect taxes, and know how to levy large fines and collect on them. The business that owes California money will pay, and the State will likely do everything in their power to make sure they pay as much as the law allows. Keep this in mind as you read our guidance on the CCPA. For more see: What You Really Need To Know About the California Consumer Privacy Act (CCPA)
Traveling executives are frequent targets for cyber espionage. This report provides guidance for executives and their security teams on how to protect their information and technology while on the go. Produced by OODA co-founders Matt Devost and Bob Gourley, the report provides best practices, awareness of threats, and a deep understanding of the state of technology. A tiered threat model is provided enabling a better tailoring of actions to meet the threat. For more see: OODA Releases a Traveling Executive’s Guide to Cybersecurity
Managing the nexus between physical and cyber security is possible with a deliberate mindset and full cooperation and integration between the two teams. Physical security practitioners should view cyber defense experts as a vital component of their risk management strategy. For more see: For Executive Protection, Physical and Cyber Security Have Fully Converged
Members of the OODA expert network continuously track best practices for policy, procedures, technology and governance related to cyber defense. We work directly defending enterprises in cyber defense and maintain an always up to date list of actions in a form designed to help any organization stay as agile as possible in the face of dynamic adversaries. Read more at the OODA Special Report on Best Practices for Agile Cybersecurity
Mitigating Risks To America’s Cognitive Infrastructure: Our most important infrastructure is also our most neglected.
11 Habits of Highly Effective CISOs: What does it take to be a highly effective CISO?
Making Sense of Cyber Lessons : Lessons for enhanced cybersecurity across multiple domains including government, corporate, think tank and academic.
The CMMC: What business needs to know about how DoD will measure your security posture
Essential Management Strategies for Cybersecurity: Management lessons learned and essential actions to mitigate risks
10 Red Teaming Lessons Learned Over 20 Years – Red teaming is one of the most valuable things you can do within your organization. OODA CEO and Co-Founder Matt Devost offers up his top ten red teaming lessons learned from over two decades of red teaming across hundreds of engagements.
The Five Modes of HACKthink – Explores how to use a hacker mindset to solve complex problems and unlock opportunity.
Email – The Often Overlooked Cybersecurity Risk – Are silly email mistakes putting your sensitive data and customer PII at risk or in violation of GDPR. Matt Devost breaks down four real life examples that highlight inadvertent email risks.
Def Con – The highest yield cyber security event of the year.
The 5G Supply Chain Blindspot – This is the place few are looking regarding 5G security
Flaws In The U.S. Vulnerabilities Equities Process: Deep insights from our own expert Cindy Martinez.
Vulnerabilities, the Search for Buried Treasure, and the US Government: Analysis from noted expert and cybersecurity thought leader (and OODA network member) Jason Healey.
Here is How the FBI Wants You To Protect Your Audio/Visual Devices: From an FBI bulletin
CISA Outlines Agency’s Strategic Intent: Vision of the Cybersecurity and Infrastructure Security Agency
The Key To A Defensible Cyberspace: A look at the work of Jason Healey and the NY Cyber Task Force
How a Presidential Commission Was Tracking Hackers in 1996: New insights into the President’s Commission on Critical Infrastructure Protection
Maturing The Cyber Threat Intelligence Field into a Discipline: based on a career in operational intelligence
Cybersecurity and Technology Due Diligence: Resources that will keep you informed before and during due diligence
Informing your decisions with actionable intelligence
Informing your decisions with actionable intelligence