Research and Analysis on Defensive Strategies

The New Enterprise Architecture Is Zero Trust

Enterprise technologists use the term “Zero Trust” to describe an evolving set of cybersecurity approaches that move defenses from static attempts to block adversaries to more comprehensive measures that improve enterprise performance while strengthening security. When the approaches of Zero Trust are applied to an enterprise infrastructure and workflows, the cost of security can be better managed and the delivery of functionality to end users increased. Security resources are matched to risk. Functionality, security and productivity all go up.

Zero Trust Will Yield Zero Results Without A Risk Analysis

Over the past four years there has been an avalanche of new Zero Trust products. However, during the same period there has been no measurable reduction in cyber breaches. Zero Trust is a concept where an organization has zero trust in a specific individual, supplier or technology that is the source of its cyber risk. One needs to have zero trust in something and then act to neutralize that risk. Thus buying a Zero Trust product makes no sense unless it is deployed as a countermeasure to a specific cyber risk. Buying products should be the last step taken, not the first. To help enterprises benefit from Zero Trust concepts, here is a modified OODA loop-type process to guide your strategy development and execution.

The False Pundits of Cyber Will Lead Us Astray If We Let Them

They’re not cybersecurity experts, but they did stay at a Holiday Inn Express last night. Because we have no common body of knowledge from which to explore and learn from prior art, you can predict like the seasons when another cohort of professionals from other disciplines will attempt to tell

Want To Reduce Risk? It Is Time To End Cybersecurity Awareness Month

Management guru Peter Drucker said, “what gets measured gets managed,” which helps to explain why Cybersecurity Awareness Month is such a bad idea.

NIST Cybersecurity Framework Gains Private Sector Traction and Other Noteworthy Cyber Efforts from the Institute

In our recent OODA Loop Stratigame – Scenario Planning for Global Computer Chip Supply Chain Disruption – in all four scenarios we determined that public-private partnership in the cybersecurity marketplace, including the establishment of industry-wide frameworks and standards, will be crucial. Organizations like the National Institute of Standards and Technology (NIST) will figure prominently in such efforts – and that means scanning the horizon for worthwhile government cybersecurity efforts which make sense for your company’s design innovation process, business models, and ideas around value creation and capture. To start, there is plenty of activity over at NIST related to cybersecurity worth a review.

Mitigating Cyber Risk In An Age of Continuous Crisis

In early May we began a discussion with our OODA Network members that started with an observation. About six months prior we had been through the Solar Winds attack, which from our perspective was clearly one of the most damaging attacks/espionage operations in history. Soon after that, the attack series named Hafnium by Microsoft was revealed. Hafnium had started as espionage but then turned into a Gold Rush of criminal activity, one of the worst attacks in history. Then the Codecov attack hit. This is a widely used tool for software developers that is used for managing continuous integration and continuous deployment of code. It turned out that a nation-state-level actor modified this tool so that all code that passed through it was also copied off and sent to the bad actor. It was brilliant and absolutely one of the worst in history.

The Executive’s Guide To Mitigating The Ransomware Threat

This is the second part of our special series on Ransomware. The first provided an update on the nature of the threat, including an anatomy of a modern attack. This post, produced with inputs from real world cybersecurity practitioners Matt Devost, Bob Flores, Junaid Islam and Bob Gourley, provides information for Corporate Board of Directors and the CEO. In our experience, the guidance provided here can mitigate the existential risks of a ransomware infection to a low level.

Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

This post provides executive level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging it is almost pushing the recent Solar Winds attacks off the headlines. Keep in mind that until this point, the Solar Winds attack was being called the biggest hack in history. So this is a signal that the damage from this one will also be huge. See:

Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities

Cybersecurity and Cyber Incidents: Innovation and Design Lessons from Aviation Safety Models and a Call for a “Cyber NTSB”

In a recent 4-month long workshop, over 70 experts explored the concept of creating a “Cyber NTSB”. This workshop topic is consistent with themes like innovation and design processes for innovation, which cut across much of our recent OODA Loop research and analysis. It all starts with a design metaphor. This recent workshop used the National Transportation Safety Board as a design analogy/metaphor for a National Cyber Safety Board/National Cyber Security Board (NCSB). Specifically, innovation in “lesson-learning systems” for cybersecurity and cyber incidents – taking design process inspiration from the aviation safety models of the NTSB – was the goal of this “Cyber NTSB” workshop.

National Cyber Ranges: Virtual environments that enable government organizations to test their cyber capability

National cyber ranges are virtual environments that enable government organizations to test their cyber capability. It’s important to rehearse military operational plans and develop new tactics, techniques, and procedures (TTPs) that can work in a contested cyber landscape. These ranges are distributed computing environments with technical experts that can support exercises and operational planning. See: National Cyber Ranges: Virtual environments that enable government organizations to test their cyber capability

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice and At Black Hat Conference 2021, CISA Director Jen Easterly launches CISA JCDC

The OODA Almanac – 2021 Edition

The OODA Almanac proposes to identify those topics and patterns we see having significance in 2021 to guide your short and long-term decision making. Over the course of 2021, we will continue to inject additional observations on these topics into our analysis or as stand-alone tidbits of observed intelligence (OODINT). See: The OODA Almanac – 2021 Edition

Meet the New Boss: Context on Cybersecurity and US Federal Leadership

Noted cybersecurity expert Mike Tanji provides context on what to expect from the cybersecurity actions and policies of the Biden Administration. His insights are based on thirty years in the field. He cautions us all to maintain a level of hope, but to not get too worked up about transitions and talk of change. Everyone is all talk until they sit down in the chair and begin to understand exactly what it takes to govern. That said, there are changes that can be expected. Here are a few signals to watch for to see if they will stick.

See: Meet the New Boss: Context on Cybersecurity and US Federal Leadership

Expert Practitioner and QuintessenceLabs CEO Vikram Sharma on Quantum Effects and Quantum Security

Vikram Sharma is the CEO of QuintessenceLabs, a company he founded to leverage an understanding of how physics works at the quantum level to address some of the biggest issues in cybersecurity. In this discussion at OODAcon, Vikram provided a high level overview of what years of quantum theory and thousands of experiments tell us about the nature of reality, especially when it is measured at the smallest scale.

See: Expert Practitioner and QuintessenceLabs CEO Vikram Sharma on Quantum Effects and Quantum Security

Junaid Islam Discusses 5G Security and Functionality at OODAcon

Junaid Islam has 30 years of experience in secure communications. His protocols, algorithms and architectures have been incorporated into a broad range of commercial and national security systems. In the 90s he developed the first implementation of Multi-Level Precedence and Preemption (MLPP) for US Department of Defense C2 applications. He developed the first working Mobile IPv6 client to enable fast hand-off as well as IPv6 address scrambling for high side networks for the DoD’s Netcentric Warfare program. He developed the first network-based Zero Trust Architecture using Software Defined Perimeter (SDP) which was adopted by NIST for their Zero Trust specification 800-207. See: Junaid Islam Discusses 5G Security and Functionality at OODAcon

Mitigating Cyber Risks: Four real world practitioners exchange views at OODAcon

OODAcon brought together pioneering experts with ideas we believe hold the potential to cause order of magnitude improvements in cybersecurity posture. We believe the ensuing discussion resulted in actionable insights you can put in place in your organization immediately to kickstart your journey in mitigating cyber risk. This captures:

– Insights from behavioral science and human nature relevant to organizational leadership, career development and training for mitigating risks
– Why modern red teaming provides the only useful security metric today
– Ways to make cyber threat intelligence actionable
– How to automate actions in the network

See: Mitigating Cyber Risks: Four real world practitioners exchange views at OODAcon

Seeking Security Alpha

In cybersecurity, it has long been assumed that the attacker has the advantage and that defenders must deploy a disproportionate amount of resources (time, money, etc.) to even try and maintain some parity. In this piece, we’ve conducted interviews with two successful CISOs to provide insight into how they view security alpha issues. Mark Weatherford is a highly experienced and successful CISO who has worked in the public sector at both the state and federal level and also as a CISO for multi-billion dollar commercial organizations. Our Global FS CISO currently works as the Global CISO at one of the largest financial services firms in the world and has 25 years of experience working on cybersecurity and risk management issues.

See: Seeking Security Alpha

Cyber: The Art Of War

Foreign bad actors are conducting a covert cyber war. The pace, frequency, and intensity of cyberattacks are now greater than ever. As the physical realm inevitably merges with the cyber one, forming a new kind of infrastructure, cyberattacks on this infrastructure can have a catastrophic impact on our energy, waste, water, transportation, and telecommunications facilities. Examples include potential attacks on infrastructure such as distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems that monitor and control processes and plants with many control loops. Additionally, exploitation of supply chain vulnerabilities can substantially disrupt the way we live, work, and play.

See: Cyber: The Art Of War

What Executives Need To Know About The Report of the Cyberspace Solarium Commission

In 2019 Congress passed legislation signed into law by the President establishing the U.S. Cyberspace Solarium Commission, chartered to develop a consensus on a strategic approach to defending the US against cyber attacks of significant consequence. The commission was established to be bipartisan and also staffed and chartered to be as informed as possible by experts who really know the state of technology and cyber defense today. The commission executed its charter through extensive outreach and dialog with leaders in industry, academia, non-profits and government and produced deliverables that will make a positive change in our nation’s defense.

See: What Executives Need To Know About The Report of the Cyberspace Solarium Commission

Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict

“You’ve got to read what this kid is writing out of his basement at the University of Vermont…” – recently retired CIA officer to intelligence and military colleagues in 1994. A candid 25 year retrospective on a thesis that launched a tremendous amount of dialogue and action on the issues of information warfare, cyberterrorism, and cybersecurity. See:

Cyberwar Was Coming: A Reflection on the 25 Year Old Thesis that Predicted a Generation of Cyberconflict

Deception Needs to be an Essential Element of Your Cyber Defense Strategy

In the cyber defense community, we talk about a wide range of risk mitigating technologies, strategies, and activities. We talk about attacker deterrence and increasing costs for the attacker. We invest in endpoint agents, threat intelligence, DLM, and other mitigating technologies on a daily basis. Here’s why one of the most compelling emerging use cases for increasing attacker costs is the use of deception. For more see: Deception Needs to be an Essential Element of Your Cyber Defense Strategy

The Executive’s Guide to Cyber Insurance

This special report provides an overview of the dynamic trends underway in the cyber insurance market, including actionable information that executives can put to use right now in determining the right approach to using cyber insurance to transfer risk. The report also provides insights which can be of use to any tech firm seeking to partner with insurance companies to enhance services to the market. For more see: The Executive’s Guide to Cyber Insurance

What You Really Need To Know About the California Consumer Privacy Act (CCPA)

There is something you really need to know about the State of California. They have optimized around a key function that they do very, very well. They know how to collect money from corporations. They know how to collect taxes, and know how to levy large fines and collect on them. The business that owes California money will pay, and the State will likely do everything in its power to make sure they pay as much as the law allows. Keep this in mind as you read our guidance on the CCPA. For more see: What You Really Need To Know About the California Consumer Privacy Act (CCPA)

Traveling Executive’s Guide to Cybersecurity:

Traveling executives are frequent targets for cyber espionage. This report provides guidance for executives and their security teams on how to protect their information and technology while on the go. Produced by OODA co-founders Matt Devost and Bob Gourley, the report provides best practices, awareness of threats, and a deep understanding of the state of technology. A tiered threat model is provided enabling a better tailoring of actions to meet the threat. For more see: OODA Releases a Traveling Executive’s Guide to Cybersecurity

For Executive Protection, Physical and Cyber Security Have Fully Converged

Managing the nexus between physical and cyber security is possible with a deliberate mindset and full cooperation and integration between the two teams. Physical security practitioners should view cyber defense experts as a vital component of their risk management strategy. For more see: For Executive Protection, Physical and Cyber Security Have Fully Converged

OODA Best Practices for Agile Cybersecurity:

Members of the OODA expert network continuously track best practices for policy, procedures, technology and governance related to cyber defense. We work directly in defending enterprises and maintain an always up-to-date list of actions in a form designed to help any organization stay as agile as possible in the face of dynamic adversaries. Read more at the OODA Special Report on Best Practices for Agile Cybersecurity

USG Cybersecurity Initiatives and Updates | OODA Loop

Updated quarterly. For more see: USG Cybersecurity Initiatives and Updates | OODA Loop

Additional Cyber Security Reporting and Analysis:

Mitigating Risks To America’s Cognitive Infrastructure: Our most important infrastructure is also our most neglected.

11 Habits of Highly Effective CISOs: What does it take to be a highly effective CISO?

Making Sense of Cyber Lessons: Lessons for enhanced cybersecurity across multiple domains including government, corporate, think tank and academic.

The CMMC: What business needs to know about how DoD will measure your security posture

Essential Management Strategies for Cybersecurity: Management lessons learned and essential actions to mitigate risks

10 Red Teaming Lessons Learned Over 20 Years – Red teaming is one of the most valuable things you can do within your organization. OODA CEO and Co-Founder Matt Devost offers up his top ten red teaming lessons learned from over two decades of red teaming across hundreds of engagements.

The Five Modes of HACKthink – Explores how to use a hacker mindset to solve complex problems and unlock opportunity.

Email – The Often Overlooked Cybersecurity Risk – Are silly email mistakes putting your sensitive data and customer PII at risk or in violation of GDPR? Matt Devost breaks down four real life examples that highlight inadvertent email risks.

Def Con – The highest yield cyber security event of the year.

The 5G Supply Chain Blindspot – This is the place few are looking regarding 5G security

Flaws In The U.S. Vulnerabilities Equities Process: Deep insights from our own expert Cindy Martinez.

Vulnerabilities, the Search for Buried Treasure, and the US Government: Analysis from noted expert and cybersecurity thought leader (and OODA network member) Jason Healey.

Here is How the FBI Wants You To Protect Your Audio/Visual Devices: From an FBI bulletin

CISA Outlines Agency’s Strategic Intent: Vision of the Cybersecurity and Infrastructure Security Agency

The Key To A Defensible Cyberspace: A look at the work of Jason Healey and the NY Cyber Task Force

How a Presidential Commission Was Tracking Hackers in 1996: New insights into the President’s Commission on Critical Infrastructure Protection

Maturing The Cyber Threat Intelligence Field into a Discipline: based on a career in operational intelligence

Cybersecurity and Technology Due Diligence: Resources that will keep you informed before and during due diligence