Threat Intelligence

    In Cybersecurity, Speed Matters: How to Shorten the ‘OODA Loop’

    Mimecast’s CISO explains how integration among security products via APIs provides a critical speed advantage in the race against adversaries. 

    by Mark O’Hare  

    Key Points

    • Organizations are in a race against adversaries to identify emerging and evolving threats and take action before they cause devastating damage. 
    • Manual methods of analyzing and responding to threats cannot keep up with attackers’ accelerating ability to find and exploit security weaknesses. 
    • An integrated security ecosystem communicating via APIs can take protective action automatically, across multiple products, within milliseconds when new threats appear. 

    Editor's note: This is the second article in a 7-part series on APIs. The series explores the growth of APIs, and how they have provided many opportunities for improving threat intelligence, expanding automation and accelerating response. Read the first article here. 


    As a CISO, I’ve seen first-hand how the speed of cyberattacks has accelerated in recent years. Today’s sophisticated attacks no longer need weeks or even days to be successful; they wreak havoc in hours or minutes.  

    That’s why integration among security products, facilitated by open APIs, has become so important to cyber defense. At a time when the growing complexity of computing and security environments adds to the challenges security teams face, integrating security products enables organizations to react more efficiently and more effectively — within seconds or even milliseconds, in some cases. 

    Like many CISOs, I often think of security in terms of the adversarial framework known as the OODA loop. In case you’re not familiar, the OODA loop (Observe, Orient, Decide, Act) is a decision-making framework based on the process that fighter pilots go through when responding to events in the air around them. Think about two fighter pilots coming head-to-head in combat: Shortening each step in the loop creates a critical advantage. Being the first to see your adversary, the first to orient your weapons, and the first to decide what to do means you can be the first to act — which means you’re likely to win the fight. 

    Winning The Race Against Adversaries 

    The OODA loop accurately describes today’s adversarial cybersecurity environment. We’re in a continuous race against advanced adversaries. Attackers continue to accelerate their ability to find and exploit weaknesses, targeting weapons against those vulnerabilities and using them to devastating effect. If we don’t accelerate our ability to react to new threats, we lose. 

    This means that older, manual, approaches for responding to threats are no longer good enough. By the time security analysts have downloaded information into spreadsheets, manually analyzed it to find patterns and potential causes, and held meetings to decide the best course of action, it’s often too late. 

    An API-enabled ecosystem of cooperating security products enables us to squeeze the OODA loop by automating each stage in the process. Using APIs from Mimecast and our partners, we can exchange information among security tools at machine speed, reducing reaction times potentially to milliseconds. Intelligence gathered by one security tool can immediately be used to trigger protective action by other tools within the ecosystem. 

    This has become much more critical as the complexity of organizations’ technology environments has increased. Organizations have been digitizing more and more of their operations, while at the same time they’ve shifted to the cloud. These linked transitions have taken place with security tools as well as other applications. Many organizations now use a mixture of best-of-breed cloud-based security tools, each selected because it provides the best protection against a specific type of attack or threat. As a result, there’s an urgent need to connect these often-siloed tools so data can quickly be shared across the connected ecosystem. 

    At the same time, the sophistication of attacks has skyrocketed, partly due to a blurring of the line between nation-state actors, organized crime groups and their proxies. These attacks may not specifically target smaller organizations — but any organizations can become collateral damage, especially those that have fewer resources with which to defend themselves. 

    Blocking the Kill Chain

    The good news is that the continuous arms race drives innovation among the security community not just among our adversaries. APIs enable us to combine the power of innovative security tools in ways that are only limited by our imagination.  

    Some examples: Using Mimecast’s APIs, we can pass information about email-borne or web-based threats to products such as CrowdStrike’s endpoint protection tools or Palo Alto Networks’ firewall in near real time, delivering the information they need to immediately and automatically protect the organization against those threats. Alternatively, if they’re the first to see the threats, they can pass the information to Mimecast with equal speed. Organizations that have taken an ecosystem approach are now protected against the threat regardless of the attack vector. Another approach that many organizations use is to push information from multiple tools into a SIEM to enrich their data and to hunt for harder-to-find threats across multiple products in a single interface.    

    Here’s another example, this time based on integration among our own products. Attackers now frequently imitate an organization’s suppliers by creating similar-looking domains and websites and using them to launch attacks that trick the organization’s users into opening phishing emails or clicking on malicious links. Mimecast’s Brand Exploit Protect can find these bogus websites and quickly update our web and email security gateways so that they block those sites. It’s a great example of how to squeeze the OODA loop — dramatically shortening the time between first observing the threat and acting to neutralize it. Instead of waiting for users to get phished and trying to mitigate the damage, we can break the attacker’s kill chain by finding the threat in the wild and blocking it before it impacts the organization. 

    The Bottom Line 

    Squeezing the OODA loop is critical to winning the continuous race against cyberattackers. By allowing security tools to exchange information in near real time, APIs enable organizations to reduce the time between identifying a cyber-attack and being resilient to the attack. As attackers become ever faster at finding and exploiting vulnerabilities in complex systems, swift action will be essential to block threats before they cause widespread damage. 



    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top