The Security Operations Centre (SOC) processes
The OODA loop

The OODA loop was developed by John Boyd of the United States Air Force to help deal with complex and rapidly changing combat situations (Boyd 1987). It has since been adopted in many other fields that involve contending with an adversary, and it has proved particularly useful in cyber security, where the defender is responding to an attacker who is also observing and adapting. The loop has four stages, observe, orient, decide and act, which are worked through repeatedly rather than once.

Figure: the OODA loop. Moran (2008). Licensed under CC BY 3.0.
| Stage | What happens |
| --- | --- |
| The observation stage | This is the first of the four stages. Here we bring together everything we can observe about the current situation. In a cyber security environment, this includes our current system state, network traffic, active users and so on. Ideally, it also includes the threat intelligence we have gathered. |
| The orientation stage | This is where we consider our own biases, background knowledge, experience, and strengths and weaknesses. If possible, we should consider the same for our attacker, although in practice our knowledge of the attacker is often lacking. In a cyber security environment, the organisation's policies, procedures and processes play a big part here. |
| The decision stage | This stage can be the hardest. Here we bring together what we see (the observation stage) and what we know (the orientation stage) and decide what our action should be. In a team environment, such as is normally found in a SOC, this can be challenging, as different people have different ideas about what the appropriate response is. The extremely rapid rate at which cyber attacks can unfold makes it harder still. |
| The act stage | This is the final stage. Here we put our decision into practice. Again, the organisation's policies, processes and procedures are very helpful here, because they give us set ways to react to known situations. In a combat situation, this uniformity of action can be a liability, but in a cyber security situation, following a documented response makes it less likely that a step will be missed. |
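The loop is easier to reason about when the four stages are written down as code. The example below is an added illustration, not part of the course material: it runs one pass of observe, orient, decide and act over a handful of constructed SSH authentication log lines. The point it makes is the one the orientation stage turns on: two observations that look identical (three failed logins followed by a success) lead to different decisions once the background knowledge is applied. The threat-intelligence list, the corporate VPN range, the privileged-account list, the threshold and the playbook names are all assumptions made for this example.

```python
"""Added example (not from the course page): one pass of the OODA loop over
constructed SSH authentication log lines. The IOC list, the corporate VPN
range, the privileged-account list, the threshold and the playbook names are
all assumptions made for this example."""
import ipaddress
import re
from collections import Counter, defaultdict

# Observe: raw facts. Constructed sample: two accounts each see three failed
# logins followed by a success, from two very different sources.
AUTH_LOG = """\
2024-03-01T09:00:01 sshd[412]: Failed password for admin from 198.51.100.7 port 51022
2024-03-01T09:00:02 sshd[412]: Failed password for admin from 198.51.100.7 port 51023
2024-03-01T09:00:03 sshd[412]: Failed password for admin from 198.51.100.7 port 51024
2024-03-01T09:00:06 sshd[412]: Accepted password for admin from 198.51.100.7 port 51027
2024-03-01T09:01:10 sshd[413]: Failed password for jsmith from 10.20.0.15 port 40001
2024-03-01T09:01:11 sshd[413]: Failed password for jsmith from 10.20.0.15 port 40002
2024-03-01T09:01:12 sshd[413]: Failed password for jsmith from 10.20.0.15 port 40003
2024-03-01T09:01:20 sshd[413]: Accepted password for jsmith from 10.20.0.15 port 40006
2024-03-01T09:02:00 cron[500]: (root) CMD (run-parts /etc/cron.hourly)
"""
LINE_RE = re.compile(
    r"^\S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

# Orient: background knowledge the raw observation does not contain (all constructed).
THREAT_INTEL_IPS = {"198.51.100.7"}                        # IOC feed
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]      # corporate VPN range
PRIVILEGED_USERS = {"admin", "root"}
FAILED_THRESHOLD = 3                                       # policy value for this example

# Decide/Act: the organisation's pre-agreed playbooks (constructed names and steps).
PLAYBOOKS = {
    "PB-01-compromised-credential": ["disable_account", "block_source_ip", "page_on_call"],
    "PB-03-suspicious-login": ["force_password_reset", "open_ticket"],
    "PB-07-verify-with-user": ["notify_user", "open_ticket"],
}


def observe(log_text):
    """Observe: count failed/accepted logins per (user, source IP)."""
    events = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines we do not understand (e.g. cron) are not auth observations
            events[(m["user"], m["ip"])][m["outcome"].lower()] += 1
    return events


def orient(events):
    """Orient: enrich each observation with threat intel, network and account context."""
    enriched = []
    for (user, ip), counts in events.items():
        addr = ipaddress.ip_address(ip)
        enriched.append({
            "user": user, "ip": ip,
            "failed": counts["failed"], "accepted": counts["accepted"],
            "known_bad": ip in THREAT_INTEL_IPS,
            "internal": any(addr in net for net in TRUSTED_NETS),
            "privileged": user in PRIVILEGED_USERS,
        })
    return enriched


def decide(ctx):
    """Decide: pick a playbook for one enriched observation, or None if no action is needed."""
    brute_then_success = ctx["failed"] >= FAILED_THRESHOLD and ctx["accepted"] > 0
    if not brute_then_success:
        return None
    if ctx["known_bad"] or (ctx["privileged"] and not ctx["internal"]):
        return "PB-01-compromised-credential"
    if ctx["internal"]:
        return "PB-07-verify-with-user"
    return "PB-03-suspicious-login"


def act(ctx, playbook):
    """Act: expand the decision into the playbook's steps (returned here, not executed)."""
    return [{"step": s, "user": ctx["user"], "ip": ctx["ip"]} for s in PLAYBOOKS[playbook]]


def ooda_pass(log_text):
    """One turn of the loop. Returns {(user, ip): (playbook, actions)} for cases needing action."""
    results = {}
    for ctx in orient(observe(log_text)):
        playbook = decide(ctx)
        if playbook is not None:
            results[(ctx["user"], ctx["ip"])] = (playbook, act(ctx, playbook))
    return results


if __name__ == "__main__":
    for (user, ip), (playbook, actions) in ooda_pass(AUTH_LOG).items():
        print(f"{user}@{ip}: {playbook} -> {[a['step'] for a in actions]}")
```

Running the block shows the admin login from the listed IP routed to the compromised-credential playbook and the otherwise identical jsmith pattern from the VPN range routed to a verify-with-user playbook. Nothing in the observation stage separates the two; the orientation data does. Keeping the decision as a lookup into named playbooks is what gives the act stage the uniformity the course text describes, and it is also what makes the pass testable.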
The PDCA loop

The PDCA loop is designed to help businesses improve their operations. It was originally put forward by Walter Shewhart and later refined and popularised by W. Edwards Deming (Deming 2000). Unlike the OODA loop, which is designed for rapidly changing and complex environments, the PDCA loop is designed to drive steady improvement in processes. Like the OODA loop, it is a four-part loop, with the following key stages:
| Stage | What happens |
| --- | --- |
| Plan | Here we work out what it is we need to do and the processes we need to get there. |
| Do | This stage is concerned with carrying out the actual work. Small changes are generally preferable, as we can evaluate after each change and ensure that we are going in the right direction. |
| Check/study | Originally this stage was called the check stage, as it is where we check whether what we did in the do stage was appropriate. Deming later renamed it the study stage to emphasise that this is not a simple box-ticking exercise: we should evaluate how well the do stage achieved its goal and study its results. |
| Act/adjust | The final stage is the act or adjust stage. Here we make changes based on what the check/study stage showed needed improvement. These could be changes to the information we are using, changes to our project management, changes to our process, or any other similar activities. |
References

Boyd, J. R. (1987) A Discourse on Winning and Losing. Maxwell Air Force Base, AL: Air University Library, Document No. M-U 43947.

Deming, W. E. (2000) Out of the Crisis. Cambridge, MA: MIT Press, p. 88.

Moran, P. E. (2008) 'OODA.Boyd'. Wikimedia Commons [online]. Available from http://commons.wikimedia.org/wiki/File:OODA.Boyd.svg#/media/File:OODA.Boyd.svg [30 July 2019].