
Schneier recently used an extremely simplified version of the OODA loop to explain how Incident Response fits into the ol’ Protect, Detect, Respond structure - and how products can be designed to fit into this structure to keep pushing out new technology (while pointing out that it’s the people thinking that matters). In short, Schneier’s oversimplification has motivated me to rant on my inactive and lackluster site.

I won’t grow a neck beard and point out that the OODA loop isn’t the serial process he outlines. I won’t point out that OODA loops are not about speed of action above all else. I won’t point out that orientation is a key (the key?) to making the right decision. I will even do my best not to explain how OODA loops are only valuable when compared to an opponent’s: who is faster, who is better at making and acting on decisions, who can stall the other’s decision cycle to gain an advantage? Instead, I will point out that the OODA loop does not fit into the Respond phase of ‘Protect, Detect, Respond’. Sure, it can be used as a model for how to think about IR; but it can be used just as well as a model for how you come to any conclusion in any portion of security; the protection and detection phases are just as applicable, because everything revolves around decisions at some point. Instead, if you zoom out and look at Protect <-> Detect <-> Respond, you can see your security organization’s OODA loop. If you explicitly build and use technology and brain power to understand what you are observing and how you are oriented, then decisions throughout the entire security org (including response decisions) become fluid and meet less resistance. Ever-better OODA loops are what, in some ways, create the Red Queen effect that Schneier has referenced in the past. Saying “Respond is the new black” is simply security companies figuring out what new product they can develop and position on the market. “Industry talk” masquerading as “security talk”. Which reminds me, I agree with Schneier about that whole lemon markets point he brought up in his post.