Haystax Advanced Threat Analytics
Whole Person Risk Modeling
Presented at Information Risk Management Research Board
November 18, 2014
Bryan Ware | CTO
Topics
Haystax Overview
The Insider Threat
From an Analytical Perspective
Enterprise Threat Management
Carbon Personnel Risk Management System
About Us
ADVANCED CYBERSECURITY AND THREAT MANAGEMENT
FORMED in 2012 on a 20-year legacy (Digital Sandbox, FlexPoint, NetCentrics)
EMPLOYEES: 350, 90% Cleared
WE OFFER: Cybersecurity & enterprise threat management solutions that provide real-time, actionable intelligence for complex, high-consequence decisions
We are used by 15 of the 20 largest urban areas to keep their citizens & assets safe
We developed the protective intelligence methodology used by the Bill & Melinda Gates Foundation
We architected, manage & defend some of the most mission critical networks in the US
We deployed the CIA’s first private cloud with AWS
Haystax Technology Accelerator
DEVELOP ADVANCED CONCEPTS AND PRODUCTS
Focus on solving the “really hard” problems
Advance the state of the art through agile, out-of-the-box thinking
Better a diamond with a flaw than…
“You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”
--Arthur Rudolph, manager of the Marshall Space Flight Center Saturn V program office
Who do you think you are?
YOU ARE NOT YOUR DATA
You are not your account.
Accounts are not identities.
Events are not behaviors.
The Signal to Noise Problem
TEACHING A DETECTION SYSTEM TO FIND THE TARGET SEEMS EASY
[Figure labels: Target; False Alarm]
As noise increases, it gets harder to see the signal
ALL BRUTE FORCE SYSTEMS WILL SUCCUMB
[Figure labels: Target; False Alarm; Miss]
The Signal to Noise Problem
THRESHOLDS & FLAGS WILL IDENTIFY THE OBVIOUS SPIKES…BUT WILL MISS WEAK SIGNALS
Lowering thresholds will increase false alarms.
How do you strike a balance between false alarm rate and missed detections?
The Signal has Become the Noise
ANALYTICS ARE NEEDED TO PRIORITIZE SIGNALS
The Haystax Way
PATENTED ANALYTIC APPROACH
We model first
Models represent human judgment
Disparate information sources are fused
Causality and uncertainty are measured
Outputs represent the degree of belief
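As an added illustration (not Haystax's patented model and not code from the presentation), the sketch below contrasts a per-source threshold with fusing weak signals from several sources into a degree of belief. The scores are constructed, and the Gaussian score model, the 1% prior and the independence of sources are assumptions.

```python
"""Added example: single-source thresholds vs. fusing weak signals into a belief."""
import math

# Constructed data: per-subject anomaly z-scores from four hypothetical sources.
SCORES = {
    "A": [3.1, -0.2, 0.1, -0.5],   # benign, one noisy spike
    "B": [1.6, 1.8, 1.4, 1.7],     # target, weak signal in every source
    "C": [0.3, -1.0, 0.6, 0.2],    # benign
    "D": [3.5, 2.0, 1.0, 2.5],     # target, obvious spike
    "E": [1.2, 0.1, -0.4, 2.1],    # benign, moderately noisy
}
TARGETS = {"B", "D"}

def threshold_flags(threshold):
    """Flag a subject when any single source meets the threshold."""
    return {s for s, z in SCORES.items() if max(z) >= threshold}

def belief(z_scores, prior=0.01, shift=1.5):
    """Posterior P(target | scores), fusing sources as independent evidence.

    Assumed model: each score ~ N(0,1) if benign, N(shift,1) if target,
    so each source contributes log-likelihood ratio shift*z - shift^2/2.
    """
    log_odds = math.log(prior / (1 - prior))
    log_odds += sum(shift * z - shift ** 2 / 2 for z in z_scores)
    return 1 / (1 + math.exp(-log_odds))

def ranked_by_belief():
    """Subjects ordered from highest to lowest degree of belief."""
    return sorted(SCORES, key=lambda s: belief(SCORES[s]), reverse=True)

def error_counts(flagged):
    """Return (false_alarms, misses) for a set of flagged subjects."""
    return len(flagged - TARGETS), len(TARGETS - flagged)

if __name__ == "__main__":
    for t in (3.0, 1.5):
        fa, miss = error_counts(threshold_flags(t))
        print(f"threshold {t}: false alarms={fa}, misses={miss}")
    for s in ranked_by_belief():
        print(f"{s}: belief={belief(SCORES[s]):.3f}")
```

On this data the high threshold misses subject B and the low threshold adds a second false alarm, while the fused belief ranks both targets ahead of every benign subject.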
The Haystax Technology Vision
ENTERPRISE THREAT MANAGEMENT
Haystax will provide CROs, CIOs and CISOs with a cloud-enabled platform to identify, monitor and manage potential threats to the enterprise in an integrated analytic system
Enterprise Threat Management
BROADER VISIBILITY, REDUCED RESPONSE TIMES & PRIORITIZED RESOURCE ALLOCATION
Profile overall enterprise threat and risk
Monitor continuously and broadly against that profile
Implement collaborative, dynamic situational awareness
Prioritize and route critical information for action
What is Carbon
Carbon is a model of the Whole Person, establishing a Pattern of Life that is evaluated continuously as data changes or becomes available
[Diagram labels: Background Check; Peers & Family; Financial Records; Public Records; HR Record; Web and Social Media; Counterintelligence; Medical; Criminal Investigators; HUMINT; Family; Peers; Psych; Subject; Command IT Security]
Carbon is a Threat Optimization Solution
AUTOMATICALLY PRIORITIZES ACTIONS, BASED ON RISK
Automated continuous evaluation and re-prioritization enables sustained success
Installed within legacy software environments
How Does the Carbon Software Work
Installed on premises, and connected to enterprise data sources
Calculates the level of risk of each person in the organization
Provides a dashboard of all personnel
Maintains information and cases on personnel
Alerts when significant issues or changes are detected
Is updated dynamically and continuously as information changes or more information and new data sources are identified
Data Processing & Routing
OPTIMIZES MACHINE AND HUMAN PROCESSING OF DATA
[Diagram labels: Low Priority Channels; Data Collection & Pre-Processing; Analytic Processing; Archive DB; Web; Mobile; 3rd Party; Visual Interaction Canvases; Alerts; Reports; Map; Triage; Timeline; Physical Assets/CIKR; HR Data; Calls for Service; Enterprise Communications; Enterprise Data; News & Social Feeds; Network Alerts; Know & Act]
Patent # 8874071
Closing Summary
YOU ARE NOT YOUR DATA
Separate signal from noise
Whole person risk modeling
Anticipation trumps forensics
Prioritized response
Thank You
Bryan Ware
Chief Technology Officer
Haystax Technology
8251 Greensboro Drive
Suite 1111
McLean, VA 22102
(571) 297-3806