Presentation delivered by Bryan Ware, CTO at Haystax Technology at The Research Board Symposium on Information Risk Management in NYC. This presentation provides an overview of the importance of this approach. Contact the author for a more detailed explanation of the approach.
1. Haystax Advanced Threat Analytics
Whole Person Risk Modeling
Presented at Information Risk Management Research Board
November 18, 2014
Bryan Ware | CTO
2. 1
Topics
Haystax Overview
The Insider Threat
From an Analytical Perspective
Enterprise Threat Management
Carbon Personnel Risk Management System
3. 2
About Us
ADVANCED CYBERSECURITY AND THREAT MANAGEMENT
FORMED in 2012 on a 20-year legacy
(Digital Sandbox, FlexPoint, NetCentrics)
EMPLOYEES: 350, 90% Cleared
WE OFFER: Cybersecurity &
enterprise threat management
solutions that provide real-time
actionable intelligence for complex,
high consequence decisions
We developed the protective intelligence
methodology used by the Bill & Melinda Gates
Foundation
We are used by 15 of the 20 largest urban areas to
keep their citizens & assets safe
We architected, manage & defend some of the most
mission critical networks in the US
We deployed the CIA’s first private cloud with AWS
4. 3
Haystax Technology Accelerator
DEVELOP ADVANCED CONCEPTS AND PRODUCTS
Focus on solving the “really hard”
problems
Advance the state of the art through
agile, out-of-the-box thinking
5. 4
Better a diamond with a flaw than…
“You want a valve that doesn’t leak and you try everything
possible to develop one. But the real world provides you
with a leaky valve. You have to determine how much
leaking you can tolerate.”
--Arthur Rudolph, manager of the Marshall Space
Flight Center Saturn V program office
6. 5
Who do you think you are?
YOU ARE NOT YOUR DATA
You are not your account.
Accounts are not identities.
Events are not behaviors.
7. 6
The Signal to Noise Problem
TEACHING A DETECTION SYSTEM TO FIND THE TARGET SEEMS EASY
Target
False Alarm
8. 7
As noise increases, it gets harder to see the signal
ALL BRUTE FORCE SYSTEMS WILL SUCCUMB
Target
False Alarm
Miss
9. 8
The Signal to Noise Problem
THRESHOLDS & FLAGS WILL IDENTIFY THE OBVIOUS SPIKES…BUT WILL MISS WEAK SIGNALS
Lowering thresholds will
increase false alarms.
How do you strike a balance between false
alarm rate and missed detections?
10. 9
The Signal has Become the Noise
ANALYTICS ARE NEEDED TO PRIORITIZE SIGNALS
11. 10
The Haystax Way
PATENTED ANALYTIC APPROACH
We model first
Models represent human judgment
Disparate information sources are fused
Causality and uncertainty are measured
Outputs represent the degree of belief
12. 11
The Haystax Technology Vision
ENTERPRISE THREAT MANAGEMENT
Haystax will provide CROs, CIOs and CISOs with a
cloud-enabled platform to identify, monitor and
manage potential threats to the enterprise in an
integrated analytic system
13. 12
Enterprise Threat Management
BROADER VISIBILITY, REDUCED RESPONSE TIMES & PRIORITIZED RESOURCE ALLOCATION
Profile overall
enterprise threat and
risk
Monitor continuously
and broadly against
that profile
Prioritize and route
critical information for
action
Implement collaborative,
dynamic situational
awareness
14. 13
What is Carbon
Carbon is a model of the Whole Person, establishing a Pattern of Life that is
evaluated continuously as data changes or becomes available
[Diagram: the Subject at the center, surrounded by data sources and stakeholders: Background Check, Peers & Family, Financial Records, Public Records, Web and Social Media, HR Record, HUMINT, Counterintelligence, Medical, Criminal Investigators, Command, Peers, Family, Psych, IT Security]
15. 14
Carbon is a Threat Optimization Solution
AUTOMATICALLY PRIORITIZES ACTIONS, BASED ON RISK
Automated continuous evaluation
and re-prioritization enables
sustained success
Installed within legacy software
environments
16. 15
How Does the Carbon Software Work
Installed on premises, and connected to
enterprise data sources
Calculates the level of risk of each person in
the organization
Provides a dashboard of all personnel
Maintains information and cases on
personnel
Alerts when significant issues or changes are
detected
Is updated dynamically and continuously as
information changes or more information and
new data sources are identified
17. 16
Data Processing & Routing
OPTIMIZES MACHINE AND HUMAN PROCESSING OF DATA
[Diagram labels: Enterprise; Calls for HR Data; Service; News & Social Communications Enterprise Data; Data Collection & Pre-Processing; Physical Assets/CIKR; Archive DB; Web; Analytic Processing; Low Priority Channels; Mobile; 3rd Party; Triage; Timeline; Map; Alerts; Visual Interaction Canvases; Reports; Feeds; Network Alerts; Know & Act]
Patent # 8874071
18. 17
Closing Summary
YOU ARE NOT YOUR DATA
Separate signal from noise
Whole person risk modeling
Anticipation trumps forensics
Prioritized response
19. 18
Thank You
Bryan Ware
Chief Technology Officer
Haystax Technology
8251 Greensboro Drive
Suite 1111
McLean, VA 22102
(571) 297-3806
bware@haystax.com
www.haystax.com
Editor's Notes
Summary…we are going to challenge the status quo….we are in the process of building a strong company and brand.
Cloud improves provisioning of secure apps.
SharePoint, Link…
DTaaS should be about improving the user experience. We have worked with MSFT on creating a reference desktop based on familiar collaboration and productivity tools.
It’s not just about analysts, it’s also about pushing intelligence out to the field in mission-critical situations.