Haystax Carbon for Insider Threat Management & Continuous Evaluation


Upload: haystax-technology

Post on 20-Jun-2015

DESCRIPTION

Haystax Technology, Inc. provides next-generation intelligence and analytics solutions that deliver up-to-the-minute situational awareness and actionable intelligence for the public and commercial sectors. Haystax uses a combination of software and human analysis to turn large, disparate and unstructured data volumes into comprehensive and actionable information. In essence, these technologies allow users to find “the needle in the haystack” quickly and reliably.

TRANSCRIPT

Page 1: Haystax carbon for Insider Threat Management & Continuous Evaluation

COMPANY PROPRIETARY INFORMATION

Actionable Intelligence for Decision Makers

Haystax Carbon for Enterprise Threat Management

Page 2: Haystax carbon for Insider Threat Management & Continuous Evaluation

Haystax Technology offers

Advanced analytic solutions that provide real time actionable intelligence for complex, high consequence decisions

About us

Page 3: Haystax carbon for Insider Threat Management & Continuous Evaluation


We have multiple patents for our predictive models & algorithms

DHS used our algorithms for risk based grant allocation

Our analytics now drive the largest public safety ecosystem in the nation

We developed the protective intelligence methodology used by the Bill & Melinda Gates Foundation

Our heritage is in designing elegant solutions for complex problems not suited for traditional “brute force” analytic approaches

Page 4: Haystax carbon for Insider Threat Management & Continuous Evaluation


Page 5: Haystax carbon for Insider Threat Management & Continuous Evaluation

Designed to leverage existing source data investments

Designed to fit into existing investigation processes

Includes the high performance Haystax Constellation Analytics Engine

Designed to enable a wide range of mission optimized business applications

At the core of our Insider Threat management solution is our innovative, proven & efficient Carbon Risk Rating Platform

Background Check

Peers & Family

Financial Records

HR Record

Public Records

Web and Social Media

Works with a wide range of data sources/types

Haystax Carbon Risk Rating

Data can be easily handed off for post processing to other applications

Investigative Case Construction

3rd Party Analytic Processors

Carbon Whole Person Model

Adjudicative Guideline Mapping

Expert Assessments

Continuous Evaluation Engine

Risk Dashboard

Continuous Data Collection

Page 6: Haystax carbon for Insider Threat Management & Continuous Evaluation


Haystax Carbon is based on the understanding that Insider Threat Management is a prioritization problem

Experts & Guideline Compliance

Background Check

Peers & Family

Financial Records

Public Records

HR Record

Web and Social Media

Continuous Data Collection

Carbon Whole Person Model

Carbon Automated Evaluation

Carbon Prioritization Ranking

Escalated Response

Spend << Time

Spend << $$

Rotate from Service Or Exploit

Page 7: Haystax carbon for Insider Threat Management & Continuous Evaluation


The Carbon Whole Person Model provides a single integrated view of an insider for dynamic trust

Single Integrated View

Continuous Evaluation

Continuous Monitoring

Outside Work: Public Records, Employment Data (Current & History), Vehicle/Property Ownership, Bank/Credit Records, Criminal Records, Family/Peer Comments

At Work: Time In/Out, Access Card Swipes, Logins/Logouts, Network Use, Database/Data Store Access, Printer Use, Telecom/Email Use, Patterns of Use

Page 8: Haystax carbon for Insider Threat Management & Continuous Evaluation


Adjudicative Guidelines are mathematically modeled into Carbon to ensure policy compliance at all times

Clearance-worthy

Risk Influence

13 Guidelines

Indicative

Mapping

Enforces scoring results to compliance guidelines

Enables scoring rules to adjust based on policy changes

Improves transparency for risk rating results

Page 9: Haystax carbon for Insider Threat Management & Continuous Evaluation


‘Qualitative’ expert knowledge augments existing data to align insider behavior to an organization’s specific threats

Counterintelligence

Medical

Criminal Investigators

HUMINT

Family

Peers

Psych

Subject

Command

IT Security

SF86 Financial Records

Public Records

PAEI

Carbon scales experts with algorithms

Reflects knowledge of experts in the Carbon Whole Person Model

Applies data about the subject to the Carbon Whole Person model

Evaluates the model’s knowledge continuously as data or priorities change

Page 10: Haystax carbon for Insider Threat Management & Continuous Evaluation


Carbon is designed to make the results easy to understand for a wide range of end users

Risk timeline, Alerts, dashboards, Summary level views and drill downs

Compare subject to peer groups and historic changes in risk profile

Insider Risk Rating Report

Insider Pattern of life Timeline

Insider Risk Dashboard

Page 11: Haystax carbon for Insider Threat Management & Continuous Evaluation


The Carbon Risk Rating runs on the Haystax Constellation Analytic Platform

The Constellation Analytics is optimized for high velocity and high volume data processing

Carbon Model

Natural Language

Association Analysis

Scoring

Entity Resolution

Geo Reasoning

Analytic Processors

Data feeds

Actionable Intelligence through automated discovery, fusing and linking of information with out-of-the box visualizations

Built with Open Source

Flexible cloud deployment

Built using multiple Haystax patents

Page 12: Haystax carbon for Insider Threat Management & Continuous Evaluation


Carbon doesn’t just identify risk, but prioritizes it to enable an optimized Insider Threat management system

Escalated Response

Spend << Time

Spend << $$

Rotate from Service Or Exploit

More People

Few People

Enterprise Data

Expensive Data

Professional Observation / Intervention

Non-Professional Observation / Intervention

Escalated Review / Additional Data

Basic IT Controls

Dynamic IDAM

Carbon can be easily integrated into existing Insider Threat Management Systems

Page 13: Haystax carbon for Insider Threat Management & Continuous Evaluation


The Carbon Risk Rating Platform can serve a wide range of applications

E-Adjudication Automated Periodic Reviews

Insider Threat Investigations

Continuous Evaluation

PTSD Suicide Prevention Workplace Violence

Page 14: Haystax carbon for Insider Threat Management & Continuous Evaluation


Carbon is designed to integrate into the overall enterprise security system – Cyber Example

Page 15: Haystax carbon for Insider Threat Management & Continuous Evaluation

How is Carbon different from traditional Insider Threat detection & management?

Page 16: Haystax carbon for Insider Threat Management & Continuous Evaluation

The typical approach is to tackle Insider Threat as a signal to noise problem

Traditional rules based systems rely on knowing ‘precisely’ what a target looks like

Miss

False Alarm

Target

Traditional rules based thresholds or flags will identify the obvious, but miss weak signals

Lowering thresholds will dramatically increase false alarms, increase investigation time & cost, negatively impact continuous evaluation

How do you strike a balance between false alarm rates & missed detections?

Page 17: Haystax carbon for Insider Threat Management & Continuous Evaluation

However, Insider Threat is not a classic signal to noise problem that rules based systems can negotiate well

Target

Miss

False Alarms

Our current systems rely on self-reporting and tips before an investigation can be launched

Data is available to improve early detection, but complex rules based systems will generate high numbers of flags

Unlike physical objects, people change so systems need to account for their “pattern of life”, not static rules

Approach was designed for manual operation on small, infrequent queries

Has financial problem?

Has work problems?

Has alcohol problem?

Has psychological problems?

Page 18: Haystax carbon for Insider Threat Management & Continuous Evaluation

3,370 reviewed

3,077 total flags identified

2,783 cases created

4 Significant Incident Reports

2 Imminent Threats

FALSE POSITIVE RATE >20%

The ACES Pilot for the DoD showed that traditional rules based approaches are too inefficient to be viable for large populations

Data + Rules Based Detection

At this false alarm rate, the USG would generate over 1,000 cases each day!

Developed by psychologists over 15 years ago – the ideas are useful, but it is not a modern software system

None of the ACES flags are prioritized or machine readable, placing all of the burden on human analysts

Results

Alarms

Page 19: Haystax carbon for Insider Threat Management & Continuous Evaluation

The Target cyber fraud case is an example of the problem of sub-optimal alert prioritization

Headlines make it appear that threat detection worked

However, information needs to be actionable & prioritized

Systems that generate too many false positives are a nuisance

The analytic challenge is to scale the human element to connect-the-dots faster

Page 20: Haystax carbon for Insider Threat Management & Continuous Evaluation

Haystax Carbon helps overcome the limitations of existing detection systems for Insider Threat management

Carbon Whole Person Bayesian Model

Mathematical configuration of adjudicative guidelines

Continuous data collection

Prioritization algorithm optimizes threat management

SF86 Financial Records

Public Records

PAEI

Expert judgments integrated into model

Page 21: Haystax carbon for Insider Threat Management & Continuous Evaluation

Haystax Carbon provides an analytic solution to Insider Threat detection & management that cannot be matched by traditional approaches

Bayesian whole person model provides contextual analysis that rules-based systems cannot match for relevant results

Model driven data ingest beats or matches brute force ‘big machine’ at a fraction of the cost

Prioritization algorithm enables focusing investigative human resources on true high-risk individuals

Page 22: Haystax carbon for Insider Threat Management & Continuous Evaluation

We are mature enough to have proven technologies, but new enough to create cutting edge products and deliver one-of-a kind services to the national security community

Haystax: A new kind of Analytics Company

Page 23: Haystax carbon for Insider Threat Management & Continuous Evaluation

Contact us: [email protected]

us: www.haystax.com

8251 Greensboro Drive, Suite 1111

McLean, VA 22012