Applying advanced analytic techniques to enable rapid real-time enterprise threat intelligence and awareness. This presentation looks at how data + algorithms can help enterprises improve their overall threat posture.
1. Haystax Enterprise Threat Management
Bryan S. Ware, CTO
A Look Toward the Future of Advanced Analytics and Their Application to Threat Detection & Action
February 19, 2015
2. Enterprise Threat Management and Cybersecurity Solutions
FORMED in 2012 on a 20-year legacy (Digital Sandbox, FlexPoint, NetCentrics)
EMPLOYEES: 350, 90% cleared
THOUGHT LEADERS IN: Advanced Threat Analytics, Network Management and Cybersecurity
3. The Present Big Data Era
“The Data is the Model”
As computing and networking become increasingly cheap…
And more and more sensors are generating data on everything…
Analytics can be harnessed to derive insight, predict the future, etc.
If it works for Google, it should work for intelligence, right?
4. The Next Frontier
What do you do when:
• The past is not necessarily representative of the future
• The threat event has never occurred (or too infrequently for traditional statistics)
• The quality of the signal data is poor
• You must account for causality or the sequence of events
• You must provide legally or analytically defensible results
Where does this apply?
• Terrorism risk and natural catastrophe risk management
• Insider threat detection, cyber threat intelligence
• Political instability, expropriation of assets, economic and financial risk forecasting
5. “The information you have is not the information you want. The information you want is not the information you need. The information you need is not the information you can obtain. The information you can obtain costs more than you want to pay”
― Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
6. The Haystax Way – Multiple Patents for Risk Management and Detecting Emergent Threat Activity
• We model first
• Models represent human judgment
• Disparate information sources are fused
• Causality and uncertainty are measured
• Outputs represent the degree of belief
7. The Haystax Technology Vision
Enterprise Threat Management
Haystax will provide CROs, CIOs, and CISOs with a cloud-enabled platform to identify, monitor, and manage potential threats to the enterprise in an integrated, analytic system.
8. Enterprise Threat Management – Analytic Framework
What are all my assets?
‣ Facilities
‣ People
‣ Network Assets
‣ Missions and Programs
‣ Response Capabilities
What threats and hazards are likely?
‣ What threats are plausible?
‣ What are the most likely issues to occur?
‣ Security Threats
‣ Natural Hazards
‣ Accidents and Incidents
What vulnerabilities could be exploited?
‣ What vulnerabilities can a threat exploit?
‣ What measures are in place to reduce those vulnerabilities?
What consequences or impacts would occur?
‣ What is the impact of a threat exploiting a vulnerability?
‣ Human
‣ Economic
‣ Mission
‣ Psychological
9. Data from all available sources are processed and routed for action
[Architecture diagram: Data Collection & Pre-Processing → Analytic Processing → Action]
Inputs: Low Priority Channels, News & Social Feeds, Enterprise Communications, Network Alerts, Suspicious Activity Reports, Access Control Alarms, HR Data, 3rd Party
Storage and delivery: Archive DB, Web, Mobile
Outputs: Visual Interaction Canvases, Alerts, Reports, Map, Triage, Timeline
11. The Signal to Noise Problem…
Teaching the detection system to find the target (an airplane here) seems quite easy….
But in practice it’s very hard to precisely define what the target looks like, and how it’s different from other clutter.
[Figure: example image, legend: Target / False Alarm]
12. The Signal to Noise Problem…
And it gets much, much harder…
[Figure: example image, legend: Target / False Alarm / Miss]
13. The Signal to Noise Problem…
Simple rules (thresholds or flags) will identify the obvious spikes… but will miss weak signals. Lowering thresholds will increase false alarms.
How do you strike a balance between False Alarm Rate and Missed Detections?
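The trade-off the slide describes, as an added worked example that is not part of the deck: a simple threshold rule is swept over a constructed, labelled anomaly-score stream (two obvious spikes, two weak real signals close to the clutter), and the false-alarm rate and miss rate are computed at each threshold. The cost weights and the score values are assumptions chosen for illustration.

```python
# Added example (not from the Haystax deck): false-alarm rate vs. missed
# detections for a plain threshold rule on a constructed score stream.

# Constructed sample: (anomaly score, is_real_threat). Scores 0.88 and 0.95
# are the "obvious spikes"; 0.42 and 0.55 are weak real signals sitting
# inside the benign clutter, which is exactly what a high threshold misses.
SAMPLE = [
    (0.05, False), (0.12, False), (0.20, False), (0.31, False), (0.38, False),
    (0.42, True),  (0.45, False), (0.51, False), (0.55, True),  (0.60, False),
    (0.67, False), (0.72, False), (0.88, True),  (0.95, True),
]
THRESHOLDS = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8]


def rates_at(threshold, samples):
    """Return (false_alarm_rate, miss_rate) when alerting on score >= threshold."""
    threats = [s for s, is_threat in samples if is_threat]
    benign = [s for s, is_threat in samples if not is_threat]
    false_alarms = sum(1 for s in benign if s >= threshold)
    misses = sum(1 for s in threats if s < threshold)
    return false_alarms / len(benign), misses / len(threats)


def sweep(samples, thresholds):
    """Tabulate (threshold, false_alarm_rate, miss_rate) for every threshold."""
    return [(th, *rates_at(th, samples)) for th in thresholds]


def best_threshold(samples, thresholds, miss_cost=5.0, false_alarm_cost=1.0):
    """Pick the threshold minimising a weighted cost of misses and false alarms.

    The weights are the analyst's judgment of how much worse a missed threat is
    than a wasted triage; changing them changes the answer, which is the point.
    """
    def cost(th):
        far, miss = rates_at(th, samples)
        return miss_cost * miss + false_alarm_cost * far
    return min(thresholds, key=cost)


if __name__ == "__main__":
    for th, far, miss in sweep(SAMPLE, THRESHOLDS):
        print(f"threshold {th:.2f}: false-alarm rate {far:.2f}, miss rate {miss:.2f}")
    print("miss-averse choice:", best_threshold(SAMPLE, THRESHOLDS))
    print("alarm-averse choice:", best_threshold(SAMPLE, THRESHOLDS, miss_cost=0.5))
```

Raising the threshold to 0.8 catches only the two spikes and misses half the real threats; lowering it to 0.4 catches everything at the price of alerting on half the benign events, and which end of that curve is "right" depends on the relative cost the organization assigns to a miss.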
15. What is Carbon?
Carbon is a model of the Whole Person, establishing a Pattern of Life that is evaluated continuously as data changes or becomes available.
[Diagram: the Subject at the centre, surrounded by human and data sources]
Human sources: Counterintelligence, Medical, Criminal Investigators, HUMINT, Family, Peers, Psych, Command, IT Security
Data sources: Background Check, Peers & Family, Financial Records, Public Records, HR Record, Web and Social Media, Network
18. How Does the Carbon Software Work?
• Installed on premises, and connected to enterprise data sources
• Calculates the level of risk of each person in the organization
• Provides a dashboard of all personnel
• Maintains information and cases on personnel
• Alerts when significant issues or changes are detected
• Is updated dynamically and continuously as information changes or more information and new data sources are identified
20. Bryan S. Ware, Chief Technology Officer
For Additional Information Contact:
bware@haystax.com
(703) 431-7127
Editor's notes
A Look Toward the Future of Advanced Analytics and Their Application to Threat Detection and Action
1) “whole person risk modeling”
2) “anticipation trumps forensics”
3) “prioritized response”
Why is Haystax unique?
The next three slides including this one all have ETM as the header (should probably edit). Also, the headers should have consistent font type and size?
This slide is a complete design departure, do you really want that?
Great opportunity for discussion?
how does this map to their enterprises?
What about this appealing?
What about this is concerning?
The data outside the four walls looks like a unique attribute (are there others?)
The constellation platform is the result of our R&D efforts over the last 10 years!
It’s built using the most modern open source analytic technologies – we are using the same frameworks that products like Twitter and Facebook use… it’s all proven. In some cases we had to optimize the technologies to make them do what we wanted.
The most important thing is that Constellation is ready to use. It isn’t something we build from scratch for our customers. It just works….
How does it work? That’s the section in the middle
Finally, we present the information through defined visual canvases. What is important to remember is that the end user does not need to do anything to generate these views.
So how is this used?
This is where we talk about ACES pilot results, recent AAG results
Keep tight – hit theme(s)
Focus on the differentiation created by the distillation/incorporation of experts
Great slide to hit theme(s)
You also made a point about the third tier being the most important but I don’t recall why? Likely an important idea tied to theme(s)
Let’s look at it from the position of decision makers: Starting with an analyst.
We are looking at three screens that show analytic fusion from Constellation…
You can explain the text…
Haystax R&D:
• Has conducted significant research into data sources, sensors, behaviors, and analytics for insider threat detection and analysis.
• Developed tools to create new models, ingest new data sources, model network behaviors, and simulate risk events.