Whole Person Risk Modeling

Haystax Advanced Threat Analytics: Whole Person Risk Modeling. Presented at Information Risk Management Research Board, November 18, 2014. Bryan Ware, CTO.

Upload: haystax-technology

Post on 09-Jul-2015

DESCRIPTION

Presentation delivered by Bryan Ware, CTO at Haystax Technology, at The Research Board Symposium on Information Risk Management in NYC. This presentation provides an overview of the importance of this approach. Contact the author for a more detailed explanation of the approach.

TRANSCRIPT

Page 1: Whole Person Risk Modeling

Haystax Advanced Threat Analytics

Whole Person Risk Modeling

Presented at Information Risk Management Research Board

November 18, 2014

Bryan Ware | CTO

Page 2: Whole Person Risk Modeling

Topics

Haystax Overview

The Insider Threat

From an Analytical Perspective

Enterprise Threat Management

Carbon Personnel Risk Management System

Page 3: Whole Person Risk Modeling

About Us

ADVANCED CYBERSECURITY AND THREAT MANAGEMENT

FORMED in 2012 on a 20-year legacy (Digital Sandbox, FlexPoint, NetCentrics)

EMPLOYEES: 350, 90% Cleared

WE OFFER: Cybersecurity & enterprise threat management solutions that provide real-time actionable intelligence for complex, high consequence decisions

We are used by 15 of the 20 largest urban areas to keep their citizens & assets safe

We developed the protective intelligence methodology used by the Bill & Melinda Gates Foundation

We architected, manage & defend some of the most mission critical networks in the US

We deployed the CIA’s first private cloud with AWS

Page 4: Whole Person Risk Modeling

Haystax Technology Accelerator

DEVELOP ADVANCED CONCEPTS AND PRODUCTS

Focus on solving the “really hard” problems

Advance the state of the art through agile, out-of-the-box thinking

Page 5: Whole Person Risk Modeling

Better a diamond with a flaw than…

“You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”

--Arthur Rudolph, manager of the Marshall Space Flight Center Saturn V program office

Page 6: Whole Person Risk Modeling

Who do you think you are?

YOU ARE NOT YOUR DATA

You are not your account.

Accounts are not identities.

Events are not behaviors.

Page 7: Whole Person Risk Modeling

The Signal to Noise Problem

TEACHING A DETECTION SYSTEM TO FIND THE TARGET SEEMS EASY

[Figure labels: Target, False Alarm]

Page 8: Whole Person Risk Modeling

As noise increases, it gets harder to see the signal

ALL BRUTE FORCE SYSTEMS WILL SUCCUMB

[Figure labels: Target, False Alarm, Miss]

Page 9: Whole Person Risk Modeling

The Signal to Noise Problem

THRESHOLDS & FLAGS WILL IDENTIFY THE OBVIOUS SPIKES… BUT WILL MISS WEAK SIGNALS

Lowering thresholds will increase false alarms.

How do you strike a balance between false alarm rate and missed detections?

Page 10: Whole Person Risk Modeling

The Signal has Become the Noise

ANALYTICS ARE NEEDED TO PRIORITIZE SIGNALS

Page 11: Whole Person Risk Modeling

The Haystax Way

PATENTED ANALYTIC APPROACH

We model first

Models represent human judgment

Disparate information sources are fused

Causality and uncertainty are measured

Outputs represent the degree of belief

Page 12: Whole Person Risk Modeling

The Haystax Technology Vision

ENTERPRISE THREAT MANAGEMENT

Haystax will provide CROs, CIOs and CISOs with a cloud-enabled platform to identify, monitor and manage potential threats to the enterprise in an integrated analytic system

Page 13: Whole Person Risk Modeling

Enterprise Threat Management

BROADER VISIBILITY, REDUCED RESPONSE TIMES & PRIORITIZED RESOURCE ALLOCATION

Profile overall enterprise threat and risk

Monitor continuously and broadly against that profile

Implement collaborative, dynamic situational awareness

Prioritize and route critical information for action

Page 14: Whole Person Risk Modeling

What is Carbon

Carbon is a model of the Whole Person, establishing a Pattern of Life that is evaluated continuously as data changes or becomes available

[Figure labels: Background Check; Peers & Family; Financial Records; Public Records; HR Record; Web and Social Media; Counterintelligence; Medical; Criminal Investigators; HUMINT; Family; Peers; Psych; Subject; Command IT Security]

Page 15: Whole Person Risk Modeling

Carbon is a Threat Optimization Solution

AUTOMATICALLY PRIORITIZES ACTIONS, BASED ON RISK

Automated continuous evaluation and re-prioritization enables sustained success

Installed within legacy software environments

Page 16: Whole Person Risk Modeling

How Does the Carbon Software Work

Installed on premises, and connected to enterprise data sources

Calculates the level of risk of each person in the organization

Provides a dashboard of all personnel

Maintains information and cases on personnel

Alerts when significant issues or changes are detected

Is updated dynamically and continuously as information changes or more information and new data sources are identified

Page 17: Whole Person Risk Modeling

Data Processing & Routing

OPTIMIZES MACHINE AND HUMAN PROCESSING OF DATA

[Figure labels: Low Priority Channels; Data Collection & Pre-Processing; Analytic Processing; Archive DB; Web; Mobile; 3rd Party; Visual Interaction Canvases; Alerts; Reports; Map; Triage; Timeline; Physical Assets/CIKR; HR Data; Calls for Service; Enterprise Communications; Enterprise Data; News & Social Feeds; Network Alerts; Know & Act]

Patent # 8874071

Page 18: Whole Person Risk Modeling

Closing Summary

YOU ARE NOT YOUR DATA

Separate signal from noise

Whole person risk modeling

Anticipation trumps forensics

Prioritized response

Page 19: Whole Person Risk Modeling

Thank You

Bryan Ware

Chief Technology Officer

Haystax Technology

8251 Greensboro Drive

Suite 1111

McLean, VA 22102

(571) 297-3806

[email protected]