Haystax Enterprise Threat Management

Bryan S. Ware, CTO

A Look Toward the Future of Advanced Analytics and Their Application to Threat Detection & Action

February 19, 2015



Enterprise Threat Management and Cybersecurity Solutions

FORMED in 2012 on a 20 year legacy (Digital Sandbox, FlexPoint, NetCentrics)

EMPLOYEES: 350, 90% Cleared

THOUGHT LEADERS IN: Advanced Threat Analytics, Network Management and Cybersecurity


The Present Big Data Era

“The Data is the Model”

As computing and networking become increasingly cheap…

And more and more sensors are generating data on everything…

Analytics can be harnessed to derive insight, predict the future, etc.

If it works for Google, it should work for intelligence, right?


The Next Frontier

What do you do when:

• The past is not necessarily representative of the future
• The threat event has never occurred (or too infrequently for traditional statistics)
• The quality of the signal data is poor
• You must account for causality or the sequence of events
• You must provide legally or analytically defensible results

Where does this apply?

• Terrorism risk and natural catastrophe risk management
• Insider threat detection, cyber threat intelligence
• Political instability, expropriation of assets, economic and financial risk forecasting


“The information you have is not the information you want. The information you want is not the information you need. The information you need is not the information you can obtain. The information you can obtain costs more than you want to pay.”

Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk


The Haystax Way – Multiple Patents for Risk Management and Detecting Emergent Threat Activity

We model first

Models represent human judgment

Disparate information sources are fused

Causality and uncertainty are measured

Outputs represent the degree of belief

The Haystax Technology Vision: Enterprise Threat Management

Haystax will provide CROs, CIOs, and CISOs with a cloud-enabled platform to identify, monitor, and manage potential threats to the enterprise in an integrated, analytic system.


Enterprise Threat Management – Analytic Framework

What are all my assets?

‣ Facilities
‣ People
‣ Network Assets
‣ Missions and Programs
‣ Response Capabilities

What threats and hazards are likely?

‣ What threats are plausible?
‣ What are the most likely issues to occur?
‣ Security Threats
‣ Natural Hazards
‣ Accidents and Incidents

What vulnerabilities could be exploited?

‣ What vulnerabilities can a threat exploit?
‣ What measures are in place to reduce those vulnerabilities?

What consequences or impacts would occur?

‣ What is the impact of a threat exploiting a vulnerability?
‣ Human
‣ Economic
‣ Mission
‣ Psychological


[Diagram of the analytic pipeline. Stage labels: Data Collection & Pre-Processing; Analytic Processing; Low Priority Channels; Archive DB; Web; Mobile; 3rd Party. Input sources: News & Social Feeds, Enterprise Communications, Network Alerts, Suspicious Activity Reports, Access Control Alarms, HR Data. Outputs: Visual Interaction Canvases (Alerts, Reports, Map, Triage, Timeline) and Action.]

Data from all available sources are processed and routed for action

ANALYTICS FOR INSIDER THREAT


The Signal to Noise Problem…

Teaching the detection system to find the target (an airplane here) seems quite easy….

But in practice it’s very hard to precisely define what the target looks like, and how it’s different from other clutter.

[Figure: image with labelled examples of a Target and a False Alarm]


The Signal to Noise Problem…

And it gets much, much harder…

[Figure: cluttered image with labelled examples of a Target, a False Alarm, and a Miss]


The Signal to Noise Problem…

Simple rules (thresholds or flags) will identify the obvious spikes…. But will miss weak signals.

Lowering thresholds will increase false alarms.

How do you strike a balance between False Alarm Rate and Missed Detections?
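The trade-off on this slide, worked through on constructed data as an added example (this is not code from the slides or from Haystax): a fixed-threshold rule is swept across a small activity series that contains one obvious spike and two weak injected events, and the misses and false alarms are counted at each threshold. The series, the event positions and the cost weights used to pick a threshold are all assumptions made for the illustration.

```python
"""Threshold sweep: how false alarms and missed detections trade off.

Constructed example data (not from the slides): a 30-sample series of a
benign activity count, with three known events injected on top of it.
"""

# Benign background values, hand-picked so that the largest "noise" sample is 7.
BASELINE = [2, 3, 2, 4, 3, 2, 5, 3, 2, 4, 3, 6, 2, 3, 4,
            2, 3, 5, 2, 4, 3, 2, 4, 3, 7, 2, 3, 4, 2, 3]

# index -> magnitude added at that index: one obvious spike and two weak
# signals that end up inside the range of ordinary noise.
EVENTS = {5: 20, 14: 3, 22: 2}


def build_series():
    """Return the observed series: baseline plus the injected events."""
    return [v + EVENTS.get(i, 0) for i, v in enumerate(BASELINE)]


def evaluate(threshold, series=None, events=EVENTS):
    """Apply a simple rule (flag every sample >= threshold) and count outcomes.

    Returns the number of true events detected, the number missed, and the
    number of benign samples flagged (false alarms).
    """
    series = build_series() if series is None else series
    flagged = {i for i, v in enumerate(series) if v >= threshold}
    detected = len(flagged & set(events))
    return {
        "threshold": threshold,
        "detected": detected,
        "misses": len(events) - detected,
        "false_alarms": len(flagged - set(events)),
    }


def sweep(thresholds):
    """Evaluate every threshold; this is the raw material for a ROC-style curve."""
    return [evaluate(t) for t in thresholds]


def best_threshold(thresholds, miss_cost, false_alarm_cost):
    """Pick the threshold that minimises a weighted cost of misses and false alarms.

    The cost weights are the analyst's judgment about which error hurts more;
    they are the "balance" the slide asks about, made explicit.
    """
    def cost(result):
        return miss_cost * result["misses"] + false_alarm_cost * result["false_alarms"]
    return min(sweep(thresholds), key=cost)["threshold"]


if __name__ == "__main__":
    print("thr  detected  misses  false_alarms")
    for r in sweep(range(15, 3, -1)):
        print(f"{r['threshold']:>3}  {r['detected']:>8}  {r['misses']:>6}  {r['false_alarms']:>12}")
    # With a miss weighted five times a false alarm, the sweep settles on a
    # threshold low enough to catch the weak events at the price of two alarms.
    print("chosen threshold:", best_threshold(range(4, 16), miss_cost=5, false_alarm_cost=1))
```

Any threshold above 7 catches only the spike and misses both weak events with no false alarms; at 6 all three events are caught at the cost of two false alarms; at 4 the false alarms have quadrupled for no gain in detection. Which point on that curve is "right" depends entirely on the relative cost of a miss versus an alarm, which is why the example makes those weights an explicit input.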


The Signal has Become the Noise


What is Carbon?

Carbon is a model of the Whole Person, establishing a Pattern of Life that is evaluated continuously as data changes or becomes available.

[Diagram: the Subject at the centre, surrounded by expert perspectives (Counterintelligence, Medical, Criminal Investigators, HUMINT, Family, Peers, Psych, Command, IT Security) and data sources (Background Check, Peers & Family, Financial Records, Public Records, HR Record, Web and Social Media, Network)]


How Carbon Works

MATHEMATICAL MODELING OF EXPERTS + RISK RANKING + CONTINUOUS EVALUATION = AUTOMATED THREAT AWARENESS

Experts (Counterintelligence, Medical, Criminal Investigators, HUMINT, Family, Peers, Psych, Command, IT Security) + Data (Background Check, Peers & Family, Financial Records, Public Records, HR Record, Web and Social Media, Network) = Continuously prioritized risk based ranking
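As an added example (not Haystax's Carbon model or any of its code), the "experts + data = continuously prioritized ranking" idea from this slide and the "degree of belief" output described under The Haystax Way, in a minimal Bayesian form: analysts' judgment is captured as likelihood ratios for a handful of indicators, each subject's degree of belief is the posterior probability built from whatever evidence has arrived so far, and the ranking is recomputed whenever new evidence is observed. The indicator names, likelihood ratios, prior and subject identifiers are all constructed for the illustration.

```python
"""Evidence fusion into a degree of belief, with a continuously re-ranked list.

Constructed example (not the Carbon model): expert judgment is encoded as
likelihood ratios, data arrives as observed indicators, and the output is a
posterior probability per subject that is re-ranked as evidence changes.
"""

# Expert-elicited model (assumed values for this example). Each likelihood ratio is
# P(indicator observed | elevated risk) / P(indicator observed | normal): how much
# more often an analyst expects to see the indicator for a genuinely risky subject.
INDICATOR_LR = {
    "hr_performance_flag": 3.0,
    "access_alarm_after_hours": 4.0,
    "unexplained_financial_stress": 2.0,
    "policy_training_overdue": 1.5,
}

# Prior probability that an arbitrary subject is an elevated risk before any evidence.
PRIOR = 0.01


class RiskRanker:
    """Keeps per-subject evidence and computes a posterior degree of belief."""

    def __init__(self, prior=PRIOR, indicator_lr=INDICATOR_LR):
        if not 0 < prior < 1:
            raise ValueError("prior must be a probability strictly between 0 and 1")
        self.prior_odds = prior / (1 - prior)
        self.indicator_lr = indicator_lr
        self.evidence = {}  # subject id -> set of indicators observed so far

    def register(self, subject_id):
        """Track a subject even before any evidence exists (belief = prior)."""
        self.evidence.setdefault(subject_id, set())

    def observe(self, subject_id, indicator):
        """Record a newly available indicator; indicators without a model are rejected."""
        if indicator not in self.indicator_lr:
            raise KeyError(f"no expert model for indicator {indicator!r}")
        # A set, so re-observing the same indicator does not double count it.
        self.evidence.setdefault(subject_id, set()).add(indicator)

    def belief(self, subject_id):
        """Posterior probability of elevated risk given the evidence seen so far.

        Indicators that have not (yet) been observed leave the belief unchanged:
        missing data is treated as unknown, not as evidence of absence.
        """
        odds = self.prior_odds
        for indicator in self.evidence.get(subject_id, ()):
            odds *= self.indicator_lr[indicator]
        return odds / (1 + odds)

    def ranking(self):
        """Subjects ordered from highest to lowest degree of belief."""
        return sorted(((s, self.belief(s)) for s in self.evidence),
                      key=lambda pair: pair[1], reverse=True)


def demo():
    """Constructed scenario: three subjects, then new evidence that reorders them."""
    ranker = RiskRanker()
    for subject in ("subject-A", "subject-B", "subject-C"):
        ranker.register(subject)
    ranker.observe("subject-A", "hr_performance_flag")
    ranker.observe("subject-A", "access_alarm_after_hours")
    ranker.observe("subject-B", "unexplained_financial_stress")
    before = [s for s, _ in ranker.ranking()]

    # Later, two more indicators arrive for subject-B; the ranking is re-evaluated.
    ranker.observe("subject-B", "access_alarm_after_hours")
    ranker.observe("subject-B", "hr_performance_flag")
    after = [s for s, _ in ranker.ranking()]
    return ranker, before, after


if __name__ == "__main__":
    ranker, before, after = demo()
    print("ranking before new evidence:", before)
    print("ranking after new evidence: ", after)
    for subject, p in ranker.ranking():
        print(f"{subject}: degree of belief {p:.3f} from {sorted(ranker.evidence[subject])}")
```

Two design points matter more than the arithmetic. First, the model is the analysts' likelihood ratios, not a pattern learned from history, which is what lets it say something about events that have rarely or never occurred. Second, the output is a probability, so a subject with no evidence sits at the prior rather than at zero, and an indicator that has not been collected does not move the belief at all; both properties are what make the ranking defensible when someone asks why a given subject sits where they do.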


Anticipation trumps forensics


How Does the Carbon Software Work?

Installed on premises, and connected to enterprise data sources

Calculates the level of risk of each person in the organization

Provides a dashboard of all personnel

Maintains information and cases on personnel

Alerts when significant issues or changes are detected

Is updated dynamically and continuously as information changes or more information and new data sources are identified

Thank You

Bryan S. Ware, Chief Technology Officer

For Additional Information Contact:

[email protected]

(703) 431-7127