The Future of Advanced Analytics
TRANSCRIPT
Haystax Enterprise Threat Management
Bryan S. Ware, CTO
A Look Toward the Future of Advanced Analytics and Their Application to Threat Detection & Action
February 19, 2015
Enterprise Threat Management and Cybersecurity Solutions
FORMED in 2012 on a 20-year legacy (Digital Sandbox, FlexPoint, NetCentrics)
EMPLOYEES: 350, 90% cleared
THOUGHT LEADERS IN: Advanced Threat Analytics, Network Management and Cybersecurity
“The Data is the Model”
As computing and networking become increasingly cheap…
And more and more sensors are generating data on everything…
Analytics can be harnessed to derive insight, predict the future, etc.
If it works for Google, it should work for intelligence, right?
The Present Big Data Era
What do you do when:
• The past is not necessarily representative of the future
• The threat event has never occurred (or too infrequently for traditional statistics)
• The quality of the signal data is poor
• You must account for causality or the sequence of events
• You must provide legally or analytically defensible results
Where does this apply?
• Terrorism risk and natural catastrophe risk management
• Insider threat detection, cyber threat intelligence
• Political instability, expropriation of assets, economic and financial risk forecasting
The Next Frontier
“The information you have is not the information you want. The information you want is not the information you need. The information you need is not the information you can obtain. The information you can obtain costs more than you want to pay”
Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
The Haystax Way – Multiple Patents for Risk Management and Detecting Emergent Threat Activity
We model first
Models represent human judgment
Disparate information sources are fused
Causality and uncertainty are measured
Outputs represent the degree of belief
The Haystax Technology Vision Enterprise Threat Management
Haystax will provide CROs, CIOs, and CISOs with a cloud-enabled platform to identify, monitor, and manage potential threats to the enterprise in an integrated, analytic system.
What are all my assets?
‣ Facilities
‣ People
‣ Network Assets
‣ Missions and Programs
‣ Response Capabilities
What threats and hazards are likely?
‣ What threats are plausible?
‣ What are the most likely issues to occur?
‣ Security Threats
‣ Natural Hazards
‣ Accidents and Incidents
What vulnerabilities could be exploited?
‣ What vulnerabilities can a threat exploit?
‣ What measures are in place to reduce those vulnerabilities?
What consequences or impacts would occur?
‣ What is the impact of a threat exploiting a vulnerability?
‣ Human
‣ Economic
‣ Mission
‣ Psychological
Enterprise Threat Management – Analytic Framework
[Diagram: Data Collection & Pre-Processing → Analytic Processing → Visual Interaction Canvases (Alerts, Reports, Map, Triage, Timeline) → Action; other labelled elements: Low Priority Channels, Archive DB, Web, Mobile, 3rd Party]
Input sources shown: News & Social Feeds, Enterprise Communications, Network Alerts, Suspicious Activity Reports, Access Control Alarms, HR Data
Data from all available sources are processed and routed for action.
The Signal to Noise Problem…
Teaching the detection system to find the target (an airplane here) seems quite easy….
But in practice it’s very hard to precisely define what the target looks like, and how it’s different from other clutter.
[Figure: detection image with a Target and a False Alarm labelled]
The Signal to Noise Problem…
Simple rules (thresholds or flags) will identify the obvious spikes…. But will miss weak signals.
Lowering thresholds will increase false alarms.
How do you strike a balance between False Alarm Rate and Missed Detections?
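As an added illustration of this trade-off (it is not code from the presentation or from Haystax), the script below scores a constructed series of observations, each a single measured value with a known ground-truth label. `evaluate` returns the false alarm rate and missed detection rate of a plain "alert if score >= threshold" rule, `sweep` shows how the two move against each other as the threshold drops, and `best_threshold` makes the point that the "balance" is a cost judgment supplied by the analyst, not something the data decides. All values, names and cost weights are assumptions.

```python
"""Threshold detection trade-off on a constructed signal (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    score: float      # the measured signal, arbitrary units (constructed)
    is_target: bool   # ground truth: True for the activity we want to catch


# Constructed sample: benign scores cluster low, two benign spikes sit high
# (clutter), and the targets include two "weak" ones that overlap the
# benign tail as well as two obvious spikes.
SAMPLE = [
    Observation(1.0, False), Observation(1.5, False), Observation(2.0, False),
    Observation(2.2, False), Observation(2.8, False), Observation(3.1, False),
    Observation(3.4, False), Observation(4.0, False),   # benign tail
    Observation(6.5, False), Observation(7.2, False),   # benign spikes (clutter)
    Observation(3.6, True),  Observation(4.2, True),    # weak signals
    Observation(8.0, True),  Observation(9.1, True),    # obvious spikes
]


def evaluate(obs, threshold):
    """Return (false_alarm_rate, missed_detection_rate) for the rule
    'alert if score >= threshold'."""
    benign = [o for o in obs if not o.is_target]
    targets = [o for o in obs if o.is_target]
    false_alarms = sum(1 for o in benign if o.score >= threshold)
    missed = sum(1 for o in targets if o.score < threshold)
    return false_alarms / len(benign), missed / len(targets)


def sweep(obs, thresholds):
    """Map each candidate threshold to its (FAR, MDR) pair."""
    return {t: evaluate(obs, t) for t in thresholds}


def best_threshold(obs, thresholds, miss_cost, false_alarm_cost):
    """Pick the threshold minimising a weighted cost. The weights are the
    analyst's judgment of which error hurts more; changing them changes
    the answer even though the data is identical."""
    def cost(t):
        far, mdr = evaluate(obs, t)
        return false_alarm_cost * far + miss_cost * mdr
    return min(thresholds, key=cost)


if __name__ == "__main__":
    candidates = [3.5, 4.1, 5.0, 7.5]
    for t, (far, mdr) in sweep(SAMPLE, candidates).items():
        print(f"threshold {t:>4}: false alarm rate {far:.2f}, missed detection rate {mdr:.2f}")
    print("misses cost 10x:", best_threshold(SAMPLE, candidates, miss_cost=10, false_alarm_cost=1))
    print("false alarms cost 10x:", best_threshold(SAMPLE, candidates, miss_cost=1, false_alarm_cost=10))
```

On this sample a threshold of 7.5 produces no false alarms but misses both weak signals; 3.5 catches everything at a 30% false alarm rate. Which one is "right" flips depending on whether a miss or a false alarm is weighted ten times the other, which is the point the slide makes.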
What is Carbon?
[Diagram: the Subject at the centre, surrounded by expert perspectives and data sources]
Expert perspectives: Counterintelligence, Medical, Criminal Investigators, HUMINT, Family, Peers, Psych, Command, IT Security
Data sources: Background Check, Peers & Family, Financial Records, Public Records, HR Record, Web and Social Media, Network
Carbon is a model of the Whole Person, establishing a Pattern of Life that is evaluated continuously as data changes or becomes available.
How Carbon Works
[Diagram: Experts (Counterintelligence, Medical, Criminal Investigators, HUMINT, Family, Peers, Psych, Command, IT Security) + Data (Background Check, Peers & Family, Financial Records, Public Records, HR Record, Web and Social Media, Network) = Continuously prioritized, risk-based ranking]
MATHEMATICAL MODELING OF EXPERTS + RISK RANKING + CONTINUOUS EVALUATION = AUTOMATED THREAT AWARENESS
How Does the Carbon Software Work?
Installed on premises, and connected to enterprise data sources
Calculates the level of risk of each person in the organization
Provides a dashboard of all personnel
Maintains information and cases on personnel
Alerts when significant issues or changes are detected
Is updated dynamically and continuously as information changes or more information and new data sources are identified
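To make two ideas in this deck concrete, the "model first / outputs represent the degree of belief" principle on the Haystax Way slide and the per-person, continuously re-evaluated, alert-on-change risk ranking described just above, here is an added example. It is not Carbon's code and not its actual model; it is one generic way to build such a thing. Indicators from named sources carry expert-assigned likelihood ratios (how much more often the indicator is seen among persons of concern than among everyone else), evidence is combined in log-odds space starting from a prior base rate so the result is a probability rather than a count of flags, and every new record re-scores and re-ranks the population, raising an alert when one person's belief jumps. Every indicator name, source label, ratio, prior and person in it is a constructed assumption.

```python
"""Expert-weighted, continuously re-evaluated risk ranking (added example)."""
import math

# Expert judgment encoded as likelihood ratios (constructed numbers).
# LR > 1 raises belief, LR < 1 lowers it. Each indicator is tagged with
# the source it came from so an analyst can see which feed drove a change.
INDICATORS = {
    "hr.negative_review":        ("HR Record",         2.0),
    "fin.sudden_debt":           ("Financial Records", 3.0),
    "net.after_hours_bulk_copy": ("Network",           6.0),
    "net.usb_blocked":           ("IT Security",       1.5),
    "hr.cleared_polygraph":      ("Background Check",  0.4),  # exculpatory
}

PRIOR = 0.01  # assumed base rate of concern across the whole population


def logit(p):
    return math.log(p / (1 - p))


def belief(indicators):
    """Posterior degree of belief given the set of observed indicator names.
    Evidence is combined naive-Bayes style (indicators treated as
    conditionally independent), summing log likelihood ratios onto the
    prior log-odds and mapping back to a probability."""
    z = logit(PRIOR) + sum(math.log(INDICATORS[name][1]) for name in indicators)
    return 1 / (1 + math.exp(-z))


class RiskRanker:
    """Holds the evidence seen so far for each person and re-scores on every
    new record, which is what 'updated dynamically and continuously' means
    in practice: there is no batch run, only a stream of ingests."""

    def __init__(self, alert_delta=0.05):
        self.evidence = {}            # person -> set of indicator names
        self.alert_delta = alert_delta
        self.alerts = []              # (person, source, belief_before, belief_after)

    def ingest(self, person, indicator):
        """Add one record, re-score the person, alert if belief jumped."""
        before = belief(self.evidence.get(person, set()))
        self.evidence.setdefault(person, set()).add(indicator)
        after = belief(self.evidence[person])
        if after - before >= self.alert_delta:
            self.alerts.append((person, INDICATORS[indicator][0],
                                round(before, 4), round(after, 4)))
        return after

    def ranking(self):
        """Whole population ordered by current degree of belief, highest first."""
        return sorted(((p, belief(e)) for p, e in self.evidence.items()),
                      key=lambda item: item[1], reverse=True)


def run_demo():
    """Feed a constructed stream of records, in arrival order, to a ranker."""
    ranker = RiskRanker(alert_delta=0.05)
    stream = [
        ("alice", "hr.negative_review"),
        ("bob",   "net.usb_blocked"),
        ("carol", "hr.cleared_polygraph"),
        ("alice", "fin.sudden_debt"),
        ("alice", "net.after_hours_bulk_copy"),
    ]
    for person, indicator in stream:
        ranker.ingest(person, indicator)
    return ranker


if __name__ == "__main__":
    r = run_demo()
    for person, p in r.ranking():
        print(f"{person:<6} degree of belief {p:.4f}")
    for person, source, before, after in r.alerts:
        print(f"ALERT {person}: {source} moved belief {before} -> {after}")
```

Two things worth noticing when you run it. Alice's first two records each raise her score but neither crosses the alert delta on its own; only the network record, stacked on what was already known from HR and finance, does, which is the multi-source fusion the earlier slides describe. And Carol's polygraph record lowers her belief below the base rate, something a flag-counting rule cannot express but a likelihood-ratio model handles with the same arithmetic.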
Bryan S. Ware, Chief Technology Officer
For Additional Information Contact:
(703) 431-7127