Constellation Update: Enhanced Behavioral Analytics

By John Boatman, February 21, 2017

Haystax Technology has rolled out new analytic capabilities that generate more detailed, accurate and timely intelligence on adverse human activities, reducing the noise and excessive false positives that plague many conventional user and entity behavior analytics (UEBA) solutions.

The company’s award-winning Constellation Analytics Platform™ was designed from the ground up to enable analysts to focus their energies on understanding their highest-priority risks in a more predictive manner. The platform redefines security analytics by blending qualitative expert judgments captured in Bayesian models with other artificial intelligence techniques to find threat ‘signals’ buried inside multiple data sources. It then ranks these threats in priority order, instantly displaying actionable information and delivering alerts to those who need to know.

Optimized Insider-Threat Analytics

Many of the most significant feature additions since our last major Constellation product update are geared towards enhanced analysis of insider threats and the continuous evaluation of the trustworthiness of personnel with security clearances. For example, our Assets (see featured image, above) and Assessments apps have now reached full operational capability to manage data about individuals, and not just critical infrastructure assets. Similarly, our Incidents and Events apps can be used to manage data regarding individual behaviors and related activities and events.

Additional monitoring and evaluation now can be carried out with the use of tagging, which is a powerful way to capture key characteristics of any data entity. In Constellation, users can add existing tags to an individual with one click, or create new ones. Because tagging works for any concept, an organization can know at a glance who it employs at a ‘high access level’ or who is ‘high risk’ or in ‘finance’ or ‘maintenance,’ or any other characteristic it wishes to monitor. The list pages of all four core Constellation apps are now searchable by tags. For example, typing ‘sysadmin’ into the search box on the Assets app (see image below) will reveal all individuals in Constellation who have been tagged as system administrators. It will also display a list of all personnel assessments performed on each tagged sysadmin in the Assessments app, as well as all incidents or related events involving sysadmins in those respective apps.

Assessments App Enhancements

Constellation’s library of assessment templates continues to grow as well. Given the drastic increase in highly publicized insider-threat incidents over the past few years — and based on lessons learned from Haystax Technology’s work with federal government agencies and large financial organizations — many of these templates focus on assessments of people, as a complement to our existing library of facility assessments. New ‘person assessment’ templates include Supervisor Interview, Insider Employment Application, Insider Risk Level, Insider Watchlist Screening and Insider Reference Check (see image below). New facility templates include a Building Assessment as well as Damage Assessments for businesses, houses and public facilities. The new forms complement our existing SWAT, fire safety and school safety assessment templates for critical infrastructure.

Other significant enhancements to the Assessments app include:

Based on Haystax’s patented model-driven approach to security analytics, Constellation reasons like a team of expert analysts at scale to precisely identify the greatest threats to an organization’s critical systems, data, facilities and people, even when the indicators are hard to detect and regardless of whether the behavior is malicious, negligent or inadvertent.

Now with the addition of tagging and the new person-based assessment templates — plus personnel-centered incident and event management — it will be even clearer to decision-makers why a particular individual may represent a risk that needs to be addressed immediately, and less burdensome to conduct further investigative assessments to confirm or disprove the risk.