Constellation Update: Workflow-Driven Analytics for Actionable Threat Hunting

By John Boatman, March 19, 2018

On any given day, security operations center (SOC) analysts are confronted with streams of alerts that range in importance from highly actionable threat intelligence to screen-cluttering false positives.

Each alert represents one anomalous event — usually from a single device or action on a network — which can quickly snowball into hundreds or even thousands of alerts a day. It’s no wonder, then, that SOC analysts are overwhelmed trying to sort through the clutter and validate the threats that truly matter.

With the latest product release of Haystax Technology’s Constellation Analytics Platform™, SOC teams can pinpoint and act on their highest-priority threats far sooner than conventional data-driven analytics solutions and with far fewer noisy false positives getting in their way.

Because it is driven primarily by probabilistic model-based reasoning on individual behavior, and only secondarily by machine-learning analysis of anomaly alerts, Constellation has always excelled at helping analysts identify individuals who exhibit behaviors that most directly indicate future malicious, negligent or inadvertent risk. In essence, it puts the user back at the center of user behavior analytics (UBA).

The current release further solidifies Constellation’s place in the exclusive solutions domain known as actionable threat hunting, giving security teams the predictive analytical tools they need to get ahead of threats at every stage of their workflows, from initial validation, triage and investigation through incident response, resolution and after-action reporting. Some of the more significant recent Constellation enhancements are described in greater detail below.

Validation and Triage

Analysts rely heavily on the Bayesian inference networks (aka models) that sit at the heart of Constellation when performing initial validation and triage. The models capture the aggregated wisdom and judgment of diverse domain experts from all corners of enterprise risk management, and are tightly integrated with an analytics engine that ingests and processes multiple data sources at a volume, speed and consistency well beyond the capabilities of a human analyst.

In UBA applications, for instance, our Constellation for Insider Threat solution gives the analyst more efficient threat-hunting abilities compared to data-driven solutions, leading to much earlier indications of insider threat, cyber fraud and account compromise activity. And because the Constellation analytics engine continuously applies fresh data to a large body of existing evidence, it continually reprioritizes the biggest risks while filtering out the false positives that machine-learning-based solutions seem to produce in ever-growing quantities.

The end product is a set of ranked and validated results that keep SOC teams focused on the individuals most at risk of committing adverse events. And if the ensuing response actions are questioned, the model and its chain of reasoning are fully transparent and can thus be referenced as needed to explain why a particular decision was made (see image below).

Analysis and Investigations

Every time Tier-3 or similar analysts log in to Constellation, they will see a new automatically generated risk assessment for every employee, contractor or vendor whose conduct-risk score has changed by more than a certain percentage over a 30-day period. This new alerting mechanism, which augments the previously developed automatic incident-generation function based on model results, enables the analyst to immediately review what triggered the score change and then directly access additional personal details about the individual.
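The score-change alerting rule described above, as an added illustration (not Constellation's own code): each person's current conduct-risk score is compared with the latest score on or before the start of a 30-day window, and anyone whose score moved by more than a threshold is flagged. The 25% threshold, the 0-100 score scale and the sample histories are assumptions; the post states neither the percentage nor the scale.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: conduct-risk scores per person on the dates they were
# recomputed, keyed by anonymous ID. A 0-100 scale is assumed.
SCORE_HISTORY = {
    "P-1001": {date(2018, 2, 1): 20.0, date(2018, 2, 20): 24.0, date(2018, 3, 19): 41.0},
    "P-1002": {date(2018, 2, 15): 55.0, date(2018, 3, 19): 57.0},
    "P-1003": {date(2018, 3, 19): 30.0},                          # no baseline yet
    "P-1004": {date(2018, 2, 10): 0.0, date(2018, 3, 19): 8.0},   # zero baseline
}

@dataclass
class ScoreChangeAlert:
    person_id: str
    baseline: float
    current: float
    pct_change: float

def baseline_score(history, as_of, window_days=30):
    """Latest score on or before the start of the window, or None if there is none."""
    window_start = as_of - timedelta(days=window_days)
    candidates = [(d, s) for d, s in history.items() if d <= window_start]
    if not candidates:
        return None
    return max(candidates)[1]  # max() on (date, score) picks the latest date

def score_change_alerts(score_history, as_of, threshold_pct=25.0, window_days=30):
    """Flag everyone whose score moved by more than threshold_pct over the window."""
    alerts = []
    for person_id, history in score_history.items():
        current = history.get(as_of)
        baseline = baseline_score(history, as_of, window_days)
        if current is None or baseline is None:
            continue  # nothing to compare against: no alert, no division
        if baseline == 0.0:
            # Any rise from zero is treated as an unbounded change rather than an error.
            pct = float("inf") if current > 0 else 0.0
        else:
            pct = (current - baseline) / baseline * 100.0
        if abs(pct) > threshold_pct:
            alerts.append(ScoreChangeAlert(person_id, baseline, current, pct))
    # Largest movers first, so the analyst's review queue is already prioritized.
    return sorted(alerts, key=lambda a: -abs(a.pct_change))

if __name__ == "__main__":
    for a in score_change_alerts(SCORE_HISTORY, date(2018, 3, 19)):
        print(f"{a.person_id}: {a.baseline} -> {a.current} ({a.pct_change:+.1f}%)")
```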

Once the analyst has identified a person of investigative interest, a quick search across all Constellation apps will generate a comprehensive list of records related to that individual (see image below, showing quick links to Lewis Holmes’ personal details page, assessment records and incident reports).

If an analyst with even more specialized knowledge is needed to evaluate unusually complex activity — say, of a trader at a bank — he or she can be granted read-only access to view the incident alert or score change that generated the assessment, as well as a more detailed graph of specific activities (pulled from model nodes) impacting the risk score, to verify the system has drawn the same conclusions as a human analyst would.

Because employee-related information can be sensitive enough to require need-to-know clearances, individuals’ details can be redacted and names can be masked with anonymous ID numbers for all but users in the data group with the highest level of system access. When a request for redacted information is received, Constellation will use the redaction data groups to validate the user has read/write access to the hidden information. It will also maintain a log of all access requests, legitimate or otherwise.
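An added sketch (not Constellation's implementation) of the redaction behaviour just described: a record is returned in full only to users in the highest-access data group, otherwise sensitive fields are blanked and the name is replaced by a stable anonymous ID, and every request is written to an access log whether it was granted or denied. The group names and ranking, the field list and the sample record are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Constructed data groups; the post names only "the data group with the highest
# level of system access", so these names and their ordering are assumed.
GROUP_RANK = {"analyst": 1, "lead-analyst": 2, "full-access": 3}
HIGHEST_GROUP = "full-access"
SENSITIVE_FIELDS = {"name", "home_address", "date_of_birth"}

# Constructed sample personnel record (the name is the one used in the post).
SAMPLE_RECORD = {"id": "R-42", "name": "Lewis Holmes", "home_address": "1 Example St",
                 "date_of_birth": "1980-01-01", "risk_score": 41}

@dataclass
class AccessLogEntry:
    timestamp: str
    user: str
    group: str
    record_id: str
    granted: bool

def anonymous_id(name, salt="constructed-salt"):
    """Deterministic masked ID, so one redacted person stays recognisable across views."""
    digest = hashlib.sha256((salt + name).encode()).hexdigest()
    return "ANON-" + digest[:8].upper()

class RedactionService:
    def __init__(self):
        self.access_log = []

    def view_record(self, user, group, record):
        # Unknown groups rank 0 and are therefore denied, never granted by accident.
        allowed = GROUP_RANK.get(group, 0) >= GROUP_RANK[HIGHEST_GROUP]
        # Log every request, legitimate or otherwise, before deciding what to return.
        self.access_log.append(AccessLogEntry(
            datetime.now(timezone.utc).isoformat(), user, group, record["id"], allowed))
        if allowed:
            return dict(record)
        redacted = {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in record.items()}
        redacted["name"] = anonymous_id(record["name"])
        return redacted

    def denied_requests(self):
        """Denied attempts are the entries an auditor will want to review first."""
        return [e for e in self.access_log if not e.granted]
```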

The improved Assessments app also features: 1) a comments box in each assessment that can only be filled out by the lead analyst; 2) additional flexibility granted to an assessment approver post-submission; 3) administrator access to a list of all existing assessment templates; and 4) the ability to customize the layout of each Assessment page to suit individual users’ work styles and prioritize the data they need to see first. Moreover, only validated users can be assigned an assessment, and only the user to whom an assessment has been assigned is able to edit that assessment, providing additional layers of security for the sensitive personnel and facility data contained therein.

Risk Response and Reporting

Meanwhile, lead analysts can manage SOC team assignments and track all existing investigations on the Assessments list page (see image below) — and simultaneously on the Constellation Dashboard app, a full-function control center that highlights everything from individuals whose risk scores have changed the most to organization-wide activities that have the highest risk impact.

From either environment, they can make decisions about which employees require deeper levels of monitoring, or take more consequential actions such as reprimands, suspensions or terminations.

At any stage in the analysis and investigations process, Constellation can generate a series of detailed reports from every app. Analysts can create fact sheets on individuals listed in the Assets app or print out a draft assessment for further review by a specialist. Lead analysts can create investigation summaries to be shared digitally or in printed form with officials from legal, personnel or other departments, as well as after-action reports for the SOC director and corporate leadership. Each report can be customized in a number of ways, including selective inclusion or exclusion of sections, and by displaying or hiding photos, comments sections and question choices.