Constellation Update: Redefining SOC Automation

By John Boatman, July 13, 2018

Security operations teams in search of deeper threat hunting capabilities and more streamlined investigations of workforce risks will find the enhancements they seek in the latest release of Haystax Technology’s Constellation Analytics Platform.

Constellation provides unprecedented levels of automation and scalability and broader data visualizations than ever before possible. It is currently the only user behavior analytics (UBA) solution delivered via the cloud or on-premises that can display trustworthiness scores and multiple indicators of risk for every employee in an organization on a single screen, from lowest to highest risk, even when there are tens of thousands of employees (image, below).

Risk scores are continuously updated by the Bayesian behavioral model that sits at the heart of Constellation. With the recent enhancements, security operations center (SOC) analysts and threat specialists can now isolate each individual within the model view to ascertain exactly what events are triggering a change in their risk score (image, below). Unlike the often overwhelmed analyst, the model produces consistent, comprehensive and analytically defensible results without ever getting tired or needing a day off.

The ability to zero in quickly on an extremely small high-risk population will save threat hunters hundreds of hours they would normally spend scouring multiple security systems. The core trustworthiness-related hypotheses and supporting evidence they need — from changes in risk scores to specific events that indicate financial, personal or professional stressors — are already built into the model and the Constellation environment.

Another new feature is an enhanced data connector framework that makes it easier to bring in additional kinds of data for use as evidence in the model. Most other security systems started only with network data and are now having to tack on new sources to improve their results. Haystax applies network data but has always connected to numerous non-network sources like HR records, travel and expense reports, printer logs, access badge data and digital media feeds to provide a more holistic whole-person view of workforce risk. The latest enhancements automate much of the work needed to define events from this data and map them directly to the model.

In the newest version, moreover, events now act as complementary evidence to incidents in Constellation. Incidents (e.g., “Low trust score” or “Change in trustworthiness”) are created automatically when an individual’s risk profile crosses a predetermined threshold or changes by more than a certain percentage when model beliefs are updated with new data.

An event, by contrast, can be one of dozens of specific behaviors or actions that triggered a change in score, such as “Inserts Prohibited Device,” “Unsatisfactory Performance Rating,” “Performs Internet Gambling,” or “Cash Embezzlement Case.” Events also include positive life milestones like “Received Masters’ Degree” or “Full Time Employment.”

Details of all events and incidents related to an individual are displayed on the profile page of that person (image, above), giving the analyst a full array of supporting information directly within the Constellation environment as to why an individual’s risk score went up or down. Since personnel information is sensitive, Constellation also has a redaction feature that replaces names, titles and other information of a personally revealing nature with alphanumeric characters. Importantly, these can be unredacted by senior managers in major risk investigations.

Additional Constellation feature enhancements in this release are likewise intended to improve the ease and flow of high-pressure analytic and decision-making operations and thus further automate the SOC. They include: