Security operations teams in search of deeper threat hunting capabilities and more streamlined investigations of workforce risks will find the enhancements they seek in the latest release of Haystax Technology’s Haystax Analytics Platform.
Haystax provides unprecedented levels of automation and scalability and broader data visualizations than were previously possible. It is currently the only user behavior analytics (UBA) solution delivered via the cloud or on-premises that can display trustworthiness scores and multiple indicators of risk for every employee in an organization on a single screen, from lowest to highest risk, even when there are tens of thousands of employees (image, below).
Risk scores are continuously updated by the Bayesian behavioral model that sits at the heart of Haystax. With the recent enhancements, security operations center (SOC) analysts and threat specialists can now isolate each individual within the model view to ascertain exactly what events are triggering a change in their risk score (image, below). Unlike the often overwhelmed analyst, the model produces consistent, comprehensive and analytically defensible results without ever getting tired or needing a day off.
The ability to zero in quickly on an extremely small high-risk population will save threat hunters hundreds of hours they would normally spend scouring multiple security systems. The core trustworthiness-related hypotheses and supporting evidence they need — from changes in risk scores to specific events that indicate financial, personal or professional stressors — are already built into the model and the Haystax environment.
Another new feature is an enhanced data connector framework that makes it easier to bring in additional kinds of data for use as evidence in the model. Most other security systems started only with network data and are now having to tack on new sources to improve their results. Haystax applies network data but has always connected to numerous non-network sources like HR records, travel and expense reports, printer logs, access badge data and digital media feeds to provide a more holistic whole-person view of workforce risk. The latest enhancements automate much of the work needed to define events from this data and map them directly to the model.
In the newest version, moreover, events now act as complementary evidence to incidents in Haystax. Incidents (e.g., “Low trust score” or “Change in trustworthiness”) are created automatically when an individual’s risk profile crosses a predetermined threshold or changes by more than a certain percentage when model beliefs are updated with new data.
An event, by contrast, can be one of dozens of specific behaviors or actions that triggered a change in score, such as “Inserts Prohibited Device,” “Unsatisfactory Performance Rating,” “Performs Internet Gambling,” or “Cash Embezzlement Case.” Events also include positive life milestones like “Received Masters’ Degree” or “Full Time Employment.”
Details of all events and incidents related to an individual are displayed on the profile page of that person (image, above), giving the analyst a full array of supporting information directly within the Haystax environment as to why an individual’s risk score went up or down. Since personnel information is sensitive, Haystax also has a redaction feature that replaces names, titles and other information of a personally revealing nature with alphanumeric characters. Importantly, these can be unredacted by senior managers in major risk investigations.
Additional Haystax feature enhancements in this release are likewise intended to improve the ease and flow of high-pressure analytic and decision-making operations and thus further automate the SOC. They include:
- Viewing Options: New screen layout functions in the Haystax interface give users the ability to arrange individual information panes within each app to mirror their particular job priorities and workflows. Analysts monitoring high-risk individuals, for example, can position their model results timeline at the top of a profile page, enlarge several other panes that are part of their daily analytic workflows and hide unused panes for greater screen clarity. Besides the Haystax Assets app that tracks individuals, the layout feature is enabled for Incidents, Events and other apps. Each user can have his or her own layout template, and Haystax will remember the setting every time a new session is initiated.
- Communications: Users have the option of receiving a daily email detailing every action taken across their Haystax tenant in the previous 24 hours. This Daily Digest will report, for example, how many assessments or individual incidents were created, or events or incidents generated, providing a way for users to quickly catch up on the activities of others in their tenant.