For over 25 years, Haystax has been the provider of world-class commercial software products for direct use by individuals in the agencies charged with protecting our communities, cities, and country. Thus, our product is one of the most widely deployed risk management software solutions, used by school, law enforcement, fire, emergency management, and other government agencies across the United States.

Image module

Haystax for School Safety

Haystax meets the constantly evolving challenges of providing safe learning environments for students, faculty, staff, and local security partners by integrating all vital incident and school facility information into a single, online platform.  Physical assessments and behavioral assessments along with the ability to report and monitor incidents on or near campus are hallmarks of Haystax for School Safety.  Know your threats sooner, respond faster, and effectively coordinate actions for all stakeholders.

Image module

Haystax for Public Safety

Law enforcement professionals are called upon daily to perform a broad range of tasks—from routine patrols, intelligence gathering and investigations to major crime and incident responses. Their challenge is to ensure public safety despite incomplete intelligence, limited cross-jurisdictional information sharing, and tight budgets. Haystax helps law enforcement agencies prepare for and respond to any crisis with a dynamic picture of emerging threats, rapid  intelligence-collection and incident-reporting tools, and a seamlessly integrated user environment that  ensures maximum collaboration and analytically sound command decisions for rapid response.

Image module

Haystax for Enterprise Security

Haystax has developed a suite of applications designed specifically to help corporate security decision-makers and analysts navigate this challenging environment. Haystax alerts corporate leaders to their most likely threats and natural hazards, provides critical security and operational information about each physical facility, regardless of its size or geographic location, and allows risk managers to identify and mitigate their biggest vulnerabilities. Moreover, the Haystax platform enables security teams to manage incidents and major events—from the ops center or out in the field.

Equipped with these insights, CSOs can better anticipate their risks, communicate with leadership and limit their company’s exposure to financial, legal and reputational liabilities.

PrevThe Case for Student Threat Assessments – Part 227 November 2019NextHaystax Supports California Event Security13 December 2019

Finding Edward Snowden: A Haystax Use Case

December 6, 2019

Edward Snowden. Movies have been made, books have been written and tweets have been tweeted. We know more about him now than ever before. And yet if Snowden still worked for the U.S. government today would his insider threat behavior really stand out to security analysts? We believe the answer is yes.

More intriguing still, how much earlier could we have detected Snowden’s adverse behavior and intervened before he fled the country in 2013 after leaking a huge trove of classified government documents?

The short answer is 2007, a full six years earlier.

We all know what kinds of behavior indicate increased risk of leaking classified or sensitive information, but the real challenge is figuring out a way to connect the dots from relevant behavioral and workplace information into something tangible and actionable.

The intelligence community believes that ‘something’ is a risk score that can change over time. In November 2018 the Director of National Intelligence (DNI) published its Insider Threat Program Maturity Framework, which represents a broad consensus on the best ways to deter, detect and mitigate insider threats.

The 14-page framework is segmented into 19 so-called maturity elements, organized according to minimum standards outlined in the 2012 National Insider Threat Policy.

When it comes to Edward Snowden, the most relevant maturity element is ME16 (image below), which prescribes risk scoring as a way to: 1) “manage the multi-source information flow” regarding behavioral and workplace factors; and 2) “support longitudinal analysis, important in detecting concerning patterns that appear over time.”

Besides diversity of data sources, the other primary concept in ME16 is time, and Snowden is a perfect example of why a time-dependent risk score is so important.

According to publicly available anecdotal information, there were several points at which he could have been stopped before doing serious harm to national security – provided the right analytics and a culture of continuous vetting/evaluation were also in place.

At Haystax, ‘the right analytics’ means not just machine learning and similar data-driven techniques but also a probabilistic model that ingests data as evidence and extrapolates future outcomes from it, producing a risk score for each person in the system that continually refreshes as new data is introduced.

By measuring inherent trustworthiness, this risk score measures an individual’s fitness for a promotion, a security clearance or even just increased access to sensitive information in an organization, using the latest available evidence.

Here’s how the ‘whole-person’ model embedded in our Haystax Analytics Platform would have evaluated Snowden’s suitability for obtaining and retaining a security clearance, using a diverse array of publicly available data.

In the Haystax Timeline window (image above), an analyst can see how Snowden’s risk score would have changed over time. This is because new data is introduced, but also because Haystax’s model-based analytics has temporal relevance ‘baked in’ – meaning things that happened 20 years ago won’t be as relevant as if they happened this year. This temporal relevance is a critical piece in the Maturity Framework, and in our ability to find Edward Snowden amid all the noise generated by false-positive alerts.

The timeline shows that after a nine-month illness and absence from high school, Snowden dropped out (indicating he was not committed to school); he later earned his GED (indicating renewed commitment). Because of the temporal relevance factor, his clearance-worthiness increased over time from 1998 to 2003, with no derogatory events.

Snowden joined the Army in 2004 but was medically discharged only five months later. Haystax uses this data point to influence the model’s concepts of unemployment due to the personal and financial stresses of losing one’s job, plus dealing with a medical condition and the cost of medical treatment. Combined with reports of his online anti-government statements, this created the first significant dip in score in 2007 and presented the first opportunity for detection and intervention.

In 2007 he was granted a Top Secret security clearance while working as a contractor for the CIA. During his tenure there, he was suspected of breaking into classified files. This incident could have been reported through the channels available for security clearance administration – such as the Joint Personnel Adjudication System, or JPAS – or by a supervisor or coworker. If it had been reported, this information would have influenced Snowden’s periodic background reinvestigation during 2011. In its absence, the reinvestigation resulted in a successful renewal of his Top Secret clearance.

Most of the world knows what happened in 2013 but in the year before that Snowden’s life was already starting to unravel, and that was when his adverse behaviors were again detectable. In early 2012 he inserted removable media and began his data exfiltration, which – when combined with his continued open criticisms of the U.S. government – were evidence enough to prompt a drastic drop in score.

The most significant obstacle to finding Edward Snowden was the lack of a system of processes and technologies that focused on person-risk, analyzing multiple information sources the way an analyst would and considering how recently each critical event occurred.

With all the relevant behavioral and workplace evidence displayed as model results on a timeline, centered around Edward Snowden the person, there were several points at which a manager equipped with a risk scoring and automated alerting tool such as Haystax could have stepped in – as early as 2007 but certainly by 2012, one year before he took off for Hong Kong.

#    #    #

Hannah Hein is a Federal Project Manager at Haystax.

Note: Approaches for finding an insider threat employed by the government are somewhat different than those for an insider threat in the private sector. Learn more about how Haystax helps small, medium and large companies find their highest-priority threats by downloading our free white paper: To Catch an IP Thief.

 

Related posts