The newest application in Haystax Technology’s Haystax Analytics Platform provides users with a powerful way to visualize and manage real-time security analytics outputs and threat data generated from the Haystax domain awareness environment.
Called the Dashboard, this app brings together on one easy-to-understand screen a high-level view of activity across the full Haystax ecosystem. It is tightly integrated with all existing Haystax apps, which are designed to provide users with tools for continuous evaluation and prioritization of physical and cyber risks, monitoring of social-media and other digital threats, incident alerting, field interviewing, critical asset management and security assessments, as well as timeline and geospatial apps for contextually visualizing and managing malicious incidents, unusual insider behaviors, natural disasters, large-scale events and more. Each of these data sources becomes its own graph, chart, map or table in the Dashboard – organized into a series of nine windows, as shown below.
Because the Dashboard is fully configurable, users can choose which windows they want to see, as well as their sizing and placement on the screen. Users who focus on security analytics for missions such as insider-threat or cyber-fraud mitigation, can tailor their Dashboards to highlight behavioral anomalies and insider threats of concern. Likewise, incident commanders or emergency-management officials responsible for protecting critical infrastructure will be able to view their assets in context of the threats and hazards that emerge around them. In all cases the Dashboard aims to provide a high-level view that instantly pinpoints the highest-priority risks.
Using the insider-threat mission as an example, the Dashboard provides a graphical at-a-glance snapshot of an individual employee’s trustworthiness on a continuously monitored basis. The Highlights window not only shows the total number of individuals and events being monitored, but also lists individuals with issues of concern or trustworthiness, as well as those who may be on a watch-list. All Highlights data is interactive, meaning that clicking on the watch-list number, for example, will launch a list of those individuals and their details.
Summary analysis results and Analysis scatter plot are two windows for viewing key ‘signals’ on insider personnel. They combine data on trustworthiness and issues of concern, as analyzed through our Carbon ‘whole-person’ threat model. In the scatter plot, for example, each individual (represented by a small colored dot, as shown below) lands somewhere on the spectrum, but the small subset who exhibit several issues of concern and low trustworthiness are distinctly displayed in red on the lower right of the graph, while highly trustworthy individuals with few or no issues land in the upper left in blue.
Most conventional data-driven analytics tools provide alerts every time a new anomaly is detected. These are what might be called ‘dumb and noisy,’ in that they flag any anomaly regardless of context and tend to contain a hefty dose of false positives, which all must then be reviewed by a human analyst (who is likely to be already overwhelmed by prior alerts). Because Haystax is based on a human threat model that ‘knows’ what to look for and then analyzes the anomalous data to rank it in priority order, a shift in an individual’s risk score is the alert.
Another Dashboard window makes it easy to spot areas that are problematic for an entire organization. Top impacts of concern (shown below) displays the Carbon model nodes that have changed the most from prior values, and shows in what direction they have changed. It also displays what percentage of the population being evaluated contributed to these changes. So for example if the window displays a spike in contact activity with foreign nationals, an organization can quickly implement a new training and awareness program for employees relating to international travel and associations.
Other Dashboard windows show timelines of new incidents and anomalies, track assets and other data on a map, display the latest annotations made to assets or incidents or events in Haystax, and view system processing statistics such as the rate of events per second and machine load. There is also a dynamically updated depiction of the model running at all times, which shows the most active model nodes using color coding. In the case of insider threat users, the model deployed is Carbon (see image below), but for other users, different models developed under the Haystax fusion modeling approach would be used.
Customization of Dashboard windows extends beyond simply turning on or off, resizing or relocating them. In the case of the analysis results and scatter plot, users can also zoom, auto-scale, pan, fence off a subset of data and create and download a plot.
In addition, the Dashboard allows the user to filter on date range and/or any tags that have been applied to assets – including people – in the system. For insider-threat users, this means that all individuals who are tagged, say, as candidates for termination (see image below) will be highlighted and displayed across several Dashboard windows.
To learn more about the Haystax Analytics Platform and how it can help meet your mission needs, please click here.
Note: Haystax is Hiring! Want to have a real impact on the field of security analytics? Become part of the Haystax development team. Simply check out our current job listings here.