For over 25 years, Haystax has been the provider of world-class commercial software products for direct use by individuals in the agencies charged with protecting our communities, cities, and country. Thus, our product is one of the most widely deployed risk management software solutions, used by school, law enforcement, fire, emergency management, and other government agencies across the United States.

Image module

Haystax for School Safety

Haystax meets the constantly evolving challenges of providing safe learning environments for students, faculty, staff, and local security partners by integrating all vital incident and school facility information into a single, online platform.  Physical assessments and behavioral assessments along with the ability to report and monitor incidents on or near campus are hallmarks of Haystax for School Safety.  Know your threats sooner, respond faster, and effectively coordinate actions for all stakeholders.

Image module

Haystax for Public Safety

Law enforcement professionals are called upon daily to perform a broad range of tasks—from routine patrols, intelligence gathering and investigations to major crime and incident responses. Their challenge is to ensure public safety despite incomplete intelligence, limited cross-jurisdictional information sharing, and tight budgets. Haystax helps law enforcement agencies prepare for and respond to any crisis with a dynamic picture of emerging threats, rapid  intelligence-collection and incident-reporting tools, and a seamlessly integrated user environment that  ensures maximum collaboration and analytically sound command decisions for rapid response.

Image module

Haystax for Enterprise Security

Haystax has developed a suite of applications designed specifically to help corporate security decision-makers and analysts navigate this challenging environment. Haystax alerts corporate leaders to their most likely threats and natural hazards, provides critical security and operational information about each physical facility, regardless of its size or geographic location, and allows risk managers to identify and mitigate their biggest vulnerabilities. Moreover, the Haystax platform enables security teams to manage incidents and major events—from the ops center or out in the field.

Equipped with these insights, CSOs can better anticipate their risks, communicate with leadership and limit their company’s exposure to financial, legal and reputational liabilities.

PrevHaystax Product Update: Streamlined Data, Photo and File Management10 April 2019NextHaystax Product Update: Improved Critical Asset Protection15 May 2019

Multiple-Persona Disorder: Understanding All Your Insider Threats

April 30, 2019

Enterprises with insider threat mitigation programs often focus primarily on detecting and responding to malicious actors. At best, they may subdivide their threats into either malicious or negligent personas.

These are overly simplistic constructs, however, because they ignore several other kinds of threat behaviors that are in fact quite common — and often just as dangerous to the organization.

We’re glad to see, therefore, increasing signs of recognition in the security risk community that insider threats come in all shapes and sizes, rather than being a monolithic entity. That’s an important step towards more effective insider risk mitigation.

The latest example is Verizon, whose recently released Insider Threat Report analyzes a series of insider attacks originally described in its most recent annual Data Breach Investigations Report (DBIR), published last year.

The new report notes that some 20% of all cybersecurity incidents and nearly 15% of all data breaches described in the 2018 DBIR came from trusted insiders. Verizon goes on to list not one or two, but five, categories of insider threat:

  1. Careless Worker: An employee or partner who misappropriates resources, breaks acceptable-use policies, mishandles data, installs unauthorized applications and uses unapproved workarounds. This person’s actions are inappropriate rather than malicious.
  2. Inside Agent: An insider recruited, solicited or bribed by external parties to exfiltrate data. (Note: We would add extorted/blackmailed to that list.)
  3. Disgruntled Employee: Insider who seeks to harm his or her organization via destruction of data or disruption of business activity.
  4. Malicious Insider: Actor with access to corporate assets who uses existing privileges to access and steal information for personal gain.
  5. Feckless Third Party: Business partner who compromises security through negligence, misuse or malicious access to or use of an asset.

With so many different personas to contend with — each with its own unique motivations, levels of intent and behavioral patterns — it’s no surprise that companies and government agencies have great difficulty managing an insider threat mitigation program that can catch them all.

This is where Haystax comes in. Rather than relying solely on conventional machine learning or rules-based systems to analyze network data, we created a probabilistic model of trustworthiness (which we call Carbon) and then integrated it into an analytics platform that allows the model to ‘reason’ on a wide array of ingested data.

The result is a continuously updated risk score for each individual in an organization, derived not just from network activity but from HR, travel, expense, access-badge and many other data sources. Evidence can even be ingested from third-party and publicly available sources, not just from internal data.

Haystax also pulls in data that can provide evidence of financial, legal, personal or professional stressors, as these are very accurate indicators of future insider threat activity.

Our model-based analytics are ideally suited to early identification of all five personas in the Verizon scenarios (the examples below use actual [ModelNodeNames] to illustrate how the data is applied as evidence to the model):

  • The careless worker is discovered from evidence applied to nodes such as [NeglectsSecurityRules], [DisregardsAuthority] and [ExhibitsInformationHandlingIssueOfConcern], all of which influence the higher-level node [CarelessTowardDuties].
  • The inside agent [HasRiskyForeignAssociate], is [SusceptibleToInducement], attempts [UnauthorizedLocationAccess] and/or [HasUnexplainedAffluence].
  • The disgruntled employee typically [ExhibitsDisruptiveBehavior] and [ExhibitsDegradedWorkPerformance], and is [UnderWorkStress], [HypersensitiveToCriticism] and [HabituallyTardy], among other behaviors. These and other nodes influence the higher-level concept of [Disgruntled].
  • The malicious insider has a host of model nodes for which data can be found, including [SuspiciousRemovableMediaExfiltrationAttempt], [CommitsEmployeeTheft], [Untruthful] and [AccessesFacilityUnauthorized].
  • The feckless third party can be discovered with all of the same data used as evidence for careless, disgruntled and malicious employees, especially email and online activity, as well as risky behaviors discovered among public records.

Verizon’s report goes on to list 11 practical countermeasures to help organizations reduce insider threat risks and enhance incident response efforts. Several of these emphasize the need to include IT, Legal and HR in any detection, investigation and response efforts.

We agree completely. This kind of broad cross-departmental coordination and collaboration is a critical requirement for organizations that aspire to effectively manage a holistic risk-based program designed to mitigate any type of adverse insider — regardless of their motivations or behaviors.

#   #   #

Note: For an in-depth look at how one formerly high-flying executive devolves into a disgruntled insider threat, download the newly published second edition of our Insights Series paper, To Catch an IP Thief.

Related posts