Instead of starting with a massive pool of data and then mining it for usable threat intelligence, we first build a system for transforming human expertise into models that can evaluate complex security problems. With further analytics we can then automatically score the highest-priority threat signals and rapidly deliver them to the right people at the right time. We have also built a tightly integrated ‘ecosystem’ of web and mobile apps to enable our users to manage their critical assets and incident responses.
We’ve hit on a novel approach to security analytics
How does it work?
We start with a thorough understanding of an organization’s top risks, working with its own experts to build a mathematical representation – that is, a model – of the problem, folding in such factors as existing workflows and expected user behaviors. We then transform the model into software. This method is better suited to those classes of hard problems for which a data-centric approach is ineffective or does not scale well – for example, rare, high-impact events that leave too little historical data to learn from.
At the core of our approach is Bayesian probability theory. Despite the esoteric-sounding name, the idea is simple: a probability is a degree of belief that is revised as new evidence arrives, so the likelihood of something happening (or not happening) can be estimated and each step of the estimate defended. Every node of the model carries the conditional probabilities that link it to the factors it depends on, so several weak indicators of unusual activity, each unremarkable on its own, can combine into a meaningful shift in the assessed risk. The same machinery lets experts assign priors to rare, high-impact ‘black swan’ events for which no history exists. Because no single model will work for every situation, we tailor our models to prioritize different risks according to what’s important to a particular organization, whether its job is to prevent terrorism, detect insider threats, fight cyber-fraud or close security gaps.
Bring in all relevant data
Once the model is in place it can generate results immediately, using the expert-assigned priors alone. Real insight begins when data relevant to the domain problem is added. The data can come from any internal, third-party or open source – for example network activity, access records, investigations and case data, employee records, news or security sensor feeds – and can be structured or unstructured, static or streaming.
Haystax components extract, disambiguate, augment, evaluate and enhance the data, and apply it to the model to make inferences. Using simple connectors and configuration tools intuitive enough for any non-technical person to grasp, users can add data as they discover it and apply it to the problem at hand. We’ve engineered Haystax from the ground up to be able to handle any size or speed of data, so it expands as the threats expand. And because Haystax continuously maps new data inputs, users get continuously updated awareness of their environment.
Connect the dots at scale
The Haystax platform for security analytics is designed to separate critical signals from insignificant noise. A library of ingestion and extraction rules enables the data to be processed at scale and treated as evidence of anomalous behavior and malicious intent. The system analyzes and scores the data, using the model to surface dependencies and relationships that would otherwise stay hidden and to expose potential blind spots, then assigns a priority level to each risk event. When a score indicates an emerging or high risk, the alerting engine generates automated messages. The net effect is a drastic reduction in data overload and analyst fatigue, and earlier detection of the most important threats. Decision-makers are better prepared and can act with confidence when a crisis strikes.
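The two mechanisms described above – a Bayesian model whose nodes carry conditional probabilities, and a scoring step that turns the model’s output into a priority level and an alert – can be shown end to end on a toy network. The example below is added here for illustration and is not Haystax code or the Haystax model; the network structure, every probability in it, the priority thresholds and the sample records are all made up for the demonstration. It does exact inference by enumeration (fine for a handful of binary nodes) and deliberately includes a context variable, `on_call`, so that an expected behavior (an on-call administrator logging in after hours) is not scored as a threat indicator, and it scores records with indicators that have not been observed yet by summing them out rather than dropping the record.

```python
"""Toy Bayesian-network threat scorer (illustrative; not the Haystax model).

Network of binary variables, exact inference by enumeration:

    threat  -> after_hours, transfer, hr_flag
    on_call -> after_hours

`on_call` is a context variable: an on-call administrator is expected to log
in after hours, so that indicator carries little weight for them.
All probabilities are invented for this example.
"""
from itertools import product

# name -> (parents, {tuple of parent values: P(name = True | parents)})
NETWORK = {
    "threat":      ([], {(): 0.01}),
    "on_call":     ([], {(): 0.20}),
    "after_hours": (["threat", "on_call"],
                    {(True, True): 0.80, (True, False): 0.60,
                     (False, True): 0.50, (False, False): 0.05}),
    "transfer":    (["threat"], {(True,): 0.50, (False,): 0.02}),
    "hr_flag":     (["threat"], {(True,): 0.40, (False,): 0.05}),
}

# Posterior thresholds for the priority level (hypothetical bands).
PRIORITY_BANDS = [(0.50, "critical"), (0.20, "high"), (0.05, "medium"), (0.0, "low")]


def joint_probability(assignment):
    """P(full assignment) = product over nodes of P(node | its parents)."""
    p = 1.0
    for name, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[name] else 1.0 - p_true
    return p


def posterior(query, evidence):
    """P(query = True | evidence), enumerating every consistent assignment.

    Variables absent from `evidence` are unobserved and are summed out, so a
    record with missing indicators is still scored.
    """
    names = list(NETWORK)
    num = den = 0.0
    for values in product((False, True), repeat=len(names)):
        assignment = dict(zip(names, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(assignment)
        den += p
        if assignment[query]:
            num += p
    return num / den


def priority(score):
    """Map a posterior probability to a priority label."""
    for threshold, label in PRIORITY_BANDS:
        if score >= threshold:
            return label


def score_events(events):
    """Return (user, score, priority) rows, highest risk first."""
    scored = []
    for ev in events:
        evidence = {k: v for k, v in ev.items() if k != "user"}
        s = posterior("threat", evidence)
        scored.append((ev["user"], round(s, 4), priority(s)))
    scored.sort(key=lambda row: row[1], reverse=True)
    return scored


# Constructed sample records; a missing key means that indicator has not been
# observed for the user yet.
SAMPLE_EVENTS = [
    {"user": "alice", "after_hours": True, "on_call": False, "transfer": True, "hr_flag": True},
    {"user": "bob", "after_hours": True, "on_call": True, "transfer": False, "hr_flag": False},
    {"user": "carol", "after_hours": True, "on_call": False},
    {"user": "dave", "after_hours": True, "transfer": True, "hr_flag": False},
]

if __name__ == "__main__":
    for user, score, level in score_events(SAMPLE_EVENTS):
        alert = "  ALERT" if level in ("critical", "high") else ""
        print(f"{user:6s} P(threat | evidence) = {score:.4f}  {level}{alert}")
```

Running the block ranks alice (all indicators present) as critical and dave (bulk transfer plus after-hours access, on-call status unknown) as high, while bob’s after-hours login is explained by his on-call role and scores near the prior. Carol, with only an after-hours login observed, lands in the medium band: the missing indicators are marginalized, not treated as absent. In a real deployment the CPTs would come from the organization’s experts and the thresholds from its alerting policy, and enumeration would give way to a proper inference engine once the network grows beyond a few dozen nodes.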
Anticipate and respond with confidence
The Haystax ecosystem includes ready-to-use apps for collaborative visualization, threat alerting, asset cataloging, event monitoring and incident reporting – all viewable on a single screen, on any device. Our apps were designed with the user in mind and are easy to learn. A powerful set of administrator functions gives authorized personnel extensive control over inviting and registering new users and over their roles, access levels and functional permissions. Operationally, Haystax apps have been deployed with major commercial organizations and with local, state and federal agencies during routine security operations, large special events, and all manner of natural disasters and major incidents.
The technical part …
The Haystax Analytics Platform is designed to scale and to work in mission-critical environments. Users need only bring us their interesting challenges, and the system will deliver results at the volume and speed required. Haystax uses the Apache Storm stream processing engine to ingest, process and score incoming data streams. The processed and analyzed items are stored as objects in a NoSQL MongoDB data store for later retrieval and further processing. Various map-reduce and other scripted algorithms are run over the entire data set to compute aggregate information and trends. The data and operations are accessed through self-documenting REST API calls served over HTTP. Open APIs and webhooks ensure our system is not a walled garden: it’s easy to get data in, and easy to get insight out. The entire platform runs on the Linux operating system.