For over 25 years, Haystax has been the provider of world-class commercial software products for direct use by individuals in the agencies charged with protecting our communities, cities, and country. Thus, our product is one of the most widely deployed risk management software solutions, used by school, law enforcement, fire, emergency management, and other government agencies across the United States.

Image module

Haystax for School Safety

Haystax meets the constantly evolving challenges of providing safe learning environments for students, faculty, staff, and local security partners by integrating all vital incident and school facility information into a single, online platform.  Physical assessments and behavioral assessments along with the ability to report and monitor incidents on or near campus are hallmarks of Haystax for School Safety.  Know your threats sooner, respond faster, and effectively coordinate actions for all stakeholders.

Image module

Haystax for Public Safety

Law enforcement professionals are called upon daily to perform a broad range of tasks—from routine patrols, intelligence gathering and investigations to major crime and incident responses. Their challenge is to ensure public safety despite incomplete intelligence, limited cross-jurisdictional information sharing, and tight budgets. Haystax helps law enforcement agencies prepare for and respond to any crisis with a dynamic picture of emerging threats, rapid  intelligence-collection and incident-reporting tools, and a seamlessly integrated user environment that  ensures maximum collaboration and analytically sound command decisions for rapid response.

Image module

Haystax for Enterprise Security

Haystax has developed a suite of applications designed specifically to help corporate security decision-makers and analysts navigate this challenging environment. Haystax alerts corporate leaders to their most likely threats and natural hazards, provides critical security and operational information about each physical facility, regardless of its size or geographic location, and allows risk managers to identify and mitigate their biggest vulnerabilities. Moreover, the Haystax platform enables security teams to manage incidents and major events—from the ops center or out in the field.

Equipped with these insights, CSOs can better anticipate their risks, communicate with leadership and limit their company’s exposure to financial, legal and reputational liabilities.

PrevCyber securityIntegrated Risk Management Comes of Age12 June 2018NextImage of Cyber Fraud model on laptopHow Bayesian Networks Glean Better Insights During Clearance Investigations05 July 2018

The Case of the ‘Disgruntled’ Tesla Insider

June 25, 2018
insider threat

Tesla CEO Elon Musk claims that at least one employee stole sensitive intellectual property and sabotaged existing operations at the electric car-maker’s battery plant in Nevada, which would constitute a major insider threat event.

While many details are still unknown, Musk called the employee “disgruntled” and said the “stated motivation is that he wanted a promotion that he did not receive.” It was also suggested that there may be more than one insider involved.

The employee, a technician at Tesla’s Gigafactory, reportedly has been sued by the company and admits to at least some of the allegations — although he views himself as a whistleblower revealing “lies [Musk] told to the public and investors.”

Whatever clarifying information may emerge in the coming weeks, the initial allegations represent one of the more nightmarish scenarios a company’s security team and leadership could ever face. In essence it’s a hybrid insider threat event, and a significantly damaging one at that. But was it preventable?

Musk’s June 17 email to employees describes some of the specific actions the insider is said to have taken, such as “making direct code changes to the Tesla Manufacturing Operating System under false usernames” and “exporting large amounts of highly sensitive Tesla data to unknown third parties” (including confidential photos and video of Tesla’s manufacturing systems, plus other trade secrets).

At least some of the activity underlying these misdeeds was likely detected by the company’s network security systems, but were the corresponding alerts turned into actionable intelligence in a timely manner? Apparently not. Perhaps they were drowned out by numerous other alerts, the majority of them likely false positives. Or perhaps Tesla’s security team was distracted by another event, or understaffed.

Either way, by the time those alerts were triaged, prioritized, investigated and acted upon, the damage to Tesla was already done.

But it’s also true that no matter how stealthily the employee moved or how well he may have covered his tracks, many of the behaviors preceding each malicious act were in fact discoverable — not through network data alone, of course, but certainly through a more advanced user behavior analytics (UBA) solution with the ability to conduct threat hunting.

With access to a broader array of non-network information sources like incident reports, employee complaints, supervisor evaluations or other HR records, plus access badge and printer data, many of these behaviors would have been known in advance once they were analyzed by a UBA solution like Haystax Technology’s Haystax for Insider Threat.

One of the unique features of Haystax is that it takes a ‘whole-person’ approach to assessing risk, using a 700-node probabilistic model of human behavior to continuously analyze employee actions and prioritize those individuals most likely to harm an organization through malice, negligence or even inadvertence. Haystax connects to a wide variety of network and non-network data sources, and uses machine learning and other artificial intelligence techniques to augment the data so that it can be applied as evidence to the model.

A telling piece of evidence of insider risk at Tesla can be found in Musk’s statement that the Gigafactory technician was “disruptive and combative” in the workplace, and even tried to persuade his colleagues to join his scheme. There are several Haystax model nodes that would have reflected this adverse behavior, alerting security analysts to the growing issues of concern around the employee and his diminishing trustworthiness.

Likewise, being passed over for a promotion is crucial evidence for another key risk indicator in the model. In fact, “disgruntlement” is one of the top-level concepts that negatively impacts employee trustworthiness.

Had Haystax been deployed at Tesla, users would have been alerted to the employee’s bad behavior early enough to have paid closer attention, or even placed him on a watch list, so that by the time the data exfiltration or code changes were detected the security team could have acted immediately to avert a larger crisis.

As any security leader will tell you, an ounce of risk prevention beats a pound of post-event response every time.

#  #  #

Note: For a use case that’s eerily similar to the Tesla incident, please see the first report in our Haystax Insights Series: To Catch an IP Thief. It describes how Haystax for Insider Threat discovers a disgruntled employee who steals IP from a large company after being passed over for a promotion — but before he walks out the door with a thumb drive.

 

Related posts