For over 25 years, Haystax has been the provider of world-class commercial software products for direct use by individuals in the agencies charged with protecting our communities, cities, and country. Thus, our product is one of the most widely deployed risk management software solutions, used by school, law enforcement, fire, emergency management, and other government agencies across the United States.

Image module

Haystax for School Safety

Haystax meets the constantly evolving challenges of providing safe learning environments for students, faculty, staff, and local security partners by integrating all vital incident and school facility information into a single, online platform.  Physical assessments and behavioral assessments along with the ability to report and monitor incidents on or near campus are hallmarks of Haystax for School Safety.  Know your threats sooner, respond faster, and effectively coordinate actions for all stakeholders.

Image module

Haystax for Public Safety

Law enforcement professionals are called upon daily to perform a broad range of tasks—from routine patrols, intelligence gathering and investigations to major crime and incident responses. Their challenge is to ensure public safety despite incomplete intelligence, limited cross-jurisdictional information sharing, and tight budgets. Haystax helps law enforcement agencies prepare for and respond to any crisis with a dynamic picture of emerging threats, rapid  intelligence-collection and incident-reporting tools, and a seamlessly integrated user environment that  ensures maximum collaboration and analytically sound command decisions for rapid response.

Image module

Haystax for Enterprise Security

Haystax has developed a suite of applications designed specifically to help corporate security decision-makers and analysts navigate this challenging environment. Haystax alerts corporate leaders to their most likely threats and natural hazards, provides critical security and operational information about each physical facility, regardless of its size or geographic location, and allows risk managers to identify and mitigate their biggest vulnerabilities. Moreover, the Haystax platform enables security teams to manage incidents and major events—from the ops center or out in the field.

Equipped with these insights, CSOs can better anticipate their risks, communicate with leadership and limit their company’s exposure to financial, legal and reputational liabilities.

PrevTwo Essential Tools for Successful Insider Risk Mitigation – Part 111 October 2020NextFishtech Group CYDERES to Offer Insider Threat Monitoring as a Service22 January 2021

Two Essential Tools for Successful Insider Risk Mitigation – Part 2

October 30, 2020

In Part 1 of this post we explored the basic characteristics of user activity monitoring (UAM), security information and event management (SIEM), user and entity behavioral analytics (UEBA) and artificial intelligence-based analytics software systems.

In this post we will compare and contrast how data-driven UAM and SIEM/UEBA solutions detect insider threats versus how the model-driven Haystax solution does it.

For illustration purposes, let’s consider a company with 10,000 trusted insiders that has the following circumstances:

  • 500,000 files per week are copied to removable media by 2,500 employees
  • 50,000 files per week are being sent outside the company via email
  • 100,000 DLP alerts per week for files being copied to removable media
  • 10,000 DLP alerts for email
  • 500,000 web page visits per week
  • 100,000 files downloaded from websites
  • 7,500 files uploaded to websites

The above assumptions are reasonable if there are few or no controls on the use of removable media and on sending files via email. The number of alerts generated would require a significant effort to review in a timely manner; therefore, there needs to be effective threat scoring to point the analysts to the insiders that pose the greatest threat to the organization.

To contrast the differences of how SIEM/UEBA solutions develop threat scores versus Haystax, and the effectiveness of each approach, we will evaluate three user behavior scenarios:

  1. User A has contextual, technical and non-technical behaviors;
  2. User B has contextual and technical behaviors; and
  3. User C has contextual and non-technical behaviors.

The scenarios and resulting scores are presented below.

User A has both cyber and non-cyber behaviors that should be considered in the overall threat analysis. The SIEM/UEBA score, on a relative scale of 0-100, is low. Scoring assumptions for the SIEM/UEBA are:

  1. Non-cyber behaviors and contextual data did not impact the score;
  2. The non-productive web browsing has low impact because it is not data exfiltration; and
  3. Sending files via email has low impact because the volume is low.

The Bayesian Inference Network (aka BayesNet) probabilities consider all of the activity, resulting in higher threat probabilities. The behaviors of User A could be indicative of many things – disengagement from the organization, unfamiliarity with company policy or attempts to test controls and monitoring. Identifying the increased threat level allows for further investigation (perhaps using the UAM tool) and proactive risk mitigation.

User B has contextual and technical behaviors and the SIEM/UEBA score is high, on a relative scale of 0-100. Scoring assumptions for the SIEM/UEBA are:

  1. The cyber behaviors are scored high due to the large volumes of data being sent outside the network; and
  2. The contextual data has no impact on the score.

The BayesNet probabilities consider all of the activity, resulting in higher threat probabilities. Specifically, the “Conducts Potential Insider Threat Activities” is high due to the data exfiltration. But the overall “Is Insider Threat Concern” is lower because it is impacted by the “Exhibits Concerning Characteristics,” which is lower due to the contextual data (e.g., position as recruiter, longevity with company, absence of other negative behaviors to increase the score). The behaviors of User B are likely that of an employee doing their job – sending company information to prospective employees.

User C has contextual and non-technical behaviors and the SIEM/UEBA score is zero, due to the absence of technical behaviors and the lack of scoring non-technical behaviors.

The BayesNet probability scoring indicates a low probability of “Conducts Potential Insider Threat Activities” due to the attempted access behaviors, and a medium probability of “Exhibits Concerning Characteristics” due to the access to critical data, attempted access, performance review and being a relatively new employee. User C does not appear to be a threat based on this information, but these behaviors should be retained and considered in the light of future behaviors.

These use cases demonstrate that insider threat programs should implement both UAM and advanced analytics. The UAM tools provide necessary details about users’ activities on computers and laptops, but do not contain all the data required to detect insider threat activity.

A broader set of data, usually at a higher level, needs to be integrated into and effectively analyzed by an advanced tool that can effectively consider both technical and non-technical indicators. The Haystax Insider Threat Mitigation Suite employs just such a tool: a BayesNet that effectively and consistently evaluates both of these behaviors, thus developing a picture of the whole person – and any early indications of insider risk.

#    #    #

Note: A former high-flying corporate executive suffers a series of personal and professional setbacks and gradually develops into an insider threat. Find out how Haystax would have used probabilistic analysis and technical/non-technical data to discover him prior to his massive theft of intellectual property, in To Catch an IP Thief.