For over 25 years, Haystax has been the provider of world-class commercial software products for direct use by individuals in the agencies charged with protecting our communities, cities, and country. Thus, our product is one of the most widely deployed risk management software solutions, used by school, law enforcement, fire, emergency management, and other government agencies across the United States.

Image module

Haystax for School Safety

Haystax meets the constantly evolving challenges of providing safe learning environments for students, faculty, staff, and local security partners by integrating all vital incident and school facility information into a single, online platform.  Physical assessments and behavioral assessments along with the ability to report and monitor incidents on or near campus are hallmarks of Haystax for School Safety.  Know your threats sooner, respond faster, and effectively coordinate actions for all stakeholders.

Image module

Haystax for Public Safety

Law enforcement professionals are called upon daily to perform a broad range of tasks—from routine patrols, intelligence gathering and investigations to major crime and incident responses. Their challenge is to ensure public safety despite incomplete intelligence, limited cross-jurisdictional information sharing, and tight budgets. Haystax helps law enforcement agencies prepare for and respond to any crisis with a dynamic picture of emerging threats, rapid  intelligence-collection and incident-reporting tools, and a seamlessly integrated user environment that  ensures maximum collaboration and analytically sound command decisions for rapid response.

Image module

Haystax for Enterprise Security

Haystax has developed a suite of applications designed specifically to help corporate security decision-makers and analysts navigate this challenging environment. Haystax alerts corporate leaders to their most likely threats and natural hazards, provides critical security and operational information about each physical facility, regardless of its size or geographic location, and allows risk managers to identify and mitigate their biggest vulnerabilities. Moreover, the Haystax platform enables security teams to manage incidents and major events—from the ops center or out in the field.

Equipped with these insights, CSOs can better anticipate their risks, communicate with leadership and limit their company’s exposure to financial, legal and reputational liabilities.

Prevartificial intelligenceBeyond Machine Learning: Using Models in AI for Security20 October 2017NextHaystax Technology Expands Field Ops Organization with World-Class Software Sales Executives06 November 2017

UBA Is Just Getting Warmed Up

October 30, 2017

Anyone who has worked long enough in the data analytics and high-tech industries will have a favorite story about some new technology that was subjected to a degree of hype so great it could never measure up.

Typically, these technologies flame out quickly (fuzzy logic or Google Glass, anyone?). Others, like artificial intelligence (AI), have had seesawing fortunes spanning decades — initially subject to the loftiest expectations only to be followed by severe disillusionment as physical, technical or other limitations became apparent.

Within the sub-domain of AI for security, a collection of technologies known as user behavior analytics (UBA) is now enjoying its own moment of high expectations, much as security information and event management (SIEM) systems did about a decade ago.

UBA differs from SIEM in not just aggregating and correlating alerts from different network events but by using a combination of AI and analytical approaches — including rules-based, pattern-matching and statistical methods, plus supervised and unsupervised machine learning — to establish baselines of how systems, networks and devices typically behave, and then to detect significant anomalies in their behavior and send alerts to security teams for further investigation.

Gartner industry analysts in particular have spent lots of time thinking about UBA. They note that UBA tools hold several key advantages over SIEM for applications like insider threat detection, credential abuse, account takeovers and IP/data loss prevention. First, they detect threats better (and detect ‘better’ threats) than SIEM tools; second, they analytically decide what matters, then boost those signals while minimizing the ‘noise’; and third, they solve some security problems with less expert labor.

That said, analysts from Gartner as well as from Forrester Research and Enterprise Security Group (ESG) also are mindful of lingering UBA weaknesses, including:

  • There are some so-called ‘black swan’ events that a UBA system won’t find because they don’t resemble past events.
  • AI-based UBA approaches are good at detecting anomalous behavior, but they also spot lots of other things that analysts need to spend time chasing down, only to discover they were not actual threats but ‘false positives.’
  • Not all organizations have in place the kinds of human expertise required to run a UBA system properly; in particular, many lack data scientists.
  • Network data is not enough to find insider threats and other malicious actors; businesses need additional context from non-IT data sources like personnel files, travel records and employment histories.
  • Obtaining all that new data and getting it cleaned and integrated properly is not easy, for a variety of organizational and technical reasons.

These firms are in general agreement that UBA won’t replace human analysts any time soon — instead, it should be seen as making them more effective and less prone to alert fatigue. They also tend to agree that SIEM is not going away, and in many cases should be viewed as complementary to UBA. The best UBA systems, one analyst notes, make SIEM ‘smarter’ by focusing on analyzing streaming and batch data rather than on rules.

They do differ, though, on the issue of whether UBA is a passing fad. Some think UBA will be dead as a standalone market category in five years, transformed into next-gen SIEM or folded into adjacent security markets such as endpoint security, identity and access management and data loss prevention, where advanced analytics and behavioral profiling will help these products lower alert volumes while producing more accurate and actionable high-priority alerts.

My experience tells me that the UBA market, like that for SIEM and other technologies before it, won’t die but will certainly evolve as time goes by. (One ESG analyst called this progression “innovative flux.”) I’m not talking only about inevitable industry churn prompted by corporate bankruptcies and acquisitions (which is already starting to happen), or newly coined buzzwords, but a progression of new techniques and technologies as well.

It also matters that user behavior analytics has already produced successes against some of the security community’s toughest challenges. For instance, encoding whole-person behavior into probabilistic models and then running a diverse array of network- and non network-related data sets through the model nodes is a UBA approach that has been proven to drastically reduce alert fatigue while prioritizing real risks to an organization, easing the strain on the already overworked SOC analysts and letting them focus on the risks that really matter. And it also overcomes most of the other UBA weaknesses that I listed above.

There’s always room for improvement, of course, but if we prematurely write UBA’s obituary I believe we run the risk of overlooking some very real existing achievements — and others that are not too far over the horizon.

#  #  #

Note: A version of this article first appeared in CSO Online on September 28, 2017.

 

Related posts