The Haystax Analytics Platform · 2020-03-24 · The Haystax Analytics Platform Platform Design and...

The Haystax Analytics PlatformProactive security risk mitigation through AI-driven awareness, analysis and inference

WH

ITE

PAPE

R

2 8251 Greensboro Drive, Suite 1000, McLean, VA 22102 | 571-297-3800 | [email protected] | www.haystax.com

Today’s security professionals live in challenging times. Malicious threats are evolving at a rapid clip, natural disasters are getting more severe and the once-sharp line between physical and cyber incidents is blurring.

Conventional tools and approaches used to mitigate these complex risks are no longer up to the task:

• Guards, guns and gates may be effective against physical threats, but they can’t prevent a cyber-attack.

• Counter-terrorism measures won’t protect the supply chain against natural hazards.

• Perimeter cyber-defenses are useless against sabotage or theft — or even an unwitting error — from a trusted insider.

Even more advanced software solutions based on artificial intelligence techniques have failed to deliver on the promise of enhanced enterprise security. Most machine-learning and rules-based systems, for example, create huge volumes of false-positive alerts that overwhelm analysts and thus prevent them from discerning their biggest threats. Moreover, most advanced persistent threats have no identifiable precedent and are therefore extremely difficult to detect using these systems.

At Haystax we believe that technology should serve security leaders and their teams, not the other way around. Our flagship Haystax Analytics Platform brings together in one seamlessly integrated

environment all the diverse data sources, analytic power and workflow tools an organization needs for all-hazard risk preparedness, prevention, response and recovery. Haystax developers hold five patents related to our pioneering risk-based approach.

The platform enables decision-makers to achieve the fundamental goal of risk management: understanding their most likely cyber and physical threats and biggest vulnerabilities, as well as the consequences of an adverse event, regardless of whether the risk is man-made intentional or accidental or the result of a natural hazard.

A fully operational Haystax system starts by providing detailed information about an organization’s most valued assets: the people, data and intellectual property, facilities, IT systems and supply chains that make the enterprise successful. It then generates deeper insights concerning the dynamic threat environment in and around these assets. And finally it uses probabilistic inference to predictively alert decision-makers to their highest-priority threats, detecting critical signals while filtering out virtually all of the insignificant noise generated by other systems.

This white paper describes how Haystax’s unique information-insights-inference approach to security analytics (table below) enables private-sector and government agencies alike to proactively mitigate their risks and respond quickly and with confidence, in time to avert a crisis.

Introduction

Knowledge Level Information Insights Inference

App/Capability Assets, Assessments

Incidents, Field Reports, Events, Threat Streams, Dashboard, Map, Timeline

Model, NLP, Sentiment Analysis, Named-Entity Recognition

User Outcome Know Your Assets Understand Your Threats Anticipate Your Risks

38251 Greensboro Drive, Suite 1000, McLean, VA 22102 | 571-297-3800 | [email protected] | www.haystax.com

The Haystax Analytics Platform

Platform Design and ArchitectureThe multi-tenant, multi-app Haystax Analytics Platform was designed to address all threats and hazards across the enterprise, deployed in a secure software-as-a-service (SaaS) environment available 24/7 to our users. The platform can be quickly configured for a specific customer mission and then deployed via the Amazon Web Services cloud, with an option for on-premises delivery.

The central component of the platform is an analytics hub that fuses multiple artificial intelligence (AI) techniques and analytic tools to prioritize risk from any threat or hazard. One tool is an analytics engine to process and score incoming data streams. Another is a probabilistic model that analyzes and ‘reasons’ on complex problems by ingesting processed data as evidence. It is the model — known as a Bayesian inference network — that gives the Haystax platform its powerful predictive capabilities and sets our system apart from every other AI-based security analytics solution.

A second component is a data connector system that allows a huge volume and variety of user-specified data to be extracted and loaded into the platform for further processing and analysis. All

data and operations are accessed through open application programming interfaces (APIs).

The extracted and processed data is stored as objects in a MongoDB database for subsequent retrieval and further processing. In order to support high data volumes and speeds — including large message sizes and rapid arrival rates — the Haystax Analytics Platform is built with a completely parallelizable, componentized and scalable architecture. In this way, the pipeline from data connection through processing and storage provides guaranteed processing and very low latency, and allows the system to ‘flex’ as threats expand and evolve.

The third platform component is an interface containing a series of mission-focused applications that help users to manage their daily security responsibilities. The interface allows users to submit information, interact with analytic results, compile custom reports and communicate with other users in their tenants.

The architecture diagram below highlights key details within each of the three constituent parts of the Haystax platform.

The Haystax platform consists of data connectors, an analytics processing engine (incorporating a Bayesian model) and a user interface.


A wide array of data sources can be deployed in our insider threat solution. The number and type can vary significantly between customers.

Sourcing DataHaystax integrates data from numerous sources and combines it with existing data generated by the native Haystax apps, to create an aggregated and fully contextualized view of each particular security domain. The data can be structured or unstructured, dynamic or static and in any currently accepted digital format.

Our platform includes a set of configurable connectors and an API layer to support integrations with static sources like databases or text files, streaming sources such as camera and sensor feeds

and frequently updated digital media sources like news/RSS feeds.

Data can come from an organization’s internal repositories, open-source/publicly available information or third-party data providers. A government insider threat program manager may decide to source data from personnel files, network logs, SF-86 forms and travel and expense records (table below). In a major investigative case these sources could be augmented with publicly available data, such as financial or criminal records.

A corporate director of physical security may alternately choose to rely primarily on incident,

Platform Functionality and BenefitsThe Haystax Analytics Platform is an ‘ecosystem’ that integrates data sources with the model, supports model reasoning and provides an intuitive way for users to understand the results and share key insights with other stakeholders.

It can be configured for a range of risk-mitigation missions, from exposing insider threats and managing security for major national events to protecting critical infrastructure and responding to natural disasters. Users range from leading financial institutions and U.S. defense and intelligence agencies to state and local public safety agencies and school districts.

Each step in the analytic process, from extracting data to reasoning on evidence to displaying results, is done in an intuitive way that mirrors commonly accepted workflows and risk-management best practices in each mission area.

What follows is a deeper look at how the three main Haystax platform components — data import, analytics and the user interface — interoperate.



scheduled-event and suspicious-activity alerts generated from the in-built Haystax mobile apps, augmented by continuously updated threat analysis of digital media plus real-time traffic and weather feeds — all of it geo-located on a map display in relation to the organization’s critical assets and supply-chain routes.

Designated data sources are continuously monitored for updates so the new information can be extracted, processed and applied to the analytics as it becomes available. And Haystax makes it easy for additional information sources to be identified and mapped to the system very quickly.

AI-Based AnalyticsOnce data is integrated, the Haystax platform’s analytic hub continuously transforms, processes and augments the information, using a series of rules to ingest the data as evidence and apply it to various nodes in the Bayesian network in order to update the model’s ‘beliefs’ about the risk environment.

The stream processing engine uses natural-language processing, sentiment analysis and named-entity recognition, as well as other machine-learning and rules-based AI techniques, to transform and augment the data. This process can resolve ambiguities between data sources, establish norms for the user and even generate new events. Augmentation is particularly useful for detecting anomalies and discrepancies in an individual’s regular behavior — for example unusual network, badge or printer activity — which then can be applied as evidence to the model. The augmentation process additionally allows for factoring in temporal growth and decay, for instance ensuring that a misdemeanor from 20 years ago has a far weaker influence on an employee’s level of trustworthiness than one from 20 days ago.

The Bayesian network (sidebar right) takes the analytics a major step further by using inference to anticipate emerging threats in the user’s environment. In building each model, Haystax data scientists define the problem and then work with subject-matter experts and reference materials to capture the high-level concepts and supporting

Bayesian Models: A Primer Haystax employs a type of probabilistic model known as a Bayesian inference network, which is able to efficiently represent expert knowledge about a complex problem domain and then use that knowledge to reason intelligently inside that domain under conditions of uncertain, incomplete or even contradictory data.

Bayesian models are ideally suited to any complex and rapidly evolving domain where:

• The event being predicted has never before occurred (or has occurred, but only very infrequently), and thus can’t be ‘learned’ from past data.

• Experts disagree about the root causes of an event, or about the most effective responses.

• The supporting data is missing, incomplete and/or inconsistent.

• The analytic process must be transparent, showing causality and also the chain of reasoning between evidence and inference that led to each result.

• The results must be consistent, repeatable and analytically defensible.

A Bayesian network captures a set of concepts from the problem domain, the relationships between the concepts and the strength of the relationships between the concepts. It encodes our knowledge about how knowing one concept influences our belief in another concept. When concepts and their influences are connected together, the Bayesian network can reflect multiple levels of influence and thus has the ability to express the relationships and dependencies of many related concepts.

In order to use a Bayesian network as a model, analysts apply data (‘beliefs’) to the model to set the belief states of some of the random variables and then apply the Bayesian network update algorithm to propagate the beliefs to all other nodes of the model. This can be done every time new data becomes available.


sub-concepts within each domain and their interrelationships. Individual nodes of the model break down each concept into smaller and smaller sub-concepts until they become causal indicators that are measurable in data.

Once the model is built, we work with our users to identify the data that will be applied to that model as evidence to produce prioritized indicators of personnel, IT and infrastructure risk over time.

Because no single Bayesian network will work for every security mission, Haystax builds individual models that are optimized for each mission, whether it may be to prevent terrorism, mitigate insider threats, fight cyber-crime or close security gaps.

While their structure may be the same, the composition of the model nodes and the strengths and polarities of their influences will be unique from one model to the next. For example:

• In our insider threat model, the high-level concept is that a person is trustworthy; sub-concepts include reliability, conscientiousness, a stable personal life and steady professional trajectory. Contributing factors can include criminal activity, financial stressors (image above) and addictive behaviors. Data sources are described in the previous section.

• In our terrorism model, the high-level concept scores the risk to an asset or group of assets from an attack. Sub-concepts include threat likelihood (based on type of asset, location, etc.), vulnerability and consequence — with the latter further broken down into human, economic, mission and psychological. Data sources can include news reports, terrorism databases, vulnerability assessments, statistical analyses of consequences and expert studies.

Haystax has perfected the art and science of agile model development. Each model is built in logical segments using our proprietary natural markup language, and then assembled into an integrated whole. Models are tested with synthetic or real data and then tuned using our internally developed model editor. The model markup language and editor are unique tools; they ensure that a model can be deployed to a Haystax customer in weeks rather than months or years, and without the need for a roomful of PhDs.

The model confers one other advantage, too: it provides a structure for identifying up front the data that will be applied to the model. In this way users can select the data they need (and pinpoint their most critical data gaps) while ignoring the data that’s unlikely to be useful.

Closeup image of selected insider-threat model nodes relating to the sub-concept of ‘Under financial stress.’



The Haystax User Experience System users can enter, manipulate, view and share data in the system via a series of applications that correspond to existing threat analysis and investigation workflows and security best practices.

The apps, fully integrated under the covers, perform functions that likewise are common across all risk management missions. Each app (image below) has a mobile counterpart, packaged into a Haystax for Mobile suite that operates on both iOS and Android devices.

What follows is a detailed look at how each app functions in operational settings.

Know Your Assets (Information)In the risk management world, an asset is anything that has value to an organization. Most often it is a person or a physical facility. In the Haystax environment it can be either, or both. Or it can be a vehicle, an IT system or any other valued item subject to targeting by an adversary, harm from an accidental breach or damage or destruction from a natural hazard.

At its most basic level, the Haystax platform enables users to understand everything there is to know about their critical assets.

AssetsOur Assets app catalogs all critical information about each asset — such as address, key contacts, aerial photos, etc. in the case of facilities, and contact details, title, employment history and the like for individuals.

Customers who use our insider threat mitigation solution have entered data on millions of employees, managers and even vendors and contractors as assets in the system. Our public safety solution is loaded with hundreds of thousands of offices, schools, factories, ports and other key infrastructure assets.

On the back end, asset data is shared among the other Haystax apps and relevant data from the other apps can appear on an assets page. This means that an individual’s risk score generated from the Bayesian trustworthiness model can be monitored there; incidents and events related to a particular facility likewise will be displayed within the facility’s asset page (image next page).

Sample landing page, showing nine Haystax apps. The red badges denote new entries since the last user login.


Assets page from our enterprise security solution.

Assessments can be any length, and users can attach observations and other comments, as well as photos.

AssessmentsSafety and security assessments, like asset data management, have long be a critical tool for security risk professionals. Buildings are assessed for their biggest vulnerabilities, and most likely threats and hazards. Personnel can be evaluated via supervisor interviews, reference checks, personal conduct investigations and performance reviews, among other assessments.

The Assessments app provides a means of storing and accessing blank assessment forms and for conducting assessments either within the web application, as is typical for personnel security assessments, or on tablets or other mobile devices in the field, as is common for building safety assessments.

Haystax is able to build custom assessment templates for any customer, and also offers a library of ready-made facility assessment forms for police and fire departments, schools (image right) and hazmat teams, as well as personnel

assessment forms for supervisors, HR departments, investigations teams and the like.

Once assessment data is captured, it can be turned into printed reports. Data from multiple assessments can also exported into a spreadsheet for deeper analysis, such as identifying patterns and trends or justifying new security investments.



Understand Your Threats (Insights)Once our users develop a deep understanding of their critical assets, Haystax provides a means for monitoring and responding to the dynamic threat and hazard environment that surrounds and could potentially impact these assets.

EventsA significant component of domain awareness is knowing what scheduled activities will be taking place that could impact a locale or individual. This can include foreknowledge of a pending corporate layoff that could significantly drive up risk of an insider threat incident (image above); a VIP event during Super Bowl week that could represent a tempting target for terrorists; a semester’s worth of safety drills across a school district; or a large protest scheduled outside a major company headquarters that could pose a risk to its employees.

The Events app is the repository of all known future activities, providing an at-a-glance chronology for preparedness and planning purposes. Events data can be captured from spreadsheets or web calendars and uploaded for easy reference by authorized users, and all events will be displayed with precise geo-coordinates on the Map in proper context with relevant assets and nearby incidents.

Incidents/Field ReportsNot all occurrences can be known in advance. In fact the opposite is true in cases where malicious actors rely upon the element of surprise. The incidents they create are by their very nature extremely difficult to predict, as are accidents caused directly or indirectly by humans.

For awareness of and response to these types of unexpected adverse occurrences, Haystax has developed the Incidents and Field Reports apps, which include preset category menus and also allow for the addition of unstructured text and geo-tagged photos.

There are several ways an incident can be reported into the system: manually into the web app, via mobile app (which allows for the use of a device’s in-built talk-to-text functionality for more rapid alerting) and from the Threat Streams digital media monitoring app described below.

In the public safety realm, it is often the mobile Field Reports app (image left), say in the hands of police patrols or school

resources officers, that generates the most alerts. In the workplace, by contrast, the Incidents app

The Events app is the repository of all known future activities, which can be filtered and sorted by start or end date, venue and event type.

Field Reports app.


serves as a way to record occurrences indicative of potential internal or external threat activity, from data theft, fraud and account compromise to confrontations with colleagues, or misbehavior at company events (image above).

Both apps are able to generate either aggregated reports or more custom reports filtered by time period, importance and/or status, and to export their data into a spreadsheet. In addition, all alerts can be viewed on the Map or Timeline.

Threat StreamsThe Threat Streams app monitors information from a wide array of publicly available digital sources, such as news reports, traffic and weather alerts and even selected feeds from police, fire and other emergency systems via computer-aided dispatch (CAD) networks.

The app (image below) ingests, analyzes and prioritizes this information, then dynamically feeds it into a series of custom channels configured to the specific needs of each user in the system.

The Incidents app serves as a way to record occurrences indicative of potential internal or external threat activity.

The Threat Streams app dynamically feeds information into a series of custom channels.



Threat Streams can reveal what is being said about prominent individuals, companies or specific locations, or to track the movement of a meteorological or seismic event. Detailed views of each alert are displayed on the Map or Timeline, giving decision-makers the ability to get ahead of man-made threats or respond more effectively during natural disasters.

Anticipate Your Risks (Inference)In addition to each individual app environment, Haystax provides three additional ways users can interact with data in the platform, including system-wide geospatial and temporal views as well as a dashboard where aggregated model and analytic results and app-based activity can be viewed.

MapUsed mostly by public safety agencies and corporations, the Map app is a dynamically updated geospatial awareness tool that each user can configure to his or her own specifications. In the school safety configuration (image below), it combines dozens of schools (whose latitude/longitude coordinates are pulled from the Assets

app) with multi-source real-time data showing past and upcoming safety drills, incidents in and around each campus submitted via mobile devices and safety assessments underway or completed.

In addition, local threat data from digital media sources is incorporated in a cascading strip to the right. Rounding out the all-source data mix, users can import a large variety of third-party map feeds as layers, including wildfire and flood locations, traffic, CAD feeds, hazmat locations, social media heatmaps and much more.

TimelineJust as the Map app is a way to see objects in geographic space, the Timeline app is a way to see objects temporally. A timeline shows blocks of activity occurring within the specific start- and end-date range that users choose. Activities can include assessments, events, field reports and/or incidents, also selectable by the user.

The results are displayed in sequential order starting with the future-most upcoming activity at the top (e.g., scheduled safety drills or assessments) all the way down to the oldest past activity at the bottom. Each block displays the date and time of the activity, the name or title, and a photo if

The Map app is a dynamically updated geospatial awareness tool that each user can configure to his or her own specifications.


available. The icon images and colors are consistent not just in the Timeline but across all apps: a blue facility/person for Asset, a purple clock for Event, a red warning triangle for Incident and a green checklist for Assessment.

DashboardSecurity and intelligence analysts are heavy users of the Dashboard app, a single-screen environment displaying high-level statistics, trends and summaries for an organization using model results and other data entered in the Haystax platform.

The Dashboard can highlight specific high-risk individuals, color-coded by risk score and mapped to grids for easy viewing (image below). It is made up of a collection of data boxes, known as cards, that are linked to live data. Clicking on individual data points or links launches detailed views of the data. The ‘Change in Score’ card shows the display of model node belief (from 0 to 1) on the horizontal axis and the change in belief of that same node over the past defined period (30 days). The ‘Scatter Plot’ diagram shows a point of color for each asset in the

system with model results. The two axes represent the belief in particular nodes from 0 to 1. The ‘Top Impacts’ card lists organization-wide event types that most influence key model nodes. There are two columns: one for negative impact and one for positive. The pie wedge indicates the percentage of the population affected. The size of the whole circle indicates relative impact (larger circle is larger impact).

The layout of the Dashboard is flexible, and a user can change each card’s size and position, and show or hide any card. Saved layout changes persist across user sessions until changed again.

The Dashboard can highlight specific high-risk individuals, or provide an enterprise-wide view of security risk.



User ManagementHaystax believes that the more system control we place in the hands of our users, the more effective our solution will be in meeting their mission needs. Accordingly, in addition to being able to manage many types of data in the platform, those users designated as system administrators have extensive control over their users’ experiences as well.

Invitation, Registration and LoginNew user accounts must first be registered. This happens after the user receives an emailed invitation from the system administrator to register with the provided URL. A bulk invitation function (image below) makes inviting dozens or even hundreds of users as easy as pasting in their email addresses and hitting the ‘Send’ button.

Registration involves creating a password. Logging in is with a username (the user’s email address) and password. Haystax also supports Single Sign-On (SSO) authentication, which allows an organization to link up their user account directory to Haystax so that users can log in with their existing credentials. SSO enables more efficient user on-boarding, management and off-boarding.

User Access and PermissionsEvery Haystax solution can be tailored to each individual user’s roles and responsibilities, and it is the system admin’s role to manage these. The system has three different types of access control:

1. Tenant membership, which dictates which tenant the user account belongs to.

2. User roles, which specify which apps users can access and which types of actions they can take in each app.

3. Data groups and sub-groups, which allow the system admin to organize users by work type, location, department, level of access or any other commonly accepted organizational grouping (image next page). At the app level, the admin has fine-grained control over assigning user roles. Each app has selectable permissions for creating an entry; reading an existing entry, which is the most common permission granted; editing an entry; and deleting an entry, which is rarely granted to any user besides the admin.

Dozens of users can be invited and assigned roles at the same time.


Every Haystax solution can be tailored to each individual user’s roles and responsibilities.

System LogsAll users can track activity and progress to date in any operational app using the mini-dashboard at the top of each list page. But there is also a system-wide capability that enables system admins to monitor current and past user activities in the form of Audit

and Activity logs, which are accessed in the same user management app that handles invitations and access-controls capabilities. A separate Status app monitors object and page hits, login activity, API calls and much more (image below).

System administrators can monitor system activity and performance in the Status app.



ConclusionOver the past two decades, Haystax has deployed its analytics platform in dozens of configured solutions to support security analytics, threat intelligence, asset protection and event-security missions across the U.S. and elsewhere. Although the customers and organizations we serve vary greatly, they all share a common trait of providing critical monitoring, analysis and incident-response capabilities in a complex and rapidly evolving threat environment.

Our patented approach blends qualitative model-based expert judgments with quantitative AI techniques to find threat signals buried inside multiple internal and external data sources, producing prioritized indicators of risk and rapidly delivering those indicators as actionable intelligence to analysts and decision-makers.

Among its unique benefits, the Haystax Analytics Platform is optimized to be:

• Holistic, bringing together in one tightly integrated ecosystem the tools and information users need for full domain awareness;

• Predictive, using artificial intelligence to anticipate risk rather than just react;

• Adaptable, providing the ability to add new analytic insights as threats evolve;

• Scalable, flexing to any volume, velocity or variety of incoming data; and

• Customizable, displaying to each user only the information and tools needed to fulfill his or her mission.

Through each operational deployment we have consistently proven the value of a model-driven approach to the analytics, and a fundamental focus on accepted risk management principles as the basis for making informed — and insightful — security decisions. Regardless of the security mission, Haystax is the right solution at the right time.

Further readingPlease visit our website at www.haystax.com and reference our Blog and Resources pages for analysis, white papers, scientific and technical papers, product information and other insights.

The wide variety of operational cases for which customers have relied on the Haystax Analytics Platform illustrates the breadth, depth and power of our company’s proactive approach to risk mitigation. To learn more about individual solutions we have configured using the Haystax platform, please visit the following Solutions pages:

Insider Threat Mitigation: haystax.com/insider-threat-mitigation

Continuous Evaluation: haystax.com/continuous-evaluation

Enterprise Security: haystax.com/enterprise-security

Event Security: haystax.com/event-security

School Safety: haystax.com/school-safety

Law Enforcement: haystax.com/law-enforcement

Fire Safety: haystax.com/fire-safety

Emergency Management: haystax.com/emergency-management

About Haystax Haystax, a wholly-owned subsidiary of Fishtech Group, is a leading security analytics platform provider delivering advanced security analytics and risk management solutions that enable rapid understanding and response to virtually any type of cyber or physical threat.

Based on a patented model-driven approach that applies multiple artificial intelligence techniques, the Haystax Analytics Platform reasons like a team of expert analysts to detect complex threats and prioritize risks in real time at scale. Top federal government agencies and large commercial enterprises, as well as state and local public-safety organizations, rely on Haystax for more effective protection of their critical systems, data, facilities and people.

About Fishtech Group Fishtech Group (www.fishtech.group) is a data-driven cybersecurity solutions provider for any computing platform. The company identifies gaps and solutions to help organizations minimize risk, maintain compliance, and increase efficiency. Besides Haystax, Fishtech Group includes the Security-as-a-Service division CYDERES. Its venture partners include Perch Security and Foresite.

20190601

https://www.haystax.com

https://haystax.com/insider-threat-mitigation/

https://haystax.com/continuous-evaluation/

https://haystax.com/enterprise-security/

https://haystax.com/event-security/

https://haystax.com/school-safety/

https://haystax.com/law-enforcement/

https://haystax.com/fire-safety/

https://haystax.com/emergency-management/

https://www.fishtech.group/

The Haystax Analytics Platform · 2020-03-24 · The Haystax Analytics Platform Platform Design and...

Documents

Transcript of The Haystax Analytics Platform · 2020-03-24 · The Haystax Analytics Platform Platform Design and...