Companies are increasingly worried about insider threats, and Haystax guarantees it can help find those needles
Security analytics is still a relatively new industry, and there are a lot of potential applications for it. Disaster response, event management, and law enforcement all fall within its bounds, but one particular area of note is “insider threats,” that is, internal reviews and monitoring to flag high-risk personnel who could go rogue in any number of ways, from stealing files to workplace violence or letting outside hackers in to ransom or steal data.
In the face of these challenges, Haystax Technology CEO Bryan Ware, who got started at Digital Sandbox in the 1990s, is bringing the myriad data streams together and then mapping out potential threats, a process that isn’t always doable in real time.
“It’s like we have too much data,” he told DCInno in February. “We can input all these different data streams. But translating it all, and making it actionable, that is the real challenge right now I think.” In order to further develop that capacity, Fishtech Labs has invested $4 million in Haystax, and will be adding Haystax’s Constellation primary security analytics platform to its “best-in-class” portfolio.
CEO Gary Fish of Fishtech had already sold two other companies, Fishnet Security (later Optiv, now part of KKR) and FireMon, when he founded Fishtech. Fishtech is meant to be a “force multiplier,” according to Ware, an investment partner that will put up capital and a technology accelerator program for Haystax to further grow.
This is Fishtech’s second major investment this year, following a $3 million round in cyber security and compliance firm Foresite. “I’d rather make fewer large investments than a bunch of small ones,” Fish told Startland earlier this year, and in a press release noted, “Haystax Technology will become a go-to partner as we usher organizations through digital transformation.” Based in Missouri, Fishtech Labs has also partnered with RiskIQ, an external threat management monitor, and CrowdStrike, the cyber security firm that’s been contracted to investigate the DNC hacks.
What’s on the inside?
Internal actors were responsible for 43% of all data losses in the event of an internal network breach, but, surprisingly, only half are intentional. The rest are essentially the results of carelessness and accidents, not active planning: GCN describes these individuals as unintentional and exploited insiders, the latter meaning people most often hit with spear phishing attacks by outsiders. There are also “external insiders,” which isn’t an oxymoron but a description of the hundreds of thousands of contractors today who have clearance to go inside sensitive company internals as third-party vendors, and offer hackers another way in. (Yahoo, for example, blames a third-party vendor breach for the theft of 500 million user credentials in 2014.)
“Most of the research and our customer discussions point to negligent threats (online carelessness) being the biggest concern currently,” Ware says, though the company’s models can also search for patterns indicating deliberate (malicious) intrusion and theft.
In the coming months and years, Haystax plans to expand its data privacy initiatives further into healthcare, noting that medical and insurance data is highly valued by some hackers, with a price tag of $6.2 billion for the industry as a result. “We have had great success with our security analytics platform supporting insider threat programs for government and financial institutions,” Ware says, “and plan to do the same for healthcare providers.”
In the financial realm, Haystax has worked with the National Australia Bank, focusing on both malicious and negligent insiders by looking at “abnormal behavior” from users and “analyzing that Web session at scale,” to identify immediate and future threats.
Monitoring online activity within an office, or intranet usage, is only part of the package. Although we often imagine data being secreted away on CDs and flash drives – probably now more so than ever on account of Chelsea Manning and Edward Snowden – a lot of information is still taken out the old-fashioned way: in binders, briefcases, and bags. (The aforementioned Intel report notes 40% of data losses are physical, not digital.) This was made apparent earlier this year with the arrest of Harold T. Martin III, a former NSA contractor who had stolen not just electronic media, but hard copies of files in bundles over several years. Not once, it seems, was he ever caught out in a bag check or other internal review across multiple employers. Ware told Geektime that, “The Martin case is a clear case of easily knowable data that could have been used to prioritize the monitoring of his activity on the network.”
“Without knowing anything about his activities on the network,” Ware says, the company’s Constellation platform “would have been able to show an increase in risk using just the public records information,” allowing his employers “to go look for other data, or implement appropriate management actions to mitigate the increased risk,” instead of being caught out years later as having employed a compulsive hoarder who routinely broke the law.
On that note, Constellation also powers Haystax’s Carbon platform, so-named, according to former Haystax CEO William Van Vleet III, to remind the people using the platform that “we don’t forget what’s behind the computer,” as some warning signs – stress, alcoholism, penury, dissatisfaction – can’t be caught in cyberspace. “Seeing those actions is difficult for large populations, but our risk baseline enables organizations to bring those actions to the surface,” Ware explains.
This is true not just for large companies, but small- and mid-sized ones who may struggle with costs while remaining compliant with federal laws targeting insider threats. Ware believes that Constellation can help reduce the costs of implementing these systems.
Landing security work for Super Bowl 50 was a major deal for Haystax, and the one that really brought the company to the general public’s attention, though it had done work for the Republican National Convention, America’s Cup, and Indy 500 before, as well as tracking the April 2015 Baltimore riots.
At the games, Haystax ran a main operations center, a backup one in its McLean, Virginia headquarters, and its “California Common Operating Picture for Threat Awareness” system that it developed for the state’s Homeland Security initiatives. It’s also developed programs for natural disasters, like digital media monitoring and damage assessments, which saw use during this year’s hurricane season.
Social media monitoring only goes so far
The utility of social media in all of this work comes up frequently in terms of privacy protections. Twitter has cut relationships with Geofeedia and the US government this year, citing user privacy concerns, as have some other social media companies. Constellation, Ware says, “doesn’t rely on social media for specific insights on individuals, but can provide an overall idea of an increase or decrease in threatening sentiment on social media.” While social media can have its uses, overall, “there is really just too much noise in social media feeds to be very useful on a micro-scale for pinpointing a threat,” especially an insider one.
“The line between privacy and security in the social media domain is still murky at best,” he adds, and raises the same issues that Twitter and other platforms are continually debating about how to cooperate with law enforcement and intelligence agencies while assuring users some level of privacy and also taking down the worst offenders who make use of the networks “to recruit, communicate and propagate their agendas.”
Like social media, video surveillance can also be a double-edged sword. “A very high percentage of video surveillance cameras sold today are now connected to computer networks,” Ware says, but even though “this easy access to connected video is certainly a big help in situation awareness, it has also opened up yet another source for today’s hackers and cybercriminals” to exploit.
“This is exactly where we can see the need for a convergence of physical security and cyber security,” Ware concludes.