Haystax Threat Analytics: Mitigating Insider Threats Before It’s Too Late

Two men escaped from prison in upstate New York last month with the aid of two employees who provided tools and a cell phone. Their successful getaway shows that no matter how many safety measures an organization or government agency has in place, it’s only as secure as the employees it hires.

Given the salient nature of the insider threat, Haystax Technology, a leading provider of next-generation analytics and cybersecurity solutions, has developed an insider threat detection platform using patented algorithms and sophisticated identity analytics to mitigate the threat that malicious and/or negligent employees pose to their organizations.

The new software, Carbon, was presented at the GEOINT Symposium in June. It works by compiling data from a number of different sources, such as employment records, and using this data to identify a small set of employees that should be monitored more closely by their employers.

“We called the product that is being used in the agency Carbon because so many times when you hear about insider threats, solutions are pointed towards monitoring the network,” Bryan Ware, chief technology officer at Haystax Technology, told Homeland Security Today. “While I believe that that’s very important, it seems like it forgets one thing, and that’s that there’s a person behind the keyboard.”

“Who is this person? What are they thinking? What issues are taking place in their lives that are causing them to make bad decisions?” Ware said.

Carbon identifies and prioritizes threats based on risk. Developed with the help of a number of experts, including psychiatrists, the program analyzes data for evidence of risk factors. For example, when examining reliability, the software might look at how stable an employee’s home life and work history are.

The system determines what data is needed for an individual based on their role and risk profile. Most of this data can come from employment records. For example, the SF-86, a document that government employees fill out, asks about family members, friends, past employment, credit ratings and even alcohol and drug use.

Once employers have the risk profiles provided by Carbon, it’s up to them to decide what steps they want to take next.

“One of the primary uses is to identify the small set of people within the organization that you would want to keep under closer scrutiny. That scrutiny doesn’t necessarily have to be a negative thing,” Ware said, noting that, “We’re providing an early alert that the agency can use to trigger another action.”

Over the past several years, there have been a number of high-profile incidents highlighting the gravity of the insider threat and raising the question of whether a risk-based approach could have prevented them. In 2013, for example, notorious former defense contractor Edward Snowden conducted a massive leak of classified documents, raising awareness of the threat posed by insiders who threaten the security of the sensitive information that US businesses rely on.

Homeland Security Today previously reported that Snowden showed the world it’s often the people you trust most – employees and contractors, the so-called trusted insiders – that can inflict the most damage.

Moreover, after Army Maj. Nidal Hasan shot 13 people at Fort Hood in 2009 and Bradley (now Chelsea) Manning leaked classified documents to WikiLeaks in 2010, the US Army approached Haystax, realizing that they needed a way to identify individuals who could commit similar crimes before they happened.

“The Army came to us, after really studying these two cases, and realizing that they had millions of people, and there’s so much data about these people, that trying to identify risks in that population would be very challenging,” Ware said.

More recently, the escape of Richard Matt and David Sweat from a prison in upstate New York with the aid of prison employees raises the question of whether the escape could have been prevented if risk factors in the employees had been identified beforehand.

Homeland Security Today has reported on numerous occasions that organizations and agencies need to be more proactive in responding to insider threats. Although the insider threat is on the radar for most organizations, many are repeatedly failing to take the necessary steps to prevent an attack, according to a recent report sponsored by SpectorSoft and conducted by the SANS Institute.

Furthermore, a recent study by Ponemon Institute found a whopping 88 percent of respondents recognized the insider threat as a serious issue, but could not easily identify threatening actions by personnel operating within their organizations.

Although the concept of monitoring employees’ risk factors is new, Ware is convinced that it will become increasingly important to the security of companies in the future.

“The human element on the inside is difficult to talk about, definitely controversial, but it’s going to be a big feature with what government agencies and corporations are struggling with,” said Ware. “This whole area is one that people just haven’t gotten their heads around yet.”
