INSIDER THREAT CORRELATION TOOL
Abstract
Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a threat score representing a first time period may be calculated. The first threat score may be calculated from a quantification of a plurality of activity violations across a plurality of control groups. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further embodiments may be configured to consider additional indicators. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating.
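The scoring flow in the abstract and in claim 1 (permission check on a storage access, a threshold of violations spanning at least two controls, then a weighted rating) can be sketched as follows. This is an added example, not code from the patent; the control names, weights, threshold, ACL and sample events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed control groups and per-control weights (illustrative, not from the patent).
CONTROL_GROUPS = {
    "storage": {"storage_access": 3.0},
    "communication": {"blocked_site": 1.0, "external_email_rule": 2.0},
}
ACL = {"alice": {"fs-finance"}, "bob": {"fs-eng"}}  # constructed permission rights
THRESHOLD = 2      # assumed "threshold quantity" of violating activities
MIN_CONTROLS = 2   # claim language: at least two controls violated

@dataclass
class Activity:
    account: str
    control: str
    target: str = ""        # storage device, for storage_access events
    violated: bool = False  # verdict reported by non-storage controls

def threat_ratings(activities):
    """Return ({account: rating}, {account: [authorized storage targets]})."""
    weights = {c: w for grp in CONTROL_GROUPS.values() for c, w in grp.items()}
    violations, authorized = defaultdict(list), defaultdict(list)
    for act in activities:
        if act.control == "storage_access":
            # Permission check: no rights means a violation; otherwise the
            # access is authorized and an attribute of it is stored.
            if act.target in ACL.get(act.account, set()):
                authorized[act.account].append(act.target)
                continue
            violations[act.account].append(act.control)
        elif act.violated:
            violations[act.account].append(act.control)
    ratings = {}
    for account, hits in violations.items():
        # Rate only accounts over the threshold across >= 2 distinct controls.
        if len(hits) >= THRESHOLD and len(set(hits)) >= MIN_CONTROLS:
            ratings[account] = sum(weights[c] for c in hits)
    return ratings, dict(authorized)

# Constructed sample events.
SAMPLE = [
    Activity("bob", "storage_access", target="fs-finance"),
    Activity("bob", "blocked_site", violated=True),
    Activity("bob", "external_email_rule", violated=True),
    Activity("alice", "storage_access", target="fs-finance"),
    Activity("alice", "blocked_site", violated=True),
]

if __name__ == "__main__":
    print(threat_ratings(SAMPLE))
```

Note that alice's single violation is recorded but not rated, because it does not reach the assumed threshold or span two controls.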
20 Claims
1. A computer-readable medium comprising computer-executable instructions that when executed by a processor cause the processor to perform:
- detecting activities associated with a plurality of user accounts involving a plurality of control groups;
- determining that a threshold quantity of activities violated at least two controls in the control groups comprising;
- detecting that a user account accessed a first storage device;
- determining if the user account has permission rights to conduct the access to the first storage device;
- wherein if the user account does not have permission rights to conduct the access, determining that an activity violation has occurred, wherein if the user account does have permission rights to conduct the access, determining that an authorized access occurred and storing an attribute value of the access;
- determining that at least one activity violation has occurred; and
- calculating a predictive threat rating for the first user account.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. An apparatus comprising:
- a processor;
- a control module configured to detecting activities associated with a plurality of user accounts in regards to a plurality of controls;
- a computer-readable medium comprising computer-executable instructions that when executed by the processor cause the apparatus to perform;
- determining that a threshold quantity of activities violated at least two controls in the control groups comprising;
- detecting that a user account accessed a first storage device;
- determining if the user account has permission rights to conduct the access to the first storage device;
- wherein if the user account does not have permission rights to conduct the access, determining that an activity violation has occurred, wherein if the user account does have permission rights to conduct the access, determining that an authorized access occurred and storing an attribute value of the access;
- determining that at least one activity violation has occurred; and
- calculating a predictive threat rating for the first user account.
(Dependent claims: 12, 13, 14, 15, 16, 17, 18)
19. A computer-readable medium comprising computer-executable instructions that when executed by a processor cause the processor to perform:
- detecting activities associated with a plurality of user accounts in regards to a plurality of control groups, wherein at least one of the control groups comprises a plurality of targeted communication controls;
- determining that a threshold quantity of activities violated at least two controls in the control groups comprising;
- detecting that a user account accessed a first storage device;
- determining if the user account has permission rights to conduct the access to the first storage device;
- wherein if the user account does not have permission rights to conduct the access, determining that an activity violation has occurred, wherein if the user account does have permission rights to conduct the access, determining that an authorized access occurred and storing an attribute value of the access;
- determining that at least one activity violation has occurred; and
- calculating a predictive threat rating for the first user account.
(Dependent claims: 20)
Specification