Insider threat correlation tool
First Claim
1. A computer-implemented method comprising:
- determining, by a system having at least one computing device, a first threat score corresponding to a first time period for a plurality of user accounts comprising at least a first user account, each user account having access to a first network and at least a portion of the user accounts having access to a second network that comprises a centralized store of electronic data, the determined first threat score for each user account being based at least in part on:
  - receiving, by the system, at least one of an indication of activity through the first network for the presence of a security threat, an ethics threat, or combinations thereof;
  - receiving, by the system, an indication indicative of any blocked transmissions and non-blocked transmissions through a targeted communication application associated with the user account that meet a predefined criterion, wherein the targeted communication application is selected from the group consisting of: electronic mail (e-mail), instant messaging (IM), chatting, and combinations thereof; and
  - determining, by the system, if a transmission through the first network is transmitted or received through an unauthorized protocol;
- comparing, by the system, the determined first threat score of the first user account with a second threat score of the same first user account corresponding to a second time period to identify an overall threat score for the first user account and a ranking of the first user account; and
- displaying the ranking on a graphical user interface.
Abstract
Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.
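The scoring flow described above (weighted indicators per period, comparison across two periods, ranking) can be sketched as follows. This is an added illustration, not code from the patent: the weight values, the growth-based combination formula, the "current"/"previous" period labels, the account names and the sample events are all assumptions, since the page gives no numbers or formula.

```python
from collections import Counter

# Assumed weights: the page says weighting schemes may be applied but gives no values.
WEIGHTS = {
    "web_threat": 3.0,     # security/ethics threat seen in first-network activity
    "comm_blocked": 2.0,   # e-mail/IM/chat transmission blocked by a control
    "comm_flagged": 1.5,   # transmission met the criterion but was not blocked
    "bad_protocol": 4.0,   # traffic over an unauthorized protocol
}
TREND_WEIGHT = 0.5         # assumed extra weight on growth over the other period
STORE_ACCESS_FACTOR = 1.5  # assumed account weight for centralized-store access

# Constructed sample data: (account, period, indicator kind).
EVENTS = [
    ("alice", "previous", "web_threat"),
    ("alice", "current", "comm_flagged"),
    ("bob", "current", "comm_blocked"),
    ("bob", "current", "bad_protocol"),
    ("carol", "previous", "web_threat"),
    ("carol", "previous", "bad_protocol"),
    ("carol", "current", "web_threat"),
    ("carol", "current", "bad_protocol"),
]
STORE_ACCESS = {"alice": False, "bob": True, "carol": False}

def period_scores(events, period):
    """Weighted indicator total per account for one time period."""
    totals = Counter()
    for account, evt_period, kind in events:
        if evt_period == period:
            totals[account] += WEIGHTS[kind]
    return totals

def rank_accounts(events, store_access):
    """Return [(rank, account, overall_score)], highest score first."""
    current = period_scores(events, "current")
    previous = period_scores(events, "previous")
    rows = []
    for account, has_store in store_access.items():
        growth = max(0.0, current[account] - previous[account])
        overall = current[account] + TREND_WEIGHT * growth
        if has_store:
            overall *= STORE_ACCESS_FACTOR
        rows.append((account, overall))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return [(i + 1, acct, score) for i, (acct, score) in enumerate(rows)]

if __name__ == "__main__":
    for rank, account, score in rank_accounts(EVENTS, STORE_ACCESS):
        print(f"{rank}. {account:<6} {score:5.1f}")
```

With these constructed inputs, an account whose activity is new in the current period and which can reach the centralized store outranks an account with a higher but unchanged raw score.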
17 Claims
15. A computer-implemented method comprising:
- determining, by a system having at least one computing device, a first threat score corresponding to a first time period for a plurality of user accounts within a first domain, the plurality of user accounts including a first user account assigned to a first individual, wherein each user account is assigned to a particular individual, and only a portion of the user accounts have access to a second network that comprises a centralized store of electronic data internal to the domain, the determined first threat score for each user account is based at least in part on:
  - receiving, by the system, at least one of an indication of activity by the user account through the first network for the presence of a security threat, an ethics threat, or combinations thereof;
  - receiving, by the system, an indication indicative by the user account of any blocked transmissions and non-blocked transmissions through a targeted communication application associated with the user account that meet a predefined criterion, wherein the targeted communication application is configured to permit the first individual to transmit and/or receive electronic information directly with a second account of the plurality of accounts that is associated with a second individual; and
  - determining, by the system, if a transmission by the user account through the first network is transmitted or received through an unauthorized protocol;
- comparing, by the system, the first threat score of the first user account with a second threat score from the same first user account corresponding to a second time period to create an overall threat score for the first user account and a ranking for the first user account; and
- displaying the ranking on a graphical user interface.
Specification