Insider threat correlation tool
First Claim
1. A non-transitory computer-readable medium storing computer-executable instructions that when executed by a processor cause the processor to perform:
- calculating a ranking of a plurality of user accounts within an organization that represent a threat to the organization, wherein the ranking is determined by a predictive threat score for each user account of the plurality of user accounts, wherein the predictive threat score is based on a comparison of a first set of values of at least four controls that are monitored over a first time period to a second set of values of the at least four controls that are monitored over a second time period, and wherein the values of the first set of values and the second set of values for each user account are selected from the group consisting of:
a value corresponding to a quantity of bandwidth utilized by the user account over a network;
a value corresponding to a number of blocked transmissions by the user account over the network;
a value corresponding to a number of blocked communications through a targeted communication application, the targeted communication application allowing a first user to communicate directly with another individual;
a value corresponding to a number of non-blocked communications through the targeted communication application that violate at least one predefined criterion;
a value indicating whether at least one security application is associated with the user account;
a value indicating an illegal storage attempt; and
a value indicating whether a communication has been transmitted or received through the network via an unauthorized protocol;
wherein monitoring the at least four controls further includes:
assigning, by the processor, a zero value to an activity characteristic unless it is determined that an activity level of a first user account is over a first threshold level above an average of the plurality of user accounts for a same time period and a first integer to the activity characteristic if it is determined that the activity level of the first user account is over the first threshold level above an average of the plurality of user accounts for the same time period; and
transmitting electronic signals configured to display the ranking of the plurality of user accounts.
2 Assignments
0 Petitions
Abstract
Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.
121 Citations
21 Claims
1. Independent claim; text as given under First Claim above. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
17. An apparatus comprising:
a communications module configured to receive data from a plurality of applications, the data relating to a first set of values of at least four controls and a second set of values of the at least four controls associated with each user account of a plurality of user accounts within an organization, wherein the first set of values are monitored over a first time period and the second set of values are monitored over a second time period, and wherein the values of the first set of values and the second set of values for each user account are selected from the group consisting of:
a value corresponding to a quantity of bandwidth utilized by the user account over a network;
a value corresponding to a number of blocked transmissions by the user account over the network;
a value corresponding to a number of blocked communications through a targeted communication application, the targeted communication application allowing a first user to communicate directly with another individual;
a value corresponding to a number of non-blocked communications through the targeted communication application that violate at least one predefined criterion;
a value indicating whether a communication has been transmitted or received through the network via an unauthorized protocol;
an application detection module configured to determine whether at least one security application is associated with at least one of the user accounts; and
a processor connected to a memory and configured to respectively calculate a predictive threat score for each user account of the plurality of user accounts based on a comparison of the first set of values to the second set of values that are respectively associated with each user account of the plurality of user accounts, wherein monitoring the at least four controls further includes:
assigning, by the processor, a zero value to an activity characteristic unless it is determined that an activity level of a first user account is over a first threshold level above an average of the plurality of user accounts for a same time period and a first integer to the activity characteristic if it is determined that the activity level of the first user account is over the first threshold level above an average of the plurality of user accounts for the same time period; and
transmit electronic signals configured to display the calculated predictive threat score for each user account of the plurality of user accounts. - View Dependent Claims (18, 19, 20, 21)
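The following Python is an added worked example, not code from the patent, its applicant, or any product. It illustrates the scoring described in claims 1 and 17 together with the abstract's weighting scheme: per-control activity flags relative to the same-period peer average, a weighted score per monitoring period, a comparison of the two periods into a predictive score, and the ranking that is displayed. The control names, the weights, the threshold multiplier, the value of the "first integer", the trend weight, the clamp at zero, and the four-account sample data are all assumptions chosen for illustration; the claims fix none of them.

```python
"""Toy implementation of the two-period threat scoring in claims 1 and 17.

Added example, not code from the patent or its assignee. Control names,
weights, threshold, "first integer", trend weight and all sample data are
assumptions made for illustration.
"""
from statistics import mean

# Controls named in the claims. Count controls are compared against the peer
# average for the period (claim 1's activity characteristic); indicator
# controls are taken as the 0/1 values the monitoring applications report.
COUNT_CONTROLS = (
    "bandwidth_bytes",        # bandwidth utilized by the account over the network
    "blocked_transmissions",  # transmissions blocked over the network
    "blocked_im",             # blocked communications through the targeted app
    "violating_im",           # non-blocked communications violating a criterion
)
INDICATOR_CONTROLS = (
    "no_security_app",        # 1 if no security application is associated
    "illegal_storage",        # 1 if an illegal storage attempt was observed
    "unauthorized_protocol",  # 1 if traffic used an unauthorized protocol
)

# Assumed weighting scheme (the abstract allows weights per control).
WEIGHTS = {
    "bandwidth_bytes": 1, "blocked_transmissions": 2, "blocked_im": 2,
    "violating_im": 3, "no_security_app": 2, "illegal_storage": 4,
    "unauthorized_protocol": 3,
}
THRESHOLD = 0.5     # assumed: flag when value > (1 + THRESHOLD) * peer average
FIRST_INTEGER = 1   # assumed value of the claim's "first integer"
TREND_WEIGHT = 0.5  # assumed weight on the change between the two periods


def activity_flag(value, peer_mean, threshold=THRESHOLD, first_integer=FIRST_INTEGER):
    """Claim 1's activity characteristic: zero unless the account's level is
    over the threshold above the average of all accounts for the same period."""
    return first_integer if value > (1 + threshold) * peer_mean else 0


def period_scores(period):
    """Weighted sum of flagged controls for each account in one period.
    `period` maps account -> {control: value}."""
    peer_means = {c: mean(vals[c] for vals in period.values()) for c in COUNT_CONTROLS}
    scores = {}
    for account, vals in period.items():
        score = 0
        for c in COUNT_CONTROLS:
            score += WEIGHTS[c] * activity_flag(vals[c], peer_means[c])
        for c in INDICATOR_CONTROLS:
            score += WEIGHTS[c] * (1 if vals[c] else 0)
        scores[account] = score
    return scores


def predictive_scores(first_period, second_period):
    """Compare the two periods per account: the later score plus a weighted
    trend term, clamped at zero so a quieting account does not go negative."""
    first = period_scores(first_period)
    second = period_scores(second_period)
    return {
        a: max(0.0, second[a] + TREND_WEIGHT * (second[a] - first[a]))
        for a in second
    }


def rank_accounts(first_period, second_period):
    """Ranking by predictive threat score, highest first; ties broken by
    account name so the displayed order is deterministic."""
    scores = predictive_scores(first_period, second_period)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data: two monitoring periods for four accounts.
def _row(bw, btx, bim, vim, nosec, store, proto):
    return dict(zip(COUNT_CONTROLS + INDICATOR_CONTROLS,
                    (bw, btx, bim, vim, nosec, store, proto)))

PERIOD_1 = {
    "alice": _row(100, 0, 0, 0, 0, 0, 0),
    "bob":   _row(120, 1, 0, 1, 0, 0, 0),
    "carol": _row(90, 0, 1, 0, 0, 0, 0),
    "dave":  _row(110, 0, 0, 0, 1, 0, 0),
}
PERIOD_2 = {
    "alice": _row(100, 0, 0, 0, 0, 0, 0),
    "bob":   _row(130, 1, 0, 1, 0, 0, 0),
    "carol": _row(95, 0, 1, 0, 0, 0, 0),
    "dave":  _row(600, 6, 2, 0, 1, 1, 1),  # dave spikes on most controls
}

if __name__ == "__main__":
    for account, score in rank_accounts(PERIOD_1, PERIOD_2):
        print(f"{account:6s} {score:5.1f}")
```

The sample data also exposes a side effect of measuring each account against the same-period average of all accounts, as the claims require: bob's single blocked transmission is flagged in the first period, but in the second period dave's spike raises the peer average enough that the same count for bob is no longer over the threshold. One noisy account can therefore mask others under a purely peer-relative threshold, which is why a deployment would usually pair this comparison with a fixed floor per control.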
Specification