INSIDER THREAT CORRELATION TOOL
First Claim
1. A computer-readable medium comprising computer-executable instructions that when executed by a processor perform a method comprising:
- transmitting electronic signals configured to display a ranking of a plurality of user accounts that represent a threat to an organization, wherein the ranking is determined by monitoring values of at least four controls for each of the plurality of user accounts over a first time period, wherein the controls are selected from the group consisting of:
  - a quantity of bandwidth utilized by a user account over a first network;
  - blocked transmissions by a user account over the first network;
  - blocked communication through a targeted communication application;
  - non-blocked communication through the targeted communication application that violates at least one predefined criterion;
  - an association of at least one security application with the user account, wherein if at least one software application is associated with the user account, then:
    - monitoring illegal storage attempts; and
    - recording a filename associated with illegal storage attempts; and
  - determining if communications through the first network are transmitted or received through an unauthorized protocol;
- comparing the values of the at least four controls over the first time period with values of the at least four controls over a second time period; and
- transmitting electronic signals configured to display a ranking of a plurality of user accounts.
Abstract
Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.
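An added illustration of the two-period scoring and ranking the abstract outlines; it is not code from the patent. The page gives no formula, so the weights, the trend factor, the penalty for an account with no security application, the field names and the sample accounts are all assumptions.

```python
# Assumed weights per control; the page names the controls but gives no values.
WEIGHTS = {
    "bandwidth_gb": 0.5,
    "blocked_transmissions": 2.0,
    "blocked_app_messages": 2.0,
    "flagged_app_messages": 3.0,      # sent, but violated a predefined criterion
    "unauthorized_protocol": 5.0,     # 1 if seen in the period, else 0
    "illegal_storage_attempts": 4.0,  # only observable when an agent is present
}
NO_AGENT_PENALTY = 3.0  # assumed: missing visibility is itself a risk signal
TREND_FACTOR = 1.5      # assumed: how strongly a rise over the earlier period counts

def period_score(controls, has_agent):
    """Weighted sum of one period's control values for one account."""
    score = 0.0
    for name, weight in WEIGHTS.items():
        if name == "illegal_storage_attempts" and not has_agent:
            continue  # without the security application this control is unmonitored
        score += weight * controls.get(name, 0)
    return score + (0.0 if has_agent else NO_AGENT_PENALTY)

def threat_score(account):
    """Current-period score plus a premium for growth over the earlier period."""
    current = period_score(account["current"], account["has_agent"])
    baseline = period_score(account["baseline"], account["has_agent"])
    rise = max(0.0, current - baseline)
    return round(account.get("account_weight", 1.0) * (current + TREND_FACTOR * rise), 2)

def rank_accounts(accounts):
    """Return (user, score) pairs, highest score first."""
    scored = [(a["user"], threat_score(a)) for a in accounts]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))

# Constructed sample data: an earlier (baseline) and a current period per account.
ACCOUNTS = [
    {"user": "alice", "has_agent": True, "account_weight": 1.0,
     "baseline": {"bandwidth_gb": 4, "blocked_transmissions": 1},
     "current": {"bandwidth_gb": 5, "blocked_transmissions": 1}},
    {"user": "bob", "has_agent": True, "account_weight": 1.0,
     "baseline": {"bandwidth_gb": 3},
     "current": {"bandwidth_gb": 12, "flagged_app_messages": 2,
                 "illegal_storage_attempts": 1}},
    {"user": "carol", "has_agent": False, "account_weight": 2.0,
     "baseline": {"bandwidth_gb": 2},
     "current": {"bandwidth_gb": 2, "unauthorized_protocol": 1,
                 "illegal_storage_attempts": 9}},  # ignored: no agent to report it
]
```

Calling `rank_accounts(ACCOUNTS)` puts the account with the sharpest rise first, and the account without a security application is scored on the controls that remain observable plus the penalty rather than treated as clean.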
21 Claims
1. Independent claim; its text is given in full under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. An apparatus comprising:
- a communications module configured to receive data from a plurality of applications, the data relating to values of at least four controls for each of the plurality of user accounts over a first time period, wherein the controls are selected from the group consisting of:
  - a quantity of bandwidth utilized by a user account over a first network;
  - blocked transmissions by a user account over the first network;
  - blocked communication through a targeted communication application;
  - non-blocked communication through the targeted communication application that violates at least one predefined criterion;
  - determining if any communications through the first network is transmitted or received through an unauthorized protocol;
- an application detection module configured to determine an association of at least one security application with each of the user accounts; and
- a processor configured to calculate a predictive threat score for a plurality of user accounts that compares the values of the at least four controls over the first time period with values of the at least four controls over a second time period; and
Dependent claims: 18, 19, 20, 21
Specification