The demands to fully address the analytic demands of insider threat assessment exceed currently fielded solutions and inherent cognitive limitations of Counter-Insider Threat (C-InT) professionals. In contrast to current practice that is largely reactive, a continuous intelligence, behavioral analytic platform is needed to achieve a proactive C-InT solution that analyzes behavioral and technical data to predict potential insider threat risks to inform mitigation efforts to deter or avoid insider threat incidents. Cogynt — an advanced behavioral analytic platform — is well-suited to address the demanding C-InT analytic challenges faced by large enterprises.
- Human in the Loop
- Multiple Simultaneous Data Source Ingestion
- Semantic Analysis to process structured or unstructured data at scale
- Complete Behavioral Modeling Environment with a self-documenting model that may be reviewed and validated by 3rd party experts
- Real-Time Behavioral Analytic to hierarchically process event patterns to yield actionable intelligence
- Real-Time Continuous Risk Assessment to assess behavioral patterns
- Visualizations to present and allow manipulation of complex data and relationships in various contexts (geospatial, link charts, hierarchy charts, graphs and histograms, lists, etc.)
- Case File Management to support workflow
- Audit support to ensure compliance with organizational policies
- Enterprise Dashboard Views to support Business Intelligence to convey risks, hot spots, and trends
- Open Architecture that can be easily integrated with other applications and data stores
- Scalability to the needs of the enterprise and big data to be processed
- Platform is Easy to Install and Manage
Cogynt Continuous Intelligence Behavioral Analytic Platform
The Cogynt platform components and their role within the architecture are:
Users (Data Analyst/Business User/Data Engineer) define event patterns using the Cogynt Authoring Tool and analyze the results in the Analyst workstation and dashboard.
Data Sources (streaming or batched) ingested via Apache Kafka connectors.
Cogynt Authoring Tool is used by the analyst to define/manipulate lexicon, event patterns, computation logic, and risk models.
Cogynt Event Stream Processing and Storage provided via Apache Kafka, Flink and Druid. The analytic results are streamed from Apache Flink to Apache Kafka and Apache Druid for storage. The analytic results are displayed in the Analyst Workstation and the Pivot Dashboard.
Cogynt Analyst Workstation, a dynamic and interactive user interface for viewing analytic results, is used by analysts to review and validate system generated intelligence.
Applications provide a notional interface to any application or system that can consume events generated from Cogynt. Cogynt is an open system, and its data can be shared with any other event driven system or application.
Dashboard interface provides the Cogynt Pivot dashboard and enables access to any other dashboards preferred by the customer, through Cogynt’s open system architecture.
Cogynt Behavioral Analytics and HCEP
The general HCEP concept is represented in Figure 3. The top-level event pattern represents the whole person profile, and the lower-level patterns represent indicators (which are basically the “building blocks” of behavior patterns. The lowest level represents interpreted data, or observations, which are building blocks of indicators. Data or events are processed from the bottom up to infer observations from the real world consisting of people exhibiting sociotechnical behaviors. These observed events are matched to event patterns that may eventually culminate in an insider threat incident. The ability to continuously assess a person’s behavioral profile state and changes in the profile are key to predicting insider threats.
Cogynt Analyst Support
The Workstation provides the means of doing detailed analysis on a given behavioral threshold and building a case file. The Pivot dashboard (Figure 7) is another view—particularly of interest to stakeholders who need to see the big picture of data in the aggregate, or enterprise view. The Pivot dashboard provides the added benefit of allowing users to interact with the data—i.e., the user can inspect an area such as a spike in risk or number of incidents and examine the source of incidents, such as based on the organization or geography.