Introduction

The demands to fully address the analytic demands of insider threat assessment exceed currently fielded solutions and inherent cognitive limitations of Counter-Insider Threat (C-InT) professionals. In contrast to current practice that is largely reactive, a continuous intelligence, behavioral analytic platform is needed to achieve a proactive C-InT solution that analyzes behavioral and technical data to predict potential insider threat risks to inform mitigation efforts to deter or avoid insider threat incidents. Cogynt — an advanced behavioral analytic platform — is well-suited to address the demanding C-InT analytic challenges faced by large enterprises.

Cogynt Capabilities

  1. Human in the Loop
  2. Multiple Simultaneous Data Source Ingestion
  3. Semantic Analysis to process structured or unstructured data at scale
  4. Complete Behavioral Modeling Environment with a self-documenting model that may be reviewed and validated by 3rd party experts
  5. Real-Time Behavioral Analytic to hierarchically process event patterns to yield actionable intelligence
  6. Real-Time Continuous Risk Assessment to assess behavioral patterns
  7. Visualizations to present and allow manipulation of complex data and relationships in various contexts (geospatial, link charts, hierarchy charts, graphs and histograms, lists, etc.)
  8. Case File Management to support workflow
  9. Audit support to ensure compliance with organizational policies
  10. Enterprise Dashboard Views to support Business Intelligence to convey risks, hot spots, and trends
  11. Open Architecture that can be easily integrated with other applications and data stores
  12. Scalability to the needs of the enterprise and big data to be processed
  13. Platform is Easy to Install and Manage

Request a Demo

Background

Insider threats are actions by trusted individuals with access to organizational assets that may harm the organization or its assets—these acts include insider data theft/exfiltration, sabotage, espionage, fraud, maladaptive behavior, workplace violence, and unintentional insider threats.1 With potentially catastrophic consequences, these incidents often are perpetrated by individuals with personal predispositions (psychological factors such as depression or personality traits such as narcissism or anti-social personality disorder) that lead them to react or act-out in response to work- or life-stressors.2
 
Figure 1 is a notional plot of insider threat risk that distinguishes between contributions of technical indicators (online behavior) versus psychosocial/behavioral indicators, demonstrating how the combination of both data sources in a comprehensive C-InT approach can provide early warning, and greater opportunity for proactive mitigation that gets “left of boom”, compared with typical reactive programs that limit analysis to technical data.3 Incorporation of behavioral data monitoring and analytics (deriving from Human Resources, Security, Performance Reviews, Financial, Criminal, etc.) can provide insight about personal predispositions, precipitating events (stressors), or concerning behaviors that reveal higher-risk individuals who show behavioral signs weeks or months prior to the incident.4, 5
Left of Boom Chart
Figure 1. Sociotechnical (behavioral) data enables proactive mitigation to get “left of boom.”
The Federal Insider Threat Program was established in 2012 by Presidential Executive Order (EO) 135876. Following this, the Federal agencies derived their own policies and instructions that define authorities, responsibilities, and relevant constructs—including threat behaviors of concern and definitions of contributing factors or indicators associated with these threats. All entities benefit from such standardization, but each organization may apply its own criteria or priorities, informed by its mission and culture, to implement its Counter-Insider Threat Program (C-InTP).
 
For the DoD, a knowledge base of more than 140 Potential Risk Indicators (PRIs) has been defined by the Defense Counterintelligence and Security Agency (DCSA). This hierarchy of PRIs compares with other knowledge bases that have been developed, such as the Sociotechnical and Organizational Factors for Insider Threat (SOFIT) ontology7 that was developed under a contract with the Intelligence Advanced Research Projects Activity (IARPA). The DAF C-InTP has continued to advance this PRI knowledge base by incorporating concepts described in the SOFIT ontology as well as other frameworks for understanding insider threats—particularly the Critical Pathway to Insider Risk (CPIR) model developed to better understand the role of contributing factors.8 These resources represent valuable guidance to understand and define insider threat behaviors and the basis for these behaviors.

Cogynt Continuous Intelligence Behavioral Analytic Platform

Cogility has developed an advanced, big data, and highly scalable behavioral analytic platform called “Cogynt” that can continuously monitor the behavior of many thousands or millions of entities and continuously assess risk over extended periods of time. The ability to conduct this level of analysis, assuming the data and sufficiently detailed behavioral patterns are defined, allows for organizations and enterprises to conduct insider threat assessments of their employees and alerts C-InT analysts about concerning behavioral trends/potential risks so mitigating actions can be taken prior to a serious incident.
 
A readily configurable and adaptable continuous intelligence platform, Cogynt offers all the essential capabilities needed to augment and support a highly mature and effective C-InTP that meets or exceeds best practices.9 A logical depiction of the Cogynt platform solution architecture is shown in Figure 2.
Cogynt Behavioral Analytic Platform
Figure 2. Cogynt Behavioral Analytic Platform

The Cogynt platform components and their role within the architecture are:

  • Users (Data Analyst/Business User/Data Engineer) define event patterns using the Cogynt Authoring Tool and analyze the results in the Analyst workstation and dashboard.

  • Data Sources (streaming or batched) ingested via Apache Kafka connectors.

  • Cogynt Authoring Tool is used by the analyst to define/manipulate lexicon, event patterns, computation logic, and risk models.

  • Cogynt Event Stream Processing and Storage provided via Apache Kafka, Flink and Druid. The analytic results are streamed from Apache Flink to Apache Kafka and Apache Druid for storage. The analytic results are displayed in the Analyst Workstation and the Pivot Dashboard.

  • Cogynt Analyst Workstation, a dynamic and interactive user interface for viewing analytic results, is used by analysts to review and validate system generated intelligence.

  • Applications provide a notional interface to any application or system that can consume events generated from Cogynt. Cogynt is an open system, and its data can be shared with any other event driven system or application.

  • Dashboard interface provides the Cogynt Pivot dashboard and enables access to any other dashboards preferred by the customer, through Cogynt’s open system architecture.

 

Cogynt Behavioral Analytics and HCEP

The heart of Cogynt contains a patented behavioral analytic called Hierarchical Complex Event Processing (HCEP). The principles of HCEP are rooted in system theory10 and CEP11. For insider threat, Cogynt can model a whole person insider threat profile by defining all the relevant behavioral types that make up an insider threat profile. Within HCEP, the organic component of a behavior is an event pattern, and an event pattern follows the principles of CEP, where an event pattern, if fully matched, creates a new complex event that can trigger a higher-level event pattern. This process continues until it satisfies the full behavioral profile. In addition, HCEP allows for partial event pattern matches, which represents an indicator (or a collection of indicators representing a behavior, but not a complete pattern of a definitive target threat behavior. Cogynt maintains the state of the event patterns over time, which allows analysts to look for trends and changes in behavior.
 

The general HCEP concept is represented in Figure 3. The top-level event pattern represents the whole person profile, and the lower-level patterns represent indicators (which are basically the “building blocks” of behavior patterns. The lowest level represents interpreted data, or observations, which are building blocks of indicators. Data or events are processed from the bottom up to infer observations from the real world consisting of people exhibiting sociotechnical behaviors. These observed events are matched to event patterns that may eventually culminate in an insider threat incident. The ability to continuously assess a person’s behavioral profile state and changes in the profile are key to predicting insider threats.

Hierarchical Complex Event Processing (HCEP)
Figure 3. Hierarchical Complex Event Processing (HCEP)
 
Another critical facet of HCEP is continuous risk assessment of a person’s insider threat profile. Cogynt applies a Bayesian Belief Network12 (BBN) computation method for computing risk based on the hierarchical structure of the event pattern model. This risk assessment allows analysts to weigh the value of one indicator over another based on the risk assessment. Applying BBN allows analysts to not only assess developing behavioral patterns but weigh the importance of one behavior over another as to the risk it poses to the organization.
 
Figure 4 represents an example set of event patterns (A, B, C and D) where event patterns A, B, and C output complex events to event pattern D. The diagram shows data entering at the left as inputs to the event patterns. The diagram shows each of the event patterns where A is fully matched – generating an event O1 as output — and where event patterns B and C contain partial matches. The analyst defines the statistical importance of each element as it relates to risk. Applying BBN computations, Cogynt processes both matched and unmatched statistical event patterns up the hierarchy.
 
For example, in Figure 4, event pattern A is the only pattern providing a factual output. Event patterns B and C provide statistical outputs (O2 and O3) that are inputs to event pattern D. The output O4 from event pattern D consists of one factual and two statistical elements that inform the O4 statistical result. This general approach is how behavioral risk is propagated through the behavioral hierarchies, allowing the analyst to have complete visibility of the state of any given behavior and statistical risk assessment.
Cogynt Notional Event Pattern
Figure 4. Cogynt Notional Event Pattern
Notional C-InT Behavior and Risk Assessment in processing composite behaviors
Figure 5. Notional C-InT Behavior and Risk Assessment in processing composite behaviors
Figure 5 depicts the matching process and continuous risk assessment where multiple threat-behavior types contribute to an individual’s behavioral risk assessment, which is assessed on a continuous basis. The mapping proceeds from PRIs to threat behavior types, with varying strengths of association between PRIs and behavior type. This means that the relationships between PRIs and behaviors are dynamic—research suggests that there are complex, dynamic relationships among PRIs that produce different risk assessments when combined into various patterns.13
The powerful hierarchical complex event processing capabilities of Cogynt provide a unique approach to assessing insider threat risk in this complex environment. Furthermore, the modeling capabilities in Cogynt allow it to capture other dynamic qualities of PRIs, such as decreases in risk over time.
 
This concept of risk decay, which is currently under study in the insider threat research community, suggests that different types of PRIs may be subject to different decay parameters (e.g., those that relate to personality traits may be expected to be stable over time, while others that relate to more transient events such as network activity, may be subjected to more rapid decay in associated risk).14
 
Figure 5 is a notional Cogynt HECP process as applied to insider threat. Data or events are ingested and filtered using lexicons that define a PRI that is associated with a behavior (e.g., Workplace Violence) with an estimated risk weighting reflecting the extent to which the PRI is indicative of the behavior. The accumulation of risk is computed for every person/entity within the organization, and over time, these accumulated risk scores may be compared across the organization to identify individuals who are of greatest concern.
Cogynt Analyst Workstation
Figure 6. Cogynt Analyst Workstation

Cogynt Analyst Support

HCEP is the workhorse that processes the vast amount of data and matches data to event patterns; over time, when a particular behavioral threshold (defined by the analyst) is reached, a notification event is generated with supporting contextual information. However, it still takes a human to interpret the results to ensure the analytic results accurately reflect the concerning behavior. The Cogynt Analyst Workstation (Workstation) is the human interface for Cogynt that allows the analyst to view the data generated from HCEP and decide of its accuracy and instigate a workflow with other analysts and subject matter experts, such as psychologist and law enforcement professionals, to thoroughly review and coordinate a given threshold event and come to an informed conclusion.
 
The Workstation provides a suite of tools or widgets that can be flexibly configured to support any given analyst task. Each widget within Workstation is interoperable with other widgets, so the internal analyst workflow is intuitive and seamless. Workstation also supports the ability to upload files to support case management and export case file data to support external reporting needs.
 
Figure 6 is a screen capture of the Workstation which supports the review and analysis of any published events including an assortment of visualizations such as link charts, maps, event drill down charts (event tree), line charts for risk history which are combined at the preference of the user.
 
Figure 7. Pivot Dashboard

The Workstation provides the means of doing detailed analysis on a given behavioral threshold and building a case file. The Pivot dashboard (Figure 7) is another view—particularly of interest to stakeholders who need to see the big picture of data in the aggregate, or enterprise view. The Pivot dashboard provides the added benefit of allowing users to interact with the data—i.e., the user can inspect an area such as a spike in risk or number of incidents and examine the source of incidents, such as based on the organization or geography.

Conclusion

Insider Threat is a low probability, high consequence risk that organizations face daily. Over the past 10 years, this threat has gained the full attention it deserves to develop better tools for mitigating insider threat risk. An effective C-InT program requires policies, instructions, and procedures on how to manage insider threat risk — an advanced continuous intelligence behavioral analytic platform is needed to do this effectively.
 
The Cogynt platform is uniquely qualified to meet the immense analytic and information-processing challenges faced by insider threat analysts across government and industry.

Ready to get started?

Learn how Cogynt can provide your enterprise with a configurable counter-insider threat platform.

Footnotes

[1] Cappelli, DN, Moore, AP, & Trzeciak RF. (2012). The CERT guide to insider threats: How to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Addison-Wesley.
[2] Shaw, ED & Sellers, L. (2015). Application of the Critical-Path Method to Evaluate Insider Risks, Studies in Intelligence 59(2) (Extracts, June 2015)
[3] Greitzer, FL, Purl, J, Leong, YM, and Becker DE. (2018). SOFIT: Sociotechnical and Organizational Factors for Insider Threat. IEEE Symposium on Security and Privacy Workshops, 197-206.
[4] Shaw ED, Fischer L. Ten tales of betrayal: an analysis of attacks on corporate infrastructure by information technology insiders, Vol. 1. Monterrey, CA: Defense Personnel Security Research and Education Center. 2005
[5] Greitzer, FL. (2019). Insider Threats: It’s the HUMAN, Stupid! Proceedings of the Northwest Cybersecurity Symposium, April 8-10, 2019. Article No. 4, pp. 1-8. ACM ISBN 978-1-4503-6614-4/19/04
[6] https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-securityclassified-net
[7] Greitzer, Purl, Leong, Becker (2018)
[8] Shaw and Sellers (2015)
[9] Henderson, J., & Cavalancia, N. (2019). 2019 Insider Threat Program Maturity Model Report. https://cdn2.hubspot.net/hubfs/5260286/PDFs/Whitepapers/insider-threat-maturity-report-2019.pdf
[10] https://en.wikipedia.org/wiki/Systems_theory#:~:text=Systems%20theory%20is%20the%20interdisciplinary,and%20expressed%20through%20its%20functioning.
[11] https://en.wikipedia.org/wiki/Complex_event_processing
[12] https://en.wikipedia.org/wiki/Bayesian_network
[13] Greitzer & Purl (2022)
[14] Greitzer & Purl (2022)