Increasingly, organizations are responsible for protecting individuals' confidential and proprietary electronic information. For example, financial institutions collect and retain vast amounts of personal information in electronic format, so the storage and distribution of such information must be closely monitored. This is also true for medical organizations, which must collect, store and distribute vast amounts of electronic data while complying with HIPAA (the Health Insurance Portability and Accountability Act) and other regulations. Regulating access to and distribution of electronic confidential information is more difficult than for physical records, because electronic data is more readily copied and distributed. Thus, organizations holding such information must closely monitor their employees and other individuals to ensure the information is protected, not only from disclosure but also from inadvertent contamination.
Prior systems attempted to block certain activities, such as visiting certain sites on the Internet or accessing certain storage devices containing confidential information. Blocking alone, however, provides no indication of whether a threat exists. Furthermore, while it may be desirable to block transmissions that pose a serious threat to the organization, blocking every transmission that violates any rule can reduce productivity and efficiency and frustrate the holder of the blocked user account, the IT department, and any third party that needs to receive the transmission (for example, time-sensitive material). Additionally, many systems apply a "one size fits all" security policy, which cannot take into account the type of user account being monitored.
Current systems do not adequately consider the individual characteristics of accounts. For example, certain job responsibilities may require some users to have higher than usual activity levels. Further, an activity by one user may be deemed a threat, while the same action by another user may simply be that user fulfilling his or her job responsibilities.
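The contrast between a fixed global rule and a per-account baseline can be made concrete. The following is an added illustration, not code from the original document: it compares a "one size fits all" threshold against a rule that scores each account's activity relative to that account's own history. The account names, daily access counts and threshold values are all constructed for the example.

```python
"""Per-account activity baselines versus a single global threshold.

Added illustration (not from the original document). All data below is
constructed: a week of daily counts of confidential-file accesses for two
hypothetical accounts, one in a high-volume role and one in a low-volume role.
"""
from statistics import mean, pstdev

# Constructed history: daily access counts per account, oldest to newest.
HISTORY = {
    "alice.analyst": [180, 195, 210, 188, 205, 192, 201],  # high-volume role
    "bob.clerk":     [4, 6, 5, 3, 7, 5, 4],                # low-volume role
}

# Constructed "today" counts for the same two accounts.
TODAY = {"alice.analyst": 215, "bob.clerk": 60}


def flag_global(today, threshold=100):
    """One-size-fits-all rule: flag any account whose count exceeds a fixed number.

    On the constructed data this flags the analyst doing her normal job and
    misses the clerk whose activity is twelve times his usual level.
    """
    return sorted(acct for acct, n in today.items() if n > threshold)


def flag_per_account(history, today, z_limit=3.0, min_sigma=1.0):
    """Flag an account only when today's count is unusual for that account.

    Today's count is converted to a z-score against the account's own
    history. min_sigma keeps a near-constant history (standard deviation
    close to zero) from flagging trivial day-to-day changes. Accounts with
    no history cannot be scored and are surfaced for review with z=None.
    """
    flagged = []
    for acct, n in today.items():
        past = history.get(acct)
        if not past:
            flagged.append((acct, None))
            continue
        mu = mean(past)
        sigma = max(pstdev(past), min_sigma)
        z = (n - mu) / sigma
        if z > z_limit:
            flagged.append((acct, round(z, 1)))
    return sorted(flagged)


if __name__ == "__main__":
    print("global threshold flags:", flag_global(TODAY))
    print("per-account baseline flags:", flag_per_account(HISTORY, TODAY))
```

With the constructed data the global rule flags only `alice.analyst` (215 accesses is above 100) even though that is within about two standard deviations of her normal week, while the per-account rule flags only `bob.clerk`, whose 60 accesses are tens of standard deviations above his baseline. A seven-day window is used purely to keep the example short; a real baseline would be longer and would be refreshed as the account's role changes.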
Monitoring multiple data feeds (from one or multiple applications) often leads to multiple reports or data sets. Unfortunately, this may require manual review of duplicate records or data sets, and the same may be true of related activities. In this regard, many current systems for collecting and analyzing data from different sources strain valuable resources. Often, the time spent analyzing data exceeds the time available to stop or minimize the threat, so by the time the analysis is complete it no longer presents an up-to-date indication of the entity's current threats.
Moreover, current systems do not allow quick analysis of threats that can readily be navigated for more precise information. Often, systems provide generic solutions that may be deployed across networks in different industries. While this gives broad marketability, many such systems fail to consider the particular network in which the solution is deployed. For example, in many networks there will not be common analysis sources for user accounts, network assets are consistently being updated, and new assets are being added. Despite these changes, analysts and business personnel alike must quickly determine whether any anomalous activity has been detected in relation to specific user accounts governed by access rules. Thus, because of one or more of these shortcomings, current systems may not provide the capability to readily determine what action, if any, to take. In this regard, many systems provide irrelevant information that could have been excluded had prior knowledge and/or analysis been considered. As a result, many systems produce inefficient, and possibly inaccurate, determinations.
Novel systems and methods that improve upon one or more of these and other deficiencies would be desirable.