Field of the Invention
The present invention relates in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it relates to a method, system and computer-usable medium for implementing a user behavior profile.
Description of the Related Art
Users interact with physical, system, data, content and services resources of all kinds, as well as each other, on a daily basis. Each of these interactions, whether accidental or intended, could pose some degree of security risk to the owner of such resources depending on the behavior of the user. In particular, the actions of a trusted user may become malicious as a result of being subverted, compromised or radicalized due to any number of internal or external factors or stressors. For example, financial pressure, political idealism, irrational thoughts, or other influences may adversely affect a user's intent and/or behavior. Furthermore, such an insider threat may be intimately familiar with how systems operate, how they are protected, and how weaknesses can be exploited.
Both physical and cyber security efforts have traditionally been oriented towards preventing or circumventing external threats. Physical security approaches have typically focused on monitoring and restricting access to tangible resources. Likewise, cyber security approaches have included network access controls, intrusion detection and prevention systems, machine learning, big data analysis, software patch management, and secured routers. Yet little progress has been made in addressing the root cause of security breaches, primarily because the threat landscape is constantly shifting faster than current thinking, which always seems to be one step behind technological change.
In particular, current data loss prevention (DLP) approaches primarily focus on enforcing policies for compliance, privacy, and the protection of intellectual property (IP). Such approaches typically cover data at rest, in motion, and in use, across multiple channels including email, endpoints, networks, mobile devices, and cloud environments. However, the efficacy of such policies typically relies on enforcement of a static set of rules governing what a user can and cannot do with certain data. Various approaches for attempting to detect insider threats are also known. For example, one approach to detecting such threats includes performing user profiling operations to infer the intent of user actions. Another approach is to perform behavioral analysis operations when users are interacting with a system.
Nonetheless, many organizations first turn to technology to address insider threats, which include malicious cyber behavior by individuals who have legitimate rights to access and modify an organization's resources, such as systems, data stores, services and facilities. While the number of malicious users may be small (e.g., less than 0.1% of all users in an organization), they may wreak serious financial and other types of damage. Accordingly, some organizations have implemented various machine learning approaches to identify anomalous or malicious user behavior.
However, human behavior is often unpredictable and valid machine learning training data may be difficult to obtain. Furthermore, identifying an impersonator that appears legitimate can prove problematic, especially if their observed interactions with resources are limited. Likewise, it is often difficult to detect a trusted insider behaving in ways that appear normal but conceal nefarious motives. Human computers users are subject to the normality of life to include, vacations, job detail changes, interpersonal relationship stress and other daily occurrences making traditional behavioral baseline analysis difficult without accounting for intermittent pattern features. Moreover, organizations typically have limited technical resources to devote to an insider threat program and are constrained in the types of data they can proactively collect and analyze.