Cogynt – A Comprehensive Solution for Counter-Insider Threat Analytics
Introduction
Cogynt Capabilities
- Human in the Loop
- Multiple Simultaneous Data Source Ingestion
- Semantic Analysis to process structured or unstructured data at scale
- Complete Behavioral Modeling Environment with a self-documenting model that may be reviewed and validated by 3rd party experts
- Real-Time Behavioral Analytic to hierarchically process event patterns to yield actionable intelligence
- Real-Time Continuous Risk Assessment to assess behavioral patterns
- Visualizations to present and allow manipulation of complex data and relationships in various contexts (geospatial, link charts, hierarchy charts, graphs and histograms, lists, etc.)
- Case File Management to support workflow
- Audit support to ensure compliance with organizational policies
- Enterprise Dashboard Views to support Business Intelligence to convey risks, hot spots, and trends
- Open Architecture that can be easily integrated with other applications and data stores
- Scalability to the needs of the enterprise and big data to be processed
- Platform is Easy to Install and Manage
Background
Insider threats are actions by trusted individuals with access to organizational assets that may harm the organization or its assets—these acts include insider data theft/exfiltration, sabotage, espionage, fraud, maladaptive behavior, workplace violence, and unintentional insider threats.[1] With potentially catastrophic consequences, these incidents often are perpetrated by individuals with personal predispositions (psychological factors such as depression, or personality traits such as narcissism or anti-social personality disorder) that lead them to react or act out in response to work- or life-stressors.[2]
Figure 1 is a notional plot of insider threat risk that distinguishes between contributions of technical indicators (online behavior) versus psychosocial/behavioral indicators, demonstrating how the combination of both data sources in a comprehensive C-InT approach can provide early warning, and greater opportunity for proactive mitigation that gets “left of boom”, compared with typical reactive programs that limit analysis to technical data.[3] Incorporation of behavioral data monitoring and analytics (deriving from Human Resources, Security, Performance Reviews, Financial, Criminal, etc.) can provide insight about personal predispositions, precipitating events (stressors), or concerning behaviors that reveal higher-risk individuals who show behavioral signs weeks or months prior to the incident.[4], [5]

The Federal Insider Threat Program was established in 2012 by Presidential Executive Order (EO) 13587[6]. Following this, the Federal agencies derived their own policies and instructions that define authorities, responsibilities, and relevant constructs—including threat behaviors of concern and definitions of contributing factors or indicators associated with these threats. All entities benefit from such standardization, but each organization may apply its own criteria or priorities, informed by its mission and culture, to implement its Counter-Insider Threat Program (C-InTP).
For the DoD, a knowledge base of more than 140 Potential Risk Indicators (PRIs) has been defined by the Defense Counterintelligence and Security Agency (DCSA). This hierarchy of PRIs compares with other knowledge bases that have been developed, such as the Sociotechnical and Organizational Factors for Insider Threat (SOFIT) ontology[7] that was developed under a contract with the Intelligence Advanced Research Projects Activity (IARPA). The DAF C-InTP has continued to advance this PRI knowledge base by incorporating concepts described in the SOFIT ontology as well as other frameworks for understanding insider threats—particularly the Critical Pathway to Insider Risk (CPIR) model developed to better understand the role of contributing factors.[8] These resources represent valuable guidance to understand and define insider threat behaviors and the basis for these behaviors.
Cogynt Continuous Intelligence Behavioral Analytic Platform
Cogility has developed an advanced, big data, and highly scalable behavioral analytic platform called “Cogynt” that can continuously monitor the behavior of many thousands or millions of entities and continuously assess risk over extended periods of time. This level of analysis, assuming the data and sufficiently detailed behavioral patterns are defined, allows organizations and enterprises to conduct insider threat assessments of their employees and alerts C-InT analysts to concerning behavioral trends and potential risks so that mitigating actions can be taken before a serious incident.
A readily configurable and adaptable continuous intelligence platform, Cogynt offers all the essential capabilities needed to augment and support a highly mature and effective C-InTP that meets or exceeds best practices.[9] A logical depiction of the Cogynt platform solution architecture is shown below.

# | Role | Description |
1 | Data Analyst/Business User/Data Engineer | These are the roles that define event patterns using the Cogynt Authoring Tool. |
2 | Data Sources | Cogynt accepts a wide range of data types and formats by leveraging Apache Kafka connectors. |
3 | Cogynt Authoring Tool | Cogynt Authoring is a tool used for authoring event patterns, computation models and risk models. The Cogynt Authoring tool deploys these models to Apache Flink for processing. |
4 | Cogynt Event Stream Processing and Storage | This includes the event stream processing software components that provide real-time processing and scalable storage for Cogynt. |
5 | Cogynt Analyst Workstation | A dynamic and interactive user interface for viewing analytic results, this is the primary tool used by analysts to review and validate system-generated intelligence. |
6 | Applications | Represents a notional interface to any application or system that can consume events generated from Cogynt. Cogynt is an open system and its data can be shared with any other event-driven system or application. |
7 | Dashboard | The dashboard can be the Cogynt Pivot dashboard or a different dashboard depending on the customer’s preference. Cogynt is an open system and can stream event data to different types of dashboards at the customer’s discretion. |
Cogynt Behavioral Analytics and HCEP
The heart of Cogynt is a patented behavioral analytic called Hierarchical Complex Event Processing (HCEP). The principles of HCEP are rooted in systems theory[10] and CEP[11]. For insider threat, Cogynt can model a whole-person insider threat profile by defining all the relevant behavioral types that make up such a profile. Within HCEP, the organic component of a behavior is an event pattern, and an event pattern follows the principles of CEP: an event pattern, if fully matched, creates a new complex event that can trigger a higher-level event pattern. This process continues until the full behavioral profile is satisfied. In addition, HCEP allows for partial event pattern matches, which represent an indicator (or a collection of indicators representing a behavior) but not a complete pattern of a definitive target threat behavior. Cogynt maintains the state of the event patterns over time, which allows analysts to look for trends and changes in behavior.
The general HCEP concept is represented in Figure 2. The top-level event pattern represents the whole-person profile, and the lower-level patterns represent indicators (which are basically the “building blocks” of behavior patterns). The lowest level represents interpreted data, or observations, which are the building blocks of indicators. Data or events are processed from the bottom up to infer observations from the real world, which consists of people exhibiting sociotechnical behaviors. These observed events are matched to event patterns that may eventually culminate in an insider threat incident. The ability to continuously assess a person’s behavioral profile state, and changes in that profile, is key to predicting insider threats.

Another critical facet of HCEP is continuous risk assessment of a person’s insider threat profile. Cogynt applies a Bayesian Belief Network[12] (BBN) computation method to compute risk based on the hierarchical structure of the event pattern model. Applying BBN allows analysts not only to assess developing behavioral patterns but also to weigh the importance of one indicator or behavior over another according to the risk it poses to the organization.
Figure 3 represents an example set of event patterns (A, B, C and D) where event patterns A, B, and C output complex events to event pattern D. The diagram shows data entering at the left as inputs to the event patterns. Event pattern A is fully matched, generating an event O1 as output, while event patterns B and C contain partial matches. The analyst defines the statistical importance of each element as it relates to risk. Applying BBN computations, Cogynt processes both matched and unmatched statistical event patterns up the hierarchy.
For example, in Figure 3, event pattern A is the only pattern providing a factual output. Event patterns B and C provide statistical outputs (O2 and O3) that are inputs to event pattern D. The output O4 from event pattern D consists of one factual and two statistical elements that inform the O4 statistical result. This general approach is how behavioral risk is propagated through the behavioral hierarchies, allowing the analyst to have complete visibility of the state of any given behavior and statistical risk assessment.
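The Figure 3 walk-through above, as an added Python illustration that is not Cogynt's code: patterns A, B and C feed D, a fully matched pattern emits a factual complex event, a partial match emits a statistical output, and D's result reflects one factual and two statistical inputs. The element names, the strengths of association and the noisy-OR combination rule are assumptions; the page does not specify Cogynt's BBN computation.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Pattern:
    """One HCEP event pattern; an input is a raw event name or a child pattern."""
    name: str
    links: dict[str, float]   # input -> assumed strength of association (analyst weight)
    children: dict[str, Pattern] = field(default_factory=dict)
    seen: set[str] = field(default_factory=set)

    def observe(self, event: str) -> None:
        """Bottom-up matching: record the event here and in every child pattern."""
        if event in self.links:
            self.seen.add(event)
        for child in self.children.values():
            child.observe(event)

    def output(self) -> tuple[float, bool]:
        """Return (belief, factual). A full match is a factual complex event with
        belief 1.0; a partial match is a statistical output combined by noisy-OR
        (an assumed stand-in for the page's unspecified BBN computation)."""
        p_none, factual = 1.0, True
        for inp, strength in self.links.items():
            if inp in self.children:
                p, fact = self.children[inp].output()
            else:
                p, fact = (1.0, True) if inp in self.seen else (0.0, False)
            factual = factual and fact
            p_none *= 1.0 - strength * p
        return (1.0, True) if factual else (round(1.0 - p_none, 4), False)


def figure3_hierarchy() -> Pattern:
    """Patterns A, B and C feed D, as in Figure 3; element names are constructed."""
    a = Pattern("A", {"a1": 0.8, "a2": 0.6})
    b = Pattern("B", {"b1": 0.5, "b2": 0.5, "b3": 0.7})
    c = Pattern("C", {"c1": 0.9, "c2": 0.4})
    return Pattern("D", {"O1": 0.7, "O2": 0.5, "O3": 0.6},
                   children={"O1": a, "O2": b, "O3": c})


def run_figure3() -> dict[str, tuple[float, bool]]:
    """Feed constructed events so that A fully matches while B and C are partial."""
    d = figure3_hierarchy()
    for event in ("a1", "a2", "b1", "c2"):
        d.observe(event)
    outputs = {name: child.output() for name, child in d.children.items()}
    outputs["O4"] = d.output()  # one factual and two statistical inputs inform O4
    return outputs
```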


Figure 4 depicts the matching process and continuous risk assessment where multiple threat-behavior types contribute to an individual’s behavioral risk assessment, which is assessed on a continuous basis. The mapping proceeds from PRIs to threat behavior types, with varying strengths of association between PRIs and behavior type. This means that the relationships between PRIs and behaviors are dynamic—research suggests that there are complex, dynamic relationships among PRIs that produce different risk assessments when combined into various patterns.[13] The powerful hierarchical complex event processing capabilities of Cogynt provide a unique approach to assessing insider threat risk in this complex environment. Furthermore, the modeling capabilities in Cogynt allow it to capture other dynamic qualities of PRIs, such as decreases in risk over time.
This concept of risk decay, which is currently under study in the insider threat research community, suggests that different types of PRIs may be subject to different decay parameters (e.g., those that relate to personality traits may be expected to be stable over time, while others that relate to more transient events such as network activity, may be subjected to more rapid decay in associated risk).[14]
Figure 4 is a notional Cogynt HCEP process as applied to insider threat. Data or events are ingested and filtered using lexicons that define a PRI associated with a behavior (e.g., Workplace Violence), with an estimated risk weighting reflecting the extent to which the PRI is indicative of the behavior. The accumulation of risk is computed for every person/entity within the organization, and over time these accumulated risk scores may be compared across the organization to identify the individuals of greatest concern.
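Added example (not Cogynt's code) of the risk decay and per-person accumulation described above: each PRI hit carries a risk weighting and a category with its own assumed half-life, personality traits do not decay, network activity decays quickly, and accumulated scores are ranked for comparison across the organization. The categories, half-lives, weights and sample hits are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import inf

# Assumed half-lives in days per PRI category: inf keeps the risk stable
# (personality traits), while transient network activity decays quickly.
HALF_LIFE_DAYS = {"personality": inf, "financial": 90.0, "network": 7.0}


@dataclass(frozen=True)
class PriHit:
    """One lexicon hit on a PRI for a person, with its estimated risk weighting."""
    person: str
    category: str
    weight: float   # assumed weighting: how indicative the PRI is of the behavior
    when: datetime


def decayed_weight(hit: PriHit, now: datetime) -> float:
    """Half-life decay of one hit's risk contribution as seen at time `now`."""
    age_days = (now - hit.when).total_seconds() / 86400
    return hit.weight * 0.5 ** (age_days / HALF_LIFE_DAYS[hit.category])  # x/inf == 0


def accumulated_risk(hits: list[PriHit], now: datetime) -> dict[str, float]:
    """Per-person accumulation of decayed risk over every hit observed so far."""
    scores: dict[str, float] = {}
    for hit in hits:
        if hit.when > now:   # not yet observed at this point of the assessment
            continue
        scores[hit.person] = scores.get(hit.person, 0.0) + decayed_weight(hit, now)
    return {person: round(score, 3) for person, score in scores.items()}


def ranked(scores: dict[str, float]) -> list[str]:
    """People ordered by accumulated risk, for comparison across the organization."""
    return sorted(scores, key=lambda person: scores[person], reverse=True)


# Constructed sample hits (not real data) and a helper to assess at T0 + days.
T0 = datetime(2024, 1, 1)
SAMPLE_HITS = [
    PriHit("alice", "network", 0.8, T0),
    PriHit("alice", "network", 0.8, T0 + timedelta(days=7)),
    PriHit("bob", "personality", 0.5, T0),
    PriHit("bob", "financial", 0.6, T0 + timedelta(days=10)),
    PriHit("carol", "network", 0.9, T0 + timedelta(days=13)),
]


def scores_after(days: int) -> dict[str, float]:
    return accumulated_risk(SAMPLE_HITS, T0 + timedelta(days=days))
```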
Cogynt Analyst Support

The Workstation provides the means of doing detailed analysis on a given behavioral threshold and building a case file. The Pivot dashboard (Figure 6) is another view—particularly of interest to stakeholders who need to see the big picture of data in the aggregate, or enterprise view. The Pivot dashboard provides the added benefit of allowing users to interact with the data—i.e., the user can inspect an area such as a spike in risk or number of incidents and examine the source of incidents, such as by organization or geography.

Conclusion
Ready to get started?
See how Cogynt can provide your enterprise with Continuous Intelligence.
Footnotes
[1] Cappelli, D.N., Moore, A.P., & Trzeciak, R.F. (2012). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison-Wesley.
[2] Shaw, E.D., & Sellers, L. (2015). Application of the Critical-Path Method to Evaluate Insider Risks. Studies in Intelligence, 59(2) (Extracts, June 2015).
[3] Greitzer, F.L., Purl, J., Leong, Y.M., & Becker, D.E. (2018). SOFIT: Sociotechnical and Organizational Factors for Insider Threat. IEEE Symposium on Security and Privacy Workshops, 197-206.
[4] Shaw, E.D., & Fischer, L. (2005). Ten Tales of Betrayal: An Analysis of Attacks on Corporate Infrastructure by Information Technology Insiders, Vol. 1. Monterey, CA: Defense Personnel Security Research and Education Center.
[5] Greitzer, F.L. (2019). Insider Threats: It’s the HUMAN, Stupid! Proceedings of the Northwest Cybersecurity Symposium, April 8-10, 2019, Article No. 4, pp. 1-8. ACM ISBN 978-1-4503-6614-4/19/04.
[6] https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-securityclassified-net
[7] Greitzer, Purl, Leong, & Becker (2018).
[8] Shaw & Sellers (2015).
[9] Henderson, J., & Cavalancia, N. (2019). 2019 Insider Threat Program Maturity Model Report. https://cdn2.hubspot.net/hubfs/5260286/PDFs/Whitepapers/insider-threat-maturity-report-2019.pdf
[10] https://en.wikipedia.org/wiki/Systems_theory#:~:text=Systems%20theory%20is%20the%20interdisciplinary,and%20expressed%20through%20its%20functioning.
[11] https://en.wikipedia.org/wiki/Complex_event_processing
[12] https://en.wikipedia.org/wiki/Bayesian_network
[13] Greitzer & Purl (2022).
[14] Greitzer & Purl (2022).