Cogynt – A Comprehensive Solution to Insider Threats

Introduction

The demands of Counter-Insider Threat (C-InT) assessment, if the insider threat analysis problem is to be fully addressed, exceed currently fielded solutions and overwhelm the cognitive limitations of C-InT professionals. In contrast to current practice, which is largely reactive, a continuous intelligence, behavioral analytic platform is needed to achieve a comprehensive, proactive C-InT program that can handle the data analytic demands and provide decision support for C-InT professionals who cannot afford to get it wrong. Analysis of behavioral as well as technical data in a predictive analytics environment supports a proactive C-InT program that predicts potential insider threat risks so that risk mitigation efforts can be applied to deter or avoid insider threat incidents.

Cogynt Capabilities

  1. Human in the Loop
  2. Multiple Simultaneous Data Source Ingestion
  3. Semantic Analysis to process structured or unstructured data at scale
  4. Complete Behavioral Modeling Environment with a self-documenting model that may be reviewed and validated by 3rd party experts
  5. Real-Time Behavioral Analytic to hierarchically process event patterns to yield actionable intelligence
  6. Real-Time Continuous Risk Assessment to assess behavioral patterns
  7. Visualizations to present and allow manipulation of complex data and relationships in various contexts (geospatial, link charts, hierarchy charts, graphs and histograms, lists, etc.)
  8. Case File Management to support workflow
  9. Audit support to ensure compliance with organizational policies
  10. Enterprise Dashboard Views to support Business Intelligence to convey risks, hot spots, and trends
  11. Open Architecture that can be easily integrated with other applications and data stores
  12. Scalability to the needs of the enterprise and big data to be processed
  13. Platform is Easy to Install and Manage

Background

Insider threats are actions by trusted individuals with access to organizational assets that may harm the organization or its assets—these acts include insider data theft/exfiltration, sabotage, espionage, fraud, maladaptive behavior, workplace violence, and unintentional insider threats.[1] With potentially catastrophic consequences, these incidents often are perpetrated by individuals with personal predispositions (psychological factors such as depression or personality traits such as narcissism or anti-social personality disorder) that lead them to react or act-out in response to work- or life-stressors.[2]

Figure 1 is a notional plot of insider threat risk that distinguishes between contributions of technical indicators (online behavior) versus psychosocial/behavioral indicators, demonstrating how the combination of both data sources in a comprehensive C-InT approach can provide early warning, and greater opportunity for proactive mitigation that gets “left of boom”, compared with typical reactive programs that limit analysis to technical data.[3] Incorporation of behavioral data monitoring and analytics (deriving from Human Resources, Security, Performance Reviews, Financial, Criminal, etc.) can provide insight about personal predispositions, precipitating events (stressors), or concerning behaviors that reveal higher-risk individuals who show behavioral signs weeks or months prior to the incident.[4], [5]

Left of Boom Chart
Figure 1. Sociotechnical (behavioral) data enables proactive mitigation to get “left of boom.”

The Federal Insider Threat Program was established in 2012 by Presidential Executive Order (EO) 13587[6]. Following this, the Federal agencies derived their own policies and instructions that define authorities, responsibilities, and relevant constructs—including threat behaviors of concern and definitions of contributing factors or indicators associated with these threats. All entities benefit from such standardization, but each organization may apply its own criteria or priorities, informed by its mission and culture, to implement its Counter-Insider Threat Program (C-InTP).

For the DoD, a knowledge base of more than 140 Potential Risk Indicators (PRIs) has been defined by the Defense Counterintelligence and Security Agency (DCSA). This hierarchy of PRIs compares with other knowledge bases that have been developed, such as the Sociotechnical and Organizational Factors for Insider Threat (SOFIT) ontology[7] that was developed under a contract with the Intelligence Advanced Research Projects Activity (IARPA). The DAF C-InTP has continued to advance this PRI knowledge base by incorporating concepts described in the SOFIT ontology as well as other frameworks for understanding insider threats—particularly the Critical Pathway to Insider Risk (CPIR) model developed to better understand the role of contributing factors.[8] These resources represent valuable guidance to understand and define insider threat behaviors and the basis for these behaviors.


Cogynt Continuous Intelligence Behavioral Analytic Platform

Cogility has developed an advanced, big data, and highly scalable behavioral analytic platform called “Cogynt” that can continuously monitor the behavior of many thousands or millions of entities and continuously assess risk over extended periods of time. The ability to conduct this level of analysis, assuming the data and sufficiently detailed behavioral patterns are defined, allows for organizations and enterprises to conduct insider threat assessments of their employees and alerts C-InT analysts about concerning behavioral trends/potential risks so mitigating actions can be taken prior to a serious incident.

A readily configurable and adaptable continuous intelligence platform, Cogynt offers all the essential capabilities needed to augment and support a highly mature and effective C-InTP that meets or exceeds best practices.[9] A logical depiction of the Cogynt platform solution architecture is shown in Figure 2 below.

Diagram showing how the open source components work within Cogynt.
Figure 2. Cogynt Continuous Intelligence Platform Logical Architecture

  1. Data Analyst/Business User/Data Engineer: These are the roles that define event patterns using the Cogynt Authoring Tool.
  2. Data Sources: Cogynt accepts a wide range of data types and formats by leveraging Apache Kafka connectors.
  3. Cogynt Authoring Tool: Cogynt Authoring is a tool used for authoring event patterns, computation models and risk models. The Cogynt Authoring tool deploys these models to Apache Flink for processing.
  4. Cogynt Event Stream Processing and Storage: This includes the event stream processing software components that provide real-time processing and scalable storage for Cogynt.
  5. Cogynt Analyst Workstation: A dynamic and interactive user interface for viewing analytic results, this is the primary tool used by analysts to review and validate system-generated intelligence.
  6. Applications: Represents a notional interface to any application or system that can consume events generated from Cogynt. Cogynt is an open system and its data can be shared with any other event-driven system or application.
  7. Dashboard: The dashboard can be the Cogynt Pivot dashboard or a different dashboard depending on the customer’s preference. Cogynt is an open system and can stream event data to different types of dashboards at the customer’s discretion.

Cogynt Behavioral Analytics and HCEP

The heart of Cogynt contains a patented behavioral analytic called Hierarchical Complex Event Processing (HCEP). The principles of HCEP are rooted in systems theory[10] and CEP[11]. For insider threat, Cogynt can model a whole-person insider threat profile by defining all the relevant behavioral types that make up an insider threat profile. Within HCEP, the organic component of a behavior is an event pattern, and an event pattern follows the principles of CEP: an event pattern, if fully matched, creates a new complex event that can trigger a higher-level event pattern. This process continues until it satisfies the full behavioral profile. In addition, HCEP allows for partial event pattern matches, which represent an indicator (or a collection of indicators representing a behavior) but not a complete pattern of a definitive target threat behavior. Cogynt maintains the state of the event patterns over time, which allows analysts to look for trends and changes in behavior.

The general HCEP concept is represented in Figure 3. The top-level event pattern represents the whole-person profile, and the lower-level patterns represent indicators (which are basically the “building blocks” of behavior patterns). The lowest level represents interpreted data, or observations, which are the building blocks of indicators. Data or events are processed from the bottom up to infer observations about the real world, consisting of people exhibiting sociotechnical behaviors. These observed events are matched to event patterns that may eventually culminate in an insider threat incident. The ability to continuously assess a person’s behavioral profile state, and changes in that profile, is key to predicting insider threats.

Figure 3. Logical depiction of Hierarchical Complex Event Processing

Another critical facet of HCEP is continuous risk assessment of a person’s insider threat profile. Cogynt applies a Bayesian Belief Network[12] (BBN) computation method for computing risk based on the hierarchical structure of the event pattern model. This risk assessment allows analysts to weigh the value of one indicator over another based on the risk assessment. Applying BBN allows analysts to not only assess developing behavioral patterns but weigh the importance of one behavior over another as to the risk it poses to the organization.

Figure 4 represents an example set of event patterns (A, B, C and D) where event patterns A, B, and C output complex events to event pattern D. The diagram shows data entering at the left as inputs to the event patterns. The diagram shows each of the event patterns, where A is fully matched, generating an event O1 as output, and where event patterns B and C contain partial matches. The analyst defines the statistical importance of each element as it relates to risk. Applying BBN computations, Cogynt processes both matched and unmatched statistical event patterns up the hierarchy.

For example, in Figure 4, event pattern A is the only pattern providing a factual output. Event patterns B and C provide statistical outputs (O2 and O3) that are inputs to event pattern D. The output O4 from event pattern D consists of one factual and two statistical elements that inform the O4 statistical result. This general approach is how behavioral risk is propagated through the behavioral hierarchies, allowing the analyst to have complete visibility of the state of any given behavior and statistical risk assessment.

Figure 4. Cogynt Notional Event Pattern
Figure 5. Notional C-InT Behavior and Risk Assessment in processing composite behaviors

Figure 5 depicts the matching process and continuous risk assessment where multiple threat-behavior types contribute to an individual’s behavioral risk assessment, which is assessed on a continuous basis. The mapping proceeds from PRIs to threat behavior types, with varying strengths of association between PRIs and behavior type. This means that the relationships between PRIs and behaviors are dynamic—research suggests that there are complex, dynamic relationships among PRIs that produce different risk assessments when combined into various patterns.[13] The powerful hierarchical complex event processing capabilities of Cogynt provide a unique approach to assessing insider threat risk in this complex environment. Furthermore, the modeling capabilities in Cogynt allow it to capture other dynamic qualities of PRIs, such as decreases in risk over time.

This concept of risk decay, which is currently under study in the insider threat research community, suggests that different types of PRIs may be subject to different decay parameters (e.g., those that relate to personality traits may be expected to be stable over time, while others that relate to more transient events such as network activity, may be subjected to more rapid decay in associated risk).[14]

Figure 5 is a notional Cogynt HCEP process as applied to insider threat. Data or events are ingested and filtered using lexicons that define a PRI that is associated with a behavior (e.g., Workplace Violence), with an estimated risk weighting reflecting the extent to which the PRI is indicative of the behavior. The accumulation of risk is computed for every person/entity within the organization, and over time these accumulated risk scores may be compared across the organization to identify individuals who are of greatest concern.
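As an added illustration (not Cogynt’s code, and not the patented HCEP or its BBN computation), the following Python sketches the bottom-up pattern evaluation, partial-match fraction and per-PRI risk decay described in the HCEP and risk-decay passages above. Pattern names, weights, half-lives and observations are constructed sample values, and risk is combined with a simple noisy-OR rather than a Bayesian Belief Network.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Observation:
    pri: str     # potential risk indicator (PRI) that an ingested event matched
    day: float   # days since monitoring started (constructed sample data)

@dataclass
class Pattern:
    name: str
    weights: Dict[str, float]         # child name -> analyst-assigned weight in [0, 1]
    children: Dict[str, "Pattern"]    # sub-patterns by name; a name not here is a PRI leaf

# Assumed half-life in days per PRI; None models a stable trait with no decay.
HALF_LIFE = {"narcissism_screen": None, "after_hours_vpn": 7.0, "hr_complaint": 30.0}

def leaf_evidence(pri: str, obs: List[Observation], now: float) -> float:
    """Strongest decayed evidence for one PRI at time `now` (1.0 = fresh match)."""
    hl = HALF_LIFE.get(pri)
    best = 0.0
    for o in obs:
        if o.pri == pri and o.day <= now:
            best = max(best, 1.0 if hl is None else 0.5 ** ((now - o.day) / hl))
    return best

def evaluate(p: Pattern, obs: List[Observation], now: float) -> Tuple[float, float]:
    """Bottom-up evaluation: returns (fraction of children matched, risk in [0, 1]).
    A child counts as matched when its evidence exceeds 0.5 (a full match emits a
    factual event; anything less is a partial, statistical contribution). Risk is a
    noisy-OR of weighted child evidence, a simple stand-in for the page's BBN."""
    matched, survive = 0, 1.0
    for child, w in p.weights.items():
        if child in p.children:
            _, ev = evaluate(p.children[child], obs, now)
        else:
            ev = leaf_evidence(child, obs, now)
        matched += 1 if ev > 0.5 else 0
        survive *= 1.0 - w * ev          # probability that no weighted child "fires"
    return matched / len(p.weights), 1.0 - survive

# Constructed profile: whole-person pattern D built from sub-patterns A and B.
A = Pattern("financial_stress", {"hr_complaint": 0.6}, {})
B = Pattern("exfil_preparation", {"after_hours_vpn": 0.7, "narcissism_screen": 0.3}, {})
D = Pattern("whole_person", {"financial_stress": 0.5, "exfil_preparation": 0.8},
            {"financial_stress": A, "exfil_preparation": B})

OBS = [Observation("narcissism_screen", 0.0), Observation("hr_complaint", 10.0),
       Observation("after_hours_vpn", 12.0)]

def profile_risk(now: float) -> Tuple[float, float]:
    """(matched fraction, risk) of the whole-person profile at day `now`."""
    return evaluate(D, OBS, now)
```

Calling `profile_risk(12.0)` with all indicators fresh gives a fully matched profile with risk near 0.74, while `profile_risk(60.0)` shows the transient indicators decayed and the risk fallen to about 0.31, with only the stable trait still matched.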

Cogynt Analyst Support

HCEP is the workhorse that processes the vast amount of data and matches data to event patterns; over time, when a particular behavioral threshold (defined by the analyst) is reached, a notification event is generated with supporting contextual information. However, it still takes a human to interpret the results to ensure the analytic results accurately reflect the concerning behavior. The Cogynt Analyst Workstation (Workstation) is the human interface for Cogynt that allows the analyst to view the data generated from HCEP, decide on its accuracy, and instigate a workflow with other analysts and subject matter experts, such as psychologists and law enforcement professionals, to thoroughly review and coordinate a given threshold event and come to an informed conclusion.


The Workstation provides a suite of tools or widgets that can be flexibly configured to support any given analyst task. Each widget within Workstation is interoperable with other widgets, so the internal analyst workflow is intuitive and seamless. Workstation also supports the ability to upload files to support case management and export case file data to support external reporting needs.

Figure 6 is a screen capture of the Workstation, which supports the review and analysis of any published events. It includes an assortment of visualizations, such as link charts, maps, event drill-down charts (event tree), and line charts for risk history, which are combined at the preference of the user.
Figure 6. Cogynt Analyst Workstation

The Workstation provides the means of doing detailed analysis on a given behavioral threshold and building a case file. The Superset dashboard (Figure 7) is another view—particularly of interest to stakeholders who need to see the big picture of data in the aggregate, or enterprise view. The Superset dashboard provides the added benefit of allowing users to interact with the data—i.e., the user can inspect an area such as a spike in risk or number of incidents and examine the source of incidents, such as based on the organization or geography.

Pivot Dashboard
Figure 7. Superset Dashboard

Conclusion

Insider Threat is a low probability, high consequence risk that organizations face daily. Over the past 10 years, this threat has gained the full attention it deserves to develop better tools for mitigating insider threat risk. An effective C-InT program requires policies, instructions, and procedures on how to manage insider threat risk — an advanced continuous intelligence behavioral analytic platform is needed to do this effectively.

The Cogynt platform is uniquely qualified to meet the immense analytic and information-processing challenges faced by insider threat analysts across government and industry.

Footnotes

[1] Cappelli, DN, Moore, AP, & Trzeciak RF. (2012). The CERT guide to insider threats: How to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Addison-Wesley.

[2] Shaw, ED & Sellers, L. (2015). Application of the Critical-Path Method to Evaluate Insider Risks. Studies in Intelligence 59(2) (Extracts, June 2015).

[3] Greitzer, FL, Purl, J, Leong, YM, and Becker DE. (2018). SOFIT: Sociotechnical and Organizational Factors for Insider Threat. IEEE Symposium on Security and Privacy Workshops, 197-206.

[4] Shaw ED, Fischer L. Ten tales of betrayal: an analysis of attacks on corporate infrastructure by information technology insiders, Vol. 1. Monterrey, CA: Defense Personnel Security Research and Education Center. 2005

[5] Greitzer, FL. (2019). Insider Threats: It’s the HUMAN, Stupid! Proceedings of the Northwest Cybersecurity Symposium, April 8-10, 2019. Article No. 4, pp. 1-8. ACM ISBN 978-1-4503-6614-4/19/04

[6] https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-securityclassified-net

[7] Greitzer, Purl, Leong, Becker (2018)

[8] Shaw and Sellers (2015)

[9] Henderson, J., & Cavalancia, N. (2019). 2019 Insider Threat Program Maturity Model Report. https://cdn2.hubspot.net/hubfs/5260286/PDFs/Whitepapers/insider-threat-maturity-report-2019.pdf

[10] https://en.wikipedia.org/wiki/Systems_theory#:~:text=Systems%20theory%20is%20the%20interdisciplinary,and%20expressed%20through%20its%20functioning.

[11] https://en.wikipedia.org/wiki/Complex_event_processing

[12] https://en.wikipedia.org/wiki/Bayesian_network

[13] Greitzer & Purl (2022)

[14] Greitzer & Purl (2022)
