Grant Gelven and Shannon Strum

Graph-Based User-Entity Behavior Analytics for Enterprise Insider Threat Detection (pdf, video)

In this talk, we will discuss the use of graph-based user-entity behavior analytics to develop an insider threat detection system at one of the largest private companies in the world. We use raw audit log data from multiple systems that captures point-in-time interactions between people and internal resources. These interactions can be transformed into a heterogeneous weighted bipartite graph, reducing user behavior against internal assets to a link prediction problem on the graph of all users and resources. We show that classical matrix factorization techniques can be adapted to generate reliable statistics on the observed and expected behaviors of users, which allows for monitoring and detection of anomalous events while also providing a natural way to measure the exposure to insider threat risks due to over-privileged access. We provide a few highlights related to the problem in an enterprise setting, and describe the mathematical framework used for quantifying risk, the methods for modeling individual actions, and the reporting of results for use in improving overall security posture.
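As an added example (not the speakers' code), the pipeline the abstract describes in miniature: constructed audit events become a user-by-resource count matrix, a rank-2 factorization computed by power-iteration SVD gives the expected weight of every edge, observed edges are ranked by how far they exceed expectation, and granted entitlements whose expected use is near zero are reported as over-privilege exposure. The department names, access counts, the single off-pattern access and the entitlement lists are all constructed for the demonstration.

```python
import math
import random
from collections import Counter

# Constructed audit-log events (not real data): two departments with rank-1 access patterns plus one off-pattern access.
FIN = ({"fin1": 1, "fin2": 2, "fin3": 3, "fin4": 2, "fin5": 1},
       {"ledger": 3, "payroll": 2, "invoices": 2, "budget": 1})
ENG = ({"eng1": 1, "eng2": 3, "eng3": 2, "eng4": 2, "eng5": 2},
       {"repo": 4, "build": 3, "deploy": 1, "tickets": 2})
EVENTS = [(u, r) for users, res in (FIN, ENG) for u, a in users.items()
          for r, b in res.items() for _ in range(a * b)]
EVENTS.append(("eng1", "payroll"))  # the single access we want surfaced

def fit(events, rank=2, iters=300, seed=0):
    """Build the user x resource count matrix and its rank-k SVD by power iteration with deflation."""
    users = sorted({u for u, _ in events}); res = sorted({r for _, r in events})
    cnt = Counter(events)
    X = [[cnt[(u, r)] for r in res] for u in users]          # weighted bipartite graph
    R, comps, rng = [row[:] for row in X], [], random.Random(seed)
    for _ in range(rank):
        v = [rng.uniform(0.5, 1.0) for _ in res]
        for _ in range(iters):                               # v <- normalize(R^T R v)
            u = [sum(a * b for a, b in zip(row, v)) for row in R]
            v = [sum(R[i][j] * u[i] for i in range(len(R))) for j in range(len(res))]
            n = math.sqrt(sum(c * c for c in v)); v = [c / n for c in v]
        u = [sum(a * b for a, b in zip(row, v)) for row in R]
        s = math.sqrt(sum(c * c for c in u)); u = [c / s for c in u]
        comps.append((s, u, v))
        R = [[R[i][j] - s * u[i] * v[j] for j in range(len(res))] for i in range(len(R))]
    return {"users": users, "res": res, "X": X, "comps": comps}

def expected(m, user, res):
    i, j = m["users"].index(user), m["res"].index(res)
    return sum(s * u[i] * v[j] for s, u, v in m["comps"])   # peer-derived expectation, not the raw count

def anomalies(m):
    """Observed edges ranked by how far the count exceeds what the low-rank model expects."""
    scores = [(m["X"][i][j] - expected(m, u, r), u, r)
              for i, u in enumerate(m["users"]) for j, r in enumerate(m["res"]) if m["X"][i][j]]
    return sorted(scores, reverse=True)

def unused_entitlements(m, entitlements, threshold=0.5):
    """Granted access the model expects to stay idle: the over-privilege exposure."""
    return sorted((u, r) for u, rs in entitlements.items() for r in rs
                  if expected(m, u, r) < threshold)

if __name__ == "__main__":
    model = fit(EVENTS)
    print(anomalies(model)[:3])
    print(unused_entitlements(model, {"eng5": ["deploy", "ledger"], "fin2": ["payroll", "repo"]}))
```

The eng1/payroll access is the top-ranked anomaly even though its count is only one, because the model expects roughly a quarter of an access there from eng1's peers and payroll's other users; the in-department counts are reproduced almost exactly.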