Job Function Access Pattern Analysis
Definition
Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role, such as job title, function, or department.
How it works
Peer group analysis identifies functionally similar groups of actors (users or resources) based on categorizations such as job title, organizational hierarchy, or another attribute that indicates similarity of job function. Current user access activity is then compared to the appropriate peer group behavior profile to identify anomalies.
Considerations
Potential for false positives from anomalies that are not associated with malicious activity.
References
The following references were used to develop the Job Function Access Pattern Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Anomaly Detection Using Adaptive Behavioral Profiles
MITRE Comments
The patent describes a technique for detecting anomalous activity within an organization's IT infrastructure to identify threats. Behavioral profiles can be grouped by peer groups that identify functionally similar groups of actors (users or resources) based on their attributes and pre-defined grouping rules. For example, users can be grouped by their job title, organizational hierarchy, or location and can be observed for similarities in access patterns, based on granted access entitlements or actual logged resource access.
Behavioral profiles are created from measurements of events over a time period, for example:
- Transaction counts
- Concurrent users per hour
- Daily volume of data
Outlier data values that deviate from the behavioral profile by more than a predetermined probability threshold are identified for risk analysis as possible threats.
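An added example (not part of the original article or the referenced patent) of the peer-group comparison described above: daily transaction counts are pooled per job title, and an observation is flagged when its two-sided tail probability under the group's profile falls below a threshold. The sample events, the Gaussian model, and the MIN_SAMPLES and P_THRESHOLD values are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import NormalDist, mean, stdev

# Constructed baseline events: (user, job_title, transactions that day).
BASELINE = [
    ("ana", "accountant", 42), ("ana", "accountant", 38), ("ben", "accountant", 45),
    ("ben", "accountant", 40), ("cy", "accountant", 36), ("cy", "accountant", 41),
    ("dee", "dba", 400), ("dee", "dba", 380), ("eli", "dba", 420),
    ("eli", "dba", 410), ("fay", "dba", 390), ("fay", "dba", 405),
    ("gus", "intern", 5),
]
# Constructed user-to-peer-group mapping (would come from HR or directory data).
ROLE_OF = {"ana": "accountant", "ben": "accountant", "cy": "accountant",
           "dee": "dba", "eli": "dba", "fay": "dba", "gus": "intern"}

MIN_SAMPLES = 5      # assumed floor: smaller groups give unstable profiles
P_THRESHOLD = 0.001  # assumed value for the "predetermined probability threshold"


def build_profiles(events):
    """Return {peer_group: NormalDist} for groups with enough baseline data."""
    by_group = defaultdict(list)
    for _user, group, value in events:
        by_group[group].append(value)
    profiles = {}
    for group, values in by_group.items():
        # Skip thin or zero-variance groups instead of alerting on noise.
        if len(values) >= MIN_SAMPLES and stdev(values) > 0:
            profiles[group] = NormalDist(mean(values), stdev(values))
    return profiles


def score(profiles, user, value):
    """Compare one observation to the profile of the user's peer group."""
    dist = profiles.get(ROLE_OF.get(user))
    if dist is None:
        return ("no_profile", None)  # unknown user or group without a profile
    # Two-sided tail probability of a value at least this far from the mean.
    z = abs(value - dist.mean) / dist.stdev
    p = 2 * (1 - NormalDist().cdf(z))
    return ("anomaly" if p < P_THRESHOLD else "normal", p)


PROFILES = build_profiles(BASELINE)
```

The same count of 400 is normal for the dba group and anomalous for the accountant group. Groups below MIN_SAMPLES return no_profile rather than an alert, which limits false positives from thin baselines.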