US 12,273,350 B2
Dynamic grouping of users in an enterprise and watch list generation based on user risk scoring
Adam Blake, Minneapolis, MN (US); and Paul Hutelmyer, Minneapolis, MN (US)
Assigned to Target Brands, Inc., Minneapolis, MN (US)
Filed by Target Brands, Inc., Minneapolis, MN (US)
Filed on Nov. 22, 2022, as Appl. No. 17/992,104.
Claims priority of provisional application 63/301,326, filed on Jan. 20, 2022.
Prior Publication US 2023/0231854 A1, Jul. 20, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/104 (2013.01) [H04L 63/1425 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for identifying users within an enterprise who pose heightened security risks to the enterprise, the method comprising:
receiving, by a computing system, information about users in the enterprise, the information including a unique identifier associated with each user and network events corresponding to activities performed by the users that are detected by one or more network sensors and associated with the unique identifiers of the users, wherein the unique identifiers comprise login credentials for the users;
receiving, by the computing system and from the one or more network sensors, in-network data associated with the network events;
deserializing, by the computing system, the in-network data associated with the network events to generate deserialized data, wherein the deserializing comprises reconfiguring the in-network data for subsequent use by the computing system;
applying, by a decorator pipeline of the computing system, indicators of compromise (IoC) rules that correspond to network security of the enterprise to the deserialized data to identify a subset of the deserialized data that matches the IoC rules;
appending, by the decorator pipeline of the computing system, flags to the subset of the deserialized data, wherein the flags correspond to the matched IoC rules;
grouping, by the computing system, the users into a plurality of groups based on at least one grouping feature and the decorated subset of the deserialized data that corresponds to activities performed by the users, the at least one grouping feature including, for each of the users, at least one of behavior, activity, role, department, region, role-based risk score, event-based risk score, and composite risk score;
identifying, by the computing system and for each of the plurality of groups, normalized behavior of the group, wherein the normalized behavior represents expected behavior of the users in the group;
generating, by the computing system and for each of the users in each of the plurality of groups, a composite risk score based on a deviation of activity in the decorated network events associated with the user from the normalized behavior of the group;
identifying, by the computing system and for each of the plurality of groups, a subset of users in the group to be added to a watch list based on the respective composite risk scores, wherein the watch list is configured to monitor users that do not have casefiles, wherein the casefiles are generated for the users once a threshold amount of the decorated subset of the deserialized data is attributed to the respective users;
adding, by the computing system, the subset of users to the watch list;
storing, by the computing system, the watch list in a data store; and
dynamically updating, by the computing system, the watch list based on removing one or more users from the watch list that are attributed with the threshold amount of the decorated subset of the deserialized data required for generating the casefiles.
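The claim above describes a pipeline: ingest serialized sensor events, deserialize them, run them through a decorator that tags events matching IoC rules, group users on a grouping feature, derive each group's normalized behavior, score each user by deviation from that baseline, and maintain a watch list for users who score high but have not yet accumulated enough decorated events to open a casefile. The following is an added example that is not part of the patent or any code from the assignee; it is a small stand-alone Python sketch of that flow. The events, the three IoC rules, the use of department as the grouping feature, the flag-count z-score as the composite risk score, and the thresholds (casefile at 3 decorated events, watch list above a score of 1.0) are all constructed assumptions chosen to make the two-batch behavior visible.

```python
import json
import statistics
from collections import defaultdict

# Constructed sensor records serialized as JSON, standing in for in-network data.
def ev(user, dept, kind, domain, bytes_out):
    return json.dumps({"user": user, "dept": dept, "kind": kind,
                       "domain": domain, "bytes_out": bytes_out})

BATCH_1 = [  # first ingest (constructed)
    ev("alice", "finance", "dns", "intranet.example", 1200),
    ev("alice", "finance", "dns", "updates.example", 800),
    ev("bob", "finance", "dns", "intranet.example", 1500),
    ev("bob", "finance", "usb_write", None, 0),
    ev("carol", "finance", "http", "paste.bad.example", 60_000_000),
    ev("carol", "finance", "usb_write", None, 0),
    ev("dave", "engineering", "http", "github.example", 30_000_000),
    ev("erin", "engineering", "http", "github.example", 25_000_000),
    ev("frank", "engineering", "dns", "intranet.example", 900),
]
BATCH_2 = [  # second ingest (constructed): carol's third decorated event
    ev("carol", "finance", "dns", "paste.bad.example", 400),
]

# Constructed IoC rules: (flag name, predicate over one deserialized event).
IOC_RULES = [
    ("bad_domain", lambda e: e.get("domain") in {"paste.bad.example"}),
    ("removable_media", lambda e: e["kind"] == "usb_write"),
    ("large_upload", lambda e: e["bytes_out"] >= 50_000_000),
]

CASEFILE_THRESHOLD = 3   # decorated events that open a casefile (assumed)
WATCH_THRESHOLD = 1.0    # composite score above which a user is watch-listed (assumed)


def deserialize(raw_records):
    """Turn serialized sensor output into dicts the rest of the pipeline can use."""
    return [json.loads(r) for r in raw_records]


def decorate(events, rules):
    """Decorator pipeline: append a flag per matched IoC rule.
    Returns only the subset of events that matched at least one rule."""
    decorated = []
    for e in events:
        flags = [name for name, pred in rules if pred(e)]
        if flags:
            decorated.append({**e, "flags": flags})
    return decorated


class RiskEngine:
    def __init__(self, rules, casefile_threshold=CASEFILE_THRESHOLD,
                 watch_threshold=WATCH_THRESHOLD):
        self.rules = rules
        self.casefile_threshold = casefile_threshold
        self.watch_threshold = watch_threshold
        self.users = {}                       # user -> grouping feature (department)
        self.decorated = defaultdict(list)    # user -> decorated events attributed so far
        self.casefiles = set()                # users with enough decorated events
        self.watch_list = set()               # the stored watch list (data store stand-in)

    def groups(self):
        """Group users on the grouping feature (department here)."""
        g = defaultdict(list)
        for user, dept in self.users.items():
            g[dept].append(user)
        return g

    def composite_scores(self):
        """Normalized behavior = mean flag count in the group; the composite
        risk score is the user's z-score against that baseline."""
        scores = {}
        for members in self.groups().values():
            counts = {u: sum(len(d["flags"]) for d in self.decorated[u]) for u in members}
            vals = list(counts.values())
            mean, spread = statistics.fmean(vals), statistics.pstdev(vals)
            for u, c in counts.items():
                scores[u] = 0.0 if spread == 0 else (c - mean) / spread
        return scores

    def ingest(self, raw_batch):
        events = deserialize(raw_batch)
        for e in events:
            self.users[e["user"]] = e["dept"]
        for d in decorate(events, self.rules):
            self.decorated[d["user"]].append(d)
        # Casefile generation once the threshold of decorated events is attributed.
        for u, evs in list(self.decorated.items()):
            if len(evs) >= self.casefile_threshold:
                self.casefiles.add(u)
        scores = self.composite_scores()
        # Watch list covers high-scoring users who do not yet have a casefile.
        for u, s in scores.items():
            if s > self.watch_threshold and u not in self.casefiles:
                self.watch_list.add(u)
        # Dynamic update: drop users whose casefile has now been opened.
        self.watch_list -= self.casefiles
        return scores


if __name__ == "__main__":
    engine = RiskEngine(IOC_RULES)
    print("after batch 1:", engine.ingest(BATCH_1), engine.watch_list, engine.casefiles)
    print("after batch 2:", engine.ingest(BATCH_2), engine.watch_list, engine.casefiles)
```

After the first batch carol has two decorated events (three flags), which puts her well above the finance baseline, so she lands on the watch list; the engineering group has no flagged activity, so its spread is zero and every member scores 0.0. The second batch attributes her third decorated event, the casefile threshold is met, and the dynamic update removes her from the watch list, which is the handoff the last claim element describes. A production version would replace the flag count with a weighted or time-decayed measure and use a more robust baseline than a population z-score over a handful of users.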