Detect and prevent insider threats with real-time data processing and machine learning

Ingestion and data processing from many critical applications, at a fraction of the cost

Gathr enables ingestion from many applications and blends incoming high-speed data with static data sources. It further uses Apache Kafka, that allows the platform to ingest data at a ten times lower infrastructure cost and at a significantly higher speed from tens of thousands of discrete internal systems. For instance, Gathr helped a large bank in the US to ingest data from up to 90% of all its mission-critical applications to detect threats, which was 5x more applications compared to the existing solution, and at 4x the speed of the older technology stack with lower hardware infrastructure cost.

Gathr enables in-memory data transformation and distributed in-memory stateful processing that allows faster data quality scoring, data cleansing, and data enrichment. Gathr enabled the bank with the following capabilities in its insider threat detection journey:

• Real-time data quality scoring and auto-cleansing
• Data deduplication over seven days of history, which helps to curb false positives, narrowing the flags to relevant suspicious behavior and activity
• Enriching event records with employee and application data
• Executing data transformations

Gathr enables the use of machine learning to move away from static rule-based alerts to dynamic models. These models periodically learn normal baseline behavior and detect anomalies based on both dynamic and static factors such as identities, roles, and access permissions; correlated with log and event data.

Models developed using built-in machine learning operators in Gathr include self-learning and training behavioral profile algorithms, which help in processing new transactions in real-time to build risk scores and dynamic thresholds for various risk factors.

Use of machine learning proved highly effective in reducing false positives and highlighting behavior that genuinely accounts for malicious activities.

Appropriate real-time alerts and actions are critical to prevent predicted breaches. The Gathr platform sets up routine rule-based alerts like off-hours activity, multiple-failed logins, multi-station logins, and custom-alerts for ‘suspicious’ activity (based on a complex mix of factors deduced by the machine learning algorithms) which could be manually validated by security experts.

Gathr has helped a large bank to identify and prevent insider information security threats across sensitive applications in its retail banking and wealth management divisions. Gathr boosted insider threat detection by 5x through use of predictive analytics and machine learning on an extensive data set from highly sensitive applications to automatically and effectively detect previously unknown threat scenarios and patterns and raise appropriate alerts and actions to prevent predicted breaches.

To know more about how Gathr helped a large US bank boost threat detection, read this case study.