How Palantir Gotham enables effective audit log analysis

We work with organizations that analyze many different kinds of data from many different sources, each of which is typically governed by its own access control or security policies. Our customers need to be confident that their analysts are handling this sensitive data appropriately, and that their auditors can identify and take action against any data misuse.

We’ve developed two broad sets of capabilities to meet these needs:

  1. Precision access control capabilities that support multi-level security policies. Palantir Gotham enables users with multiple and varying access permissions to interact appropriately with data with multiple and varying access restrictions. Users see only the data they are authorized to see, while operating in a shared, collaborative environment with other users who may have different access permissions.
  2. Audit logging, data integration, and analytic capabilities that support the investigation and monitoring of data use. Palantir Gotham automatically generates an immutable audit log of all user activity, which can then be integrated back into the platform for analysis. By integrating additional data sources pertaining to data use at their organizations—everything from system log-ins to network activity, OS activity, and physical sensors—auditors can investigate potential instances of data misuse and actively monitor for suspicious activity as it occurs.

You can watch a demonstration that highlights access controls here. In this post we will focus on the second set of capabilities, and demonstrate how organizations can use our platform for effective audit log analysis.

Reactive investigations

With Palantir Gotham, an auditor can respond to potential data misuse or security incidents by discovering links between audit events (searches, object loads, data exports, etc.), user profiles, and administrator actions within the system. Even when dealing with low signal-to-noise data like audit logs, auditors using Palantir Gotham can find answers to their most important questions. Who has seen data X and when? What has user Y seen? Has user Y seen data X? Once this information has been surfaced, auditors can explore answers to subtler questions like: What was user Y’s intention in investigation X?

In this video*, the platform is used to trace the source of a sensitive information leak. An auditor can investigate the source by looking at audit events related to the leaked information (in this case, the “William Haynes” object). By using various search and analysis tools, the auditor can then rapidly focus his investigation on audit events that seem suspicious (e.g., those occurring outside normal business hours, or involving abnormal interactions with the leaked information). By cross-referencing these events with other information like badge swipe data, the auditor can discover which particular user profiles are implicated in the leak.
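The questions above (who has seen data X and when, what has user Y seen, has Y seen X) and the filtering the investigation describes (events outside business hours, cross-referenced against badge swipe data) can be expressed directly over an audit log. The following is an added example in Python, not Palantir code and not Gotham's real audit format: the audit lines, badge records and business-hours window are all constructed here for illustration.

```python
from datetime import datetime, time

# Constructed audit events: "<ISO timestamp> <user> <action> <object>".
# This is an illustrative format, not Gotham's actual audit log schema.
AUDIT_LOG = [
    "2015-03-02T09:15:00 alice LOAD William_Haynes",
    "2015-03-02T14:40:00 bob SEARCH William_Haynes",
    "2015-03-03T23:10:00 bob EXPORT William_Haynes",
    "2015-03-03T10:05:00 carol LOAD Other_Record",
    "2015-03-04T02:30:00 alice LOAD William_Haynes",
]

# Constructed badge-swipe data: (user, date) pairs for days the user badged in.
BADGE_LOG = {("alice", "2015-03-02"), ("bob", "2015-03-02"),
             ("carol", "2015-03-03"), ("alice", "2015-03-04")}

# Assumed business-hours window (inclusive start, exclusive end).
BUSINESS_HOURS = (time(8, 0), time(18, 0))

def parse_events(lines):
    """Turn raw audit lines into dicts with a real datetime for sorting/filtering."""
    events = []
    for line in lines:
        ts, user, action, obj = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj})
    return events

def who_saw(events, obj):
    """Who has seen data X and when? -> sorted (user, timestamp) pairs."""
    return sorted((e["user"], e["ts"].isoformat()) for e in events if e["object"] == obj)

def what_did_user_see(events, user):
    """What has user Y seen? -> sorted list of distinct objects."""
    return sorted({e["object"] for e in events if e["user"] == user})

def has_user_seen(events, user, obj):
    """Has user Y seen data X?"""
    return any(e["user"] == user and e["object"] == obj for e in events)

def suspicious_events(events, badge_log):
    """Flag out-of-hours events and events with no badge swipe by that user that day."""
    flagged = []
    for e in events:
        reasons = []
        if not (BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if (e["user"], e["ts"].date().isoformat()) not in badge_log:
            reasons.append("no badge swipe that day")
        if reasons:
            flagged.append((e["user"], e["ts"].isoformat(), e["action"], reasons))
    return flagged
```

Running `suspicious_events(parse_events(AUDIT_LOG), BADGE_LOG)` narrows the five events to the two worth an auditor's attention: a late-night export with no badge swipe, and an early-morning load by a user who was badged in.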

In this second video*, an auditor investigates data use by a particular user and finds evidence of unauthorized data access. He knows the user isn’t authorized to access information on US citizens, but finds evidence that the user has both accessed and edited data relating to a US citizen. He traces the cause of this unauthorized access to an administrator who made changes to the access controls governing the data.

Whether the investigation begins with a particular user or with a particular piece of data, Palantir Gotham supplies the audit logging, data integration, and analysis capabilities that auditors need to find the root causes of data misuse.

Proactive monitoring

Being able to track down the origins of past incidents of data misuse is crucial to maintaining user accountability and oversight, but it would be even better if auditors could stop data misuse as it happens, in real time. Palantir Gotham also provides a set of monitoring capabilities that enable auditors to rapidly detect and shut down suspicious data use. Search feeds and lead-generating algorithms turn massive-scale audit logs into actionable intelligence—information that can be used to mitigate potential threats quickly, before they can do great harm.

Ensuring appropriate data use

We are committed to building products that make our users better at the most important work they do. Palantir Gotham empowers administrators and auditors with tools to enforce compliance with applicable data protection policies. But these safeguards are only effective if they are put to good use, which is why we are also committed to working with our customers to help set up access controls and implement audit practices that can ensure appropriate data use at their organizations.

*While these video demonstrations are based on typical investigation workflows, the data is simulated and names were randomly generated. Any resemblance to real people or entities is coincidental.