Database attack detection tool
US-9690931-B1 · Jun 27, 2017 · US
US12160439B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12160439-B2 |
| Application number | US-202318393141-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 21, 2023 |
| Priority date | Apr 15, 2021 |
| Publication date | Dec 3, 2024 |
| Grant date | Dec 3, 2024 |
Official abstract text for this publication.
A device that is configured to receive user activity information that includes information about user interactions with a network device for a plurality of users. The device is further configured to input the user activity information into a first machine learning model that is configured to receive user activity information and to output a set of bad actor candidates based on the user activity information. The device is further configured to filter the user activity information based on the set of bad actor candidates. The device is further configured to input the filtered user activity information into a second machine learning model that is configured to receive the filtered user activity information and to output system exposure information that identifies network security threats. The device is further configured to identify network security actions based on the network security threats and to execute the network security actions.
Opening claim text (preview).
The invention claimed is:

1. An information security system, comprising: a plurality of network devices, wherein each network device is configured to provide access to data for a plurality of users; and a network analysis device in signal communication with the plurality of network devices, and comprising: a memory operable to store: network security rules, wherein the network security rules map network security threats to network security actions, wherein the network security actions comprise instructions for modifying device settings; and a processor operably coupled to the memory, and configured to: receive user activity information from a network device, wherein the user activity information comprises information about user interactions with the network device for the plurality of users; input the user activity information into a first machine learning model, wherein the first machine learning model is configured to: receive user activity information; and output a set of bad actor candidates based on the user activity information, wherein the set of bad actor candidates identifies one or more users from among the plurality of users; receive the set of bad actor candidates from the first machine learning model; filter the user activity information based on the set of bad actor candidates, wherein filtering the user activity information comprises removing user activity information for users that are not members of the set of bad actor candidates; input the filtered user activity information into a second machine learning model, wherein the second machine learning model is configured to: receive the filtered user activity information; and output system exposure information based on the user activity information, wherein the system exposure information identifies one or more network security threats; identify one or more network security actions within the network security rules based on the one or more network security threats identified in the system exposure information; execute the one or more network security actions; wherein the one or more network security actions are identified using the one or more network security threats as a search token to search the network security rules; wherein the first machine learning model is a multi-layer perception neural network model; and wherein the first machine learning model is stored and trained by a device that is external to the network analysis device.

2. The system of claim 1, wherein the first machine learning model is configured to identify users that accessed a website from a list of malicious websites as bad actor candidates.

3. The system of claim 1, wherein the first machine learning model is configured to: identify an average amount of outgoing data for the plurality of users; and identify users that exceed the average amount of data for the plurality of users as bad actor candidates.

4. The system of claim 1, wherein the first machine learning model is configured to: identify security violations based on the user activity information; and identify users associated with the security violations as bad actor candidates.

5. The system of claim 1, wherein executing the one or more network security actions comprises: identifying a website from within the filtered user activity information; identifying a user that visited the website from among the set of bad actor candidates; and restrict access to the website for the user.

6. The system of claim 1, wherein executing the one or more network security actions comprises modifying settings for a user device that is associated with a user, wherein modifying the settings comprises restricting outgoing data for the user.

7. The system of claim 1, wherein executing the one or more network security actions comprises modifying network settings for a user device that is associated with a user, wherein modifying the network settings comprises restricting access to a second network device.

8. A threat detection method, comprising: receiving user activity information from a network device, wherein the user activity information comprises information about user interactions with the network device for a plurality of users; inputting the user activity information into a first machine learning model, wherein the first machine learning model is configured to: receive user activity information; and output a set of bad actor candidates based on the user activity information, wherein the set of bad actor candidates identifies one or more users from among the plurality of users; receiving the set of bad actor candidates from the first machine learning model; filtering the user activity information based on the set of bad actor candidates, wherein filtering the user activity information comprises removing user activity information for users that are not members of the set of bad actor candidates; inputting the filtered user activity information into a second machine learning model, wherein the second machine learning model is configured to: receive the filtered user activity information; and output system exposure information based on the user activity information, wherein the system exposure information identifies one or more network security threats; identifying one or more network security actions based on the one or more network security threats identified in the system exposure information; wherein the one or more network security actions are identified using the one or more network security threats as a search token to search network security rules wherein the first machine learning model is a multi-layer perception neural network model; and wherein the first machine learning model is stored and trained by an external device.

9. The method of claim 8, wherein the first machine learning model is configured to identify users that accessed a website from a list of malicious websites as bad actor candidates.

10. The method of claim 8, wherein the first machine learning model is configured to: identify an average amount of outgoing data for the plurality of users; and identify users that exceed the average amount of data for the plurality of users as bad actor candidates.

11. The method of claim 8, wherein the first machine learning model is configured to: identify security violations based on the user activity information; and identify users associated with the security violations as bad actor candidates.

12. The method of claim 8, wherein executing the one or more network security actions comprises: identifying a website from within the filtered user activity information; identifying a user that visited the website from among the set of bad actor candidates; and restrict access to the website for the user.

13. The method of claim 8, wherein executing the one or more network security actions comprises modifying settings for a user device that is associated with a user, wherein modifying the settings comprises restricting outgoing data for the user.

14. The method of claim 8, wherein executing the one or more network security actions comprises modifying network settings for a user device that is associated with a user, wherein modifying the network settings comprises restricting access to a second network device.

15. A network analysis device, comprising: a memory operable to store: network security rules, wherein the network security rules map network security threats to network security actions, wherein the network security actions comprise instructions for modifying device settings; and a processor operably coupled to the memory, and configure
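The claims above describe a two-stage pipeline: a first model nominates bad actor candidates, the activity data is filtered down to those candidates, a second model turns the filtered data into system exposure information, and each threat is then used as a search token against stored rules that map threats to device-setting changes. The following is an added illustration of that data flow, not code from the patent or its assignee. It replaces both machine learning models with transparent heuristic functions (the three candidate tests of claims 2-4 and a per-session exfiltration threshold) so the filtering and rule lookup are visible; the record field names, the sample activity, the blocklist, the thresholds and the `second-network-device` placeholder are all constructed for this example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample user activity information (assumption: one record per
# user interaction with the network device; field names are this example's own).
USER_ACTIVITY = [
    {"user": "alice", "site": "intranet.example", "bytes_out": 1_200,  "violation": None},
    {"user": "alice", "site": "docs.example",     "bytes_out": 800,    "violation": None},
    {"user": "bob",   "site": "bad-site.example", "bytes_out": 500,    "violation": None},
    {"user": "carol", "site": "docs.example",     "bytes_out": 50_000, "violation": None},
    {"user": "dave",  "site": "intranet.example", "bytes_out": 900,    "violation": "usb-policy"},
    {"user": "erin",  "site": "docs.example",     "bytes_out": 700,    "violation": None},
]

MALICIOUS_SITES = {"bad-site.example"}   # constructed blocklist (claims 2/9)
PER_SESSION_EXFIL_BYTES = 10_000         # constructed threshold used by stage two

# Network security rules as claim 1 describes them: threat -> action. The threat
# string is the search token used to look the action up.
NETWORK_SECURITY_RULES = {
    "malicious-site-access": "restrict_site",           # claims 5/12
    "excess-outgoing-data":  "restrict_outgoing",       # claims 6/13
    "security-violation":    "restrict_second_device",  # claims 7/14
}


def first_stage_candidates(activity):
    """Stand-in for the first model: returns the set of bad actor candidates.
    Implements the three candidate tests of claims 2-4 as plain heuristics."""
    outgoing = defaultdict(int)
    for rec in activity:
        outgoing[rec["user"]] += rec["bytes_out"]
    average = mean(outgoing.values())
    candidates = set()
    for rec in activity:
        if rec["site"] in MALICIOUS_SITES or rec["violation"]:
            candidates.add(rec["user"])
    candidates.update(u for u, total in outgoing.items() if total > average)
    return candidates


def filter_activity(activity, candidates):
    """Claim 1's filtering step: drop records for users outside the candidate set."""
    return [rec for rec in activity if rec["user"] in candidates]


def second_stage_exposure(filtered):
    """Stand-in for the second model: returns system exposure information as
    (user, threat, context) tuples derived only from the filtered records."""
    exposure = []
    for rec in filtered:
        if rec["site"] in MALICIOUS_SITES:
            exposure.append((rec["user"], "malicious-site-access", rec["site"]))
        if rec["bytes_out"] > PER_SESSION_EXFIL_BYTES:
            exposure.append((rec["user"], "excess-outgoing-data", rec["bytes_out"]))
        if rec["violation"]:
            exposure.append((rec["user"], "security-violation", rec["violation"]))
    return exposure


def identify_actions(exposure, rules=NETWORK_SECURITY_RULES):
    """Look each threat up in the rules using the threat name as the search token.
    A threat with no matching rule yields no action instead of an error."""
    return [(user, rules[threat], context)
            for user, threat, context in exposure if threat in rules]


def execute_actions(actions):
    """Apply the actions as device-setting changes; returns the settings per user."""
    settings = defaultdict(lambda: {"blocked_sites": set(),
                                    "outgoing_limit": None,
                                    "blocked_devices": set()})
    for user, action, context in actions:
        if action == "restrict_site":
            settings[user]["blocked_sites"].add(context)
        elif action == "restrict_outgoing":
            settings[user]["outgoing_limit"] = PER_SESSION_EXFIL_BYTES
        elif action == "restrict_second_device":
            # Placeholder device identifier; a real deployment would name the device.
            settings[user]["blocked_devices"].add("second-network-device")
    return dict(settings)


def run_pipeline(activity):
    """Full claim-1 flow: candidates -> filter -> exposure -> rule lookup -> execute."""
    candidates = first_stage_candidates(activity)
    filtered = filter_activity(activity, candidates)
    exposure = second_stage_exposure(filtered)
    return execute_actions(identify_actions(exposure))


if __name__ == "__main__":
    for user, cfg in run_pipeline(USER_ACTIVITY).items():
        print(user, cfg)
```

On the constructed data, stage one nominates bob (blocklisted site), carol (outgoing total above the population average) and dave (a recorded violation); alice and erin are removed by the filter and never reach stage two or the rule lookup, which is the point of the claimed two-stage design: the more expensive exposure analysis only runs on the candidate subset.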
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
Machine learning · CPC title
Learning methods · CPC title
Combinations of networks · CPC title
Rule management · CPC title