Behavioral profiling method and system to authenticate a user
US-9185095-B1 · Nov 10, 2015 · US
US12223046B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12223046-B2 |
| Application number | US-202217964797-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 12, 2022 |
| Priority date | Aug 4, 2014 |
| Publication date | Feb 11, 2025 |
| Grant date | Feb 11, 2025 |
Official abstract text for this publication.
Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
Opening claim text (preview).
What is claimed is:

1. A method for detection of a cyber-threat to a computer system, the method arranged to be performed by one or more processing apparatuses, the method comprising: receiving input data that comprises data associated with a first entity related to activity on the computer system and data associated with a second entity; deriving from the received input data metrics representative of characteristics of the received input data; analyzing the derived metrics using a first self-learning model trained on a normal behavior of at least the first entity; analyzing one or more causal links between data associated with the first entity and data associated with the second entity gathered over one or more days, predicting an expected behavior of at least the first entity of the computing system based on the first self-learning model; determining, in accordance with the analyzed derived metrics and the one or more causal links, a cyber-threat risk parameter indicative of a likelihood of the cyber-threat, wherein determining the cyber-threat risk parameter comprises comparing the analyzed, derived metrics with the predicted expected behavior, comparing whether parameters of the analyzed, derived metrics fall outside the parameters set by a threat parameter benchmark, and considering the one or more causal links that include a comparison between a behavior of the first entity based on analyzed, derived metrics associated with the first entity to a behavior of the second entity based on analyzed, derived metrics associated with the second entity, wherein the first entity is a first user and false positives are mitigated by at least considering unusual behavior by the first user as being normal behavior by the first user when similar unusual behavior is observed as being conducted by a second user, and wherein the first self-learning model trained on the normal behavior of at least the first entity develops a pattern of life for the first entity based on data gathered regarding the first entity over time, where the pattern of life for the first entity is dynamically updated as more information is gathered over time of operation of the first self-learning model monitoring the first entity, where what is considered the normal behavior is used as a moving benchmark, allowing a threat detection system to spot behavior for the first entity that seems to fall outside of the normal behavior for the pattern of life, where the threat detection system flags the behavior for the first entity that seems to fall outside of the normal behavior for the pattern of life as anomalous, requiring further investigation, where the use of the first self-learning model trained on the normal behavior of at least the first entity to develop the pattern of life for the first entity based on data gathered regarding the first entity over time combined with the predicting of the expected behavior of the first entity of the computing system based on the first self-learning model trained on normal behavior produces the detection of the cyber-threat to the computer system, where the first self-learning model trained on the normal behavior of at least the first entity is specifically an unsupervised mathematical model used for detecting behavioural change.
2. The method according to claim 1, further comprising: wherein the modelled behavior in the first model of the first entity includes at least one of detecting a change in a pattern in any of 1) information, 2) activity, or a 3) combination of both information about the first entity and activity of the first entity in order to be able to detect both a change in behavior of the first user a user using the computing system as well as a change in behavior of a device in the computing system, where the first entity is the device in the computing system.
3. The method according to claim 1, wherein the derived metrics are derived from header analysis on an Internet Layer protocol level of the computer system.
4. The method according to claim 1, further comprising: flagging the behavior for the first entity that seems to fall outside of the normal behavior for the pattern of life by projecting the behavior on a three-dimensional (3D) graphical user interface that conveys a connection topology corresponding to the computing system.
5. The method according to claim 1, further comprising: using a second self-learning model trained on a normal behavior of at least the second entity to determine what is normal behavior for at least the second entity, using a third model trained to analyze data for detecting a first type of threat, and using a fourth model trained to analyze data for detecting a second type of threat.
6. The method according to claim 1, wherein the cyber-threat risk parameter is a probability of the likelihood of a threat determined using a recursive Bayesian estimation.
7. The method according to claim 6, further comprising: dynamically assigning recurring time cycles to a normal behavior threshold.
8. A non-transitory computer readable medium comprising computer readable code that is configured to be operable, when executed by one or more processing apparatuses in the computer system, in order to instruct a computing device to perform the method of claim 1.
9. The method according to claim 1, wherein the entity corresponds to the first user being a first user account and the second entity corresponds to a second user account different from the first user account.
10. A threat detection system, comprising: at least one or more ports configured to receive input data that comprises data associated with a first entity related to activity on a computer system and data associated with a second entity; a non-transitory memory configured to store instructions and data for a first self-learning model trained on a normal behavior of a pattern of life for at least the first entity that is dynamically updated as more information is gathered over time of operation of the first self-learning model monitoring the first entity in an executable format to be executed by one or more processors; and wherein the one or more processors are configured to execute the instructions to perform operations including deriving from the received input data metrics representative of characteristics of the received input data, analyzing the derived metrics using the first self-learning model trained on the normal behavior of at least the first entity, analyzing one or more causal links between data associated with the first entity and data associated with the second entity gathered over one or more days, predicting an expected behavior of the first entity of the computing system based on the first self-learning model, and determining, in accordance with the analyzed derived metrics and the analysis of the one or more causal links, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat, wherein determining the cyber-threat risk parameter comprises comparing the analyzed, derived metrics with the predicted expected behavior, comparing whether parameters of the analyzed, derived metrics fall outside the parameters set by a threat parameter benchmark, and considering the one or more causal links that include a comparison between a behavior of the first entity based on analyzed, derived metrics associated with the first entity to a behavior of the second entity based on analyzed, derived metrics associated with the second entity, wherein the first entity is a first user and false positives are mitigated by at least considering unusual behavior by the first user as being normal behavior by the first user when similar unusual behavior observed as being conducted by a second user, wherein the first
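
The claims above describe a pipeline in words: derive per-entity metrics, score them against a self-learned, continually updated pattern of life (a moving benchmark), compare against a threat parameter benchmark, suppress an unusual reading when a peer shows the same unusual behavior on the same day, and fold each day's evidence into a risk probability by recursive Bayesian estimation (claim 6). The following is an added, self-contained toy implementation of that pipeline; it is not the patent's or the assignee's code. Every constant (the z-score benchmark of 3, the warm-up and window lengths, the prior and likelihood ratios), the choice of a sliding-window mean/standard deviation as the "self-learning model", the metric names, and the seven-day telemetry for three users are constructed assumptions for illustration.

```python
import math
from collections import defaultdict, deque

# Tunables; all values are assumptions for this example, not taken from the patent.
Z_BENCHMARK = 3.0      # "threat parameter benchmark": |z| above this is unusual
WARMUP_DAYS = 3        # minimum history before an entity's metrics are scored
WINDOW_DAYS = 7        # sliding window that makes the baseline a moving benchmark
PRIOR = 0.01           # prior probability that an entity is compromised
LR_UNUSUAL = 50.0      # likelihood ratio per unusual metric on a flagged day
LR_NORMAL = 0.5        # likelihood ratio for a day that looks normal


class PatternOfLife:
    """Per-entity baseline: the last WINDOW_DAYS values of each metric.
    Scoring uses the window that existed before today, so what counts as
    normal moves with the entity's own history instead of being a fixed rule."""

    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=WINDOW_DAYS))

    def zscores(self, metrics):
        """Standard score of each of today's metrics against this entity's past."""
        scores = {}
        for name, value in metrics.items():
            past = self.history[name]
            if len(past) < WARMUP_DAYS:
                continue                      # not enough history to judge yet
            mean = sum(past) / len(past)
            sd = math.sqrt(sum((x - mean) ** 2 for x in past) / len(past))
            scores[name] = (value - mean) / max(sd, 1e-9)
        return scores

    def update(self, metrics):
        for name, value in metrics.items():
            self.history[name].append(value)


def bayes_update(p, likelihood_ratio):
    """One step of recursive Bayesian estimation of P(threat) from a day's evidence."""
    return p * likelihood_ratio / (p * likelihood_ratio + (1 - p))


class ThreatDetector:
    def __init__(self, entities):
        self.pol = {e: PatternOfLife() for e in entities}
        self.risk = {e: PRIOR for e in entities}

    def process_day(self, day_metrics):
        """day_metrics: {entity: {metric: value}} for one day. Returns a per-entity report."""
        z = {e: self.pol[e].zscores(m) for e, m in day_metrics.items()}
        unusual = {e: {k for k, v in zs.items() if abs(v) > Z_BENCHMARK}
                   for e, zs in z.items()}
        report = {}
        for entity, metrics in day_metrics.items():
            # Causal link across entities: an unusual metric is treated as normal for
            # this user when a peer shows the same metric unusual, same direction, today.
            suppressed = set()
            for name in unusual[entity]:
                up = z[entity][name] > 0
                if any(name in unusual[peer] and (z[peer][name] > 0) == up
                       for peer in day_metrics if peer != entity):
                    suppressed.add(name)
            remaining = unusual[entity] - suppressed
            flagged = bool(remaining)
            if z[entity]:  # entity is past warm-up: fold today's evidence into its risk
                lr = LR_UNUSUAL ** len(remaining) if flagged else LR_NORMAL
                self.risk[entity] = bayes_update(self.risk[entity], lr)
            if not flagged:
                # Design choice (assumption): flagged days are held out of the baseline
                # until investigated, so a multi-day attack cannot teach the model
                # that it is normal. Suppressed (peer-wide) days are folded in.
                self.pol[entity].update(metrics)
            report[entity] = {"flagged": flagged, "unusual": remaining,
                              "suppressed": suppressed, "risk": self.risk[entity]}
        return report


def run_scenario():
    """Constructed seven-day scenario for three users (sample data, not real telemetry)."""
    users = ["alice", "bob", "carol"]
    bytes_out = {"alice": [40, 50, 45, 55, 48, 500, 450],   # days 6-7: large outbound volume
                 "bob":   [30, 35, 40, 35, 33, 36, 34],
                 "carol": [60, 55, 65, 60, 62, 58, 61]}
    # Day 5: a company-wide rollout touches many hosts for everyone (benign, peer-wide).
    hosts = {"alice": [5, 6, 5, 6, 20, 6, 7],
             "bob":   [4, 5, 4, 5, 20, 5, 4],
             "carol": [8, 7, 8, 7, 20, 8, 7]}
    det = ThreatDetector(users)
    reports = []
    for day in range(7):
        reports.append(det.process_day({u: {"bytes_out_mb": bytes_out[u][day],
                                            "distinct_hosts": hosts[u][day]} for u in users}))
    return reports


if __name__ == "__main__":
    for day, rep in enumerate(run_scenario(), start=1):
        for user, r in rep.items():
            print(f"day {day} {user:6} flagged={r['flagged']!s:5} "
                  f"unusual={sorted(r['unusual'])} suppressed={sorted(r['suppressed'])} "
                  f"risk={r['risk']:.3f}")
```

Running it shows the two behaviours the claims single out: on day 5 every user's `distinct_hosts` jumps far outside their own pattern of life, but because the peers moved together the reading is suppressed and nobody is flagged; on days 6 and 7 only alice's outbound volume is unusual, so she is flagged and her recursive Bayesian risk climbs from below the prior to well above 0.8 while bob's and carol's keeps falling. Holding flagged days out of the baseline is what keeps day 7 detectable; if day 6 were folded in, the 500 MB reading would inflate the window's standard deviation enough that 450 MB on day 7 would score as ordinary.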
CPC classification titles:

- using logs of notifications; Post-processing of notifications
- Traffic logging, e.g. anomaly detection
- involving long-term monitoring or reporting
- Vulnerability analysis
- by monitoring network traffic (monitoring network traffic per se H04L43/00)