
5 Types of Insider Threats and How to Detect Them in Your ERP System

By Michael Cunningham • December 9, 2020

While the majority of data breaches are from insider threats—a startling 57% according to the Verizon Insider Threat Report—many organizations overlook these internal dangers. Whether careless or malicious, employee, partner, or contractor, insider threats are difficult to spot and often go undetected in your ERP system for months or years. 

Insider threats can be particularly dangerous for organizations using legacy ERP systems, such as SAP, PeopleSoft, and Oracle EBS. The primary issue is that most security teams struggle to determine the difference between regular user activity and anomalous activity indicating an insider attack. What makes insider threats especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account. 

5 Types of Insider Threats in Your ERP System

First, a quick refresh: An insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. Not all insiders are disgruntled employees, and their motivations, intent, and access levels vary. Regardless of who they are, an insider who is intentionally or unintentionally violating a business or security policy can inflict plenty of damage. 

Insider threats come in all shapes and sizes and display different behaviors you can leverage for detection and prevention. Here are five categories of insider threats that our ERP customers are most likely to encounter: The Careless Worker, the Arrogant Insider, the Disgruntled Employee, the Malicious Insider, and the Irresponsible Vendor.

The Careless Worker 

These are employees or partners whose actions are inappropriate as opposed to malicious. They will unintentionally break acceptable use policies, mishandle data, install unauthorized applications, etc. The Careless Worker ignores security awareness training and best practices, making them likely to be the one who falls for a phishing scam and has their account compromised by a hacker.

The Arrogant Insider 

Arrogant Insiders are employees who do not act with malicious intent but believe they are exempt from security policies. They will take deliberate and potentially harmful actions, such as using unapproved workarounds or transferring potentially sensitive information to cloud storage accounts for easy access. These actions leave data and resources unsecured and vulnerable to hackers.

The Disgruntled Employee 

The Disgruntled Employee is not happy or feels disrespected in some way and willfully disregards data privacy and security protocols to commit deliberate sabotage or intellectual property theft, for example, using access to leak executive compensation data and cause negative publicity. Disgruntled Employees are especially dangerous and probably the hardest ones to detect because they have elevated levels of privilege.

The Malicious Insider 

The Malicious Insider is an actor with access to corporate assets who uses existing privileges to exfiltrate data or commit other malicious acts with the goal of financial rewards or further personal gains. A Malicious Insider can result from a compromised account caused by a Careless Worker or a Disgruntled Employee who has gone beyond accessing intellectual property and into theft or fraud.

The Irresponsible Contractor 

The Irresponsible Contractor compromises security through negligence, misuse, or malicious access to or use of an asset. They are contract workers and temporary employees who are given access like a full-time employee. Sometimes, depending on how an organization assigns roles, they might have more privileges than the job requires. 

How to Reduce Insider Threats?

Know Your Users. Know Your Data. When an insider uses a legitimate login profile to move about your ERP system, the difficulty of telling regular activity from harmful activity often prevents rapid detection. In fact, a recent report from Ponemon indicates that the average time to detect and contain an insider threat incident is 77 days.

The number one way to detect anomalous activity is by closely monitoring user behavior around data access and usage. Put another way, you’re looking to identify the context of the access and usage: the who, what, where, when, how, and, ultimately, the why.

Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, there is a lack of context around how, when, and by whom transactions and data fields are being accessed. To gain this insight, you need an advanced analytics platform specifically designed to display granular levels of ERP data access & usage, like Appsian360.

Context of User Access and Data Usage with Appsian360 

With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan. With Appsian360, you can: 

  • Identify when a Careless Worker falls victim to a phishing attack by setting up a dashboard that tracks location-based access. If a legitimate user account suddenly starts accessing your ERP system from outside the United States, for example, you can begin an investigation into other activity by that account. 
  • Closely monitor the activity around sensitive reports and queries and ensure that data is not being exfiltrated in bulk by unauthorized users or offboarding employees, such as Arrogant Insiders.  
  • Monitor high-risk data activity for unusual behavior. For example, a Disgruntled Employee with access to compensation data needs that ability to do their job. However, you can track the number of times a user accesses that data during the day or outside of business hours. Instead of asking “if” a person should have access to that data, you can track how often and when that data is accessed.
  • Track a variety of user access data points when it comes to detecting a Malicious Insider. Since this is usually a compromised account, you can set dashboards to track after-hours access, mobile phone access, strange IP address access, and access from a foreign country. These are all signs that a legitimate account has been compromised.
  • Apply a prefix to the username of any outside Irresponsible Contractor or temporary worker to fully track their data access and usage inside your ERP system.  

Close the Visibility Gap to Detect Insider Threats 

The unfortunate reality of ERP applications like PeopleSoft and SAP is that they lack the ability to provide actionable insights into user activity, creating many blind spots for detecting insider threat behavior. Fortunately, organizations using Appsian360 can detect and defend against insider threats by monitoring data access and usage at a granular level that was previously unavailable.  

Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today. 

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Securing Business Data in ERP Applications: A Fast Path Guide to Success

By Scott Lavery • December 8, 2020

With 2020 coming to a close, ensuring business applications are equipped to meet the long-term access demands of 2021 is a critical objective. All around the world, information security and financial risk leaders are being tasked with ensuring the security of business data while remote access (on unknown networks and devices) remains the standard for the foreseeable future. Finding solutions that can quickly and easily secure this data – without requiring an exorbitant amount of time and resources – is mission critical.

Data security is proving most challenging for organizations that utilize ERP applications like PeopleSoft, Oracle E-Business Suite, and SAP (ECC/S4HANA). ERP applications like these were designed with ease-of-access to data as the primary objective. They have the biggest hill to climb when it comes to security, privacy, governance, and compliance.

Fortunately, this challenge is why Appsian (and the Appsian Security Platform) exists! We are here so organizations can fully utilize their investment in legacy ERP technology while scaling to meet present and future data security demands. After all, external and internal threats to business data will always continue to evolve.

Right now, thousands of organizations around the world are currently faced with the same challenges and are likely scoping solutions that solve one or two of these challenges. Here is the comprehensive approach that can serve as the playbook for securing legacy ERP data:

Identify Risks From User Access

The most significant risks to data typically originate from:

  • Compromised credentials (for example, stolen from phishing attacks)
  • Unknown networks and devices
  • Capture and visualize data access

These risks can be an acceptable part of an organization’s relationship with its ERP applications, but they don’t have to be. They should be addressed the way any security threat should – and it doesn’t have to result in overly-restricting access and potentially hindering authorized work. Restricting access to sensitive data can be the instinct when these risks are identified because risk mitigation can feel insurmountable. The truth is, mitigating controls can be implemented that fully align data security objectives with the access requirements of the business.

Apply Dynamic Authorization Policies

Dynamic authorization is the foundation of the principle of least privilege (PoLP), which says users should only have access to what they require. Given the access risks outlined above, it should be noted what someone “needs” (or should have) access to likely changes with each new context of access. For example, does high-privilege access require 100% of those capabilities from an unknown network and/or unmanaged device? How about during off-work hours? Many would say “no.” Applying access policies dynamically gives you this control. This strategy alone makes an enormous impact on an organization’s ability to control access to sensitive data and enable data security, privacy, and governance.

Integrate Authentication Solutions

It goes without saying that single sign-on and multi-factor authentication have become table stakes IAM solutions. Whether you have employed these for many years or only since the beginning of the COVID-19 crisis, it is clear that their value goes way beyond the convenience of not having to remember passwords. With these solutions in place, the job of securing data is not necessarily over. In fact, taking authentication a step further to align with zero-trust (aka. never trust, always verify) requires native integration of SSO and MFA solutions for four very important reasons:

  • ERP authentication should always align with your enterprise identity and access management strategies
  • Users falsely authenticate out of habit
  • Stepped-up authentication should be required for particularly sensitive activity
  • Using custom code (vs. native integration/configuration) for authentication is NOT a best practice

Capture and Visualize User Behavior

If I told you that most organizations have almost no idea who is accessing sensitive data (at any given time), how and why – would you be surprised? This may be a dirty little secret, but the truth is legacy ERP logging has simply not kept up to meet the demands of security and compliance requirements that must understand data access and usage by users.

What most ERP administrators will tell you is that, in order to respond to an audit or investigate an incident, they must pull multiple logs and manually triangulate them. Only then does a foggy picture of what may have happened come into view. The problem is, a foggy picture of anything related to a forensic investigation or helping align with information security policies is simply not good enough.

Further investment is needed to enhance the granularity of native ERP logging, along with analytics and visualization tools in order to add context to the data, aggregate it and then visualize it so the insights can be actionable. Only then is the logging data that you are already getting out of your ERP truly useful for security and compliance purposes.

Partner with Appsian Security

For over 10 years, Appsian Security has watched organizations struggle with many of the same ERP security and compliance issues. These mostly originate from the fact that their applications were not natively designed to do what they need them to do – i.e., secure data. This end result is the natural progression of security and compliance threats evolving while native ERP security features stay the same.

ERP applications are built with static, role-based controls and logging/alerts designed for system troubleshooting. The idea that many of these legacy applications would be exposed to the internet with only a username, password and maybe a VPN standing between malicious actors and your business data is the definition of risky. Some organizations have accepted that risk – but they don’t have to.

Appsian has built the world-leading security platform designed to provide holistic, end-to-end data security (along with application security), giving legacy ERP customers complete control and visibility over their ERP data.

We know that every organization is unique, which is why we want you to put our security platform to the test! Request a demonstration today, and let us show you how Appsian can tailor a solution to your organization’s unique requirements.

Why the California Privacy Rights Act (CPRA) Presents Challenges for Legacy ERP Customers

By Michael Cunningham • November 20, 2020

While nearly everyone was focusing on the results of the 2020 Presidential race, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) (full text here). You might be wondering if this is a new privacy law that will replace the 2018 California Consumer Privacy Act (CCPA), which went into effect earlier this year. The CPRA provides additional context to the CCPA and attempts to close some of the loopholes and ambiguity found in the original. The CPRA gives additional rights to consumers and places additional obligations on businesses. 

While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022. Like the run-up to the launch of CCPA, companies will have time to prepare for the new requirements. 

A Quick Summary of the California Privacy Rights Act 

In scope, the CPRA retains the same basic structure as the CCPA. It includes establishing a dedicated enforcement agency for consumers, tripling fines against companies that violate kids’ data privacy, and making it harder to weaken privacy laws in the future. 

A couple of the more notable additions in the CPRA are that the law expands the right to opt-out of sharing of information and establishes new rights to limit how businesses use “sensitive personal information,” a new term defined broadly to include, among other things: information about health conditions, genetic data, race and ethnicity, sexual orientation, precise geolocation, and more.

ERP applications already store an abundance of personally identifiable information, such as Social Security numbers, driver’s licenses, or passport numbers. This new data classification adds to the effort of identifying and classifying information necessary to remain in compliance.

The CPRA Signals Organizations Must Get Serious About Enhancing Data Access and Usage Visibility – Especially for Legacy ERP Applications  

The CCPA and CPRA require organizations to implement appropriate security measures around personal data privacy and satisfy consumer requests to opt-out of “sharing” and “selling” of their information. That means businesses must know what personal data they collect and how that data is accessed and used. However, companies using PeopleSoft, SAP ECC, S/4HANA, and Oracle E-Business Suite are likely facing significant compliance challenges due to inherent limitations that plague legacy ERP systems. Traditional ERP application logs do not produce the required level of granularity into how data is accessed.  

How Appsian360 Enables CCPA/CPRA Compliance 

Successful organizations will invest in technologies that monitor user behavior around data access and usage. This is where Appsian360 becomes an essential tool for compliance, as it expands native ERP logging capabilities to capture contextual details like what data was accessed, where it was accessed from, user IDs, IP addresses, pages accessed, actions performed, and more – information that is paramount for compliance reporting. 

More Data Privacy Acts Likely on the Horizon 

With the CPRA, Californians will likely have the most robust online privacy rights in the world. And it probably won’t be the last. The original passage of the CCPA incentivized other states to draft their own privacy bills. There’s been activity at the federal level as well. So, while the pandemic rightfully slowed down state and federal activity, there’s a good chance we’ll see additional privacy bills in 2021.

There’s no better time than the present to press forward with your compliance efforts, whether it’s for CCPA, GDPR, or now CPRA. Contact us to learn how Appsian can fast track your CCPA and CPRA compliance efforts by enhancing your visibility into data access and usage.

How to Detect Insider Threats in Your ERP System

By Michael Cunningham • November 16, 2020

Insider Threats Are Becoming More Frequent and More Costly to Organizations. Especially Those Using Legacy ERP Systems. Here’s How You Can Proactively Prevent the Risk of Insiders Compromising Data 

While data breaches caused by hacking/phishing/ransomware tend to grab the most headlines, most data security incidents are from trusted insiders with access to sensitive data and systems, making insider threats one of the most common, yet elusive, risks to manage.

When you hear the term “insider threats,” most people reflexively think about a greedy or disgruntled employee abusing their access for revenge or financial gain. But there’s more to the definition than the angry employee out for revenge. An insider can be a current or former employee, contractor, or business partner with legitimate access to the organization’s network, systems, or data. The insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. So assuming all insider threats are disgruntled employees is false – an insider who is unintentionally violating a business policy can inflict plenty of damage.

Why Are Insider Threats So Dangerous to Organizations Using Legacy ERP Systems? 

The number one issue for security teams when it comes to detecting an insider threat is the user in question has authorized access to the ERP system. It’s the malicious intent or individual violation amongst the rest of the legitimate access that makes it difficult to tell the difference between a user’s regular activity and possible malicious activity. What makes them especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.  

Insider threats are among the most common causes of data breaches worldwide, and they can often be among the costliest. According to the 2020 Insider Threat Report (Cybersecurity Insiders), 68% of organizations observed that insider attacks have become more frequent over the last 12 months. Moreover, 70% have experienced one or more insider attacks during that same period. Ponemon calculates that the average cost per insider incident is $11.45 million in 2020, increasing by 31% from 2018.  

The increase in attack frequency shouldn’t surprise anyone thanks to the COVID-induced necessity for remote access to ERP systems and data. While security teams were likely focusing their cybersecurity efforts and budgets on securing the perimeter, cybercriminals found new ways to target user accounts with phishing and social-engineering attacks. 

The good news is that organizations using ERP systems can detect and defend against insider threats with a combination of data-centric security measures and monitoring data access and usage.  

Detecting Insider Threats by Monitoring ERP Data Access and Usage 

Detecting an insider threat as quickly as possible is essential to limiting the amount of damage, financial or otherwise, this insider can cause. However, how can you tell the difference between regular activity and harmful activity? With an insider using a legitimate login profile, there aren’t obvious warning signs when malicious behavior takes place.  

Monitoring user behavior around data access and usage can highlight internal access misuse and credential theft. And continuously monitoring for outlier and anomalous behavior patterns provides visibility into how high-privilege users interact with sensitive data. This monitoring helps security teams identify a possible malicious insider or if an external attacker has compromised an employee’s credentials. For example: 

  1. Monitoring user activity during remote access down to the transaction level 
  2. Monitoring data access and usage by users with high privileges 
  3. Monitoring query attempts to download information onto unauthorized devices 
  4. Monitoring exactly who is accessing highly sensitive data fields 
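The monitoring points above, together with the location, after-hours, access-count and contractor-prefix checks listed in the earlier post on this page, can be written as rules over access events. This is an added example, not code from Appsian or any ERP vendor; the event fields, thresholds, the `EXT_` prefix and all sample data are constructed assumptions.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Hypothetical event shape; not the log schema of any specific ERP or product.
Event = namedtuple("Event", "ts user country ip component action rows")

SENSITIVE = {"COMPENSATION", "BANK_ACCOUNTS"}   # assumed high-risk components
OPEN_HOUR, CLOSE_HOUR = 8, 18                    # assumed business hours, Mon-Fri
DAILY_SENSITIVE_LIMIT = 3                        # assumed per-user daily threshold
BULK_ROWS = 1000                                 # assumed bulk-export threshold
CONTRACTOR_PREFIX = "EXT_"                       # assumed username prefix

# Constructed baseline: countries each account normally connects from.
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}, "EXT_kwong": {"US"}}

# Constructed sample events (private and documentation-range IP addresses).
EVENTS = [
    Event("2020-12-07T10:15:00", "jdoe", "US", "10.0.4.21", "COMPENSATION", "view", 1),
    Event("2020-12-07T10:40:00", "jdoe", "US", "10.0.4.21", "COMPENSATION", "view", 1),
    Event("2020-12-07T11:05:00", "jdoe", "US", "10.0.4.21", "COMPENSATION", "view", 1),
    Event("2020-12-07T11:30:00", "jdoe", "US", "10.0.4.21", "COMPENSATION", "view", 1),
    Event("2020-12-07T23:12:00", "asmith", "US", "10.0.7.9", "BANK_ACCOUNTS", "view", 1),
    Event("2020-12-08T03:41:00", "asmith", "DE", "203.0.113.7", "VENDOR_MASTER", "view", 1),
    Event("2020-12-08T09:00:00", "EXT_kwong", "US", "10.0.9.50", "PURCHASE_ORDERS", "view", 12),
    Event("2020-12-08T14:20:00", "EXT_kwong", "US", "10.0.9.50", "COMPENSATION", "export", 5200),
]


def after_hours(ts):
    """True on weekends or outside OPEN_HOUR..CLOSE_HOUR on weekdays."""
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)


def detect(events, baseline):
    """Return (user, rule, timestamp) findings in chronological order."""
    findings = []
    sensitive_per_day = Counter()
    for e in sorted(events, key=lambda ev: ev.ts):
        ts = datetime.fromisoformat(e.ts)
        # Location: a country the account has never used before.
        # Accounts with no baseline at all are flagged on first sight.
        if e.country not in baseline.get(e.user, set()):
            findings.append((e.user, "new_country", e.ts))
        if e.component in SENSITIVE:
            # When: sensitive data touched outside business hours.
            if after_hours(ts):
                findings.append((e.user, "after_hours_sensitive", e.ts))
            # How often: alert once, when the daily limit is first exceeded.
            key = (e.user, ts.date())
            sensitive_per_day[key] += 1
            if sensitive_per_day[key] == DAILY_SENSITIVE_LIMIT + 1:
                findings.append((e.user, "excessive_sensitive_access", e.ts))
        # How much: large result sets leaving the system in one action.
        if e.action == "export" and e.rows >= BULK_ROWS:
            findings.append((e.user, "bulk_export", e.ts))
    return findings


def contractor_report(events):
    """Summarise everything done by accounts carrying the contractor prefix."""
    report = defaultdict(lambda: {"events": 0, "rows": 0, "components": set()})
    for e in events:
        if e.user.startswith(CONTRACTOR_PREFIX):
            entry = report[e.user]
            entry["events"] += 1
            entry["rows"] += e.rows
            entry["components"].add(e.component)
    return {u: {**r, "components": sorted(r["components"])} for u, r in report.items()}


if __name__ == "__main__":
    for finding in detect(EVENTS, BASELINE):
        print(finding)
    print(contractor_report(EVENTS))
```

Each finding is a starting point for investigation rather than proof of misuse; the thresholds need tuning against the organization's own normal activity.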

Without advanced analytics and data monitoring, keeping track of every user’s activities after they’ve logged in to the system is a lot of work. In some cases, raw logs from your ERP system need to be manually checked, and each event studied—often after an insider threat has already occurred. No wonder the average time to identify and contain an insider threat incident is 77 days (Ponemon).  

When security teams monitor data access and usage, they can be proactively alerted to potential insider threats by identifying anomalous activity with actionable insights into what was accessed and by whom. Now organizations can quickly respond with a full forensic investigation and a rapid and thorough response. 

Preventing Insider Attacks with Dynamic, Data-Centric Security 

Although security professionals recognize the value of continuously monitoring data access and usage to detect insider threats, companies should also adopt a layered, data-centric security model to improve the likelihood of preventing an insider threat from attacking. 

Enhance Access Controls with Dynamic Authorization Policies

Organizations should start by incorporating dynamic authorization strategies that use contextually aware access controls. Dynamic authorization gives organizations a way to leverage the contextual attributes of access such as geolocation, time of day, and IP address to better control the resources users access, how they access it, and from where they access it. For example, you can prevent an insider threat who has legitimate credentials from accessing sensitive data because they accessed the ERP system from a foreign IP address and outside of established business hours.

Expand the Use of Data Masking

You’re likely already masking the obvious data fields with personal information, like social security numbers, bank account information, national ID number, passport number, driver’s license number, etc. However, now that insider threats are increasing, organizations should expand the use of data masking to all fields that could be considered personally identifiable, giving you greater control over who can see what data and when. And deploying data masking based on dynamic authorization policies, like location, device, and time of day, allows more secure, and more flexible, access to data.

Enable Stepped-Up Multi-Factor User Authentication

Using stepped-up multi-factor authentication is an important tool for preventing insiders from doing stuff they shouldn’t. When it comes to performing transactions with sensitive information, adding multi-factor at the transaction level as well as the perimeter ensures that users are not only authorized to access and view the data but also to perform the actual transaction.
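The three layers above (context-aware authorization, context-driven masking, and transaction-level step-up) can be combined in a single decision function. This is an added example, not Appsian's implementation or any ERP's API; the networks, hours, field names and the `update_direct_deposit` transaction are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# All names, networks and thresholds below are illustrative assumptions.
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
HOME_COUNTRIES = {"US"}
OPEN_HOUR, CLOSE_HOUR = 8, 18                     # business hours, Mon-Fri
PII_FIELDS = {"ssn", "bank_account"}              # fields masked in untrusted context
STEP_UP_TRANSACTIONS = {"update_direct_deposit"}  # require MFA per transaction


@dataclass(frozen=True)
class Context:
    source_ip: str
    country: str
    managed_device: bool
    when: datetime
    mfa_verified: bool = False  # step-up completed for this transaction


@dataclass(frozen=True)
class Decision:
    effect: str                     # "allow", "step_up" or "deny"
    masked: frozenset = frozenset()  # fields to mask when effect is "allow"


def off_hours(when):
    return when.weekday() >= 5 or not (OPEN_HOUR <= when.hour < CLOSE_HOUR)


def decide(ctx, transaction):
    """Evaluate the access context for one transaction, most restrictive rule first."""
    foreign = ctx.country not in HOME_COUNTRIES
    late = off_hours(ctx.when)
    on_corp = any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETS)

    # Valid credentials are not enough: foreign location plus off-hours is refused.
    if foreign and late:
        return Decision("deny")
    # Sensitive transactions need a fresh second factor, wherever the user is.
    if transaction in STEP_UP_TRANSACTIONS and not ctx.mfa_verified:
        return Decision("step_up")
    # Full data only in a fully trusted context; otherwise allow with PII masked.
    trusted = on_corp and ctx.managed_device and not foreign and not late
    return Decision("allow", frozenset() if trusted else frozenset(PII_FIELDS))


def mask(value, keep=4):
    """Keep the last `keep` characters; values too short to truncate are fully masked."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def render(record, decision):
    """Return the view of `record` the user may see under `decision`."""
    if decision.effect != "allow":
        return {}
    return {k: mask(v) if k in decision.masked else v for k, v in record.items()}


# Constructed sample record.
RECORD = {"name": "Pat Lee", "ssn": "123-45-6789", "bank_account": "000123456789"}

if __name__ == "__main__":
    office = Context("10.1.2.3", "US", True, datetime(2020, 11, 16, 10, 0))
    home = Context("198.51.100.23", "US", False, datetime(2020, 11, 16, 10, 0))
    for ctx in (office, home):
        print(render(RECORD, decide(ctx, "view_employee")))
```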

Take A Proactive Approach to Detecting and Preventing Insider Threats 

When it comes to insider threats, most security teams live in a murky gray middle zone struggling to determine the difference between regular user activity and anomalous activity indicating an insider attack. Organizations can help their IT security teams take a clear, proactive approach to detecting and preventing insider threats and attacks by applying a data-centric security approach combined with continuous monitoring of data access and usage. 

Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today. 

Using Advanced Analytics to Improve ERP System Performance

By Michael Cunningham • November 6, 2020

Improve ERP System Performance with Real-Time Data Access & Usage Visibility  

Your ERP system is a complex ecosystem with multiple deployments, serving hundreds to thousands of users, all of which are processing batch jobs, completing transactions, and performing daily functions that are the lifeblood for operations. Sitting at the center of this ecosystem are your system administrators, who oversee monitoring and maintaining the ERP system’s overall health and performance.

Factors Driving up Administration Complexity 

In many ERP deployments, integrations with application and web servers, along with other external systems, are common. Further increasing complexity is that each has its own set of monitoring tools to determine the quality of service they are delivering. This fragmented approach can make it challenging to identify and resolve ERP system performance issues. Now there’s a tool that allows you to focus exclusively on the health of your ERP system: Appsian360.

How Appsian360 Reduces Complexity 

Appsian360 focuses squarely on ERP-specific performance metrics that allow you to quickly isolate and identify performance issues: 

  • Average Page Load Time 
  • Top 10 Components Accessed 
  • Average Page Load Time by Application 
  • Pages Accessed by Device Type 
  • Page Access Count and Average Page Load Time 
  • Top 10 Underperforming Pages 

Appsian360 also captures real-time data access and usage information that provides a clear narrative around how user traffic is affecting system performance. It can also be used to combat security threats or uncover fraud.

Organization-Wide ERP System Performance at a Glance 

Now you have information at your fingertips that allows you to become proactive about system degradation, rather than reactive and relying on users to report the issues to you. Fixing slowness issues ahead of time might also prevent more serious problems like data corruption, which leads to time lost across the whole enterprise.

You can also focus on application performance across office locations and by hardware. For example: 

  • Average Page Load Time by Country 
  • Average Page Load Time by Location (office locations)
  • Average Page Load Time by IP [Address] 
  • Average Page Load Time by Web Server 
  • Average Page Load Time by App Server 

If your offices are spread across the globe, for example, in America, India, and New Zealand, you can examine the Average Page Load Time by Country. Just by looking at a map, you can see that maybe one of the offices in India is running slow while the other is performing within normal speeds. You can contact the appropriate IT team in that office to investigate. 

Resolving Individual Issues Within Minutes 

Raise your hand if a user has ever contacted you with, “Oh, the system is really slow today.” It’s a common yet frustrating reality for sys admins because it lacks context. Is the performance slow just for that one person or for everybody? Is the performance issue for a single component or an entire application?  

Without Appsian360, your team has few resources to resolve this issue. For example, the resources available to you might include: 

  • The user description of the problem 
  • You can try to replicate what the user was accessing or viewing 
  • You might need to even visit the user’s office location and check the device 
  • Maybe it’s related to a time of day, etc.  
  • Based on this information, you can try to replicate the issue.  
  • Finally, you might have access to database monitoring tools to give you an idea of how individual queries are performing. However, this is a piecemeal approach and lacks insight into the actual ERP system performance as a whole. 

Resolving these system performance issues manually could take hours or days. With Appsian360, you can drill into a particular IP address and get details on a user’s individual access in the system, and you can drill down into the context you need to create actionable insights. For example, you can view the user’s Average Page Load Time by Application. Now you can holistically look at those transaction sets together to see how they’re affecting your system and the users working within the system.

Drilling down a bit further, you can look at the Top 10 Underperforming Pages. Now you’re getting more granular with your detective work to see if a specific page is performing slowly. In a matter of minutes and just a few clicks, a system admin can diagnose a system performance issue and put into place an action plan to resolve the issue.  

The Proactive Approach to ERP System Performance  

The regular duties of an ERP system administrator include making sure that the system is performing to its maximum ability and resolving any issues and problems the users might have. They’re also trying to resolve system performance issues before people complain there is a problem. Because when the ERP system performance deteriorates, productivity suffers, employee morale declines, and the company’s bottom line is negatively impacted. 

Contact us today to learn how Appsian360 can transform your IT team into proactive ERP application administrators and keep your ERP system running at peak performance levels.  

How IT Can Use ERP Data to Become a Hero to their Business Stakeholders

By Michael Cunningham • November 4, 2020

When business stakeholders come to you looking for answers, having visibility and context around ERP data access and usage gives you the actionable insight necessary to provide value.

As a leader of Enterprise Applications, customizing legacy ERP applications like PeopleSoft, SAP ECC, Oracle EBS, etc., to meet your business’ exact process specifications can leave you between a rock and a hard place. The more customized your ERP applications get, the more your business stakeholders love it, but the complexity around application support and maintenance also increases. That being said, accepting more complexity is just part of the job, because after all, your most important role (in the eyes of others) is providing timely and accurate resolution to inquiries or incidents from your business stakeholders.

You know the drill: members from various business units come to you requesting help for a particular incident or an anomaly they spotted. It’s up to your team to provide a resolution in a timely manner. And that’s where the trouble begins. Many incidents require hours, weeks, and even months to research and resolve. It’s hard to provide excellent customer service to the lines of business when your team is facing major obstacles to resolving incidents in a timely manner.  

What if I told you there’s a way to enable your team to spend less time researching an issue (or no time at all) and produce faster results while providing better value for the various business leaders and their teams? 

Three Major Obstacles to Timely ERP Incident Resolution 

You’re the last person who wants to hear or say, “well, that’s just [insert ERP app name here].” But that’s one way you can sum up the limitations and obstacles your team will immediately encounter.  

Here’s a simplified view of that process from the perspective of PeopleSoft. Somebody from a line of business will contact a member of your Sys Admin team and say, “Hey, this user’s account was updated (i.e., maybe they didn’t get their paycheck), or there was some sort of anomaly in the execution of a typical business transaction (i.e., vendor didn’t get paid, etc.). We don’t know what it is, and the functional user(s) say it wasn’t them. We’re not sure what happened. Can you guys look into this? That would be great.”  

This incident kicks off your process flow to find a resolution. Then come the obstacles: 

Obstacle 1: Legacy ERP Logs Can’t Tell You About Data Access

Experience says that most people who use an ERP application like PeopleSoft don’t know who’s doing what (specifically), who’s accessing what information, or most importantly – why. You probably first need to work out if this is something that the user did themselves or a hacker was able to gain access to the system – and also work out if this is an inside job or an external attack.

And while the logs can point you in the right direction, the legacy ERP logs are not designed to provide detailed information on who accessed what or even, in most cases, viewed something sensitive. This leads to major obstacle number two…

Obstacle 2: ERP Logs are Disparate and Not Correlated

ERP logs were designed for troubleshooting, not granular activity logging, which contributes to organizations and business units not knowing what their employees are doing inside the applications. When it’s time to go under the application hood and examine the native logs, another metaphor comes to mind: looking for a needle in the haystack. Here’s an example of all the native logs you might find in your instance of PeopleSoft: 

  1. App Server 
  2. PIA (Web Server) 
  3. Database 
  4. Process Scheduler 
  5. Load Balancer 
  6. Identity Provider (SAML, LDAP, ADFS) 
  7. Host O/S Logs 
  8. Firewall 

Your organization likely has more than one of these servers where these logs reside. You might have four application servers, eight web servers, and so on. Now you’re looking at finding a needle in multiple haystacks. And that data is not correlated, so there is little relative context that can enable your investigation. 

Here’s a nerdy example using the App Server and Web Server logs. On the Web Server, you cannot identify the person who logged in because you don’t know the OPRID. All you have are an IP address and a timestamp. You need to go to the App Server and review the OPRID, timestamp, and IP address on login or log out and attempt to correlate that information with similar information on the Web Server.  
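The correlation described above can be sketched as follows. This is an added example, not code from the original article or from any Appsian product; the log layouts, paths, OPRIDs and IP addresses are constructed, and the session cap and clock-skew tolerance are assumptions. It also reports source IPs that logged in as more than one OPRID, which goes one step beyond the paragraph.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The line layouts are simplified assumptions,
# not the native PeopleSoft log formats.
WEB_LOG = """\
2020-11-02T08:14:09 10.1.4.22 GET /payroll/direct-deposit
2020-11-02T23:41:37 203.0.113.50 GET /payroll/direct-deposit
2020-11-02T23:58:02 203.0.113.50 GET /personal-data
2020-11-03T02:10:45 198.51.100.7 GET /personal-data
"""
APP_LOG = """\
2020-11-02T08:13:55 LOGIN OPRID=JIM IP=10.1.4.22
2020-11-02T08:45:00 LOGOUT OPRID=JIM IP=10.1.4.22
2020-11-02T23:40:58 LOGIN OPRID=JIM IP=203.0.113.50
2020-11-02T23:50:00 LOGOUT OPRID=JIM IP=203.0.113.50
2020-11-02T23:55:10 LOGIN OPRID=ANA IP=203.0.113.50
"""

MAX_SESSION = timedelta(hours=8)   # assumed cap when no LOGOUT is logged
CLOCK_SKEW = timedelta(seconds=5)  # assumed tolerance between the two servers


def build_sessions(app_text):
    """Pair LOGIN/LOGOUT events into sessions, grouped by source IP."""
    by_ip = defaultdict(list)
    still_open = {}
    for line in app_text.splitlines():
        if not line.strip():
            continue
        stamp, event, oprid_kv, ip_kv = line.split()
        ts = datetime.fromisoformat(stamp)
        oprid = oprid_kv.split("=", 1)[1]
        ip = ip_kv.split("=", 1)[1]
        if event == "LOGIN":
            session = {"oprid": oprid, "start": ts, "end": ts + MAX_SESSION}
            by_ip[ip].append(session)
            still_open[(oprid, ip)] = session
        elif event == "LOGOUT" and (oprid, ip) in still_open:
            still_open.pop((oprid, ip))["end"] = ts
    return by_ip


def correlate(web_text, app_text):
    """Return (timestamp, ip, path, candidate OPRIDs) per web request.

    More than one candidate means the IP alone cannot identify the user
    (for example several users behind one proxy); none means no login
    from that IP was recorded around the request.
    """
    sessions = build_sessions(app_text)
    rows = []
    for line in web_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, _method, path = line.split()
        ts = datetime.fromisoformat(stamp)
        candidates = sorted({
            s["oprid"] for s in sessions.get(ip, [])
            if s["start"] - CLOCK_SKEW <= ts <= s["end"] + CLOCK_SKEW
        })
        rows.append((ts, ip, path, candidates))
    return rows


def ips_with_multiple_oprids(app_text):
    """Source IPs that logged in as more than one OPRID."""
    shared = {}
    for ip, sessions in build_sessions(app_text).items():
        oprids = sorted({s["oprid"] for s in sessions})
        if len(oprids) > 1:
            shared[ip] = oprids
    return shared


if __name__ == "__main__":
    for ts, ip, path, who in correlate(WEB_LOG, APP_LOG):
        print(ts.isoformat(), ip, path, who or "UNATTRIBUTED")
    print(ips_with_multiple_oprids(APP_LOG))
```

Requests that come back with no candidate OPRID, or with several, are the ones that still need another data source before anyone can be named.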

Obstacle 3: Log Data is Not Enriched with Any Context That Makes It Actionable 

Once your team has collected data from the logs and assembled material from other sources, the final step is to interpret everything and make a best guess so an action item can be established. How actionable is having a collection of raw data such as IP addresses, user IDs, location of devices, completed transaction, etc., if you’re not able to place that data into a human context?  

Let’s take the example of “Jim” and the incident involving him not receiving a paycheck. The raw ERP data shows that Jim’s credentials accessed pages containing personal information and bank account information several times over a period of time. Jim, the human, denies that he made any changes to the data on those pages, so the paycheck should have been routed to his usual bank account. Maybe you change Jim’s username and password and cut him another check. Was Jim trying to defraud the company and get an extra check, or was Jim’s account compromised in some way? Could a hacker have accessed Jim’s payroll data, changed the account number, received the funds, then changed the number back – getting away without a trace? Absolutely! It happens every day. If you cut Jim a new check, you fix Jim’s immediate problem, but do you understand what’s happening in your system?  

Why Appsian360 Immediately Makes You a Hero to Your Organization 

You’ve been waiting in suspense to know when IT becomes the hero – well, here it is. When the business comes to you looking for answers related to a specific incident, Appsian360 provides the quick, actionable insight necessary to provide the company with the understanding of what happened with their ERP data.  

How? Appsian360 logs granular user access to data, correlates existing ERP logs, enriches the data with contextual attributes (who, when, where, what device, etc.), and visualizes the ERP data’s access and usage on dashboards. Now your team can easily look at data access by IP addresses, user IDs, location of devices, pages accessed, etc., and very quickly understand the facts behind an incident. 

Let’s go back to Jim’s situation. With just a handful of clicks in Appsian360, you confirm that “Jim’s credentials” did indeed access and edit his personal information. Additionally, you discover that “Jim” was logging in after-hours using a foreign IP address based in another country. With a few more clicks, it’s clear that the IP address is responsible for other compromised user accounts. You didn’t just discover Jim’s breach, you now have a clear picture and a direction to fix the actual security issue – one that was growing in urgency by the day!

Without context, you lack insight. Context around data access and usage creates actionable insights. Actionable insights support the company and provide value to key stakeholders.  

Understanding user activity and data usage are precisely what the business needs – and without Appsian360, ERP logs lack insight. You can buck that trend with Appsian360.

Contact us to learn how Appsian360 can provide you with the most powerful, real-time view into ERP data access & usage. 


Are Advanced Persistent Threats (APT) Haunting Your ERP Applications?

By Michael Cunningham • October 29, 2020

Halloween 2020 (the day, not another movie) is right around the corner. Usually, I’m thinking about spirits and haunted houses and candy. Now that I’m working for a company that helps organizations defend their ERP data, my mind wanders to a more sinister “spirit” that might be haunting the halls of your legacy ERP system: the advanced persistent threat (APT). These technological poltergeists work hard to remain undetected as they quietly take possession of the very soul of your company: your data. Let’s look at how you can find out if you have one and what you can do about it.  

What Is An Advanced Persistent Threat?  

TechTarget defines an advanced persistent threat (APT) as a “prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time.” APT attacks are typically aimed at organizations in sectors such as national defense, manufacturing, and the financial industry due to their high-value information.   

While your company may not be the type of organization to draw the attention of well-organized and well-funded hacker groups or rogue nation-states, you must remember that the attacker’s primary focus is to steal data rather than cause damage to the network. That means an APT can be a malicious outsider or an insider. And the last thing they want is for you to detect their presence and cast them out.   

Signs that You May Be Haunted by An Advanced Persistent Threat  

Haunted house movies typically start the same way: the residents of the house begin to notice slight anomalies that indicate something out of the norm is happening. Let’s take a look at some spooky behavior that can indicate the presence of a figurative ghost in the ERP system.   

Payroll Theft is Most Commonly a Result of an APT 

Perhaps your payroll department notices irregularities: different direct deposits getting wired to the same account, employees who opted for paper paychecks instead of direct deposit report they are no longer receiving their mail. Or, perhaps during a routine security audit, you notice the sudden creation of high-privileged user accounts, yet there are no entries in the logs that show who requested or approved them. Finally, you might wonder why, and how, Fred from procurement is logging into the HRIS and frequently accessing executive payroll information. Is it actually Fred or Fred’s login credentials? 

The Context of Access Can be a Sign of an APT 

There are other signs of paranormal activity in your ERP system, such as after-hours activity by normal accounts, excessive login failures, and suspicious access from overseas locations and unknown IP addresses. Regardless of the signs, your next step is to begin an investigation. The advanced persistent threat is counting on your inactivity to stay hidden.   

Using Layered Security to ‘Ghost Proof’ Your ERP 

When abnormal behavior reveals itself, companies using legacy ERP systems are often left in the dark. These systems lack the granular visibility into data access and usage essential to locating and removing malicious spirits.   

Appsian empowers companies to adopt a layered security approach that features dynamic controls for authentication & authorization, along with real-time monitoring that provides transparency over what data is accessed and by whom. Appsian adds these extra layers of security WITHIN your ERP system to help ensure that data is still protected even if it is being haunted by an APT (ex. valid login credential stolen by a phishing attack.)   

Who You Gonna Call?  

Every organization, regardless of size or industry, is susceptible to advanced persistent threats, in addition to all the other cybersecurity threats that go bump in the night. Prevention and early detection are your best defenses against these ghosts and spooks accessing and stealing your company’s data. 

Contact us today to learn how Appsian can help you establish a multi-layered security solution and increase your visibility into data access and usage.


Data Breaches Are Going Up, While Cybersecurity Training is… Going Down?

By Scott Lavery • October 27, 2020

According to a recent Shred-It survey, both senior leaders and employees indicated data breaches doubling in frequency in the last few years. Consequently, these same groups also reported modest but still peculiar decreases in cybersecurity training commonly used to identify tactics like phishing, ransomware, or other malicious software. Senior leaders saw a 6% drop, and employees saw a 7% drop from 2019-2020. While not eye-popping numbers by themselves, it begs the question – if data breaches are going up, why is cybersecurity training going down?

You could argue that a top theme of 2020 would be the dramatic rise in data breaches, so it’s worth wondering if a downward trend in training is likely to continue, or will it reverse course in 2021?

Cybersecurity Training for Employees May No Longer Be Relevant?

This is a controversial and over-simplified statement, but the downward trends point to this attitude within organizations. If cyberattacks are evolving in sophistication each day, then how can organizations keep up? At what point do you accept the fact that attacks are likely to be successful, and you need to invest your resources in risk management and mitigation? The truth is, information security professionals are constantly playing behind the 8-ball when it comes to combatting employee-targeted cybercrime. Spoofed landing pages and emails that mimic corporate branding can be created in a matter of minutes – while LinkedIn, along with countless databases, have made it simple to discover and exploit org charts. If cybercriminals are always one step ahead, is cybersecurity training constantly obsolete?

Is Employee-Targeted Cybercrime Becoming Too Hard for Employees to Spot?

As the head of a department myself, who reports directly to the CEO, I cannot begin to tell you how many emails I’ve received “from” my CEO, disguised to send money, reports, or some information that a hacker would use maliciously. It’s not magic. The hacker found my CEO, worked their way backward to assume who the direct reports were, created a perfect replica of my company’s email signature, sent it around, and hoped for the best! The only reason it didn’t work is because I scrutinized the nature of the request – not the email used to make the request. The email was flawless.

Let’s apply this enterprise-wide. Heading into end-of-year, countless employees will be asked to update information in their ERP applications, for many reasons: benefits open enrollment, or updating personal information so tax documents or bonuses can be received. Spoofed “update your password” emails and landing pages that are designed to steal login credentials are the #1 cause of identity theft and payroll diversion. Why are they so effective? Because if you have the ERP login credential, you have the power! Primarily relying on a password security model means employees must correctly scrutinize those spoofed emails and landing pages, then choose NOT to comply with what this spoofed “corporate email” is telling them to do. How effective do you think that will be throughout an entire organization?

It is challenging to teach scrutiny, but organizations are trying. The lesson always is – never open attachments from outside email addresses, never send personal information, etc. However, in the age of remote work and ubiquitous mobile device usage, relying on this level of scrutiny is extremely difficult. And the hackers know this! Detecting spoofed emails and landing pages is tough enough on a desktop, but it’s extremely hard on a mobile device.

What’s a More Effective Way of Preventing Cybercrime?

Simple. Using software to analyze email links and attachments (which most companies are already doing) and making the data that the hackers want more difficult to obtain (ex. employee PII from ERP applications.) Information security teams use these solutions to fail-proof an employee’s lack of scrutiny. As these solutions become more sophisticated, it makes sense for these to be your primary areas of protection. Leaving good ole’ employee training in the dust.

Is Cybersecurity Training for Employees Still Relevant?

Short answer, yes! Employees should always be doing their part to protect their personal data, along with business data. However, the inverse trend in data breaches and training is simply a reflection of a re-allocation of resources. Or, as my dad would say, “the juice is not worth the squeeze.”  Training a workforce is extremely complicated and expensive. As technology evolves to the point where it can do the scrutinizing for employees, we’re likely to see the downward trend in training continue.

How Can I Protect Legacy ERP Data Since Data Breaches are Going Up?

Another short answer: invest in ERP data security! Like I discussed above, solutions that provide risk-aware controls, reinforce authentication protocols (ex. multi-factor authentication), and enable data access & usage monitoring are available. However, organizations must be aware that not all applications are created equally when it comes to control and visibility.

Legacy ERP applications like SAP ECC, PeopleSoft, and Oracle EBS require additional sophisticated solutions to enable control and visibility because their native security features have an antiquated focus. Their native security features rely solely on usernames and passwords, static governance policies (role-based access controls), and system logging designed to troubleshoot application errors – not monitor data access.

This is where Appsian has helped hundreds of legacy ERP customers – and can help you as well. Contact us today, and we’ll show you how you can enable a sophisticated data security model (for legacy ERP data) in a matter of weeks!

And whether you decide to do more or less cybersecurity training for employees, know that Appsian is here to protect your data no matter what tactics malicious attackers try to use!


SAP Access Control: A Beginner’s Guide to SAP Dynamic Authorization

By Michael Cunningham • October 20, 2020

As your company’s digital footprint grows, you can enhance your security posture by complementing your existing SAP Role-Based Access Controls (RBAC) with dynamic, Attribute-Based Access Controls (ABAC) to strengthen authentication and authorization. Both RBAC and ABAC are ways that organizations can control authentication and authorization, but they perform different functions across an enterprise IT stack. 

Understanding SAP Access Control Using Roles

Functionally, a role is a collection of permissions, defined using sets, relations, and mappings, that aligns access to resources with need and limits access on a “need to know” basis.

RBAC involves three basic principles:

  1. Role assignment: Only users with the right login can gain access to and interact with a system or application.
  2. Role authorization: When combined with role assignment, administrators authorize a set of credentials that can gain access to and interact with a system.
  3. Transaction authorization: A user can only interact with a resource to which she is authorized through her role memberships, while also being limited on a “need to know” basis.

RBAC has since evolved to include “hierarchies.” Hierarchies assign different roles different levels of access. For example, a Chief Executive Officer (CEO) needs to have a lot of access to sensitive information. Therefore, the CEO role has access that also encompasses the type of access provided to the Vice Presidents, line-of-business managers, and standard employees. However, since a standard employee is at the “bottom” of the hierarchy, RBAC prevents her from accessing the sensitive information that the CEO can access.

Enhancing RBAC by Using Dynamic Authorizations in SAP

RBAC provides a strong foundation for setting access controls. However, digital transformation changes the way people interact with data resources. Since RBAC was intended for on-premises data repositories, it creates a very strict, static set of permissions. You either have access or you don’t. 

Dynamic authorization – also known as attribute-based access controls (ABAC) – enhances RBAC by taking into account different “attributes.” Attributes are the adjectives of the access control world because they incorporate an additional description of either the user or resource.

Examples of user attributes:

  1. Department within the organization
  2. Management level
  3. Citizenship / Residency
  4. Security Clearance

Examples of action attributes: 

  1. Read
  2. Write
  3. Transfer (money)

Examples of resource attributes:

  1. Data Classification
  2. Transaction Code
  3. Document Number
  4. Plant Code

Example of environment attributes:

  1. Time
  2. Geographic location
  3. Device type
  4. Connection type

By incorporating these attributes, organizations can control user access more precisely, and with the flexibility of dynamic authorizations, better balance business and security requirements.

Achieving Dynamic Access by Using Attributes

Roles act as the foundation for providing access. If you think about it like a sentence, RBAC is the subject and verb. An IT admin has what we call “superuser” access. A simple RBAC sentence might look like this:

IT administrators can read and edit all information. 

Based on RBAC, this sentence provides so much access that an IT administrator could be a data breach risk. Whether maliciously stealing sensitive information or accidentally sharing private information, the unrestricted access means organizations struggle to restrict IT administrator access while still providing enough access for the employee to do their job. 

However, if we add attributes, or additional descriptors about how/when/where IT administrators can use their access, we limit the risk. By creating an “if-then” statement, we apply restrictions based on the defined characteristics. 

If IT administrators are accessing the database (resource attribute)
from their homes (environment attribute) then
they can read (action attribute) the information. 

By adding these attributes, we can prevent IT administrators from making changes to databases while they are at home. 

Furthermore, we can use attributes to grant access as well. Taking the same statement, let’s incorporate time of day as an additional attribute. 

If IT administrators are accessing the database (resource attribute)
from their homes (environment attribute) then
they can read (action attribute) the information,
but if they access the database
between 8 AM and 10 AM (environment attribute 2),
they can edit user data (action attribute 2)

By adding the additional environment and action attributes, you’re creating a scenario that allows IT administrators to work from home while also reducing the risk. You have created a time-bound restriction that requires them to only make user data changes during the hours of 8 AM and 10 AM if they are at home while at all other times, they can only read the database information. 

The more attributes you can incorporate, the more precisely you can define what, how, and when a user or group of users can access data. 
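The two if-then statements above can be written as a small policy check layered on top of the role grant. This is an added example, not Appsian's or SAP's implementation; the names `Request`, `ROLE_GRANTS`, `ABAC_RULES` and `decide` are hypothetical, the 8 AM to 10 AM window is assumed to include 08:00 and exclude 10:00, and requests from locations the article does not mention are assumed to fall back to the role grant.

```python
from dataclasses import dataclass
from datetime import time

# RBAC layer: the article's base sentence, "IT administrators can read
# and edit all information." Role names here are hypothetical labels.
ROLE_GRANTS = {"it_admin": {"read", "edit"}}


@dataclass(frozen=True)
class Request:
    role: str        # user attribute
    action: str      # action attribute: "read" or "edit"
    resource: str    # resource attribute, e.g. "database"
    location: str    # environment attribute: "home", "office", ...
    at: time         # environment attribute: local time of the request


def database_from_home(req):
    """First statement: accessing the database from home."""
    return req.resource == "database" and req.location == "home"


def database_from_home_in_window(req):
    """Second statement: same context, between 8 AM and 10 AM."""
    # Assumption: the window includes 08:00 and excludes 10:00.
    return database_from_home(req) and time(8, 0) <= req.at < time(10, 0)


# ABAC layer: (rule name, context predicate, actions allowed in that context)
ABAC_RULES = [
    ("home: read only", database_from_home, {"read"}),
    ("home, 08:00-10:00: edit user data", database_from_home_in_window, {"edit"}),
]


def decide(req):
    """Return (allowed, reason) for one access request."""
    # 1. RBAC: the role must grant the action at all (deny by default).
    if req.action not in ROLE_GRANTS.get(req.role, set()):
        return False, "role does not grant this action"
    # 2. ABAC: collect every rule whose context matches the request.
    matching = [(name, allowed) for name, applies, allowed in ABAC_RULES
                if applies(req)]
    if not matching:
        # Assumption: the article only constrains the home case.
        return True, "role grant; no attribute rule applies"
    # 3. In a constrained context, the action needs a rule that allows it.
    for name, allowed in matching:
        if req.action in allowed:
            return True, name
    return False, "attribute rules restrict this action in this context"


if __name__ == "__main__":
    for hour, action in [(14, "read"), (14, "edit"), (9, "edit")]:
        req = Request("it_admin", action, "database", "home", time(hour, 0))
        print(f"{hour:02d}:00 home {action}: {decide(req)}")
```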

Creating a Robust Data Security Strategy Using a Hybrid SAP Access Control Model

As organizations accelerate their digital transformation initiatives and allow more remote access to data and transactions, they need a way to configure a layered defense using a hybrid approach to SAP access control. Starting with RBAC, organizations set the foundation of their access policies. However, by incorporating different attributes such as user, resource, action, and environment characteristics, you can more appropriately limit access to and within your SAP data.

Without a solution like Appsian, the closest an organization can come to granting dynamic access to SAP is through customization or adding roles to a user for each attribute. Both options are costly and ultimately unmanageable in the long run.

Contact us to learn how Appsian can help you extend and enhance your existing SAP access controls and improve your reporting and auditing capabilities.
