6 Warning Signs of PeopleSoft Privileged Account Misuse

By Esha Panda • March 18, 2022

Privileged user accounts are hacker magnets. With cyberattacks getting more targeted and sophisticated, intruders can easily bypass traditional authentication measures. So it’s no wonder that 74% of data breaches stem from privileged account abuse by external hackers and insiders with elevated privilege (according to the 2021 Verizon Data Breach Investigations Report).

Why Compromised Account Activity Is Difficult To Detect In PeopleSoft

PeopleSoft applications usually offer limited monitoring and logging capabilities. Once a user is authenticated at the front door, it is difficult to track their activities within the system. This creates blind spots that allow the bad actors to stay undetected for months or years. A viable solution is to continuously monitor user activity around data access and usage inside PeopleSoft.



6 Warning Signs Of Privileged Account Misuse

When companies monitor outlier behavior patterns, they are more likely to detect compromised accounts or possible malicious activities. This reduces the discovery and containment time and cost. Here are six key signs to monitor that could indicate privileged account misuse in PeopleSoft.

1. Questionable Login Patterns

Always watch out for privileged users trying to log in to PeopleSoft applications outside their working hours. For example, a system admin logging in at 3:00 AM on a Sunday should trigger an alert. Additionally, sudden changes in IP address, location, device, etc., could be possible indicators of privileged account misuse.

2. Deviation From Normal Activities

Let’s say Paula from the HR department needs access to an employee’s payroll information to do her job. You find her trying to access the data outside of her login hours from a suspicious IP address. This could be a sign of privilege misuse.

3. Unusually Long Or Short Session Length

Privileged PeopleSoft users typically have a fixed set of activities. This means that how long a particular application or session stays active, and how long a specific credential stays logged in, could indicate malicious activity. Logs that capture employee session lengths at a granular level can help differentiate between normal and malicious activities.

4. Unauthorized Changes To Master Data

PeopleSoft applications often have large volumes of sensitive master data stored across multiple silos. Any changes to master data, such as adjusting a PO amount beyond limits or making direct deposit changes, need to be investigated.

5. Unusual Data Downloads And Query Running

Running queries and downloading sensitive PeopleSoft data to unauthorized devices, outside of business hours, and from unknown locations are a few warning signs of privilege abuse. In addition, an employee using unapproved workarounds for transferring data to cloud storage accounts for easy access often leaves critical data and PII vulnerable to attackers.

6. Frequently Failed Attempts At Logging Into Critical Applications

You would typically flag failed password attempts by an external user. Similar attempts by internal privileged users, however, do not raise eyebrows. PeopleSoft passwords, being inherently weak, usually become targets for attack. Erratic behaviors indicating compromised privileged accounts should always generate alerts.
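The following is an added example, not code from the original article or from any Appsian or PeopleSoft product, showing how signs 1 and 6 can be checked over a stream of authentication events. The event fields, the per-user baseline, the account name and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical per-user baseline: working hours (24h clock), working
# weekdays (Monday=0) and source IPs seen before. All values are assumptions.
BASELINE = {
    "sysadmin1": {"hours": (8, 18), "days": {0, 1, 2, 3, 4},
                  "known_ips": {"10.0.4.17"}},
}
FAIL_LIMIT = 3                       # failed logins tolerated ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def detect(events):
    """Return (timestamp, user, reason) alerts for a time-ordered event list."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        user, base = ev["user"], BASELINE.get(ev["user"])
        if base is None:
            continue  # not a monitored privileged account
        if ev["result"] == "FAIL":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > FAIL_WINDOW:  # drop failures that aged out
                recent.popleft()
            if len(recent) == FAIL_LIMIT:  # alert once, when the limit is hit
                alerts.append((ev["ts"], user, "failed-login burst"))
            continue
        failures[user].clear()
        start, end = base["hours"]
        if ts.weekday() not in base["days"] or not start <= ts.hour < end:
            alerts.append((ev["ts"], user, "login outside working hours"))
        if ev["ip"] not in base["known_ips"]:
            alerts.append((ev["ts"], user, "login from unseen IP " + ev["ip"]))
    return alerts


# Constructed sample events (not real PeopleSoft log output).
SAMPLE = [
    {"ts": "2022-03-11T09:02:00", "user": "sysadmin1", "ip": "10.0.4.17", "result": "OK"},
    {"ts": "2022-03-12T22:40:00", "user": "sysadmin1", "ip": "10.0.4.17", "result": "FAIL"},
    {"ts": "2022-03-12T22:41:00", "user": "sysadmin1", "ip": "10.0.4.17", "result": "FAIL"},
    {"ts": "2022-03-12T22:43:00", "user": "sysadmin1", "ip": "10.0.4.17", "result": "FAIL"},
    {"ts": "2022-03-13T03:00:00", "user": "sysadmin1", "ip": "203.0.113.50", "result": "OK"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep=" | ")
```

The Friday morning login matches the baseline and stays silent; the Saturday night failures and the Sunday 3:00 AM login from a new address each raise an alert.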

How to Detect and Prevent Privileged Account Misuse in PeopleSoft

Attackers always try to make anomalous behavior appear routine and normal. To protect your PeopleSoft applications, begin with monitoring your privileged user accounts to uncover hidden business risks and data security threats in real time. Appsian Real-Time Analytics offers the following capabilities to mitigate privileged user risk across your PeopleSoft ecosystem:

  • Continuous monitoring of privileged user activity and behavior at a granular level, providing visibility into what they do with their access and how they engage with data.
  • Detailed logs that capture granular transaction details like discounting, PO amount increases, recurring purchases, etc.
  • Dashboards that track all user access data points, including off-peak access, strange IP address access, and access from unknown locations.

The next step is to prevent improper activity by adopting a layered, data-centric security model that includes:

  • Enhanced access controls with dynamic authorization policies
  • Expanded use of data masking to all fields considered personally identifiable
  • Stepped-Up Multi-Factor Authentication to prevent unauthorized access

Schedule a demo with our security experts to mitigate privileged user risk across your PeopleSoft ecosystem. 

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Preventing Risk from Privileged User Accounts: SAP, Oracle EBS & PeopleSoft

By David Vincent • September 24, 2021

Organizations that use ERP applications like SAP, PeopleSoft, Oracle EBS, etc., manage thousands of users. Most of these users have limited roles that only allow them to perform their job-related tasks. But there exists a subset of users/accounts who are granted a wide spectrum of authorizations because their role entails managing the application itself: privileged users.

From an operations point of view, these roles are essential for the day-to-day functioning of the application to support the business. However, from a security perspective, the level of access and authorization granted to these privileged user accounts increases the overall risk exponentially. In fact, Forrester estimates that 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates.

Who are Privileged Users?

Privileged users are users who are assigned roles and authorizations to perform functions that go beyond regular business transactions. These users include database administrators, network engineers, application developers, or third-party consultants. Their user accounts possess enhanced permissions that allow them to access sensitive data or modify key system functions. Also referred to as Superusers, some of the overarching privileges extended to them include:

  • Full authorization to read, write and execute
  • Creation or installation of files or software
  • Modification of files and settings
  • Deletion of users and data

Security Implications of Privileged User Accounts

Privileged users have a high level of access, which means they will always be a target for attackers. If these accounts are compromised, attackers gain the same level of access.

Once inside, attackers can move from system to system undetected without leaving any digital footprint, making them harder to detect and stop. In addition, the attackers could gain access to an organization’s sensitive and confidential data, including company trade secrets.

If misused, either because of an error or with malicious intent, privileged user accounts can also inflict grave damage to a system or organization. Companies may have adequate security to prevent external threats, but privileged users are already inside the system. They can create backdoors, delete or modify data, override security settings, and more without detection.

According to the IBM 2020 Cost of Insider Threat Report, the average cost of an insider threat almost triples from $3M to $8.7M if the incident involves an imposter or thief who steals credentials, and the costliest type of credential theft involves the theft of privileged users’ credentials.

Mitigating Privileged User Risk

Privileged users are granted greater access rights for a reason. They maintain and update applications that are critical for business operations. They are also responsible for a range of functions that require access to multiple servers, modules, and/or databases. This access also significantly increases the organization’s overall risk. However, this “privilege” can be counterbalanced with security measures that do not overly restrict them from performing their tasks.

Enforce Least Privilege Access

Many ERP applications provide role-based access controls and role-based authorizations. This means any user who logs in with valid credentials is granted all roles and authorizations assigned to that account. Thus, when a privileged user’s credentials are compromised, the attacker essentially becomes a privileged user with unchecked access.

However, by implementing attribute-based access controls (ABAC) through a dynamic policy engine, access can be allowed based on contextual attributes like location, time range, days, security clearance level, IP address, and more. For example, restricting privileged users to access only via your secure network ensures attackers cannot log in through an unknown network – significantly mitigating your risk while alerting you to failed access attempts.
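The following is an added example, not Appsian's policy engine or any ERP vendor's API, of an attribute-based check layered on top of role-based access: valid credentials are only honored when the request context matches the policy, and every denial is logged so it can raise an alert. The role names, network range, hours and requests are assumed or constructed values.

```python
import ipaddress
from datetime import datetime

# Hypothetical policy for privileged roles. Network range, hours and days
# are assumed values chosen for the example.
POLICY = {
    "applies_to_roles": {"SYSADMIN", "SECURITY_ADMIN"},
    "allowed_networks": [ipaddress.ip_network("10.20.0.0/16")],
    "allowed_days": {0, 1, 2, 3, 4},   # Monday=0 ... Friday=4
    "allowed_hours": (7, 19),          # 07:00 <= t < 19:00
}


def evaluate(request, policy=POLICY):
    """Return (allowed, reasons). Valid credentials are assumed; this only
    checks the context in which they are being used."""
    if not policy["applies_to_roles"] & set(request["roles"]):
        return True, []  # not a privileged role: RBAC alone decides
    reasons = []
    ip = ipaddress.ip_address(request["ip"])
    if not any(ip in net for net in policy["allowed_networks"]):
        reasons.append("source network not trusted")
    when = datetime.fromisoformat(request["time"])
    if when.weekday() not in policy["allowed_days"]:
        reasons.append("day not permitted")
    start, end = policy["allowed_hours"]
    if not start <= when.hour < end:
        reasons.append("outside permitted hours")
    return (not reasons), reasons


def decide_and_log(request, audit_log):
    """Enforce the policy and record every denial so it can raise an alert."""
    allowed, reasons = evaluate(request)
    if not allowed:
        audit_log.append({"user": request["user"], "ip": request["ip"],
                          "time": request["time"], "denied_for": reasons})
    return allowed


# Constructed requests: the same valid credentials used in three contexts.
OFFICE = {"user": "sysadmin1", "roles": ["SYSADMIN"],
          "ip": "10.20.8.14", "time": "2021-09-24T10:15:00"}
UNKNOWN_NET = {**OFFICE, "ip": "198.51.100.7"}
SUNDAY_3AM = {**UNKNOWN_NET, "time": "2021-09-26T03:00:00"}

if __name__ == "__main__":
    log = []
    for req in (OFFICE, UNKNOWN_NET, SUNDAY_3AM):
        print(req["ip"], req["time"], decide_and_log(req, log))
    print(log)
```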

Enforce Segregation of Duties (SoD)

Privileged user roles and authorizations should be regularly audited to ensure that they only have authorizations that are needed to perform their jobs. If the privileged user has not utilized a particular role within a specific timeframe, organizations should consider removing those privileges from the user. Since the user has never performed such functions before, they would not miss those privileges.

Even in cases where special privileges have been granted to perform specific tasks, a time limit should be set after which access is automatically revoked. These steps ensure that privileged users only have the necessary access at any given time and limit the organization’s overall risk.
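The following is an added example, not taken from the original article or from any product, of the periodic review described in the two paragraphs above: it revokes grants whose time limit has passed and queues unused roles for review. The record layout, the role and user names and the 90-day window are assumptions, and the grants are constructed.

```python
from datetime import date, timedelta

UNUSED_AFTER = timedelta(days=90)  # assumed review window


def review_grants(grants, today):
    """Return (user, role, action, reason) for every privileged role grant.

    action is "revoke" for a grant past its time limit, "review" for a role
    that looks unnecessary or badly configured, and "keep" otherwise.
    """
    findings = []
    for g in grants:
        expires = g.get("expires")
        # A role that was never used counts as idle since the day it was granted.
        idle_since = g.get("last_used") or g["granted"]
        if expires is not None and expires <= today:
            action, why = "revoke", f"time limit passed on {expires}"
        elif g.get("temporary") and expires is None:
            # Edge case: a special-purpose grant that would never be revoked.
            action, why = "review", "temporary grant has no expiry date"
        elif today - idle_since > UNUSED_AFTER:
            action, why = "review", f"role not used since {idle_since}"
        else:
            action, why = "keep", "used within the review window"
        findings.append((g["user"], g["role"], action, why))
    return findings


# Constructed grants; user and role names are hypothetical.
TODAY = date(2021, 9, 24)
GRANTS = [
    {"user": "dba_lee", "role": "DB_ADMIN",
     "granted": date(2020, 1, 6), "last_used": date(2021, 9, 20)},
    {"user": "dba_lee", "role": "PAYROLL_ADMIN",
     "granted": date(2020, 1, 6), "last_used": date(2021, 2, 1)},
    {"user": "consultant_kim", "role": "SECURITY_ADMIN", "temporary": True,
     "granted": date(2021, 8, 1), "expires": date(2021, 8, 31),
     "last_used": date(2021, 8, 30)},
    {"user": "dev_ana", "role": "SYSADMIN", "temporary": True,
     "granted": date(2021, 9, 1)},
]

if __name__ == "__main__":
    for finding in review_grants(GRANTS, TODAY):
        print(*finding, sep=" | ")
```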

Implement Step-Up MFA For Privileged Users

While your organization may have MFA at the login level, deploying step-up authentication for sensitive transactions at the page and data field level ensures that access to data and transactions is allowed only after the user has re-authenticated themselves.

Adding additional layers of authentication not only improves your security posture but also creates logs that can be monitored for suspicious activities. For example, a privileged user who is authorizing payment transactions can be easily identified during an audit since the user does not belong to the payroll or procurement team.

Behavior-based Profiling

Monitoring administrator accounts can help identify when one is compromised. However, large organizations may have hundreds of privileged users, and manual monitoring is virtually impossible. This is why Appsian Security’s unique algorithm combines multiple data sources to create a joint profile for each employee, including privileged users. The solution uses this business profile as the basis for optimization and as the behavior baseline.

This method is subsequently used to analyze irregular behavior, unused activities and authorizations, recommended authorizations for roles, and unoptimized license types. Privileged users who deviate from their normal usage can be easily monitored. For example, an anomaly is created when an SAP administrator who never accessed the customer database before tries to access it. Even though the user has the authorization to access the database, a deviation in behavior can be an indication of compromised credentials, giving security teams an impetus to check user behavior.

The IBM 2020 Cost of Insider Threat Report states that 29 percent of all credential thefts involve the theft of privileged users’ credentials. This proves that privileged users are primary targets for attackers because of their access privileges. Appsian Security mitigates the risk of high privilege credentials and sessions being exploited by bad actors by enabling you to implement multiple security measures like attribute-based access controls, step-up authentication for sensitive transactions, segregation of duties, and behavior-based profiling.

Schedule a demo with our security experts to find out how privileged user risk can be mitigated across your ERP ecosystem.


Monitoring High Privileged User Activity in PeopleSoft and SAP Using Appsian360

By Michael Cunningham • August 11, 2020

We are in the midst of a perfect storm of ERP security calamity: the greatest work-from-home experiment colliding with historic levels of employee churn and unemployment. Hackers are exploiting the situation by launching phishing, spear-phishing, and other social engineering attacks at remote workers to gain access to privileged user accounts and email passwords.

The increased threat surface and hacker activity mandate that companies deploy a strong security posture at the identity perimeter, using tools such as virtual private networks (VPN) and adaptable multi-factor authentication (MFA). However, limiting security to user access and authentication can leave organizations at risk of malicious activity when, not if, a privileged user account is compromised.   

Unfortunately, today’s legacy on-premise SAP and PeopleSoft systems simply do not provide organizations the granular visibility and context of user access and data usage they need in real-time to make proactive and strategic decisions. This lack of visibility and reliance on static controls to ensure your most critical data isn’t compromised means that many organizations are flying blind.  

Monitoring Privileged User Activity Must Be Part of a Strong Security Posture   

The issue with traditional ERP logging and analytics is that they focus on troubleshooting errors and scanning for broad system vulnerabilities. They were not designed for understanding user behavior, data access, and usage. In addition to ensuring a strict authentication process, companies need to layer in the ability to monitor privileged user activity continuously.

Using a layered-defense approach, organizations can proactively mitigate many of the risks associated with the increased interest in corporate networks and user accounts. A strict authentication process on its own is no longer acceptable. Actively monitoring privileged account activity is a critical way of identifying that an external threat has entered the network, compromised an account, and is ultimately engaged in fraud or theft.   

Granular Privileged User Activity to Monitor  

Organizations can set fine-grained access controls all day long. For example, organizations may be able to apply time-based ABAC for standard users, since the general human resources employee likely works during daytime hours, and you have visibility into which user accessed an application. Unfortunately, if you do not have a granular-level view into precisely what a user accessed, then you are missing a significant part of the data security puzzle.  

I’m sure you can think of a list of all Tier 1, highly sensitive data fields you want to watch closely. A shortlist includes C-suite salary information, social security numbers, bank account information, national ID number, passport number, visa permit number, driver’s license number, etc.   

Continuously monitoring privileged user activity and behavior at the granular level provides valuable visibility into how users engage with data and what they do with their access. For example, application-level logging can’t track or show you if a hacker or malicious insider changes employee direct deposit information to route that week’s payroll run into an offshore account. Only field-level logging can show you how much “over access” users may have or if they are engaged in irregular activity.  

With this information, organizations can review whether a certain activity was necessary and document the findings. By tracking the activity back to the user, the organization proves governance and proactively protects data.  
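The following is an added example, not Appsian360 or PeopleSoft code, contrasting what an application-level entry records with what field-level entries record for the same save of an employee record. The field names, the actor, the key placeholder and the before/after records are constructed; values are logged as keyed fingerprints so the audit trail does not itself store the sensitive data.

```python
import hashlib
import hmac

# Tier 1 fields to watch. Names are hypothetical, modelled on the kinds of
# data listed above (bank account, national ID, salary).
TIER1 = {"bank_account", "routing_number", "national_id", "salary"}

# Placeholder key (assumption): in practice it comes from a secret store.
AUDIT_KEY = b"example-key-load-from-a-secret-store"


def fingerprint(value):
    """Keyed hash: shows that a value changed, and matches repeats, without
    exposing low-entropy values such as account numbers to brute force."""
    return hmac.new(AUDIT_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:12]


def application_level_entry(actor, page):
    # What a coarse log records: who saved which page, nothing about the data.
    return {"actor": actor, "page": page, "action": "save"}


def field_level_entries(actor, source_ip, record_id, before, after):
    """One audit entry per changed field, flagged when the field is Tier 1."""
    entries = []
    for field in sorted(before.keys() | after.keys()):
        old, new = before.get(field), after.get(field)
        if old == new:
            continue
        entries.append({
            "actor": actor, "ip": source_ip, "record": record_id,
            "field": field, "tier1": field in TIER1,
            "old": fingerprint(old), "new": fingerprint(new),
        })
    return entries


# Constructed before/after images of one employee record.
BEFORE = {"employee_id": "E1001", "bank_account": "000123456789",
          "routing_number": "110000000", "phone": "555-0100"}
AFTER = {**BEFORE, "bank_account": "999000111222", "phone": "555-0199"}

if __name__ == "__main__":
    print(application_level_entry("sysadmin1", "DIRECT_DEPOSIT"))
    for entry in field_level_entries("sysadmin1", "203.0.113.50", "E1001", BEFORE, AFTER):
        print(entry)
```

The application-level entry is identical whether the user corrected a phone number or rerouted a direct deposit; only the field-level entries show that a Tier 1 field changed, who changed it and from where.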

Appsian360: Monitor ERP Activity for High Privilege Users  

Using Appsian360 to monitor privileged user activity, you get a 360-degree view of what is happening around your ERP data as well as full visibility into exactly how your ERP data is being accessed – by whom, from where, on what, and why. From there, you can map out a targeted incident response before damages become catastrophic.   

Your organization needs to be in a constant and vigilant state of security when it comes to monitoring privileged user account activity, especially in these times of excessive employee churn and remote access. Unfortunately, doing so in your ERP system is a manual process that needs to be addressed frequently.  

Request a demo of Appsian360 to see for yourself how your organization can actively monitor privileged user activity and mitigate the risks associated with a compromised account or malicious insider. 


Tracking high-privileged users requires a strict security policy

By Greg Wendt • August 25, 2015

While some organizations believe hacks come from only external sources, these companies may be missing an even larger threat: internal, privileged users. According to the Ponemon Institute’s Survey on Data Security Breaches, sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error. While some attacks can be unintentional, there are a couple of steps your business can take to protect your organization from internal threats.

Start by defining the policy

High-privileged users by definition have access to the most sensitive information within the organization. Their access is coveted by both external hackers and malicious internal users. Safeguarding your company requires an in-depth look at current security policies and how they could be improved. There should be guidelines put in place detailing what access each member receives, as well as strict account management practices. This can include requiring privileged users to change their passwords biweekly or bimonthly to ensure important data is always secured or implementing a least privilege arrangement. This practice gives users the bare minimum for their positions’ needs when it comes to access.

In addition, your company could eradicate “all powerful” accounts that allow entitled users access to almost all information in a business’s system. Instead, delegate access to particular data to different people, using a specific identification password or username that can be tied to that person. Certain actions within the system would then be accessible by only people who have been granted that permission. Multifactor authentication would limit and verify which privileged users are able to complete specific behaviors within the system.

Multifactor authentication can prevent malicious insiders from hacking into secure data.

Add extra security measures

With great power also comes great responsibility. Our security survey results show that greater than 80% of respondents expect high-privileged users to utilize increased security measures such as multi-factor authentication. Privileged users with particular leverage should still have to meet and pass certain security requirements for access to data and functions. To keep company information as secure as possible, it is important to increase protection by implementing specific protocols, including data masking.

Data masking is a smart backup for multifactor authentication. If a user is able to make it through one level of security but cannot view other data, the system hides secure information. Only the most basic, non-harmful data is visible. Continued failed login attempts at every level of authentication would result in increased masking of secure materials.

Log employee actions

The phone rings, and the caller accuses someone of changing their data because their paycheck was not deposited into their account. Now the response has to begin. It’s vital to monitor users’ conduct within the system at every level. Specifics are necessary to audit people’s access as well as perform incident response. High-privileged users’ impact and influence on company data must be tracked within the overall data security solution. Although this security measure is difficult to complete, it can be done with the correct logging software. With a firewall that includes analysis of a user’s record and behaviors within the portal, companies can have a better idea of what secure information is misused.

High-privileged users can wreak just as much havoc on a system as external hackers. In fact, 25 percent of respondents said a malicious insider was the cause of a company breach in the past year, according to Forrester Research. To avoid system intrusions, whether vengeful or not, it’s vital for your company to have a security policy in place to monitor users. Multifactor authentication, data masking and logging analysis are all beneficial tools to protect your organization’s critical information.
