Investigating and resolving many ERP incidents takes a long time. Because workers face major obstacles in addressing incidents in a timely manner, it is challenging to provide business lines with outstanding customer service.
Three major obstacles stand in the way of timely ERP incident resolution.
1: Legacy ERP logs don’t inform you about access to data
Most individuals using ERP software such as PeopleSoft do not know who does what, who accesses what information, or, most importantly, why. You will probably need to find out first whether this is something the user did or whether hackers gained access to the computer, and you will need to figure out whether this is an internal job or an external attack.
While the logs can point you in the right direction, in most instances legacy ERP logs are not intended to provide detailed information about who accessed or even viewed something confidential. This leads to the second hurdle.
2: Disparate ERP logs
ERP logs are intended for troubleshooting, not for tracking granular tasks, so corporations and company departments fail to see what their employees are doing inside the applications. In PeopleSoft, here is an example of the native logs you may find:
1. App Server
2. Database
3. PIA (Web Server)
4. Identity Provider (SAML, LDAP, ADFS)
5. Process Scheduler
6. Load Balancer
7. Firewall
8. Host O/S Logs
Your business probably has more than one of these servers where the logs reside. The application might run on many computers, web servers, and so on. There is no connection between that data, so you have little relevant context with which to start your investigation.
Take the App Server and Web Server logs as an example. Since the OPRID is not known on the Web Server, you are unable to identify the person who signed in. All you have is the IP address and a timestamp. You need to go to the App Server, check the login or logout entries for the OPRID, timestamp, and IP address, and try to match that information with the corresponding Web Server information.
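The matching described above, as an added example that is not part of the original article: it attributes Web Server requests to an OPRID by joining on IP address and the App Server login/logout window. The record layouts, paths, and sample values are constructed for illustration and are not PeopleSoft's native log formats; the `skew_seconds` tolerance for clock drift between servers is an assumption.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records in a simplified layout (not native PeopleSoft formats).
# App Server sessions: (OPRID, client IP, login time, logout time or None)
APP_SESSIONS = [
    ("JSMITH", "10.1.4.22", "2024-03-05 09:00:10", "2024-03-05 09:45:00"),
    ("MLEE", "10.1.4.22", "2024-03-05 09:30:00", "2024-03-05 10:15:00"),
    ("AKHAN", "10.1.7.9", "2024-03-05 09:05:00", None),  # logout never logged
]
# Web Server requests: (client IP, timestamp, path); no OPRID available here
WEB_REQUESTS = [
    ("10.1.4.22", "2024-03-05 09:00:07", "/signon"),
    ("10.1.4.22", "2024-03-05 09:10:00", "/payroll/view"),
    ("10.1.4.22", "2024-03-05 09:35:00", "/payroll/view"),
    ("10.1.7.9", "2024-03-05 11:00:00", "/home"),
    ("10.9.9.9", "2024-03-05 09:20:00", "/payroll/view"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def attribute(requests, sessions, skew_seconds=5):
    """Join web requests to app server sessions on IP and time window;
    skew_seconds tolerates clock drift between the two servers."""
    skew = timedelta(seconds=skew_seconds)
    rows = []
    for ip, ts, path in requests:
        t = parse(ts)
        oprids = sorted(
            oprid for oprid, s_ip, login, logout in sessions
            if s_ip == ip
            and parse(login) - skew <= t
            and (logout is None or t <= parse(logout) + skew)
        )
        if len(oprids) == 1:
            verdict = "attributed"
        elif oprids:
            verdict = "ambiguous"  # several users shared this IP at that moment
        else:
            verdict = "unattributed"  # no matching session for this IP and time
        rows.append((ip, ts, path, oprids, verdict))
    return rows

if __name__ == "__main__":
    for row in attribute(WEB_REQUESTS, APP_SESSIONS):
        print(row)
```

The "ambiguous" and "unattributed" rows are the ones an IP-and-timestamp join cannot settle on its own: shared addresses yield several candidate OPRIDs, and a request with no surrounding session has no candidate at all.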
3: Log data that lacks context
When the team has gathered data from the logs and assembled information from other sources, the final step is to evaluate it and make a best guess so that an action item can be generated. How actionable and useful is a list of raw data, such as IP addresses, user IDs, device locations, completed transactions, etc., if you are unable to bring the data into a human context?
The Solution
Clear, actionable insight is needed to provide the organization with an understanding of what happened to their ERP data. Data protection and analytics applications are available that log granular user data access, compare existing ERP logs, enrich data with contextual attributes (who, where, when, what device, etc.), and display access and usage of ERP data on a dashboard. Now, security teams can easily look at data access from user IDs, IP addresses, locations of machines, accessed websites, etc., and very quickly understand the truth behind an incident. Without background, you lack insight. Context presents actionable insights on access to and use of data. Backed by actionable insights, the organization gives value to key stakeholders.