Using Erp Data For Quick Incident Response

By Author: Appsian
Total Articles: 115
Comment this article

Using ERP Data For Quick Incident Response

Several ERP incidents take a long time to investigate and resolve. When the staff faces significant challenges in resolving incidents in a timely manner, it is difficult to offer exemplary customer support to the business lines.

There are three big barriers to the timely resolution of ERP incidents.

1: Legacy ERP Logs Can't Inform You About Data Access

Most people who use an ERP program such as PeopleSoft do not know who does what, who accesses what data, or most importantly, why. You probably need to find out first whether this is something the user did, or hackers were able to gain access to the device, and whether this is an internal job or an external attack, you also need to figure out.

And while the logs can show you the right direction, the legacy ERP logs are not meant to provide accurate details on who accessed anything confidential or even viewed it in most cases. This leads to the second hurdle.

2: Disparate ERP Logs

ERP logs are meant for troubleshooting, not recording granular activities, which leads to the inability of companies ...
... and business divisions to know what their workers are doing within the apps. Here's an instance of all the native logs you could find in your PeopleSoft example:

App Server

PIA (Web Server)

Process Scheduler

Database

Identity Provider (SAML, LDAP, ADFS)

Load Balancer

Firewall

Host O/S Logs

There is possibly more than one of these servers where these logs live in your company. You could have four servers for the application, eight web servers, and so on. You are looking at having a needle in some haystacks now. And there is no correlation between that data, so there is little relative context that can allow your investigation.

Here is an example of App Server and Web Server logs being used. On the Web server, since you do not know the OPRID, you cannot recognize the person who signed in. An IP address and a timestamp are all you have. You need to go to the App Server and check the OPRID, timestamp, and IP address login or log-out and attempt to compare that information with similar Web Server information.

3: Log Data Lacks Context

When the team has obtained data from other sources from the logs and assembled information, the final step is to analyze it and make a best guess so that it is possible to create an action item. If you are unable to bring your data into a human context, how actionable is a list of raw data such as IP addresses, user IDs, computer locations, completed transactions, etc.?

Solution

To provide the company with an understanding of what happened with their ERP data, simple, actionable insight is required. Data security and analytics solutions are available that log granular data access for users, compare current ERP logs, enrich data with contextual attributes (who, where, when what device, etc.), and show access and usage of ERP data on dashboards. Your team can now easily look at data access from IP addresses, user IDs, computer locations, pages accessed, etc., and understand the truth behind an incident very quickly.

You lack perspective without context. Context provides actionable perspectives about data access and use. The business is supported by actionable perspectives and provides value for key stakeholders.

Appsian One of the leading ERP data security,compliance,implementation solutions provider that gives organizations to complete control and visibility over their ERP data.