Analytics, Security

5 Types of Insider Threats and How to Detect Them in Your ERP System

By Michael Cunningham • December 9, 2020

While the majority of data breaches are from insider threats—a startling 57% according to the Verizon Insider Threat Report—many organizations overlook these internal dangers. Whether careless or malicious, employee, partner, or contractor, insider threats are difficult to spot and often go undetected in your ERP system for months or years. 

Insider threats can be particularly dangerous for organizations using legacy ERP systems, such as SAP, PeopleSoft, and Oracle EBS. The primary issue is that most security teams struggle to determine the difference between regular user activity and anomalous activity indicating an insider attack. What makes insider threats especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account. 

5 Types of Insider Threats in Your ERP System

First, a quick refresh: An insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. Not all insiders are disgruntled employees, and their motivations, intent, and access levels vary. Regardless of who they are, an insider who is intentionally or unintentionally violating a business or security policy can inflict plenty of damage. 

Insider threats come in all shapes and sizes and display different behaviors you can leverage for detection and preventionHere are five categories of insider threats that our ERP customers are most likely to encounter: The Careless Worker, the Arrogant Insider, the Disgruntled Employee, the Malicious Insider, and the Irresponsible Vendor.  

The Careless Worker 

These are employees or partners whose actions are inappropriate as opposed to malicious. They will unintentionally break acceptable use policies, mishandle data, and install unauthorized applications, etc. The Careless Worker ignores security awareness training and best practices, making them likely to be the one that falls for a phishing scam and having their account compromised by a hacker.  

The Arrogant Insider 

Arrogant Insiders are employees who do not act with malicious intent but believe they are exempt from security policies. They will take deliberate and potentially harmful actions, such as using unapproved workarounds or transferring potentially sensitive information to cloud storage accounts for easy access. These actions leave vulnerable data and resources unserved and vulnerable to hackers. 

The Disgruntled Employee 

Disgruntled Employee is not happy or feels disrespected in some way and willfully disregards data privacy and security protocols to commit deliberate sabotage or intellectual property theft. For example, using access to leak executive compensation data and cause negative publicity. Disgruntled Employees are especially dangerous and probably the hardest ones to detect because they have elevated levels of privilege.    

The Malicious Insider 

The Malicious Insider is an actor with access to corporate assets who uses existing privileges to exfiltrate data or commit other malicious acts with the goal of financial rewards or further personal gainsA Malicious Insider can result from a compromised account caused by a Careless Worker or a Disgruntled Employee who has gone beyond accessing intellectual property and into theft or fraud.   

The Irresponsible Contractor 

The Irresponsible Contractor compromises security through negligence, misuse, or malicious access to or use of an asset. They are contract workers and temporary employees who are given access like a full-time employee. Sometimes, depending on how an organization assigns roles, they might have more privileges than the job requires. 

How to Detect Insider Threats: Know Your Users. Know Your Data.  

When an insider uses a legitimate login profile to move about your ERP system, telling the difference between regular activity and harmful activity often prevents rapid detection. In fact, a recent report from Ponemon indicates that the average time to detect and contain an insider threat incident is 77 days.  

The number one way to detect anomalous activity is by closely monitoring user behavior around data access and usage. Put another way; you’re looking to identify the context of the access and usage: the who, what, where, when, how, and, ultimately, the why.  

Far too often, user behavior is a mystery, resulting in security, fraud, theft, and business policy violations. Specifically, a lack of context around how, when, and by whom transactions and data fields are being accessed. To gain this insight, you need an advanced analytics platform specifically designed to display granular levels of ERP data access & usage. Like Appsian360 

Context of User Access and Data Usage with Appsian360 

With Appsian360, security and compliance leaders can drill into specific data access and know exactly who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan. With Appsian360, you can: 

  • Identify when a Careless Worker falls victim to a phishing attack by setting up a dashboard that tracks location-based access. If a legitimate user account suddenly starts accessing your ERP system from outside the United States, for example, you can begin an investigation into other activity by that account. 
  • Closely monitor the activity around sensitive reports and queries and ensure that data is not being exfiltrated in bulk by unauthorized users or offboarding employees, such as Arrogant Insiders.  
  • Monitor high-risk data activity for unusual behavior. For example, a Disgruntled Employee with access to compensation data needs that ability to their job. However, you can track the number of times a user accesses that data during the day or outside of business hours. Instead of asking “if” a person should have access to that data, you can track how often and when that data is accessed. 
  • Track a variety of user access data points when it comes to detecting a Malicious Insider. Since this is usually a compromised account, you can set dashboards to track after-hours access, mobile phone access, strange IP address access, and access from a foreign country. All signs that a legitimate account has been compromised. 
  • Apply a prefix to the username of any outside Irresponsible Contractor or temporary worker to fully track their data access and usage inside your ERP system.  

Close the Visibility Gap to Detect Insider Threats 

The unfortunate reality of ERP applications like PeopleSoft and SAP is that they lack the ability to provide actionable insights into user activity, creating many blind spots for detecting insider threat behavior. Fortunately, organizations using Appsian360 can detect and defend against insider threats by monitoring data access and usage at a granular level that was previously unavailable.  

Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today. 

Stay Updated

Security

How to Detect Insider Threats in Your ERP System

By Michael Cunningham • November 16, 2020

Insider Threats Are Becoming More Frequent and More Costly to Organizations. Especially Those Using Legacy ERP Systems. Here’s How You Can Proactively Prevent the Risk of Insiders Compromising Data 

While data breaches caused by hacking/phishing/ransomware tend to grab the most headlines, most data security incidents are from trusted insiders with access to sensitive data and systems. Thus, making insider threats one of the most common, yet elusive, risks to manage.

When you hear the term “insider threats,” most people reflexively think about a greedy or disgruntled employee abusing their access for revenge or financial gain. But there’s more to the definition than the angry employee out for revenge. An insider can be a current or former employee, contractor, or business partner with legitimate access to the organization’s network, systems, or data. The insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. So assuming all insider threats are disgruntled employees is false – an insider who is unintentionally violating a business policy can inflect plenty of damage.

Why Are Insider Threats So Dangerous to Organizations Using Legacy ERP Systems? 

The number one issue for security teams when it comes to detecting an insider threat is the user in question has authorized access to the ERP system. It’s the malicious intent or individual violation amongst the rest of the legitimate access that makes it difficult to tell the difference between a user’s regular activity and possible malicious activity. What makes them especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.  

Insider threats are among the most common causes of data breaches worldwide, and they can often be among the costliest. According to the 2020 Insider Threat Report (Cybersecurity Insiders), 68% of organizations observed that insider attacks have become more frequent over the last 12 months. Moreover, 70% have experienced one or more insider attacks during that same period. Ponemon calculates that the average cost per insider incident is $11.45 million in 2020, increasing by 31% from 2018.  

The increase in attack frequency shouldn’t surprise anyone thanks to the COVID-induced necessity for remote access to ERP systems and data. While security teams were likely focusing their cybersecurity efforts and budgets on securing the perimeter, cybercriminals found new ways to target user accounts with phishing and social-engineering attacks. 

The good news is that organizations using ERP systems can detect and defend against insider threats with a combination of data-centric security measures and monitoring data access and usage.  

Detecting Insider Threats by Monitoring ERP Data Access and Usage 

Detecting an insider threat as quickly as possible is essential to limiting the amount of damage, financial or otherwise, this insider can cause. However, how can you tell the difference between regular activity and harmful activity? With an insider using a legitimate login profile, there aren’t obvious warning signs when malicious behavior takes place.  

Monitoring user behavior around data access and usage can highlight internal access misuse and credential theft. And continuously monitoring for outlier and anomalous behavior patterns provides visibility into how high-privilege users interact with sensitive data. This monitoring helps security teams identify a possible malicious insider or if an external attacker has compromised an employee’s credentials. For example: 

  • Monitoring user activity during remote access down to the transaction level 
  • Monitoring data access and usage by users with high privileges 
  • Monitoring query attempts to download information onto unauthorized devices 
  • Monitoring exactly who is accessing highly sensitive data fields 

Without advanced analytics and data monitoring, keeping track of every user’s activities after they’ve logged in to the system is a lot of work. In some cases, raw logs from your ERP system need to be manually checked, and each event studied—often after an insider threat has already occurred. No wonder the average time to identify and contain an insider threat incident is 77 days (Ponemon).  

When security teams monitor data access and usage, they can be proactively alerted to potential insider threats by identifying anomalous activity with actionable insights into what was accessed and by whom. Now organizations can quickly respond with a full forensic investigation and a rapid and thorough response. 

Preventing Insider Attacks with Dynamic, Data-Centric Security 

Although security professionals recognize the value of continuously monitoring data access and usage to detect insider threats, companies should also adopt a layered, data-centric security model to improve the likelihood of preventing an insider threat from attacking. 

Enhance Access Controls with Dynamic Authorization Policies 
Organizations should start by incorporating dynamic authorization strategies that use contextually aware access controls. Dynamic authorization gives organizations a way to leverage the contextual attributes of access such as geolocation, time of day, and IP address to better control the resources users access, how they access it, and from where they access it. For example, you can prevent an insider threat who has legitimate credentials from accessing sensitive data because they accessed the ERP system from a foreign IP address and outside of established business hours.  

Expand the Use of Data Masking  
You’re likely already masking the obvious data fields with personal information, like social security numbers, bank account information, national ID number, passport number, driver’s license number, etc. However, now that insider threats are increasing, organizations should expand the use of data masking to all fields that could be considered personally identifiable, giving you greater control over who can see what data and when. And deploying data masking based on dynamic authorization policies, like location, device, and time of day allows a more secure-and flexible-access to data.  

Enable Stepped-Up Multi-Factor User Authentication  
Using stepped-up multi-factor authentication is an important tool for preventing insiders from doing stuff they shouldn’t. When it comes to performing transactions with sensitive information, adding multi-factor at the transaction level as well as the perimeter ensures that users are not only authorized to access and view the data but perform the actual transaction.  

Take A Proactive Approach to Detecting and Preventing Insider Threats 

When it comes to insider threats, most security teams live in a murky gray middle zone struggling to determine the difference between regular user activity and anomalous activity indicating an insider attack. Organizations can help their IT security teams take a clear, proactive approach to detecting and preventing insider threats and attacks by applying a data-centric security approach combined with continuous monitoring of data access and usage. 

Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today. 

Stay Updated

Security

CYBERSECURITY PRIORITIES SHIFT TO INSIDER THREATS

By Hendrix Bodden • January 7, 2015

The Sony breach – and virally every other recent high profile breach – has finally driven home what GreyHeller has been saying for some time – that the insider threat vector is as dangerous as the perimeter threat vector.

This survey of Federal IT managers in both civilian and defense sectors supports our view: Survey Cybersecurity priorities-shift insider threats

Security concerns from the survey:

  • Cyber hygiene
  • Phishing
  • Malware
  • Spam tactics

Interestingly, data breaches and cyber espionage were further down the list. Really??!! We couldn’t agree less – data breach (leakage, unintentional disclosure, spillage) – is as serious a threat vector as any.

Finding ways to mitigate and remediate after a breach have got to be on the top of any organization’s cybersecurity priority list.

Stay Updated

Security

GreyHeller January Security Webinar Series

By Hendrix Bodden • January 6, 2015

January 5, 2015 – San Ramon, CA – GreyHeller today announced an Insider Threat Security Webinar Series focused on helping organizations protect their ERP sensitive data from malicious and inadvertent insider threats.

The Insider Threat Series will use recent, high profile breaches at Sony and higher education institutions as examples of what could have been done to prevent insider threat attacks.

“Cyber security priorities have shifted in recent years to insider threats as the top attack vector,” said Greg Wendt, GreyHeller’s Executive Director of Security Solutions. “These types of breaches can be mitigated with rigorous ERP system Credentials Management, strict employee training and implementing two-factor authentication, logging and analytics.”

The Insider Threat Security Webinar Series is part of GreyHeller’s commitment to educate users of major ERP systems on how to fight cyber crime and prevent their organizations from becoming the next news headline.

GreyHeller will deep dive into:

  • Two-Factor Authentication
  • REN-ISEC Recommendations for HCM
  • Logging and Analysis
  • Data Masking
  • Location Based Security

Each webinar is an hour long and begins at 11:00am PST. For more information and to register, click here.

Insider Threat Security Webinar Series

About GreyHeller

GreyHeller’s software solutions help nearly 100 global organizations secure their ERP sensitive data from cyber crime. For more information about GreyHeller, please visit www.greyheller.com.

Stay Updated