Why SAP systems are a worrying security blind spot
SAP systems carry the lifeblood of the business. Used by 23 in every 25 enterprises in the Forbes Global 2000 index, 87% of global commerce is generated in SAP systems that store 70% of all corporate data globally and touch 77% of the world's transactional revenue. But the business-critical nature of these systems, unfortunately, presents a challenge to security teams.
Driving everything from digital enterprise resource planning (ERP) and human capital management operations to sales, stakeholder relationship management (SRM) and customer relationship management (CRM) processes, SAP systems store highly valuable digital assets. These central pillars for business planning, product lifecycle management and business intelligence have applications that house vital datasets, including intellectual property, customer data, employee data, financial details, and other sensitive information. And that makes them a prime target for threat actors.
Indeed, any attacker that is successful in breaking into SAP systems will be able to sweep the rug from under the company's feet in several ways. Whether they wish to steal company secrets, carry out financial fraud or disrupt operations, the enterprise will, more often than not, be improperly protected and at their mercy.
The pros and cons of SAP ETD
It is of little surprise, therefore, that threat actors have ramped up their efforts to find and exploit vulnerabilities in SAP.
In recent times, we've seen them homing in on SAP proprietary protocols to then perform operating system commands with the privileges of the SAP administrator. We've also seen adversaries creating backdoor users in the SAP J2EE User Management Engine that are then used to obtain access to SAP Portals and Process Integration platforms.
It is critical that organisations combat new and evolving threats such as these. However, this continues to be a challenge for many, but not because security is overlooked by SAP itself. Since March 2015, the solutions provider has ramped up its own protective efforts for its customers, having released SAP Enterprise Threat Detection (ETD). In essence, this is a security information and event management (SIEM) platform built into SAP itself, providing customers with the means of detecting and responding to attacks targeting its applications.
Like many SIEMs, ETD uses log data to offer insights into suspicious activities taking place in SAP systems, enabling threats to be addressed at speed before any serious damage is done – and it has continued to evolve over time. Recent updates have allowed the platform to use contextual data such as the role or location of a system where a suspected attack has occurred to make analysis and assessment more accurate and remediation faster, for example.
In this sense, the SAP application-specific SIEM serves a sound purpose. However, over-reliance upon this siloed tool can equally lure security teams into a false sense of security, with several broader challenges stemming from use of SAP ETD.
Contrary to popular belief, SAP systems are not black-box systems. They are interconnected and connect to suppliers' and customers' systems, internal and external employees, mobile devices, SAP Technical Support and various other networks.
The crux of the issue lies in the fact that the platform may only monitor SAP-related security information. In other words, it is unable to compare, contrast and correlate SAP-related security events with other information collected by central SIEM systems.
What's more, matters are complicated further by the fact that many of SAP's individual products also have their own distinct security nomenclature and rulesets.
From ERP Central Component to Business Warehouse to Human Capital Management, SAP systems are complex, multifaceted and tailored to each of the specific purposes they serve, leading to a lack of standardisation or universal data structure. While one application captures security-relevant information in one way, another may take an alternative approach.
Ultimately, these nuances make it difficult for central SIEM systems to interpret the logs and data captured and recorded by SAP ETD. And where security teams often don't have the time, knowledge or resources to translate these differentiated logs across, SAP security is often siloed, meaning it is unable to tap into crucial, contextual security information from the surrounding IT infrastructure.
A concerning situation
Companies for which this is the case typically find themselves with a split security strategy that prevents security teams from viewing their organisation's defensive strategy through a holistic lens. While security teams may have complete visibility on one side of the fence, they will often not have a good grasp of what is happening on the other.
This presents several problems. Unable to see the way SAP systems are performing, security teams can't head off issues, and patching SAP can be time-consuming and stop production, causing many organisations to avoid it despite the security risk.
The creation of inefficiencies is also an additional burden to bear for increasingly pressurised security teams. And the lack of visibility and correlation between systems can also create operational challenges. Consider a sale – if the placement of an order isn't communicated between one SAP system and another, then a company's entire production chain may be subjected to bottlenecks, delays, cancelled orders, losses and reputational damages.
The issues are clear and numerous, stretching across several frontiers. However, what is particularly concerning is the lack of awareness and action regarding the implementation of solutions.
In a recent Twitter poll, we found that four in 10 (40%) of respondents admitted that their organisation doesn't include business-critical systems such as SAP in their cybersecurity monitoring, while a further quarter (27%) were unsure if it was included in their cybersecurity monitoring at all.
When asked how they review SAP logs for cybersecurity events or cyber threat activity, three in 10 (30%) respondents revealed they did not review SAP logs in any way, while another three in ten (30%) said they didn't know if these were monitored.
Securing SAP with BCS
These statistics are highly concerning. Not including key SAP-related security information in centralised security monitoring strategies leaves firms blindsided of the potential threats, risks and attacks facing business-critical applications.
Bridging these gaps and breaking down potential siloes to integrate SAP systems is, therefore, imperative. Indeed, in correlating SAP data with that of the wider security setup, it becomes possible to monitor events across the entire enterprise landscape. But how exactly can this be achieved without putting security teams under immense stress?
Enter Business Critical Security (BCS) – a solution designed to incorporate business-critical applications into IT security strategies, ensuring key software applications are monitored thoroughly and centrally, while aligning people, processes and technologies to bolster visibility of all activities.
With BCS, organisations are provided with complete threat visibility at a glance. Actionable dashboards empower security teams to more easily track key metrics and receive contextualised insights, operating as a single-point-of-truth. Not only does this unified overview help security teams better navigate data, but it equally improves security response protocols and distinguishes potential risks from critical vulnerabilities that could be exploited.
Able to continually monitor changes to critical business objects, access to sensitive employee information, user-logins, and exfiltration of sensitive data, BCS can quickly and effectively alert security teams to key incidents to accelerate their response times.
Furthermore, where SAP stores a wealth of personal and sensitive data, protecting this against misuse is essential to meeting the compliance regulations and data privacy laws. Here, BCS will readily develop audit trails instantly and automatically, easing compliance burdens associated with GDPR, CCPA and other data privacy standards.
Looking at SAP specifically, perhaps the most unique and useful solution BCS offers is the ability to break down the log-centric language barriers, ensuring all information is all automatically collated in a standardised manner through easy integration with any SIEM. When this is achieved, security teams can, in turn, position their business-critical systems to tap into key security solutions beyond SIEM, such as Security Orchestration, Automation, and Response (SOAR) and User and Entity Behaviour Analytics (UEBA) and unlock transformative threat insights.
With these additional technologies, the SOC can bring automated threat detection, investigation and response capabilities, as well as accurate risk-based analytics, to SAP applications.
In the case of UEBA, baseline parameters of 'normal' behaviour that are tailored to each individual user of business-critical applications can be established, with suspicious or potentially malicious actions being automatically flagged. Here, an example might be the flagging of a highly privileged SAP account executing an unusual financial transaction within permissible limits.
Bridging the gap between such solutions ensures that all security toolsets and professionals are pulling in the same protective direction. Given the increasing focus of on SAP systems by threat actors, businesses must seek to establish visibility, detection and response capabilities to eliminate potential blind spots if they are to effectively mitigate modern threats.