Why SAP systems need to be brought into the cybersecurity fold
SAP’s status as a leading business process management software provider is undeniable. Today, the company serves over 230 million cloud users and 99 of the top 100 companies in the world with the largest cloud portfolio of any provider, comprising more than 100 solutions covering all business functions. Touching 77% of all transactions and thought to store 70% of all corporate data, SAP systems are a fundamental digital cog in the global economy.
But SAP systems also pose several security challenges.
Many of its applications are designed to meet specific departmental needs. SAP SCM, for example, is built to support supply chain management specialists with solutions in planning, logistics, manufacturing, and product lifecycle management.
In meeting the unique requirements of individual departments, these applications can end up siloed in small pockets of the organization away from central security strategies, making it difficult to monitor, patch and maintain them, let alone spot suspicious or malicious activity.
SAP systems are highly attractive targets for threat actors, storing highly valuable information such as personal data, financial data, and business-critical intellectual property. And, unfortunately, cybercriminals are all too aware of the fact that SAP systems often reside outside central security strategies.
A recent part-owned SAP report revealed that for every 1,500 cyberattacks on SAP systems recorded between mid-2020 and March 2021, 300 were successful, with threat actors leveraging faults in unsecured applications to commit financial fraud, deploy ransomware and disrupt business operations.
In this sense, SAP’s greatest strengths are in many ways its Achilles’ heel. With so many organizations reliant on the firm’s applications, any nefarious actor able to exploit them stands a strong chance of exploiting potential victims.
The threats facing SAP
The problem is exacerbated by the variety of attack vectors that cybercriminals are leveraging to target mission critical SAP systems, with applications often remaining vulnerable for extended periods due to security patches not being applied in a timely manner.
In February we saw the Cybersecurity and Infrastructure Security Agency (CISA) urge admins to patch SAP NetWeaver against a critical vulnerability that could facilitate a range of attacks and even lead to operational shutdown. In the very same month, of the 22 security notes or updates issued by SAP, eight were deemed “Hot News”. Four were updates but of the remainder, three had a maximum CVSS score of 10 and the fourth 9.1.
SAP is prolific in its patching. However, patches cannot be applied directly to productive systems, requiring downtime which is often not an option for mission-critical systems. Even when a business upgrades to SAP S/4HANA, the pressure to go-live can see security side-lined.
Resultantly, threat actors continue to wait in the wings to capitalize on this.
Indeed, the earlier mentioned report reveals that exploits are attempted within 72 hours of SAP publicly announcing patches, while new SAP environments are being identified and attacked online within as little as three hours. This highlights the criticality of organizations both promptly implementing patches and ensuring that applications are configured correctly and protected adequately at roll-out.
A variety of attack methods have been witnessed, such as the use of brute-force attacks on privileged accounts. Here, attackers have been known to attempt to use default passwords that may have remained unchanged following installation.
Customer and supplier portal attacks are a second example, with threat actors having created backdoor users in the SAP J2EE User Management Engine to obtain access to SAP Portals and Process Integration platforms. Attacks through SAP proprietary protocols are also executed using operating system commands with the privileges of the SAP administrator.
CVSS scores of 10 on threats such as these are of no coincidence. Any vulnerability in SAP is highly concerning owing to its impact potential – should SAP systems be attacked, the consequences can be catastrophic, cascading across multiple risk areas.
The loss of intellectual property is one such example. Trade secrets are the defining features of many businesses, setting them aside from their competitors. Should they be stolen or made public, this can lead to disrupted innovation cycles and irreversible reputational damages.
If sensitive information such as customer or financial data is stolen, organizations may also be subject to regulatory sanctions and hefty penalties. For instance, in the case of GDPR, entities may be fined up to 4% of their annual turnover if they aren’t compliant, and if third-party data is compromised, the Copyright Act expressly provides cause for potentially massive claims for imposed damages.
Additionally, there are several operational risks associated with the improper protection of SAP systems. Given their central role in the data landscape, SAP applications are subjected to annual audits to determine the effectiveness of controls underpinning data integrity and security. Should organizations fail an audit, applications can be taken offline, resulting in major disruptions and costly remediation expenses.
Understanding the complexity of SAP systems
Despite this impact potential, the security practices and protocols associated with SAP systems often leave a lot to be desired.
In a recent Twitter poll targeted at cybersecurity and IT professionals in both the US and UK, it was found that 40% of organizations don’t include business-critical systems such as SAP in their cybersecurity monitoring, while a further 27% were unsure if it was included in their cybersecurity monitoring at all. Further, 30% admitted that they do not currently review SAP logs for cybersecurity events or cyberthreat activity, while 30% said they were unsure as to whether this monitoring was occurring.
Such statistics are concerning. Failing to monitor SAP logs for security threats creates blind spots, hampering abilities to detect and respond to attacks and leaving organizations vulnerable. However, the simple reality is that may organizations struggle to bridge the gap between SAP systems and security.
Much of this stems from the complexity of SAP systems. Be it ERP Central Component, Business Warehouse, Human Capital Management or another of SAP’s extensive suite of products, each application has its own distinct nomenclature and rulesets.
The logs created by each SAP application in capturing security-relevant events are presented in differing formats with a distinct lack of standardization, making it incredibly difficult for security teams and SIEM systems to make any sense of SAP log data.
How can businesses better protect their business-critical applications?
To be successful, businesses need to work towards building an integrated security operations platform that monitors all IT infrastructure and provides complete visibility into SAP systems to massively reduce current security risks and provide logs to aid any audit processes.
Here, they should work to incorporate SIEM technologies to benefit from coordinated threat detection and response as well as automated monitoring, alerts and remediation. Fortunately, the market is beginning to lean more heavily this way with complementary technologies and solutions emerging as businesses continue to build out their cloud presence.
By converging SIEM solutions with Security Orchestration, Automation and Response (SOAR) and User and entity behavior analytics (UEBA), organizations can benefit from automated threat detection, investigation, and response capabilities as well as accurate, risk-based analytics, guiding security teams to combat advanced threats.
Thankfully, there are all-in-one solutions on the market capable of providing this comprehensive suite of solutions, with many specifically designed to solve the challenge of SIEM-SAP separation.
Such solutions can standardize the complex data in SAP system(s) to ensure readability in the SIEM, enabling real-time analysis of internal SAP activity while also allowing firms to correlate SAP data with other events in the IT network.
Of course, not all SaaS solutions are made equal. With SAP rolling out its new flagship product S/4HANA as an improvement on its existing ERP Central Component software, organizations should look for a solution that is compatible with both versions to support seamless migration strategies.
Further, advanced security solutions such as these will require security professionals with competencies in SAP – skills that entities will need to focus on developing, attracting, and retaining to be successful.
However, between the current threats facing SAP systems and the criticality of such applications to organizations, breaking down the siloes between operating departments and security setups must be prioritized. Not only will security be vastly improved, but the operational benefits will equally be transformative.