Christoph Aschauer, Director, LogPoint for SAP

SAP is a market leader in enterprise application software and is used by 92% of Forbes Global 2000 companies. This includes organizations distributing 78% of the world’s food and 82% of the world’s medical devices. SAP systems hold large amounts of sensitive personal data in Enterprise Resource Planning, Human Capital Management, Sales, SRM, CRM, and other modules of the system.

In many ways, an SAP system could be described as the carrier of intellectual property and the secrets of success to an organization, which are foundational for delivering its products and services. SAP is also a vital tool in business planning, manufacturing in ERP, Product Lifecycle Management, Business Intelligence, Material Management, and more. This stresses the need to protect SAP systems from cyberattacks and cybercriminals.

Due to the widespread use of SAP around the globe, and the sensitive data it manages for organizations across industries, it is an attractive target. Analyzing SAP threat vectors and the associated threat actor landscape, it’s clear that significant SAP-specific domain knowledge is available, allowing cybercriminals to attack SAP systems in very sophisticated ways, targeting the crown jewels of large organizations and potentially disrupting critical infrastructure.

To protect organizations using SAP, it is essential to understand the basics of SAP security, its weaknesses, and how to apply a 360-degree, holistic approach to security, including a modern SAP SIEM.

SAP security basics

SAP security is a broad field spanning organizations, processes, applications, underlying systems and the IT/OT environment. Therefore, awareness of SAP security is essential, as is the establishment of security governance. This helps establish the foundation of strategies, policies, and standards for SAP. When discussing SAP security, data protection and data privacy are critical topics. They are essential to protecting an organization’s intellectual property and to fulfilling audit requirements and regulatory compliance like GDPR.

And of course, SAP security covers capabilities like user and identity management, access control and authorizations, code security, network security, OS security, database security, and endpoint/client security. Another element that needs to be established when discussing SAP security is the hardening of SAP systems. For a deeper introduction to SAP security basics, see my blog post on SAP security fundamentals.

To properly protect SAP systems, a holistic approach is required. This means starting with assessing and establishing an SAP security governance strategy that includes creating policies and risk management. Additionally, policies and segregation of duties concepts and compliance need to be monitored based on reports and in real-time. Finally, the monitoring of access to essential data like an organization’s intellectual property or access to personal data is critical as security concepts can be bypassed at any time.

SAP itself provides the most common SAP security tools: the SAP Solution Manager and SAP Governance Risk and Compliance (SAP GRC). Larger SAP environments are typically managed using the SAP Focused Run. SAP has also released SAP Enterprise Threat Detection, promoted as the “SAP SIEM” to satisfy the requirement to monitor SAP security events and activity in near real-time.

The team’s gap

Historically, SAP security has been based on the tools provided by SAP itself. This is because SAP security has mainly been centered around identity management, access control, and authorizations managed by the SAP department. The SAP department is often a part of the finance organization or IT operations department. SAP security is rarely a collaborative effort with the cybersecurity team, which manages security in the wider company infrastructure.

Organizations often fail to join the forces of those two key departments in defending their most valuable and vulnerable assets. While Cybersecurity departments lack knowledge in SAP security, SAP departments often have a profound lack of fundamental cybersecurity knowledge. This fundamental flaw is amplified because most SAP customers continue to rely on basic SAP security tools and are not deploying SAP Enterprise Threat Detection.

SAP Enterprise Threat Detection supports the much-needed monitoring of SAP systems in terms of compliance, system settings, and system activity in near real-time. Still, it only serves to widen the gap between SAP security and cybersecurity.

The cybersecurity gap

A SIEM solution, as deployed by many cybersecurity teams, is the single system where all kinds of security-relevant information are collected and analyzed in real time. It’s designed to receive and analyze millions of events per day and identify threats based on predefined rules and anomalies in user behavior. A SIEM collects data from all sorts of network devices, identity and access management systems, endpoints, servers and databases, IT infrastructure, operating systems, and applications.

In contrast, SAP Enterprise Threat Detection focuses solely on the monitoring of SAP security information. It does not support the correlation of SAP data and events with the data collected by the SIEM in the cybersecurity team. This isolates SAP security on an “island of its own”, creating a gap between SAP security and cybersecurity, failing to utilize the crucial, contextual security information from the surrounding IT infrastructure, and failing to take advantage of the competencies in the cybersecurity team.

The siloed security information structure is a significant roadblock in taking a holistic, 360-degree approach to security. The gap slows down detection and response to cybersecurity incidents and leaves SAP systems vulnerable to cybercriminals that are taking advantage of the gap to penetrate SAP systems. To bridge the gap and support a holistic view on security, modern SAP SIEM solutions are required.

The Modern SAP SIEM

The modern approach to SAP security is based on the combination of SAP security information with the contextual security information from the surrounding IT infrastructure held in the SIEM. Bringing SAP security data together with this context and with the competencies of the cybersecurity team bridges the gap, improving and speeding up detection and response to incidents.

It allows SAP security teams to take advantage of the advanced analytics in SIEM platforms, including User and Entity Behavior Analytics (UEBA), supplementing the standard rule-based approach (known threats) with the capability to detect unknown threats and unknown suspicious behavior. An example is a highly privileged SAP account executing an unusual financial transaction within permissible limits as a result of a phishing attack.
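The phishing scenario above can be sketched as a small correlation rule. This is an added illustration, not LogPoint or SAP code: the normalized event schema, the user names, the sample events, and the assumption that the mail and SAP identities share one name are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, user, action).
# The schema is an assumption, not a real SAP or SIEM log format.
EVENTS = [
    ("2024-03-01T09:10:00", "sap",  "FIN_ADMIN", "tx:FB60"),
    ("2024-03-04T10:02:00", "sap",  "FIN_ADMIN", "tx:FB60"),
    ("2024-03-05T08:30:00", "sap",  "HR_CLERK",  "tx:PA30"),
    ("2024-03-11T08:55:00", "mail", "FIN_ADMIN", "phish_click"),
    ("2024-03-11T09:20:00", "sap",  "FIN_ADMIN", "tx:FK02"),
    ("2024-03-11T09:40:00", "sap",  "FIN_ADMIN", "tx:FB60"),
    ("2024-03-11T11:00:00", "sap",  "HR_CLERK",  "tx:PA20"),
]

BASELINE_END = datetime(2024, 3, 8)   # events before this date train the baseline
WINDOW = timedelta(hours=24)          # how long a phishing alert raises severity


def parse(events):
    """Convert ISO timestamps and return the events in time order."""
    return sorted((datetime.fromisoformat(ts), src, user, act)
                  for ts, src, user, act in events)


def detect(events, baseline_end=BASELINE_END, window=WINDOW):
    """Flag SAP actions a user never ran during the baseline period.

    The account is authorized for the action, so an authorization check
    stays silent; only the behavioural baseline notices it. A finding is
    "high" when the same identity triggered a mail-gateway phishing alert
    within `window` beforehand, otherwise "low".
    """
    baseline = {}   # user -> SAP actions seen during the baseline period
    phish = {}      # user -> time of the most recent phishing alert
    findings = []
    for ts, src, user, act in parse(events):
        if src == "mail" and act == "phish_click":
            phish[user] = ts
        elif src == "sap":
            seen = baseline.setdefault(user, set())
            if ts < baseline_end:
                seen.add(act)
            elif act not in seen:
                recent = user in phish and timedelta(0) <= ts - phish[user] <= window
                findings.append((user, act, "high" if recent else "low"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

With SAP data alone, both deviations would look the same; the mail-gateway context is what separates the likely compromised account from ordinary new behaviour.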

The question might come up as to how a SIEM analyst in the cybersecurity team is able to work with SAP security information. The next-generation SAP SIEM supports mapping identified threats to the standard MITRE ATT&CK framework, helping the cybersecurity analyst to clearly understand and remedy the attack. Also, the next-generation SAP SIEM supports playbooks for the response to incidents, formalizing response processes and allowing remediation to be automated.

That being said, new skillsets will be required, combining expertise in SAP security and cybersecurity. But the integration of SAP in a SIEM is the only place where SAP security and cybersecurity can meet to create a holistic view and more cybersecurity efficiency. While advanced analytics, MITRE ATT&CK mapping, and automation will help, there is no doubt that human skills in SAP and cybersecurity will be very sought after in the future. Now is the time to get started.