By Jay Thoden van Velzen, Technical Advisor, Office of the CSO
The scale and impact of cyber attacks on companies and government institutions is increasing continuously. Protecting against and responding to threats and attacks are therefore key components of defending critical business operations these days.
SAP strives to provide customers with secure software and services through the Secure Development and Operations Lifecycle (SDOL) and provides security guides and configuration maps. Meanwhile, penetration tests and issues found by external security researchers lead to product improvements and security patches. SAP also runs a bug bounty program and a secure vulnerability disclosure program that help us continuously uplift and improve our products and that recognize outside contributors. But that is only the start in running production SAP systems securely and managing the threats and security incidents they may be subjected to.
When customers run SAP systems on premise, they are responsible for the secure configuration and operation of the solution, including the entire technical stack it runs on: servers, databases and networking infrastructure. That also includes threat detection and security incident response for the full stack. For organizations running SAP solutions on premise, attacks on enterprise IT and corporate credentials can spill over into SAP systems. For instance, if a customer experiences a ransomware incident in their own enterprise infrastructure, any SAP systems hosted there could also be impacted by the event.
In addition, managing threats against SAP systems requires monitoring the secure configuration of the solutions themselves, as well as secure configuration of the business processes the solution supports. Threats include:
Many customers choose to move to the cloud for security and compliance reasons. However, even when using cloud services, key responsibilities for threat detection and incident response remain on the customer side. The Shared Responsibility Model for security doesn't only separate responsibilities, it also establishes strict privacy boundaries. This model is illustrated in the diagram below. You can also find a variant in this white paper specifically for RISE with SAP Private Edition.
SAP protects, monitors and responds to threats in cloud infrastructure and control plane, networks and server infrastructure, data stores and cloud operations. For SaaS cloud solutions, that also includes deployment of SAP security patches before they are released on Patch Tuesday every month.
But SAP has no access to the secure configuration and transactions of customer applications. Customers provision users and authorizations, configure business processes, and decide who has access to what data and functionality in the system. SAP doesn't have user access to customer systems, except in cases such as support incidents where customers explicitly grant SAP users access to their system. Therefore, SAP can't monitor or respond to threats at those levels within the application on behalf of customers.
Many cyber threats target core IT infrastructure rather than specialized applications like ERP systems. Research published by Onapsis and Flashpoint in August 2024, though, indicates a rising threat of malware specifically targeting SAP solutions rather than, for instance, the underlying operating system. They also report a dramatic rise in chatter by adversaries discussing SAP vulnerabilities and exploits. Whether running on premise or in the cloud, such SAP-specific malware targets the areas in the model that customers are responsible for.
Beyond SAP's own responsibility to secure our products and cloud solutions, we consider it important to support customers in running securely as well. SAP Solution Manager, Cloud ALM, and solutions in the GRC suite help customers configure their landscapes correctly.
When it comes to threat detection and integration of SAP security events into customers’ detection and incident response processes, there are several options available. SAP offers Enterprise Threat Detection, while several partners offer solutions on the SAP Store. Many customers don’t have SAP expertise on their cybersecurity teams. These offerings help bridge gaps between cybersecurity and SAP teams with security alerts specific to SAP solutions that can be investigated and addressed together.
Of course, we hope that it never happens. But despite your efforts to securely configure the landscape and address threats before they become a problem, you may encounter security alerts that indicate a security incident is in progress or has occurred. If SAP teams notice it first, they should alert their cybersecurity counterparts. If the security incident response team raised the incident ticket, they should involve their SAP team colleagues to triage and respond to the incident. Customers should report security issues to SAP. However, given the constraints mentioned before, there are potentially limits to what our security incident response team can do.
The incident may exceed the expertise of your in-house teams and require specialist outside help. Onapsis Research Labs provides direct support to customers going through an SAP security incident. Through this service, customers can get assistance from experienced professionals who have worked through many such incidents before. They conduct threat intelligence and are familiar with the tactics and techniques used by adversaries targeting SAP systems. The service offering is listed on the SAP Store, and you can find more information in Onapsis's blog as well.
This service offering is an important addition to support customers in their SAP security programs across all the functions of the NIST Cyber Security Framework.
There are several previous blogs that cover the theme of business and cyber resilience, and building bridges between customer SAP teams and cyber security teams. Please find their links below: