Addressing SAP Security Gaps

Author: Ivan Mans
Date Published: 22 September 2022

SAP systems are treated differently from many other enterprise applications from a cybersecurity perspective. Most SAP security teams are siloed and left to meet security objectives on their own. Since SAP is so integral to organizations, it is unusual that SAP security objectives are not on the radar of the existing 24/7 cybersecurity team that executes response actions for Linux or Microsoft environments. SAP teams must be integrated with the other cybersecurity groups within an organization to give them a security approach that unifies the entire enterprise landscape.

Closing the SAP Security Gap

SAP is a unique application that requires the security apparatus to be SAP-aware. It is often treated as a black box: it has its own communication protocol and its own messaging bus. All cybersecurity teams need to be aware of this to close security gaps and stop threats from persisting in the enterprise environment. Closing the SAP security gap requires several steps:

  1. Apply SAP-aware network security at the perimeter for north-south inspection and critical points such as SAP routers and external gateways.
  2. Apply internal segmentation for east-west inspection. User connections must be segmented from direct database access, messaging servers and between application servers and other enterprise landscapes.
  3. Ensure preproduction and production environments within the Security Identifiers (a unique and unchallengeable identifier with a variable length used to appoint or identify a trustee).

Closing the SAP gap also means becoming aware of how IT security events affect transaction times, since SAP is transactional and latency-sensitive. As such, cybersecurity teams may not be able to rely on databases such as SAP’s High Performance Analytic Appliance (HANA) for every single inspection. They need to manage inspections in a thoughtful and low-latency manner. In addition, cyberprofessionals should have a good understanding of SAP protocols so that they can recognize whether communication is coming from a thick client or over the Dynamic Information and Action Gateway (DIAG) protocol. DIAG is a proprietary protocol that supports client-server communication and links the presentation layer (e.g., the SAP graphical user interface [GUI]) and the application layer (e.g., NetWeaver) in SAP systems.

Adequately addressing the SAP cybersecurity gap also entails becoming aware of the vulnerability cycle1 and knowing what needs to be done and when. Managing the vulnerability cycle requires a holistic approach to SAP security (i.e., going beyond formal authorization and access management controls).

There are three pillars for addressing the vulnerability cycle:

  1. Harden systems—Ensure that configurations are validated, enforce the baseline and secure the custom-code base.
  2. Establish continued monitoring—Security teams must be alerted whenever an event deviates from a preset baseline and regularly update the detection signatures.2
  3. Embed patching into the regular release cycle—At a minimum, patching must be performed monthly.

Patching is critical and should be performed routinely (e.g., implementing security notes and upgrading vulnerable components on a monthly basis), even if patching is done virtually. Virtual patching involves keeping signatures up to date and understanding the Common Vulnerabilities and Exposures (CVEs) published for SAP. It provides a means to mitigate attack vectors in systems that have not yet been patched, based on the vulnerability types for which threats are actively being reported. Virtual patching can be conducted inline while a transaction is happening, triggered by either an intrusion prevention system or an intrusion detection system.


In addition, SAP security alerts3 must be delivered in a universal format. When a cybersecurity operator receives an alert from SAP, it should be comprehensible without requiring intervention from someone with SAP expertise. Every alert needs to be relevant and actionable; otherwise, receiving SAP alerts will quickly result in security fatigue and monitoring will be reduced to a checkmark against compliance processes. Security alerts must also be associated with the correct contact. For example, an SAP user created through standard support channels is very different from a critical user injected into the system by an unknown source. All cybersecurity personnel must have access to correct contact information in the SAP database, because every user event is associated with the person responsible. Having accurate user information readily available is critical; every second counts between incident identification and incident response.
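The distinction drawn above, between a user created through the support channel and a critical user injected by an unknown source, can be turned into a normalized, contact-enriched alert. The following is an added example and not the article's or SecurityBridge's code; the ticket numbers, account names, role names and contact addresses are constructed, and the input records are a simplified shape assumed for illustration, not SAP's own log or table format.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed reference data, not SAP's own: which tickets were closed through the
# support channel, who may create users, and which roles the organization rates critical.
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}
KNOWN_ADMINS = {"BASIS01", "BASIS02"}
CRITICAL_ROLES = {"ZADMIN_ALL"}
CONTACTS = {"BASIS01": "basis-oncall@example.invalid", "BASIS02": "basis-oncall@example.invalid"}
FALLBACK_CONTACT = "soc-oncall@example.invalid"   # used when the creator is not a known person

@dataclass(frozen=True)
class Alert:
    # One universal shape for every SAP-originated alert, readable without SAP expertise.
    severity: str
    summary: str
    user: str
    contact: str
    action: str

def assess_user_creation(event: dict) -> Optional[Alert]:
    """Turn one user-creation event into a normalized alert, or None when it is routine."""
    via_support = event["ticket"] in APPROVED_TICKETS and event["created_by"] in KNOWN_ADMINS
    critical = bool(set(event["roles"]) & CRITICAL_ROLES)
    contact = CONTACTS.get(event["created_by"], FALLBACK_CONTACT)
    if via_support and not critical:
        return None                                   # ordinary user, ordinary channel
    if via_support:
        return Alert("medium", f"critical user {event['user']} created under {event['ticket']}",
                     event["user"], contact, "confirm the ticket scope with the change owner")
    return Alert("high" if critical else "medium",
                 f"user {event['user']} created outside the support channel by {event['created_by']}",
                 event["user"], contact, "lock the account and open an incident")

def triage(events):
    """Run every event through the assessment and keep only the alerts worth acting on."""
    return [a for a in map(assess_user_creation, events) if a is not None]

# Constructed sample events: routine creation, injected critical user, ticketed critical user.
SAMPLE_EVENTS = [
    {"user": "JDOE", "created_by": "BASIS01", "ticket": "CHG-1001", "roles": ["ZREAD_ONLY"]},
    {"user": "SVC_EXT", "created_by": "UNKNOWN", "ticket": None, "roles": ["ZADMIN_ALL"]},
    {"user": "MSMITH", "created_by": "BASIS02", "ticket": "CHG-1002", "roles": ["ZADMIN_ALL"]},
]
```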

Real-World Case Study

As is the case with many cybersecurity challenges, security teams should consider any human factors in addition to the technical controls. A security incident can range from a person making an honest mistake and inadvertently exposing enterprise data, to a malicious insider attack by a disgruntled employee who intends to leak critical security-related information.

SAP can help enterprises pay attention to the human element of cybersecurity. For example, a human resources (HR) operations center was once the target of a social engineering attack designed to change personal employee bank account credentials. The goal of the malicious cyberactor was to intercept employees’ direct deposit payments and send those funds to another account. Unfortunately, this incident was not reported until employee paychecks went missing.

Analyzing the threat revealed that the bank account information was stored in SAP. To help address the situation, cybersecurity personnel leveraged SAP to focus on a specific employee field within the database. If the field changes, an email is sent to the employee notifying them of the bank account change and asking them to confirm or deny that they initiated the change. If denied, a response team will immediately address the issue. Using SAP labels to crowdsource a user community for incident response services creates a tripwire response to overcome a technological hurdle for direct employee response. 
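The tripwire described in the case study can be modelled as a small confirm-or-deny workflow: a change to a sensitive employee field queues a notification to that employee, a denial is escalated to the response team, and a change nobody answers is escalated once a window expires. This is an added example, not the article's or the HR operations center's implementation; the field names, employee and clerk identifiers, and the 24-hour fail-closed expiry are assumptions, and `run_sample` builds a constructed scenario with one denied, one confirmed, one unanswered and one non-sensitive change.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SENSITIVE_FIELDS = {"BANK_ACCOUNT", "BANK_KEY"}  # constructed names, not SAP's own field ids
FieldChange = namedtuple("FieldChange", "employee_id field_name changed_by changed_at")

@dataclass
class Tripwire:
    confirm_window: timedelta = timedelta(hours=24)
    pending: dict = field(default_factory=dict)        # key -> FieldChange awaiting confirm/deny
    notifications: list = field(default_factory=list)  # emails queued for the affected employee
    escalations: list = field(default_factory=list)    # cases handed to the response team

    def observe(self, change):
        # Only sensitive fields trip the wire; everything else passes silently.
        if change.field_name not in SENSITIVE_FIELDS:
            return None
        key = (change.employee_id, change.field_name, change.changed_at.isoformat())
        self.pending[key] = change
        self.notifications.append({"to": change.employee_id, "field": change.field_name,
                                   "ask": "Did you request this change? Reply confirm or deny."})
        return key

    def respond(self, key, confirmed, reason=""):
        # A confirmed change is closed; a denied one goes straight to the response team.
        change = self.pending.pop(key)
        if confirmed:
            return "closed"
        self.escalations.append({"employee": change.employee_id, "field": change.field_name,
                                 "changed_by": change.changed_by, "reason": reason})
        return "escalated"

    def expire(self, now):
        # Assumed fail-closed policy: silence past the window is handled like a denial.
        stale = [k for k, c in self.pending.items() if now - c.changed_at > self.confirm_window]
        for k in stale:
            self.respond(k, False, "no employee response within the confirmation window")
        return len(stale)

def run_sample():
    t0, tw = datetime(2022, 9, 1, 9, 0), Tripwire()
    k1 = tw.observe(FieldChange("E100", "BANK_ACCOUNT", "HRCLERK3", t0))
    k2 = tw.observe(FieldChange("E200", "BANK_ACCOUNT", "E200", t0))
    tw.observe(FieldChange("E300", "BANK_KEY", "HRCLERK3", t0))
    tw.observe(FieldChange("E300", "PHONE", "E300", t0))
    tw.respond(k1, False, "employee denies requesting the change")
    tw.respond(k2, True)
    tw.expire(t0 + timedelta(hours=30))
    return tw
```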

Conclusion

A chief information security officer (CISO) has many priorities, but when it comes to SAP environments, CISOs must fully understand how SAP applies to the IT enterprise and organizational environment to help them achieve all security goals. In addition, CISOs need to know their SAP team members personally so they can integrate them rather than contain them in silos.

Finally, SAP must be secured to the same degree as other enterprise applications. When there is a Linux, Microsoft, or even a hybrid cloud incident, cybersecurity teams have a detailed plan of action upon which they are ready to act. SAP requires high-level consideration, or critical elements of the business will be vulnerable to malicious cyberactors—with no apparent response.

Endnotes

1 SecurityBridge, “Automate and Simplify Vulnerability Management for SAP Applications and Custom Code”
2 SecurityBridge, “Interface Traffic Monitor”
3 SecurityBridge, “SAP Threat Monitoring”

Ivan Mans

Ivan Mans is an experienced SAP technology consultant who has worked in the SAP space since 1997. In 2012, he cofounded SecurityBridge. In his current role as chief technology officer (CTO), he is a motivated driver who inspires people and pushes technology, contributing to the continuous innovation of the SecurityBridge Platform. In recent years, Mans has been a regular speaker at SAP events, where he evangelizes about SAP security.