Roadshow Recap: SAP Cybersecurity Continues to be Top of Mind for F1000

Onapsis has just completed its first annual North American Roadshow Series including stops in the Bay Area, Houston, Minneapolis and in New York. With over 100 attendees from Oil & Gas, Utilities, Retail, Manufacturing, Banking, Technology, Life Sciences and the Government industries, these events were a huge success for our customers. Representatives from the top 30 F1000 companies brought a unique perspective on how they are planning to, or have already implemented an SAP cybersecurity strategy with Onapsis at the core of their programs.

Even with different industries represented, I found several common problems that everyone is grappling with:

  1. The SAP Cybersecurity Gap: Many organizations have different teams working in silos. Management often has a false sense of confidence that they have SAP covered, while cybersecurity teams feel they have little to no visibility into SAP. It was also apparent in our Customer Advisory Board meeting that the SAP cyber-security gap is becoming more ambiguous because of asset mapping issues - where an organization’s IP lives and how these systems that house the “crown jewels” are being secured on a daily basis.
  2. The SAP Patch Management Debacle: On average all companies are working with an 18-month window of vulnerability timeline. This window starts with the time a vulnerability is found to when a patch is issued by SAP and finally deployed by the organization itself. We’ve found that deployment is still the biggest problem organizations face. In fact - SAP has issued over 3300 patches in total with 391 issued in 2014 alone. That is 30+ per month on average. With approximately 46% of patches ranked as “critical” it’s difficult for an organization to prioritize their patches without disruption to the business.

  3. Misconfigurations Are Causing Major Security Issues: Companies are having a very difficult time keeping track of how systems are configured let alone understanding their entire SAP landscape. An organization’s “Crown Jewels” reside within SAP and misconfigured SAP systems and portals are open targets for any adversary. Even if systems have the latest patch installed, a misconfiguration will allow hackers to access key information and business processes. In most cases, an attacker’s presence will go unnoticed for months.
  4. HANA and IoT is Top of Mind: Organizations are moving to the new de-facto database server HANA for new SAP solutions. This changes everything as organizations cannot view SAP as a “legacy” system. Organizations have also been told that with HANA they will be more secure, however the fact is that our Onapsis Research Labs were the first to find and continue to uncover critical security threats and vulnerabilities on HANA-based platforms. Since 2014 there’s been a 450% increase in new security patches and with 82% considered “high priority”. Additionally as organizations continue to advance their SAP systems with rapid application development, mobile deployments and connecting a multitude of different devices (think vending machines, water meters, etc) to SAP via open APIs an organization’s SAP attack surface is expanding at a rapid pace let alone the complexity of managing security risks.

With such common areas of concern we had lengthy discussions on how to best approach these key challenges. We also had great presentations from key clients ranging from “SAP Security Hygiene” to “Explaining the ‘why’ in SAP Cybersecurity”. Each presentation mapped out an SAP strategy that aligns to the maturity of their Infosec organization and the appetite of their CIO/CISO and Board.

The biggest question I personally received from organizations looking to implement an SAP cybersecurity strategy was “what do we do when we get back to our offices on Monday morning?” To that question I responded with the following steps:

  1. Map Your SAP Landscape and Terrain: Through asset discovery, find out if you have 1 or 100 SAP systems and their interfaces. Then work to understand the business processes that each system supports and the information that each system houses.
  2. Understand the Risks and Impact:
    • Economic - Understand the value chain that SAP systems and applications support. Also calculate the dollars that the SAP platform manages at your organization.
    • Compliance - Map Policies with an SAP security lens (i.e. SAP Security Guidelines) as well as authoritative sources (SOX, PCI) and perform assessments to identify critical compliance gaps.
    • Context - Prioritize risk by severity against assets (TOP-10, don’t boil the ocean), likelihood and timing of the risks and the potential business impact.
  3. Add SAP cybersecurity to your strategy and roadmap. This is complex and you will need specialized expertise and monitoring capabilities in order to gain insight into the past, current and future vulnerabilities that can impact the business. Continuously monitor systems to ensure both security and compliance issues remain low. Incorporate SAP into your risk, compliance and vulnerability management program. Respond to new threats, attacks, or user behavioral anomalies as indicators of compromise. Incorporate SAP into your Incident Response program.

With the incredible response, participation and discussions for our roadshows it appears that SAP cybersecurity is now top of mind to leading security organizations. A final thought on another key industry element that Onapsis is working on is SAP threat intelligence. Onapsis already provides deep expertise and research on key SAP cybersecurity trends and our customers are definitely seeing the value of integrating SAP threat intelligence feeds into their existing security operations centers, SIEM solutions and operational risk solutions. As the Onapsis community continues to work together throughout the year I look forward to seeing how together we solve one of the biggest cybersecurity issues facing organizations today. I also look forward to seeing our customer’s progress, and to watch security organizations transform their approach to SAP cybersecurity.

Leave a comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Subscribe to our monthly newsletter, the Defender's Digest!