Tips for mining SAP data for operational insights

Oct. 14, 2022
Risk managers need to consider how vital SAP data can add to a holistic company assessment

Today’s business threats are increasingly cyber-related. But does this pose a threat to a company’s SAP systems?

On February 8, 2022, SAP released security updates to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommended organizations immediately apply the necessary patches. In situations where patches cannot be applied, CISA recommends “closely monitoring your SAP NetWeaver AS for anomalous activity.”

Most cybersecurity attention is focused on networking hardware (servers, routers, IoT devices, etc.). Given that hackers increasingly target SAP systems, and that these systems hold an immense amount of organizational data, an integrated risk management approach is required to help analyze potential events that may negatively impact company individuals and assets.

3 Dimensions for Assessing SAP Security Risks

Threat Detection and Monitoring -- SAP systems need to be safeguarded to protect company information and processes by managing the access of internal and external entities. Although the servers, security logs, and system communications help secure data, it’s still vital to monitor and track every movement within the system. Out-of-the-box SAP tools do not allow for efficient monitoring, and looking for anomalies on your own is a tedious process that requires a great deal of experience. To assist customers, SAP has created SAP Enterprise Threat Detection, an in-house add-on solution. But it’s also too large for many customers’ needs.

SAP is trying to solve its Enterprise Threat Detection issues with a Monitoring-as-a-Service solution. However, there are third parties who have developed better algorithms that support detection of anomalous behavior throughout the SAP system. These third-party solutions allow less experienced IT personnel to achieve the same, if not better, threat monitoring results.

Customers should not forget that SAP systems can only be protected against the threat of cyberattacks if all attack vectors have been hardened; SAP Solution Manager and the integrated configuration validation are used for this purpose. Using these two solutions enables companies to monitor instance configurations across their entire SAP landscape to detect any deviations from the standard.

Users need to be aware that SAP vulnerability management cannot easily be achieved using the SAP Solution Manager for the following reasons:

●      Lack of User Friendliness - Securing SAP systems is an additional task for customers; it needs to be intuitive and as easy to implement as possible.

●      Tedious Setup and Maintenance - The required SAP functions are only available after an extensive implementation is completed, with additional maintenance efforts.

●      High Number of False Positives - The number of false positives (security violations that do not exist) is too high. Users do not trust the SAP Solution Manager results and ignore the time-consuming checks necessary to validate or disprove notifications.

SAP Patches -- A company’s SAP security team is one of the stalwarts of defense against internal and external security threats, particularly as many business practices continue to go digital. By controlling and monitoring access to SAP systems, companies can better protect confidential information and maintain the integrity of their business.

Cyber criminals’ techniques are increasingly sophisticated, and risk managers should anticipate new threats in advance. To keep these systems updated, SAP releases security patches monthly for businesses to integrate with their existing programs. Speed-to-security is essential for an up-to-date SAP security system. Cybercriminals quickly weaponize SAP bugs, so businesses need to download SAP patches as soon as they become available to prevent breaches.

Hardening the SAP application stack in a timely fashion is necessary to ensure security, but difficult because determining the relevant SAP patches from dozens or more recommended monthly is another tedious process. To prolong the agony, a Windows-like upgrade process to implement SAP patches will not be forthcoming, even though it has been strongly suggested by the German-speaking SAP user group (DSAG). It is also important to note that implementing the necessary patches is not a panacea; real-time monitoring is still an essential defense.

Don’t Overlook the ABAP/4 Code -- Finally, in order to ensure cybersecurity, SAP users must not neglect their ABAP/4 program code. The application code base is massive, with many different components spinning different invoices to partners and manufacturers. If not maintained, it could have a snowball effect in terms of vulnerability. The customer-written ABAP/4 code must be constantly checked for vulnerabilities and appropriate bug fixes to achieve the desired level of efficiency.

Building An Effective SAP Security Strategy -- Obtaining visibility into SAP opens the door for risk managers to assess and monitor a wide range of potential vulnerabilities. It enables them to track risk violations to their company’s data while feeding managers constant information for their organizational strategies and compliance processes. However, building the security strategy for SAP is not a task for risk managers only. It requires knowledge about the SAP system architecture, business processes, data classification, interfaces, and even the SAP team structure. Risk managers need to work closely with SAP teams to share vital information on where, who, and what is happening. This process promotes active SAP roles, profile monitoring and assimilating information into a holistic risk assessment. Other pertinent SAP information that can be monitored includes:

●      Assignment of critical authorization and cover-up identification.

●      Critical remote function calls.

●      Access to password hashes.

●      Tracking debug actions.

●      Logins.

●      Custom codes and security.

This wealth of information empowers risk managers with visibility across the organization’s SAP processes, encompassing most business functions and monitoring the controls that can be implemented across each process function.

Conclusion

SAP security is not only about roles and profiles. Risk managers need to consider how this vital application can add to a holistic company assessment. However, there are so many data variables that managing all this information via a single department can be overwhelming; IT, InfoSec and risk management teams need to manage this in a joint and automated fashion. Many organizations leverage automated monitoring tools to keep track of SAP attack vectors such as mishandled SSL configurations, missing security patches, code vulnerabilities, and security audit logs.

Sound decisions must be made on effective risk-adjustment priorities. Companies that align SAP strategies with existing risk management principles will improve security focus and decision-making.

About the author: Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider, serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.