SAP is one of the most widely used enterprise application software systems worldwide. It is utilized by 92% of Forbes Global 2000 companies, including organizations distributing 78% of the world’s food and 82% of the world’s medical devices. SAP also is arguably the most important application in an organization, responsible for managing and protecting intellectual property which is foundational for delivering its products and services. These systems are often siloed within the centralized cybersecurity monitoring of a business, leaving an open door for threat actors.
An attack on SAP systems can have a devastating impact on business operations, greatly affecting finances and reputation; the average cost of a cyberattack is approximately $5 million. Despite this, many organizations do not invest sufficiently in protecting against cyberattacks, or they rely exclusively on ERP vendor tools, making systems like SAP a prime target for adversaries.
As we have seen with ransomware groups such as BlackMatter, REvil and Conti, threat actors are constantly evolving. Organizations need to keep pace with a modern and holistic approach to SAP security, which can be achieved by integrating security information and event management, or SIEM, to monitor all IT infrastructure for complete insight.
SIEM aggregates data from multiple systems and analyzes it to detect abnormal behavior or potential cyberattacks. These tools collect data from different locations across the network, making it easier to monitor and respond to threats within the IT infrastructure in real time.
Organizations can increase the security posture of their SAP environment in four ways: ensuring the proper configuration of system settings, continuously monitoring authorizations, properly coding and patching, and integrating SIEM.
1. Properly configure system settings
With seemingly endless individualization settings, the basic security of an SAP system relies on correct configuration, including compliance with rules for system settings, proper program authorization permissions, and the rules governing SAP system communication. The operating system, database and application layers all require careful attention, including the configuration of the RFC Gateway to prevent unauthorized remote access from other systems and applications. To keep configuration correctly updated, organizations should refer to the guidelines provided by SAP user groups such as DSAG for security-oriented settings, test catalogs and general best practices.
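The configuration checks described above are usually run as a comparison of profile parameters against a baseline. The following Python script is an added example written for this article, not code from SAP or from any user group; it parses a constructed instance profile in the `name = value` layout and compares a small, illustrative subset of security-relevant parameters (the parameter names are real, the baseline values and rationale are this example's assumptions, not a full DSAG catalog) against expected values:

```python
"""Profile-parameter baseline check (added example, not SAP or DSAG code).

Parses lines in the `name = value` format of an SAP instance profile and
compares a handful of security-relevant parameters against expected values.
The baseline below is a small illustrative subset chosen for this example;
a real check would use the full catalog from the user-group guidelines.
"""

# Constructed sample profile with deliberately weak settings.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/fails_to_user_lock = 99
rsau/enable = 0
gw/acl_mode = 0
gw/monitor = 2
"""

# parameter -> (operator, expected value, rationale)  [assumed baseline values]
BASELINE = {
    "login/min_password_lng":   (">=", 8, "minimum password length"),
    "login/fails_to_user_lock": ("<=", 5, "lock user after repeated failed logons"),
    "rsau/enable":              ("==", 1, "Security Audit Log must be switched on"),
    "gw/acl_mode":              ("==", 1, "RFC Gateway enforces secinfo/reginfo ACLs"),
    "gw/monitor":               ("<=", 1, "no remote administration of the gateway monitor"),
}

OPERATORS = {
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def parse_profile(text):
    """Return {parameter: value} from profile text; comments and blanks are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_profile(params, baseline=BASELINE):
    """Return a list of findings as (parameter, actual value, explanation).

    A parameter absent from the profile is reported as 'missing' because the
    kernel default then applies, and defaults differ between releases.
    """
    findings = []
    for name, (op, expected, why) in baseline.items():
        if name not in params:
            findings.append((name, "missing", f"not set; expected {op} {expected} ({why})"))
            continue
        actual = params[name]
        try:
            value = int(actual)
        except ValueError:
            findings.append((name, actual, f"non-numeric value; expected {op} {expected} ({why})"))
            continue
        if not OPERATORS[op](value, expected):
            findings.append((name, actual, f"expected {op} {expected} ({why})"))
    return findings


if __name__ == "__main__":
    for name, actual, why in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {actual} -> {why}")
```

Run against the constructed profile, every baseline entry is reported. The check treats an unset parameter as a finding rather than assuming a safe default, which is the conservative choice when the same baseline is applied across systems of different kernel releases.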
2. Actively monitor authorizations
SAP automatically delivers the necessary authorizations, allowing essential permissions to be assigned. Operators must carefully examine and vet permissions and combinations of authorizations, because even where only necessary permissions are assigned, their combination can undermine the three key principles and create a large risk of exploitation or fraud. This type of monitoring is particularly important since many critical transactions and function modules are accessible remotely.
An important component of this supervision, and of SAP security as a whole, is the correct handling of security logs. Segregation of duties (SoD) checks are carried out against SAP roles and users: a user who is assigned several roles may end up with a so-called SoD conflict. In addition to evaluating users, it is essential to know which roles in combination ultimately trigger the conflict. The most critical logs to prioritize are the change logs (SCU3), the change documents of users and business objects (SCDO) and the SAP Security Audit Log (SM20), which must be kept in sync. The Security Audit Log deserves the highest priority since it contains a defined set of security- and audit-relevant events. Further sources are the RFC Gateway log (SMGW), the log of the SAP Internet Communication Manager and the Web Dispatcher log.
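The SoD evaluation just described, which must report not only the user in conflict but the roles whose combination causes it, can be expressed as a small check over role-to-transaction assignments. The script below is an added example, not code from the article's author or from SAP; the role names, user assignments and conflict rules are constructed for the illustration (the transaction codes are standard SAP ones used only as labels):

```python
"""Segregation-of-duties check over role combinations (added example).

Role names, user assignments and conflict rules are constructed for this
example; the transaction codes are standard SAP ones used only as labels.
"""

# Constructed roles: role -> transactions the role grants.
ROLE_TRANSACTIONS = {
    "Z_VENDOR_MAINT": {"XK01", "XK02"},      # create / change vendor master
    "Z_AP_PAYMENT":   {"F110"},              # automatic payment run
    "Z_PO_CREATE":    {"ME21N"},             # create purchase order
    "Z_GR_POST":      {"MIGO"},              # post goods receipt
    "Z_DISPLAY_ONLY": {"XK03", "ME23N"},     # display vendor / purchase order
    "Z_P2P_ALLINONE": {"ME21N", "MIGO"},     # a single role that is itself conflicting
}

# Constructed SoD rules: two business functions one person must not combine.
SOD_RULES = [
    ("vendor master maintenance", {"XK01", "XK02"}, "vendor payment run", {"F110"}),
    ("purchase order creation", {"ME21N"}, "goods receipt posting", {"MIGO"}),
]

# Constructed user -> role assignments.
USER_ROLES = {
    "JDOE":   ["Z_VENDOR_MAINT", "Z_AP_PAYMENT"],
    "ASMITH": ["Z_PO_CREATE", "Z_DISPLAY_ONLY"],
    "BLEE":   ["Z_PO_CREATE", "Z_GR_POST", "Z_DISPLAY_ONLY"],
    "CWONG":  ["Z_P2P_ALLINONE"],
}


def roles_granting(roles, transactions, role_tx=ROLE_TRANSACTIONS):
    """Return the subset of `roles` that grants at least one of `transactions`."""
    return sorted(r for r in roles if role_tx.get(r, set()) & transactions)


def find_conflicts(user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS, rules=SOD_RULES):
    """Return {user: [(function_a, roles_a, function_b, roles_b), ...]}.

    A conflict is reported when the user's combined roles grant a transaction
    on both sides of a rule. The roles on each side are listed so the reviewer
    can see which role combination triggers the conflict, or whether a single
    role already carries it on its own.
    """
    conflicts = {}
    for user, roles in user_roles.items():
        hits = []
        for func_a, tx_a, func_b, tx_b in rules:
            roles_a = roles_granting(roles, tx_a, role_tx)
            roles_b = roles_granting(roles, tx_b, role_tx)
            if roles_a and roles_b:
                hits.append((func_a, roles_a, func_b, roles_b))
        if hits:
            conflicts[user] = hits
    return conflicts


def conflicting_roles(role_tx=ROLE_TRANSACTIONS, rules=SOD_RULES):
    """Roles that violate a rule by themselves, before any combination."""
    return sorted(
        role for role, tx in role_tx.items()
        if any(tx & tx_a and tx & tx_b for _, tx_a, _, tx_b in rules)
    )


if __name__ == "__main__":
    for user, hits in find_conflicts().items():
        for func_a, roles_a, func_b, roles_b in hits:
            print(f"{user}: {func_a} via {roles_a} + {func_b} via {roles_b}")
    print("single-role conflicts:", conflicting_roles())
```

In the constructed data, JDOE and BLEE are in conflict only through the combination of two roles, while CWONG is in conflict through one role that should never have been built that way; the second function surfaces such roles so they can be fixed at the role level rather than user by user.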
Many security logs are also essential for meeting the compliance requirements of the California Privacy Rights Act or the EU General Data Protection Regulation (GDPR, or DS-GVO in German). The SAP Read Access Log records which specific fields of transactions, reports or programs were accessed. Configuring and assessing this log is a fundamental constituent of SAP security monitoring, as it gives greater visibility into and control over the entire SAP system.
3. Patch and (de)code the unknown
SAP is increasingly exposed to security breaches because these systems offer attackers a large attack surface. Threats currently handled by traditional cybersecurity are equally valid for SAP systems. The challenge faced by most organizations running SAP is not a lack of awareness of needed patches, but keeping up with them and applying them continuously. Since this is a strenuous process, a significant number of SAP systems remain unpatched for long periods of time, further increasing the risk of a breach. Patching is essential, as is detecting the exploitation of vulnerabilities for which no patch yet exists, so-called “zero-day exploits.”
Code security is another key component of establishing a secure SAP landscape. Since code security is left in the hands of developers, custom code is developed and transported from the development systems to the production systems, usually without sufficient examination. This process enables attackers to interject undetected and manipulate urgent transports at runtime, which is why code inspection tools or modules are critical to protecting overall security from attackers. Timely patches and proper code security together can prevent extensive damage.
4. SAP’s Pièce de résistance: SIEM
Once the basics of SAP security are covered, organizations can integrate SIEM to go beyond basic compliance and increase security. In most environments, SAP systems and traditional cybersecurity monitoring tools like SIEM are separate entities, creating a blind spot in protection and escalating opportunities for threat actors. Integrating SAP security monitoring into a centralized SIEM offers a holistic approach to protection, adding valuable insights into cybersecurity, IT operations, system compliance and business analytics across an organization’s network. This combination enables continuous monitoring, detection and automated threat response for SAP systems, so attackers cannot slip through the cracks.
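Once Security Audit Log events reach the SIEM, the value comes from correlation rules run over them. The following Python script is an added example written for this article, not code from the author, from SAP or from any SIEM vendor. The log lines are constructed in a simplified pipe-separated layout (timestamp|message id|user|terminal|client|text); the real SM20 file format and its export layouts differ, so an actual integration would rely on the collector's parser. Message ids AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are real Security Audit Log ids; the critical-transaction list and the thresholds are this example's assumptions:

```python
"""Correlate Security Audit Log events the way a SIEM rule would (added example).

The log lines are constructed in a simplified pipe-separated layout; the real
SM20 format differs. AU1/AU2/AU3 are real Security Audit Log message ids; the
critical-transaction list and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUDIT_LOG = """\
2024-03-01 08:00:01|AU2|ADMIN|10.0.0.5|100|Logon failed (reason=1, type=A)
2024-03-01 08:00:09|AU2|ADMIN|10.0.0.5|100|Logon failed (reason=1, type=A)
2024-03-01 08:00:17|AU2|ADMIN|10.0.0.5|100|Logon failed (reason=1, type=A)
2024-03-01 08:00:24|AU2|ADMIN|10.0.0.5|100|Logon failed (reason=1, type=A)
2024-03-01 08:00:33|AU2|ADMIN|10.0.0.5|100|Logon failed (reason=1, type=A)
2024-03-01 08:00:41|AU1|ADMIN|10.0.0.5|100|Logon successful (type=A, method=A)
2024-03-01 08:01:02|AU3|ADMIN|10.0.0.5|100|Transaction SE16 started
2024-03-01 08:02:15|AU2|ASMITH|10.0.1.7|100|Logon failed (reason=1, type=A)
2024-03-01 08:02:30|AU1|ASMITH|10.0.1.7|100|Logon successful (type=A, method=A)
2024-03-01 08:03:00|AU3|ASMITH|10.0.1.7|100|Transaction VA01 started
"""

# Assumption: an illustrative list of transactions worth an alert on every use.
CRITICAL_TRANSACTIONS = {"SE16", "SU01", "PFCG", "SM59"}


def parse_audit_log(text):
    """Turn the constructed pipe-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg_id, user, terminal, client, message = line.split("|", 5)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": msg_id, "user": user, "terminal": terminal,
            "client": client, "message": message,
        })
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a successful logon follows at least `threshold` failed logons
    for the same user and terminal inside `window`: failures that end in a
    success are the case worth escalating, not the failures alone."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["terminal"])
        if ev["id"] == "AU2":
            failures[key].append(ev["time"])
        elif ev["id"] == "AU1":
            recent = [t for t in failures[key] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "logon_after_repeated_failures",
                               "user": ev["user"], "terminal": ev["terminal"],
                               "failures": len(recent), "time": ev["time"]})
            failures[key].clear()  # a success closes the failure sequence
    return alerts


def detect_critical_transactions(events, critical=CRITICAL_TRANSACTIONS):
    """Alert on every AU3 event whose transaction code is in the critical list."""
    alerts = []
    for ev in events:
        if ev["id"] != "AU3":
            continue
        parts = ev["message"].split()
        tcode = parts[1] if len(parts) > 1 else ""
        if tcode in critical:
            alerts.append({"rule": "critical_transaction", "user": ev["user"],
                           "terminal": ev["terminal"], "transaction": tcode,
                           "time": ev["time"]})
    return alerts


def run_detections(text):
    """Parse the log once and run both rules over it."""
    events = parse_audit_log(text)
    return detect_password_guessing(events) + detect_critical_transactions(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the constructed sample the first rule fires once (five failures for ADMIN from one terminal, then a success 40 seconds later) and the second rule fires once (SE16 started by the same user shortly afterwards); ASMITH's single failed logon stays below the threshold. Keying the failure window on user and terminal together is what lets the rule distinguish one source hammering an account from ordinary typos spread across many workstations.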
By ensuring that system settings are properly configured, permissions and authorizations are continuously reviewed, patching and code are kept up to date, and SAP is integrated into the SIEM, organizations can significantly increase their preparedness against the range of cyber threats that inevitably come their way.