More and more customers are aware that their mission-critical SAP systems need better protection than in the past. It’s a trend we see for some years now. Thankfully, not only the largest enterprise customers of SAP realise that having a proper SOD matrix in place is not all there is to SAP Security. But improving SAP Security is not always that easy and often questions arise such as: Where to start? What strategy to choose? etc.
We don’t claim that there are easy answers to those questions (as this is a complex topic) and yes, the situation differs from customers to customer. But there is some common ground for most customers as all customers are somehow limited in budget, skilled employees, time and they all want to lower risk as cost-efficient as possible. So let’s look at some strategies customers work with. In the SAP world, traditionally, we see customers choose a Reactive or a Proactive approach, or a combination of both.
A Reactive approach focuses on “if they come, we will respond”. This approach in practice can be translated to, for example, customers connecting their SAP systems to a SOC and have some form of threat detection in place. From there, they try to detect active attacks aimed towards their SAP systems and respond and act on those events. This approach has a clear benefit as it can be set up relatively easy with proper tooling in place. It can also help detect real-time risks that can threaten the security of your SAP landscape. When set up properly, it can definitely be a great help in keeping your systems safe and secure.
However, in our view, the above approach should only be the ‘next step’ in your SAP Security strategy, after having at least a properly hardened SAP landscape in place. We believe that from the “Prevention Is Better Than Cure” perspective, you need to have at least a minimum level of basic SAP Security in place before the above approach will bring you any value, as it’s a band-aid solution.
A Proactive approach means ‘before they come, we will be ready’. And while in general it takes more time to be prepared and might seem more costly, there are actually many benefits to start with this approach first. For a long term strategy, you cannot go around prevention and hardening, for example, every penny spent on hardening your SAP landscape is a penny only spent once. Where in the Reactive scenario you might get multiple alerts more often if the source of that alert is not properly mitigated or remediated. Also, in terms of liability and compliance, there are simply minimal standards you must comply with. Negligence to comply with these standards can result in fines and you cannot get away with it by saying that you were ‘able to detect them’. The Proactive approach looks less ‘sexy’ compared to fancy SIEM solutions, but from a risk-based approach, it is often chosen by customers to focus on first.
From the above, it might seem that the two mentioned approaches conflict with each other. However, a combination of the two can strengthen the overall security of your SAP systems. Think of a scenario to start with a Reactive approach for the real short term, while in parallel you work on your Proactive approach, by making sure your patch management, configuration management and other hardening is put in place.
There is no best practice that works for every business in every scenario; but for the above-given reasons, our vision is that customers are getting more value (meaning less risk) by starting with proper vulnerability management via the Proactive approach. Then only when a certain level of maturity is reached, adding the Reactive measures to that can raise the total responsiveness and SAP Security of your organisation even more.
With Protect4S, our SAP Security solution, we currently provide around 2000 checks on the SAP level and on the Operating System and Database level to make sure there is insight into your SAP Vulnerability management, Patch management and Configuration management. A SIEM integration is included and additional Connection Maps can provide good insight into risk in the connections between your SAP systems. The SAP Threat Detection will be launched in H2 of 2022 as a valuable addition to Protect4S.
Contact us to find out more about our software and get a quotation!
