Make it as hard as possible
In modern IT landscapes, and for organizations running SAP in particular, security plays an important role in minimizing risks for the business. Companies invest heavily in defensive measures to keep malicious actors out of their networks. Think for example of:
- Network security (firewalls, IDS / IPS, Web Application Firewalls, etc.)
- Operating System and Database security
- Endpoint and Interface Security
- SAP Authorizations / GRC
All these technologies are deployed to keep out the bad guys, and while they certainly have their value, we still see daily headlines of organizations worldwide getting breached. That is not surprising, since there are numerous ways for malicious actors to gain access to corporate networks. To name a few:
- Technical vulnerabilities in software (SAP alone released over 200 SAP Security patches in the past 12 months)
- Phishing or other social engineering attacks against your employees
- Credential theft and the use of stolen accounts
Once an attacker has access to the corporate network, there is often not much standing in the way of your business-critical SAP environment. Holding sensitive customer data, intellectual property, competition-sensitive data and other business-critical data, SAP systems typically contain the crown jewels of an organization.
Traditional generic security solutions (like Nessus, Qualys, etc.) do not cover the SAP application layer, and SAP authorizations and GRC solutions only minimize risks once a malicious actor is already inside your SAP application.
The above stresses the importance of a last line of defence aimed specifically at securing the SAP application layer. For that purpose, our Protect4S Vulnerability Management and Threat Detection solutions are developed to detect attacks on the SAP application level and to proactively scan your SAP systems for important misconfigurations, missing patches, authorization-related risks and risks in system connections.
We still see many SAP systems deployed in flat networks, installed years ago with insecure defaults, with no clear responsibilities for SAP platform security, and neither regularly patched nor part of a vulnerability management process. This is why our SAP penetration tests performed over the past 10+ years have a high success rate in breaching SAP systems, ranging from the breach of just one system to taking over complete SAP landscapes and getting full access to critical SAP data. Our SAP security research over the past 15 years underlines that SAP systems are not immune to vulnerabilities. Having reported over 100 zero-day vulnerabilities to SAP, we think it is fair to say that SAP systems, like any other software, need proper Vulnerability Management, Patch Management and other SAP-specific protection.
Our observation after being in this industry for over a decade is that most SAP-running organizations have a large backlog of SAP security hardening and remediation activities to catch up with. This is often a tedious job, especially in the SAP world, with its own technologies and terminology, a large number of systems and high complexity. The good news is that there are solutions available. We help customers by automating the scanning of over 2000 vulnerabilities in their SAP environment.
Protect4S Vulnerability Management gives you much-needed insight into the security status of your SAP systems; getting in control was never easier. Next to that, Protect4S Threat Detection makes it possible to spot attackers in your SAP environment and brings you the actionable insight needed to get and stay in control of the security of your business-critical SAP environment.
Interested in learning more? We are happy to tell you more about our SAP Vulnerability Management and Threat Detection capabilities. For more SAP security-related news, articles and whitepapers, please follow us on LinkedIn!