The path to SAP cyber resilience

There is a lack of sufficient resilience

All too often, successful cyber attacks on IT infrastructure and SAP applications in the recent past have shown that there is a lack of sufficient resilience. IT organizations are therefore increasingly reviewing their established processes for effectiveness and from an economic perspective.

The problem is that the threat landscape is constantly changing. Criminals are constantly developing new methods of exploitation or discovering previously unknown vulnerabilities. This becomes possible because the settings of the SAP system itself are constantly changing. So to establish SAP cyber resilience, you need to develop procedures that capture every change in the threat and security situation, analyze their security impact, and enable immediate upgrades. 

In the SAP area, occasional reviews as part of IT security audits are often taken as an opportunity to adjust the hardening of SAP systems and question the fundamental security architecture. However, a one-off assessment is unlikely to help solve the problem in the long term. The next audit at the latest will reveal that new vulnerabilities or problems have emerged.

Active management of security measures for SAP applications is therefore necessary.
To this end, the IT landscape and configuration of the SAP systems must be regularly validated and user management and authorization assignments evaluated. Any deviations from the defined security baseline identified in the process can then be immediately translated into adequate responses. The first step toward SAP cyber resilience has been taken.

A security and compliance management of an SAP security platform supports the definition of security policies for all relevant SAP system parameters, critical authorizations and access control lists (ACL). At the same time, it checks whether the configuration complies with the standard.

However, one essential building block is still missing - if you want to implement an effective security monitoring program to detect cyberattacks, you need to track all transactions performed in the SAP application. A real-world example illustrates why regular controls and real-time monitoring are so important: The attacker exploits an unpatched vulnerability in the SAP transport management system (STMS) to put an account he has access to into god mode (for example, SAP_ALL). Once the malicious transport is imported and the credentials are active, it gains access and opens the system's modifiability. Now the attacker creates persistence by changing some system parameters that can be set dynamically, and this without leaving any corresponding log entries!

If the attacked systems had been immune to SAP cyberattacks, such an attack could not have taken place in this form. Because then the vulnerability in SAP STMS, which was fixed in October 2021, would have already been patched. Even if the attacker had been able to exploit the vulnerability, the security platform would have detected the unauthorized granting of administration rights as an anomaly in real-time monitoring and, if activated, removed it by automatic rule. 

However, if the criminals managed to infiltrate the system and even disable relevant security protocols, things could get tricky. They might have installed a "backdoor" to achieve persistence, i.e. created a way to return at a later time. But even if an attacker has managed to find and eliminate a vulnerability, regular vulnerability analysis increases the likelihood that security settings and the custom code base will be tested. SAP cyber resilience thus also protects against backdoor attacks.