Protecting Your SAP Environment with SIEM, EDR, and DAST
What is SAP Security and Why is it Important?
SAP security is typically an isolated, high-priority silo within an organization’s centralized cybersecurity monitoring. SAP security should safeguard the business-critical infrastructure that organizations depend on to carry out their business efficiently.
Typical use cases of SAP security are:
- Avoiding fraud and exploitation
- Maintaining data integrity
- Discovering unauthorized access
- Automated and continuous audits
- Isolating data leaks
- Centralized security monitoring
An attack on SAP systems may have a lasting impact on an organization’s operations, resulting in reputational and financial loss. To ensure confidentiality, integrity, and availability, you should safeguard these systems against external and internal cyber threats.
However, many organizations don’t make SAP systems available for security teams, or depend solely on ERP vendor tools, increasing the likelihood of attacks and making ERP systems, including SAP, a target for bad actors.
Security within SAP Solutions
SAP offers various business applications founded on distinct architectures: BusinessObjects, NetWeaver AS ABAP and Java, SAP HANA, and cloud-based applications, including SAP Ariba or SAP SuccessFactors.
The initial line of defense for all of these solutions are the system backends, where administrators can define roles, implement security, develop access requirements, and configure the concepts seen above. More security functionality is present within the solutions themselves. For instance, on-site solutions have different security requirements from cloud-based applications.
However, beyond security functionality within SAP systems, SAP provides several dedicated security products that can help you secure your environment:
- SAP Cloud Identity Access Governance—a cloud-based tool for administrators to use to streamline governance processes. Functionality involves preconfigured audit reporting, user assignment optimization, continuous access analysis, and more.
- SAP Code Vulnerability Analyzer—also called SAP NetWeaver AS Code Vulnerability Analysis (CVA). The Code Vulnerability Analyzer is an ABAP add-on that examines source code and protects it from possible attacks before delivering the application to the end-user.
- SAP Enterprise Threat Detection—a tool that uses SAP HANA to process sizable amounts of security events in real-time. It provides insight into managing attacks and discovering damage or anomalies in the system landscape after an intrusion.
- SAP Governance, Risk, and Compliance—a suite of solutions that oversee elements in an organization’s security process such as audit management, access control, and business integrity screening to identify fraud and screen business partners.
Protecting SAP Environment with SIEM, EDR, and DAST
In most cases, built-in SAP tools will not offer enough protection for your environment. Let’s look at three technology solutions that may help you secure mission-critical SAP infrastructure.
SIEM (Security Information and Event Management) is, at its base, a central database for security events. It pulls data from security tools and IT systems across the organization, processes it, and generates actionable alerts for security teams. It also enables in-depth security investigation, providing rich historical data.
SIEM systems are highly customizable and can be integrated with any system that produces logs or system events. You can integrate a SIEM with SAP solutions running in your environment. Define rules to ensure that the SIEM records all security-relevant events, alerting security teams and administrators when they happen.
Remember that SAP systems tend to operate at a large scale, process large data volumes and generate large amounts of log data. Make sure your SIEM can scale sufficiently to process SAP data in real-time.
Keep in mind that SAP provides its own SIEM solution, SAP Enterprise Threat Detection (ETD). ETD collects and analyzes events from SAP HANA Databases and connected SAP applications. It is pre-integrated with the SAP application layer and understands the semantics of events created by SAP HANA databases. However, the downside is that it has limited ability to process data from other parts of the IT environment.
Endpoint detection and response (EDR) is a vendor-specific security threat detection and incident response tool, which is deployed on endpoints in the network. In the case of a SAP system, the endpoints are SAP servers and workstations used by employees.
In a hypothetical attack example, where SAP HR is the target, the cybercriminal could try to gain access to the system, leaving behind a series of clues on the endpoint. Security teams need to be aware that this is taking place. However, they often don’t know about the activity, because they do not have direct access to SAP systems and cannot perform forensic investigation.
EDR can help security teams understand there is a security issue on the endpoint, gain direct access to it, and investigate it using rich data from the endpoint operating system. They can then use the EDR system to take immediate action, such as isolating the endpoint, and in extreme cases, wiping and re-imaging it.
When developing web applications that rely on a SAP back-end, or web interfaces based on SAP technology such as SAP UI or SAP Fiori, it is important to perform live testing of the application at runtime. Live testing can identify if the application has exploitable vulnerabilities. Remember that any application that communicates with SAP systems at the back end is a potential entry point for attackers.
Dynamic Application Security Testing (DAST) tools can help you perform black-box testing on a web application, trying to exploit it as a hacker would. DAST goes beyond identifying vulnerabilities—it can attempt exploitation of these vulnerabilities to see their impact and severity. DAST tools use techniques like crawling and fuzzing to execute unexpected paths in the application workflow and see if they have security weaknesses.
Using DAST during the development and testing stages can help you catch vulnerabilities early—before you release new versions of web applications to the public. It is also valuable to run DAST scans on production applications to identify vulnerabilities before attackers use them to breach the application. Modern task tools are easy to integrate into a CI/CD pipeline and run automatically with every build.
In this article I explained the basics of SAP security, including security technologies and tools offered within SAP solutions. In addition, I showed how you can use modern security technologies to secure SAP deployments:
- SIEM – helps collect data from SAP deployments, correlate it with other security events, and generate actionable alerts for security teams.
- EDR – helps gain direct access to an endpoint in the SAP environment, investigate incidents and respond to them by performing actions directly on the endpoint.
- DAST – helps test web applications for vulnerabilities and provides remediation feedback for developers.
I hope this will be of help as you improve the security and resiliency of your mission critical SAP environment.