Skip to content

Why CISA strongly recommends monitoring SAP?

Security Operation Center

On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287. Due to the severity of this vulnerability and the importance of SAP systems in holding a company’s most vital data assets, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches, and in situations where patches cannot be applied, CISA recommends “closely monitoring your SAP NetWeaver AS for anomalous activity”.

I’d like to add two more certainties to death and taxes, and they’re these: that SAP systems hold an organization’s most valuable data, and that those systems are often vulnerable to attack. Apologies, there’s another certainty, and it’s that hackers know this, and are fully aware of the SAP patches and how to exploit them, as CISA states “because patches have been publicly released, the underlying vulnerabilities could be reverse-engineered to create exploits that target unpatched systems”.

Although this is a recent event, it is another example of the challenges that SAP users face on a regular basis. SAP itself is very helpful with tools to patch and harden known vulnerabilities, and Patch Day Tuesday with updates on the latest vulnerabilities, but immediate patching can often be impossible, and that leaves a very wide door open for all sorts of risk. Even in an ideal world, no SAP environment will be fully hardened 100% of the time. It’s too big a task and too fast-moving a target. Zero-day vulnerability such as the one mentioned above 2934135 (Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)) are not the only risks. What about the whole raft of unknown vulnerabilities in your custom code, or the disgruntled insider, or the unthinkable, SAP_ALL in unscrupulous hands?

To make matters worse, SAP logging is often turned off by security teams as it often generates too much unintelligible data, and cannot be efficiently exported to a SIEM. Additionally, even if the Security Audit Log is enabled, it is often filtered to reduce the size of the logs and in doing so it creates gaps and hides vulnerabilities.

So although It makes sense then, as CISA suggests, to closely monitor your systems, it’s not easy. As a solution, many SAP clients are turning to technology to provide threat detection, but in the past, the use of traditional cybersecurity tools has been met with mixed success. Some of the criticisms raised has been that these tools produce results that can’t be relied upon, creating more work for the already over-stretched Basis team who are then naturally frustrated with wasting time on false-positives. Another failing is the noise around implementing a tool, the extra hardware, the massive maintenance involved, which often requires additional dedicated resources. Aren’t these tools supposed to reduce resources not add to them? Then there’s the cost, the often eye-wateringly high cost, not just of the software but the ownership that can often dwarf the actual cost of running the applications.

SecurityBridge is a modern SAP Security Platform, natively build in SAP.  It uses an ABAP based Intrusion Detection System (IDS) to guard your SAP landscape 24/7. Its frontend is build with Fiori, which provides you an intelligent insight on the security posture of your ABAP, Java and HANA based systems.

Avoid common pitfalls

To avoid these pitfalls in selecting a security platform there are four key factors to consider.

  1. Accuracy of the threat interpretation is of the utmost importance. If your SOC team cannot rely on the results produced and cannot trust the data, then you may as well just use SAP’s EarlyWatch. In order to ensure accuracy, the cyber-solution should be powered by advanced technology such as anomaly detection, (again recommended by CISA) so that it knows what is normal for your organization and is then agile enough to adapt to new attack vectors, and unknown signatures.

  2. Near real-time monitoring is essential, so that threats can be detected and responded to, as soon as they happen, if necessary. Attackers rely on dwell-time, the lapse after an attack where they work out where to inflict the most harm. Attackers also know that most SOC teams take on average 43 days to detect a threat. Real-time threat monitoring removes dwell-time and allows the SOC team to prioritize resources the most effectively. You should target to reduce the “time-to-detection” from days to hours or even minutes.

  3. Patching and compliance are typically a major undertaking. Security audits are a time consuming, but necessary part of running a security team. Selecting a platform that enables and facilitates compliance will save time and money and ensure that compliance is achieved without expending significant effort.

  4. SIEM integration needs to be seamless and effortless. There’s no point loading a SIEM with massive amounts of data, there needs to be out-of-the box use cases that non-SAP security people can readily understand.  

Finally, implement a robust trial of any security tool and if possible run your own PEN test. To learn more about getting a complementary Security Assessment of SecurityBridge please contact us here :

By submitting the form, you acknowledge that you have read and agreed to our Privacy Policy.

Posted by

Ivan Mans
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.