
How can AI help improve your SAP Security posture?


This blog explores AI’s role in SAP Security, highlighting some SAP security platform challenges and the importance of system hardening against exploit chains within SAP vulnerabilities.

Since the rise of ChatGPT, we have seen new use cases for artificial intelligence (AI) in day-to-day operations almost every day. This trend is certainly also reaching the cybersecurity domain, where the threat to IT systems grows with the number of cyberattacks. Not only has the frequency of attacks increased, but attack strategies have also become more sophisticated, as the recent MGM Grand/Caesars breach revealed. The question is: how do we protect IT systems against such threats, and how can AI support us in doing so?

AI-driven SAP Security?

The SAP Security community is also seeking answers to this question. As an obvious first step, AI can support SIEM and other monitoring systems by finding critical activity patterns in the enormous volume of event logs created every minute in today’s SAP environments. However, not every critical activity is malicious. SAP Security teams must have a good understanding of the normal state of their specific landscape, including custom development, so that they can establish a strict regime for the use of superuser rights and privileged user access in SAP applications. Only then can they lower the “background noise” of accepted critical events far enough to create a realistic chance of identifying malicious activity.
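The baseline idea above, as an added example that is not part of the original post: critical events are only escalated when the landscape's documented baseline of accepted privileged activity does not explain them, and repeated low-severity events are escalated once they cross a threshold. The log layout, event names, user IDs and baseline rules are all constructed for illustration and do not reproduce the real SAP Security Audit Log format.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample events in a simplified "timestamp|user|client|event|detail" layout
# (not the real SAP Security Audit Log format); the event names are constructed too.
SAMPLE_LOG = """\
2024-02-13T09:16:40|FF_EMERG01|100|DEBUG_REPLACE|program ZFI_POSTING
2024-02-13T02:04:55|DDIC|000|DEBUG_REPLACE|program RSUSR002
2024-02-13T11:30:00|JDOE|100|LOGON_FAILED|wrong password
2024-02-13T11:30:05|JDOE|100|LOGON_FAILED|wrong password
2024-02-13T11:30:09|JDOE|100|LOGON_FAILED|wrong password
2024-02-13T11:45:10|BATCH_RFC|100|RFC_CALL|function RFC_READ_TABLE
2024-02-13T23:10:00|JSMITH|100|ROLE_ASSIGNED|profile SAP_ALL
"""

CRITICAL_EVENTS = {"DEBUG_REPLACE", "RFC_CALL", "ROLE_ASSIGNED"}  # critical on their own
REPEAT_THRESHOLD = 3  # LOGON_FAILED bursts at or above this count are escalated

@dataclass(frozen=True)
class BaselineRule:
    """Accepted critical activity for this landscape: who may do what, where, and when."""
    user_prefix: str
    event: str
    client: str
    window: tuple  # (start, end) time of day during which the activity is accepted

# Constructed baseline for a hypothetical landscape: firefighter IDs may debug in
# client 100 during business hours; the batch RFC user may call RFCs around the clock.
BASELINE = [
    BaselineRule("FF_", "DEBUG_REPLACE", "100", (time(8, 0), time(18, 0))),
    BaselineRule("BATCH_", "RFC_CALL", "100", (time(0, 0), time(23, 59, 59))),
]

def parse(log_text):
    rows = []
    for line in log_text.strip().splitlines():
        ts, user, client, event, detail = line.split("|", 4)
        rows.append((datetime.fromisoformat(ts), user, client, event, detail))
    return rows

def accepted(ts, user, client, event, baseline):
    return any(user.startswith(r.user_prefix) and r.event == event and r.client == client
               and r.window[0] <= ts.time() <= r.window[1] for r in baseline)

def triage(log_text, baseline=BASELINE):
    """Return (user, event, reason) for critical activity the baseline does not explain."""
    findings, failures = [], {}
    for ts, user, client, event, detail in parse(log_text):
        if event in CRITICAL_EVENTS and not accepted(ts, user, client, event, baseline):
            findings.append((user, event, f"{ts.isoformat()} client {client}: {detail}"))
        elif event == "LOGON_FAILED":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == REPEAT_THRESHOLD:  # escalate once, at the threshold
                findings.append((user, event, f"{REPEAT_THRESHOLD} failed logons"))
    return findings
```

Running `triage(SAMPLE_LOG)` leaves three findings (DDIC debugging in client 000 at night, a burst of failed logons for JDOE, and an SAP_ALL assignment to JSMITH), while the same log with an empty baseline produces five, which is the noise level the post describes.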

SAP systems’ resilience is often quite low

However, we at SecurityBridge have experienced a different situation when implementing our security platform for SAP customers. As our key platform modules “Threat Detection” and “Security & Compliance” ship with predefined security baselines and monitoring templates, we are often surprised to see how many critical alerts and findings pop up right after initializing event monitoring and the vulnerability scan of the SAP system and its custom code. As many customers also struggle with monthly system patching, which causes red alerts in our “Patch Management” module, our SAP security experts must often diagnose quite a low resilience level in the SAP system. In such cases, even simple attack scenarios would have a good chance of succeeding or, worse, of remaining undetected.

The combination of a low resilience level and a high volume of critical monitoring events, even during normal operations, makes it almost impossible for SOC teams to respond to cyberattacks promptly. Even with an AI-based approach, the number of false positives would be too high in a system landscape with an attack surface as wide as SAP’s, making it a challenge to stay in control of the situation. Due to the complexity of the underlying technologies and the variety of customizations, an SAP system is impossible to defend if it is not properly hardened. Therefore, we recommend system hardening as a prerequisite for any AI-driven SAP Security strategy.

AI for detecting SAP vulnerability exploit chains

A Threat Detection solution for SAP powered by AI can be very powerful, especially for detecting cyberattacks that chain multiple medium- or low-severity SAP vulnerabilities. As most remediation strategies prioritize high and very high vulnerabilities due to resource constraints, successful attacks often exploit a chain of “leftovers”. AI can help detect these SAP Security threats, but it can only unfold its full power within a hardened SAP system and SAP operations that embrace the principle of least privilege for user authorizations.

Are you interested in learning how we can help you harden your SAP landscape? Contact us and we will be happy to tell you more about our guided approach to SAP Security excellence. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!

Posted by Holger Huegel
