How can AI help improve your SAP Security posture?
Since the rise of ChatGPT, we have seen new use cases for artificial intelligence (AI) in today’s operations almost every day. This trend is certainly also impacting the cybersecurity domain, as IT threats are increasing in line with the number of cyberattacks. Not only has the frequency of attacks increased, but the attack strategies have also become more sophisticated, as the recent MGM Grand/Caesar’s breach revealed. The question is, how do we protect IT systems against such threats, and how can AI support us in this case?
AI-driven SAP Security?
The SAP Security community is also seeking answers to this question. As an obvious first step, AI can support SIEM and other monitoring systems by finding critical activity patterns in the huge volume of event logs created every minute in today’s SAP environments. However, not every critical activity is malicious. SAP Security teams must have a good understanding of their normal state within their specific landscape, including custom development, to establish a strict regime for leveraging superuser rights and privileged user access in SAP applications. Only then can they lower the “background noise” of accepted critical events to an extent that creates a realistic chance for identifying malicious activities.
SAP system’s resilience is often quite low
However, we at SecurityBridge experienced a different situation when implementing our security platform for SAP customers. As our key platform modules “Threat Detection” and “Security & Compliance” are shipped with predefined security baselines and monitoring templates, we are often surprised to see how many critical alerts and findings pop up right after initializing the event monitoring and the vulnerability scan of the SAP system and custom code. As many customers are also challenged with monthly system patching, which causes red alerts in our “Patch Management” module, our SAP security experts often have to diagnose quite a low resilience level of the SAP system. In such cases, even simple attack scenarios would have a good chance of being successful or, worse, remaining undetected.
The combination of a low resilience level and a high number of critical monitoring events, even during normal operations, makes it almost impossible for SOC teams to respond to cyberattacks promptly. Even with an AI-based approach, the number of false positives would be too high in a system landscape with as wide an attack surface as SAP’s, making it a challenge to be in control of the situation. Due to the complexity of the underlying technologies and the variety of customizations, an SAP system is impossible to defend if not properly hardened. Therefore, we recommend system hardening as a prerequisite for any AI-driven SAP Security strategy.
AI for detecting SAP vulnerability exploit chains
A Threat Detection solution for SAP powered by AI can be very powerful, especially for detecting cyberattacks that chain multiple medium or low SAP vulnerabilities. As most security remediation strategies prioritize the high and very high vulnerabilities due to resource constraints, successful attacks often exploit a chain of “leftovers”. AI can help detect these SAP Security threats, but it can only unfold its full power within a hardened SAP system and SAP Operations that embrace the principle of least user authorizations.
Are you interested in learning how we can help you harden your SAP landscape? Contact us and we will be happy to tell you more about our guided approach to SAP Security excellence. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!