Skip to content

NIST CSF 2.0: A Winning Framework for Vulnerability Management

NIST 2.0

Let’s be brutally honest: No one really cares about Vulnerability Management… Until someone is impacted by a vulnerability exploit! We are always personally affected when an exploit negatively influences our finances, privacy, jobs, careers, or even the size of our future paychecks.  

Do you agree? You know you do! This is part of our DNA – It is called “self-preservation”. 

When it comes to Vulnerability Management, how do we rise above our ‘Base Self’ and work together for the greater good of our families, our communities, our companies, and our countries? 

By reading this far, I hope you agree that Vulnerability Management is a serious topic – And for businesses, it needs to be a defined budget item. Now, let’s tie this subject matter to the SAP systems that facilitate MOST of the supply chain and transactions in the global economies. When we combine these pivotal factors, we get what is called “SAPCyberSecurity”. 


Agreed. We cannot just highlight a problem and not present a way to solve the problem. 

What are the common struggles?

First, let’s define a couple of challenges. Then, we will lay out a framework for successfully managing the vulnerabilities in your SAP systems. Do these affirmations sound familiar to you? 

  1. We have no idea where to start.
  2. We cannot cope with the pace of change that we see coming from SAP. We are barely keeping up with the Hot News and Critical Vulnerabilities that SAP announces monthly. 
  3. We need some form of automation to do Vulnerability Management. We can’t dedicate a team member full-time to perform all what needs to be completed manually. 
  4. We need a “Concept of Operations” (aka ConOps) to be able to work on Vulnerability Management tasks. 


These are all valid struggles and can be addressed through a framework that works for SAP Vulnerability Management. I recommend starting with the Cybersecurity Framework (CSF) from the USA National Institute of Standards (NIST).   

NIST CSF 2.0: The Six Phases

The NIST CSF works through five phases of a cycle: Identify –> Protect –> Detect –> Respond –> Recover. Now with NIST CSF 2.0, we bring that cycle back to the core of Govern. 

And yes, you need some tools that are already tuned to perform these steps: Let’s break it down for Vulnerability Management: 

1. Identify

Think of “Identify” in two levels:  

  • First, identify each of your SAP environments that are “in scope” for Vulnerability Management
  • Then, perform an automated Vulnerability Scan on each of these in-scope SAP environments. This way you identify the specific vulnerabilities in each system. 


2. Protect

I recommend protecting on 2 fronts: 

  • First, FIX the FINDINGS! If you run a report and it comes back with a list of things that need to get fixed, the only sensible thing to do is set up a Remediation Team. This team will prioritize and triage the findings and get to work. This team needs permission from upper management to potentially get priority over other ongoing projects so that they “get stuff fixed.” Otherwise, the Vulnerability Scanning just becomes a sad TRAGEDY where the same report gets run each week and nothing is ever improved. 
  • Second, Threat Detection is a layered technique for protecting your SAP environments. How does this work? Think of Threat Detection as a “Mitigating Control”. It’s different from remediating vulnerabilities. However, in the case of a vulnerability that is not remediated, Threat Detection protects that vulnerable area of your environment by monitoring it for any exploitation activity. 


3. Detect 

Both in the Vulnerabilities Scanning and in the Exploit Monitoring:  

  • Detect changes in the trending results of your scheduled scans. The ideal trend is to see a regular reduction in the number and overall criticality of the findings. Trending is also impacted by NEW findings. This is commonly associated with the SAP Security Patch Day announcements each month. So, to summarize, watching the trendline of vulnerability findings is a form of detection against new findings, but also to monitor that the numbers of old findings continue to drop over time. 
  • In SAP Cybersecurity, the detective part of CSF is typically relegated to SAP Threat Detection. In technology environments such as ABAP, Java, and HANA databases, the technique of identifying threats is accomplished by constant monitoring of the Logs and other key data sources. This mission is beyond what could reasonably be assigned to a human because the volume of information that must be processed from the logs is overwhelming and constantly high. 


4. Respond 

Through Vulnerability Remediation and Integration to SIEM partners:

  • Respond by having an active and involved Triage Team that will accept your Vulnerability Scan reports, prioritize the list of findings, and harmonize the remediation work with the ongoing SAP/IT projects that are also in flight. Over time, this team must diligently work the list down until all critical findings are remediated. 
  • Respond by integrating your Threat Detection Events into a Security Information and Event Monitor (SIEM) solution. Out of the SIEM, you can have Response Playbooks that dictate both the method and the individuals responsible for addressing different event profiles. 


5. Recover 

Spans across your Risk Posture, Cyber Insurance, and Backup/Archive Strategies: 

  • Restore your company’s Risk Posture to a healthy posture. Realize that Vulnerability Findings give you a “risk health score.” To improve that score, do the obvious thing: remediate the findings. 
  • Find out if your company utilizes Cyber Insurance. This is a relatively new category of insurance. This Area of Responsibility will typically fall to your company’s Chief Risk Officer. 
  • Your company’s Chief Data Officer should have policies, processes, and procedures in place to act on to make sure that your environments have active backup and restore processes and procedures. Some of the recent cybersecurity attacks and exploits can certainly be considered disasters. So, be sure that you have plans in place to handle Disaster Recovery 


6. Govern 

Operate from within a Risk Management team and utilize a vendor-provided best-of-breed solution:

  • Set up a Risk Management team within your SAP and IT org structure. This team can be primarily responsible for the Scanning, Monitoring, and Reporting tasks. It might also be responsible for interacting with a vendor of choice such as SecurityBridge. 
  • Operate a vendor solution so that your team can leverage Automation and Best Practices. Utilize a solution that has passed the test of time and is already providing documented value to other SAP Customers. Of course, the solution I recommend is built IN SAP, FOR SAP, and BY SAP Experts… the SecurityBridge Platform.  


Do you want to discuss setting up the SecurityBridge Platform as the primary Governance solution for Cybersecurity in your SAP environments? Follow us or just reach out – I am easy to find on Linkedin. 

Posted by 

Barry Snow

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Sales & Partner Manager APAC Singapore
We are expanding our operation in the APAC region and are looking for an experienced Sales & Partner Manager to join our team in Singapore. The ideal candidate will have at least 5 years of experience in sales, with a focus on software sales, SAP security, or cybersecurity.
Pre-Sales Consultant APAC Singapore
As a Pre-Sales Consultant at SecurityBridge, you will be instrumental in our rapid expansion within the APAC region. You will directly contribute to the growth of our innovative SAP security solution, SecurityBridge.