Skip to content

Threat Intelligence in the context of SAP


Threat Itelligence is currently trending in IT-Security. It involves putting data on known malware, vulnerabilities and attack vectors into context to enable a more effective response against threats. Unfortunately, as is often the case in IT security, threat intelligence is usually limited to the infrastructure. Business-critical applications are left out. Take SAP systems as an example.

SAP systems contain the most sensitive data of every company and are therefore worthwhile targets for attackers. The organized cyber criminals have recognized this, and attacks on SAP systems are becoming more frequent as well as more professional.

Since Mid-August 2020 the independent bug bounty trader Zerodium is looking for zero-days with pre-auth remote code execution, authentication bypass, or data disclosure for SAP NetWeaver.

Zerodium - SAP NetWeaver

Unfortunately, SAP systems are very specific and thus are often not covered from regular security solutions, as is the case when it comes to Threat Intelligence solutions. One of the reasons is the fundamentally different technology used by the software manufacturer from Walldorf. Historically SAP systems have been separated from the rest of the IT (the gallian village of IT), which lead to the situation that the security department was not familiar with the technology.

SAP security is becoming increasingly important

In recent years, this has changed significantly and the importance of securing SAP systems is now widely recognized. It is worth taking a closer look at the term “Threat Intelligence” in this context. In reality, attacks are often orchestrated and prepared long in advance. If you want to use an analogy: Hacker attacks rarely resemble the classic bank robbery, where a masked robber waves a pistol and leaves the bank with a bag full of money after only a few minutes. A more fitting comparison would be a film like “Oceans Eleven”, in which sophisticated preparation precedes the actual clou.

Detect possible attacks from anomalies

In IT systems – and thus also valid for SAP landscapes – this preparation can be recognized by certain hints. If these hints are correlated with other conspicuous activities, a possible attack may be happening. The indications pointing to an attack usually do not cluster but are rather spread among time and different log files. It is therefore not necessary to be able to evaluate the logs down to the second. More important is a correlation analysis, which detects possible threats spot on.

To be able to carry out such an analysis, two things in particular are necessary: SAP-specific knowledge to be able to detect unusual activities in the first place. Secondly, this data must be collected in the first place.

Continuous monitoring is important

For a comprehensive and seamless monitoring of SAP landscapes, a solution is required that takes over the tasks of continuous monitoring for SAP systems. Thus, all processes within the SAP systems must be continuously monitored in the background to be able to recognize conspicuous processes at any time. These processes must then be correlated with each other. This requires an SAP-specific set of rules that also continuously analyzes user behavior. Furthermore, this information must not only be forwarded to the security department or to a connected SIEM system, but it must also be prepared in such a way that it does not require SAP know-how to immediately recognize possible threats as such.



One integrated Platform to allow a 360° insight on threats and vulnerabilities.

This is where SAP-specific Threat Intelligence comes into play. SAP systems are extremely complex; most SAP landscapes consist of dozens or even hundreds of individual systems. Accordingly, it is important to know all weak points within the SAP landscape. This includes system parameters, potentially unsecured interfaces or – especially in the SAP area – applications developed by customers themselves. Identifying and securing these potential vulnerabilities is a challenge not only because of the complexity of SAP systems. The settings are also highly dynamic due to ongoing changes to the system.

All SAP areas should be covered

In order to identify the weak points in the above mentioned areas at an early stage, a scanner is required which checks all areas for possible security and compliance problems. Due to the high complexity of even a single SAP system, two things should be given special attention when selecting such a vulnerability management solution: Firstly, an audit should be as comprehensive as possible. The security guidelines of SAP itself as well as the DSAG audit guidelines provide a good starting point. On the other hand, such a scanner should be integrated into the real-time monitoring as seamlessly as possible so that changes to the system can be detected early and forwarded to the responsible parties.

Accordingly, Threat Intelligence in the SAP environment consists of several steps: weak points must first be identified, the systems must be protected by hardening them and continuous monitoring must be able to detect and classify anomalies.

No context, no intelligence

For Threat Intelligence to work in an SAP context, it is crucial that these separate steps are placed in an application-specific context. It is not enough to maintain a database of standardized vulnerabilities in an SAP system. Instead, this data must be correlated with each other, taking into account the approach used by attackers.

SecurityBridge, the only holistic security platform for SAP systems, offers the two key factors necessary for Threat Intelligence in an SAP context: For the identification and elimination of vulnerabilities, a comprehensive catalog of tests is an integral part of SecurityBridge, based on established standards. For the analysis of activities, in turn, an intelligent correlation engine provides insight into SAP specific attack vectors which can be used by the SOC or security department. In other words, SecurityBridge pulls the needle in a haystack with a magnet rather than operates a database that examines each blade of grass separately.

Detecting a threat using intelligence literally, Threat Intelligence.

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

DSAG Jahreskongress 2023
Alles verändert sich, nichts bleibt wie es ist, die heutige Zeit setzt Flexibilität voraus. Entsprechend wandelbar präsentieren sich DSAG, SAP und das gesamte Ökosystem. Diese Wandlungsfähigkeit steht auch im Fokus des DSAG-Jahreskongress 2023 vom 19.-21. September 2023 in Bremen. Unter dem Motto „Wunderbar wandelbar – Gemeinsam neue Perspektiven schaffen“ freut sich die DSAG wieder darauf, mehr als 5.000 Teilnehmende zu begrüßen. Wagen Sie gemeinsam mit der Interessenvertretung den Blick durch das Kaleidoskop und finden Sie den richtigen Dreh, um zu neuen Blickwinkeln zu gelangen und Veränderungen zu gestalten.
SAP security Patch day
SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP ABAP Directory Traversal Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability. In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.