
Threat Intelligence in the context of SAP

Threat Intelligence is currently trending in IT security. It involves putting data on known malware, vulnerabilities and attack vectors into context to enable a more effective response against threats. Unfortunately, as is often the case in IT security, threat intelligence is usually limited to the infrastructure. Business-critical applications are left out. Take SAP systems as an example.

SAP systems contain the most sensitive data of every company and are therefore worthwhile targets for attackers. Organized cyber criminals have recognized this, and attacks on SAP systems are becoming more frequent as well as more professional.

Since mid-August 2020, the independent bug bounty trader Zerodium has been looking for zero-days with pre-auth remote code execution, authentication bypass, or data disclosure for SAP NetWeaver.

Zerodium - SAP NetWeaver

Unfortunately, SAP systems are very specific and are therefore often not covered by regular security solutions. The same is true of Threat Intelligence solutions. One of the reasons is the fundamentally different technology used by the software manufacturer from Walldorf. Historically, SAP systems have been separated from the rest of IT (the Gallic village of IT), which led to a situation in which the security department was not familiar with the technology.

SAP security is becoming increasingly important

In recent years, this has changed significantly and the importance of securing SAP systems is now widely recognized. It is worth taking a closer look at the term “Threat Intelligence” in this context. In reality, attacks are often orchestrated and prepared long in advance. To use an analogy: hacker attacks rarely resemble the classic bank robbery, where a masked robber waves a pistol and leaves the bank with a bag full of money after only a few minutes. A more fitting comparison would be a film like “Ocean's Eleven”, in which sophisticated preparation precedes the actual coup.

Detect possible attacks from anomalies

In IT systems, and therefore also in SAP landscapes, this preparation leaves recognizable traces. If these traces are correlated with other conspicuous activities, they can indicate that an attack may be under way. The indications pointing to an attack usually do not cluster; they are spread across time and different log files. It is therefore not necessary to be able to evaluate the logs down to the second. More important is a correlation analysis that pinpoints possible threats.

To carry out such an analysis, two things in particular are necessary. First, SAP-specific knowledge is needed to detect unusual activities at all. Second, the relevant data must actually be collected.
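The correlation idea described above, as an added example that is not part of the original article or of any product it mentions: weak signals from different logs are grouped per user over a window of days rather than seconds. The log source names, signal labels, users and thresholds are constructed for illustration and are not real SAP log formats.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, log source, user, weak signal).
# Source names and signal labels are hypothetical, not real SAP log formats.
EVENTS = [
    ("2020-09-01T02:14:00", "audit_log", "JSMITH", "failed_logon_burst"),
    ("2020-09-03T11:40:00", "change_log", "JSMITH", "role_assigned_to_self"),
    ("2020-09-04T08:05:00", "audit_log", "MMEIER", "failed_logon_burst"),
    ("2020-09-06T23:55:00", "gateway_log", "JSMITH", "new_rfc_destination_call"),
    ("2020-10-20T09:00:00", "change_log", "MMEIER", "role_assigned_to_self"),
]


def correlate(events, window=timedelta(days=7), min_signals=3, min_sources=2):
    """Return {user: events} where distinct weak signals from several
    log sources fall inside one coarse time window."""
    by_user = defaultdict(list)
    for ts, source, user, signal in events:
        by_user[user].append((datetime.fromisoformat(ts), source, signal))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            signals = {sig for _, _, sig in chunk}
            sources = {src for _, src, _ in chunk}
            # Each signal alone is unremarkable; the combination is the finding.
            if len(signals) >= min_signals and len(sources) >= min_sources:
                findings[user] = chunk
                break
    return findings


if __name__ == "__main__":
    for user, chunk in correlate(EVENTS).items():
        print(user, [(ts.date().isoformat(), src, sig) for ts, src, sig in chunk])
```

With the constructed data, only JSMITH is reported: three different signals from three sources within six days, while MMEIER's two signals lie more than six weeks apart.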

Continuous monitoring is important

For a comprehensive and seamless monitoring of SAP landscapes, a solution is required that takes over the tasks of continuous monitoring for SAP systems. Thus, all processes within the SAP systems must be continuously monitored in the background to be able to recognize conspicuous processes at any time. These processes must then be correlated with each other. This requires an SAP-specific set of rules that also continuously analyzes user behavior. Furthermore, this information must not only be forwarded to the security department or to a connected SIEM system, but it must also be prepared in such a way that it does not require SAP know-how to immediately recognize possible threats as such.



One integrated Platform to allow a 360° insight on threats and vulnerabilities.

This is where SAP-specific Threat Intelligence comes into play. SAP systems are extremely complex; most SAP landscapes consist of dozens or even hundreds of individual systems. Accordingly, it is important to know all weak points within the SAP landscape. This includes system parameters, potentially unsecured interfaces or – especially in the SAP area – applications developed by customers themselves. Identifying and securing these potential vulnerabilities is a challenge not only because of the complexity of SAP systems. The settings are also highly dynamic due to ongoing changes to the system.

All SAP areas should be covered

In order to identify the weak points in the above-mentioned areas at an early stage, a scanner is required which checks all areas for possible security and compliance problems. Due to the high complexity of even a single SAP system, two things should be given special attention when selecting such a vulnerability management solution. Firstly, an audit should be as comprehensive as possible. The security guidelines of SAP itself as well as the DSAG audit guidelines provide a good starting point. Secondly, such a scanner should be integrated into the real-time monitoring as seamlessly as possible so that changes to the system can be detected early and forwarded to the responsible parties.

Accordingly, Threat Intelligence in the SAP environment consists of several steps: weak points must first be identified, the systems must be protected by hardening them and continuous monitoring must be able to detect and classify anomalies.

No context, no intelligence

For Threat Intelligence to work in an SAP context, it is crucial that these separate steps are placed in an application-specific context. It is not enough to maintain a database of standardized vulnerabilities in an SAP system. Instead, this data must be correlated with each other, taking into account the approach used by attackers.

SecurityBridge, the only holistic security platform for SAP systems, offers the two key factors necessary for Threat Intelligence in an SAP context. For the identification and elimination of vulnerabilities, a comprehensive catalog of tests, based on established standards, is an integral part of SecurityBridge. For the analysis of activities, in turn, an intelligent correlation engine provides insight into SAP-specific attack vectors, which can be used by the SOC or security department. In other words, SecurityBridge pulls the needle out of the haystack with a magnet rather than operating a database that examines each blade of grass separately.

Detecting a threat using intelligence: literally, Threat Intelligence.

Posted by

Christoph Nagy