
3 Reasons to start monitoring SAP


There appears to be a new trend for companies to centralize their log sources into Security Information and Event Management (SIEM) solutions. The time has come to look at SAP. This article explains why.

SIEM solutions were created out of the necessity to deal with a flood of alerts coming from various sources within the company network and Intrusion Protection and Intrusion Detection Systems. Since Gartner coined the term “SIEM” (for Security Information and Event Management), these solutions have evolved into information platforms. They not only collect logs from firewalls and other devices but can also correlate events using patterns and machine learning. Security teams use these insights to develop an understanding of their baseline, to detect anomalies, and to support their defense tactics. The goal is to detect attacks almost in real time and thus be able to react before significant damage can occur.

SIEM systems, however, have traditionally focused on infrastructure components, such as firewalls and networks – applications were, until recently, not within their usual focus. SAP systems are particularly hard to integrate, as their logs are not available in the standardized syslog format. In other words, SIEM solutions pretty much excluded SAP systems – and no one seemed to notice for quite a while. Only recently have solutions such as our SecurityBridge Cybersecurity Platform been able to close the information gap and connect SAP systems, their events and information, to SIEM solutions.

But why monitor SAP systems at all? Isn’t it enough to focus on the infrastructure? The answer is simple: definitely not. Here are three reasons why SAP landscapes should be monitored for security risks:

First Reason

SAP systems contain your most valuable data. 

So, let’s say you have a house and you want an early intruder-detection system. Would you buy surveillance cameras for the garage, where you keep all the long-forgotten stuff? Or would you rather place them close to your safe, where all the important and valuable assets are located? You might argue that the garage is a good place to monitor, as this is likely where the intruder can get in. True – and this is what SIEM systems do. Would you go without watching the safe, then? Probably not.

Second Reason

Infrastructure can be bypassed when SAP systems are connected to the network. 

Let’s stick with the analogy of the house for a second. You are monitoring your garage – but there’s another door that leads directly into your house where the safe is located. This door can only be opened by authorized users. But some users have a general key that has worked since the safe was built, and no one has bothered to change their keys. Additionally, this door is somewhat more unstable than the garage door. Better keep a watch on it, too. While this analogy seems a bit obvious at first glance, it unfortunately passes most reality checks – SAP systems are often less secure than other systems, sometimes because the security department doesn’t see the SAP landscape as within its responsibility, and sometimes due to the complexity of SAP systems, which are 6-7 times more complex than a given operating system.

Third Reason

SAP systems are complex

As mentioned above, SAP systems are increasingly complex, while or because most business transactions are passed through them. The complexity doesn’t stop at mostly static security-relevant settings, however. Quite the contrary: SAP systems also record quite a few security-relevant events. Although these events are buried under tons of business logs, the change documents, system logs, and access logs contain the information needed to detect an ongoing cyberattack. Digging them out is not enough. Events need to be put into context in order to decide whether any given behavior can be considered “normal”. Managing this complexity not only requires technology – it mainly necessitates expert knowledge of SAP processes. This might be one reason why regular SIEM providers shy away from including SAP systems in their portfolio – they simply don’t know enough to interpret SAP products.

As with the technology infrastructure, SAP systems generate more and more data, owing to a growing number of business processes added to the ERP infrastructure, an increasing demand for connectivity to the outside world, and more users accessing those systems. This openness demands a comprehensive security solution that does not focus only on static security challenges such as hardening systems or securing custom applications, but combines real-time monitoring with intelligent threat analysis. For SAP systems, which more often than not contain the business secrets and privacy information for every company, ensuring continuous monitoring for potential risks becomes imperative.

SecurityBridge is a modern SAP Security Platform, natively built in SAP. It uses an ABAP-based Intrusion Detection System (IDS) to guard your SAP landscape 24/7. Its frontend is built with Fiori, which gives you intelligent insight into the security posture of your ABAP, Java and HANA-based systems.

Contact us to learn how SecurityBridge enables intelligent, continuous real-time monitoring of SAP systems.


Posted by

Christoph Nagy