SAP Cybersecurity Beyond Authorizations
Watch the webinar on-demand at any time to learn what „holistic“ really means in the context of SAP security…
- July 14, 2021
Demystify ransomware in the context of SAP
Key Takeaways
- Understand how ransomware impacts SAP customers.
- Learn why traditional cybersecurity is not enough.
- Existing SAP vulnerabilities may be used as attack vectors.
“Ransomware attack”, it’s probably the most commonly used despairing words of 2020 after “you’re on mute’. The focus of late however appears to be very much targeted at striking at the core of a business’s mission-critical systems, key applications that will cause substantial damage to the production systems of global enterprises. Take for example meat processor JBS being extorted, and REvil targeting the COOP indirectly. For JBS, the impact of loss of production is catastrophic as it processes perishable goods.
Attack scenario
To demystify ransomware in the context of SAP we need to look at the attack scenario. While traditional ransomware hits the victim on the operating system level, the SAP technology stack is only impacted if the server platform was successfully attacked. Luckily for SAP installations, the majority of today’s ransomware variants target Windows operation systems, while SAP systems prefer to run on Unix. So if SAP is hardly impacted, then why bother?
Entrance door SAP; an attacker may exploit the SAP application layer to introduce malicious files and trigger their execution to start spreading ransomware within the customer’s network. Network traffic sent from SAP to clients is typically not blocked or inspected, leading to an increased likelihood of a successful attack.
Traditional cyber-security is not enough
Unfortunately, many organizations don’t realize that network security is penetrable and it’s imperative to constantly monitor your SAP applications in real-time to secure them. It requires a more holistic approach to securing your business-critical applications, including things that we would classify as “good security hygiene.” In our recent online seminar “How to implement and enforce a Security baseline for SAP” we demonstrated that threat actors are very aware of how to exploit unprotected mission-critical applications, and are, in fact, actively doing so.
For example, in a recent high-profile attack, the organization was subjected to a ransomware attack on their ERP applications.
Despite implementing good security hygiene such as regular back-ups, their operations were brought to a stand-still. This lapse in productivity can last for days and the damage to reputation and costs are substantial. Attackers simply bypassed the endpoint detection and response (EDR) software by accessing the data through the application. EDR is a crucial component, but the application level still remains a blind spot, and a vulnerability. The attackers, in this example, used that application layer, which was not being directly monitored, in order to compromise the business-critical assets.
Of course, traditional cyber-security is in place at many companies, but when the attack is a Trojan Horse it’s hard to detect. With SAP systems this issue becomes even more critical with access to a company’s mission-critical production systems the impact would be devastating.
So, what is needed to protect your organization’s business-critical applications from the inevitability of an attempt at ransomware? That is exactly the question we will address in this blog post as an SAP Certified Application Development Partner with our focus on securing the SAP technology platform. Traditional security tends to focus on endpoint, network, and back-ups. All of which are essential components in security, but as is clearly evident, are not adequate in preventing successful attacks.
SAP is a challenging environment that requires constant patching and often contains custom code for which there are no known patches. Attackers are all too aware of this and evidence shows that known vulnerabilities are being targeted because these systems are business-critical and are inter-connected with substantial complexity.
Vulnerabilities such as RECON, and PayDay allow threat actors to take full control of applications through the application layer itself, and, once in, go down to the operating system level. In addition to essential vulnerability management and efficient patching, the solution to this challenge is to start by having robust accurate real-time threat monitoring powered by advanced technology such as anomaly detection so that no matter how much these threat actors change their attack vectors, the anomaly is detected and reported and triaged in real-time. Gartner fully endorses this strategy, that organizations should “implement a risk-based vulnerability management process that includes threat intelligence. Ransomware often relies on unpatched systems to allow lateral movement. This should be a continuous process. The risk associated with vulnerabilities changes as these vulnerabilities are exploited by attackers.”
This will stop a successful attack:
- Real-time threat monitoring so that attacks can be detected and remediated before harm is done.
- Actionable intelligence. Having results that produce false positives is frustrating and time-wasting when time is a vital ally.
- Effective Hardening of Business-Critical Applications and guidance on how and where to patch.
- A unified Platform Approach where custom-code and applications are scanned simultaneously.
- Integration with a Security Information Event Management (SIEM) so that the wider security team outside of SAP can have instant access to hundreds of use-cases.
- Corporate commitment to compliance and governance in securing mission-critical applications and code.
SAP delivers security updates through support packages, and, publishes security notes with the latest security corrections and recommendations. SecurityBridge provides patching advisories and guidance through what can be an overly complicated challenge to understand how and where to patch.
Summary
Ransomware is a different animal to most attacks in that it is very lucrative and increasingly easy for nefarious actors to be successful with impunity. Add to this that the opportunities for attacks have vastly increased with remote working due to Covid, and the complexities of custom code, cloud deployments, and a strain on InfoSec resources. While these factors might make ransomware attacks more likely, it does not necessarily mean they will lead to a successful attack. With SecurityBridge, you can always be one step ahead of the attackers, being alerted in real-time as to what the level of threat actually is, and being able to remediate where appropriate before the attacker has time to execute the threat.
Automate patch management processes with SecurityBridge™
Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.
SAP Sicherheit auf dem Prüfstand – Ein ganzheitlicher Ansatz
#ITOK21 | IT-Onlinekonferenz.de | Helge Sanden und Christoph Nagy
Ständig hört man von Cyberangriffen und die meisten Unternehmen haben bereits …
Ständig hört man von Cyberangriffen und die meisten Unternehmen haben bereits …
SAP Patchday
On 13th of July 2021, SAP Security Patch Day saw the release of 14 Security Notes. There were 3 updates to previously released Security Notes.
Press coverage
Ingolstadt 28th June 2021. SecurityBridge has announced a strategic partnership with regional value-added reseller PASàPAS, located in France.
Ingolstadt, Germany: June 21, 2021, SecurityBridge, today announced the appointment of Dr. Markus Schumacher, to its Board of Advisors.
SAP Patchday
On Tuesday, 8th June 2021, SAP held the sixth SAP Security Patch Day of the year. The security experts of SAP SE have released 17 new SAP security patches.