What is SAP Threat Intelligence? 

In this article, we will look at the prerequisites for SAP Threat Intelligence and what it could look like. The generally accepted definition of Threat Intelligence is as follows: Threat intelligence is evidence-based information about cyber-attacks organized and analyzed by cyber security experts. This is also valid for SAP but must be specifically refined.

Let’s start with an example. In December 2021, the Log4j vulnerability shocked IT divisions and prevented them from enjoying a relaxing Christmas. The CVSS 10 vulnerability in Log4j, a widely used component, did not have an easy fix. Instead, IT and security experts had to search for where the component was used before delivering a fixing strategy. SAP customers had to rely on the immediate actions of the security team of SAP SE to provide a fix.

The Log4j incident illustrates how little insight companies usually have into which components they use.

The missing piece:

Not knowing can be a benefit, but not when it comes to SAP security. The foundation for any form of intelligence is data, or in other words, the transparency that should be applied in the area of intelligence.  

This is an important aspect: the missing piece for Threat Intelligence for SAP is often the lack of understanding of threats and attack vectors. Companies are in the dark about missing security patches for specific components. Similarly, there is a lack of visibility into an insecure configuration that is actively exploited in their SAP NetWeaver application. So let us look at the question: what data is needed for SAP Threat Intelligence?

Foundation for Threat Intelligence:

Often, securing the SAP systems is pushed to the end of the task list because special dependencies need to be considered. These dependencies tend to make an already complex topic even more complex. Furthermore, the dependencies between, for example, system configuration and customer-specific application development increase the coordination effort between departments. To create the basis for threat intelligence concerning SAP applications, the following areas must be analyzed:

1. System configuration: 
All security-relevant parameters and their current settings must be recorded and known. At first, the dependencies among the individual parameters do not need to be known; these are considered later. Each vulnerability should be classified according to exploitation risk and effort of remediation.

2. Custom code security: 
Furthermore, there are almost always vulnerabilities in the customer’s programming in addition to SAP standard product vulnerabilities that get fixed by regular security updates. The program code needs checking for backdoors or SQL injection vulnerabilities. All vulnerabilities should be recorded and sorted according to severity.  

3. Missing security patches:  
Security patches are released on a monthly cycle by the SAP Security Response Teams. Since there is no central overview of the missing security updates for SAP systems, it is very time-consuming to collect this information. Unfortunately, this is an essential part of Threat Detection for SAP. 

4. Interface landscape:
Especially for SAP security, it is important to take a detailed look at the integration landscape and the ways of integration. SAP systems communicate via Remote Function Calls (RFC). RFC connections are set up for this purpose, which, if configured incorrectly, can easily be misused by attackers.

5. Log collection and triaging:
SAP systems record almost all important information required to detect attacks in various logs. For some details, a separate query, such as a query of the SAP user master, must be made. The information must be freed from transactional content and reduced to security-relevant content.
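As an added illustration of area 1 (this is not SecurityBridge code), the following sketch records security-relevant profile parameters from a profile file and ranks deviations by exploitation risk and remediation effort. The parameter names are real SAP profile parameters; the baseline checks, the risk and effort scores, and the sample profile are assumptions constructed for this example.

```python
import re

# Illustrative baseline (assumption, not an SAP or vendor rule set):
# parameter -> (check on the value, exploitation risk 1-3, remediation effort 1-3)
BASELINE = {
    "login/no_automatic_user_sapstar": (lambda v: v == "1", 3, 1),
    "gw/acl_mode":                     (lambda v: v == "1", 3, 2),
    "auth/rfc_authority_check":        (lambda v: int(v) >= 1, 3, 2),
    "login/min_password_lng":          (lambda v: int(v) >= 8, 2, 1),
    "login/fails_to_user_lock":        (lambda v: 1 <= int(v) <= 5, 2, 1),
    "snc/enable":                      (lambda v: v == "1", 2, 3),
}

# Constructed sample profile text, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed example)
login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
login/fails_to_user_lock = 5
gw/acl_mode = 1
auth/rfc_authority_check = abc
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^#=\s][^=\s]*)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit(params):
    """Return non-compliant findings, highest risk first, then lowest effort."""
    findings = []
    for name, (check, risk, effort) in BASELINE.items():
        value = params.get(name)
        # A parameter absent from the profile runs on its kernel default and
        # is reported as "not set" so that its setting still gets recorded.
        try:
            status = "not set" if value is None else ("ok" if check(value) else "deviation")
        except ValueError:
            status = "unparseable"
        if status != "ok":
            findings.append((name, value, status, risk, effort))
    return sorted(findings, key=lambda f: (-f[3], f[4], f[0]))

if __name__ == "__main__":
    for f in audit(parse_profile(SAMPLE_PROFILE)):
        print("%-34s value=%-5s %-11s risk=%d effort=%d" % f)
```

Sorting by risk and then by effort puts the cheap, high-impact fixes at the top of the list, which is the classification the first area asks for.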

What does SAP Threat Intelligence look like?

Threat Intelligence can be applied only when data is available. It is possible to establish the actual threat intelligence through data mining, pattern recognition, and dependency matrices. We have not only implemented the methods mentioned above in our SecurityBridge but also include the statistical detection of anomalies. Through a bird's-eye view, intelligent conclusions can be drawn that can even trigger automatic actions. Unfortunately, the threat scenario is constantly changing. Therefore, the once established catalog of use cases on the customer side has to be continuously adapted.

Posted by Ivan Mans