What is SAP Threat Intelligence? 

SAP Threat Intelligence

In this article, we will look at the prerequisites for SAP Threat Intelligence and at what it could look like. The generally accepted definition of Threat Intelligence is as follows: Threat intelligence is evidence-based information about cyber-attacks, organized and analyzed by cyber security experts. This definition is also valid for SAP but must be refined for it.

Let’s start with an example. In December 2021, the Log4j vulnerability shocked IT divisions and prevented them from enjoying a relaxing Christmas. The CVSS 10 vulnerability in Log4j, a widely used component, does not have an easy fix. Instead, IT and security experts had to search for uses of the component before delivering a fixing strategy. SAP customers had to rely on the immediate actions of the security team of SAP SE to provide a fix.

The Log4j incident illustrates how little insight companies usually have into which components they use.

The missing piece:

Not knowing can be a benefit, but not when it comes to SAP security. The foundation for any form of intelligence is data, or in other words, the transparency that should be applied in the area of intelligence.  

This is an important aspect: the missing piece for Threat Intelligence for SAP is often the lack of understanding of threats and attack vectors. Companies are in the dark about missing security patches for specific components. Similarly, they lack visibility into insecure configurations that are actively exploited in their SAP NetWeaver application. So let us look at the question: what data is needed for SAP Threat Intelligence?

Foundation for Threat Intelligence:

Often, securing the SAP systems is pushed to the end of the task list because special dependencies need to be considered. These dependencies tend to make an already complex topic even more complex. Furthermore, the dependencies between, for example, system configuration and customer-specific application development increase the coordination effort between departments. To create the basis for threat intelligence concerning SAP applications, the following areas must be analyzed:

1. System configuration: 
All security-relevant parameters and their current settings must be recorded and known. At first, the dependencies among the individual parameters do not need to be known; they are considered later. Each vulnerability should be classified according to exploitation risk and effort of remediation.

2. Custom code security: 
In addition to vulnerabilities in the SAP standard product, which are fixed by regular security updates, there are almost always vulnerabilities in the customer’s own programming. The program code needs to be checked for backdoors or SQL injection vulnerabilities. All vulnerabilities should be recorded and sorted according to severity.

3. Missing security patches:  
Security patches are released on a monthly cycle by the SAP Security Response Teams. Since there is no central overview of the missing security updates for SAP systems, it is very time-consuming to collect this information. Unfortunately, this is an essential part of Threat Detection for SAP. 

4. Interface landscape:
Especially for SAP security, it is important to take a detailed look at the integration landscape and the ways of integration. SAP systems communicate via Remote Function Calls (RFC). RFC connections are set up for this purpose and, if configured incorrectly, can easily be misused by attackers.

5. Log collection and triaging:
SAP systems record almost all important information required to detect attacks in various logs. For some details, a separate query, such as one against the SAP user master, must be made. The information must be freed from transactional content and reduced to security-relevant content.
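For the system configuration area (item 1), one way to record parameter settings and rank deviations by exploitation risk and effort of remediation is shown below. This is an added example, not code from SecurityBridge or SAP; the baseline values, the 1 to 3 scores and the sample profile are assumptions constructed for illustration.

```python
# Added example: baseline values and the risk/effort scores are assumptions for
# illustration, not SAP recommendations or SecurityBridge logic.
from typing import NamedTuple

class Rule(NamedTuple):
    ok: callable      # returns True when the value is acceptable
    risk: int         # exploitation risk, 1 (low) .. 3 (high)
    effort: int       # remediation effort, 1 (low) .. 3 (high)

BASELINE = {
    "login/no_automatic_user_sapstar": Rule(lambda v: v == "1", 3, 1),
    "gw/acl_mode":                     Rule(lambda v: v == "1", 3, 2),
    "rfc/reject_expired_passwd":       Rule(lambda v: v == "1", 2, 2),
    "login/min_password_lng":          Rule(lambda v: v.isdigit() and int(v) >= 8, 2, 3),
}

# Constructed sample of a profile export ("name = value" lines).
SAMPLE_PROFILE = """\
# constructed sample, not from a real system
login/no_automatic_user_sapstar = 0
gw/acl_mode = 1
login/min_password_lng = 6
rdisp/wp_no_dia = 10
"""

def parse_profile(text):
    """Parse 'name = value' lines; skip blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def assess(params):
    """Return findings ordered by highest risk first, then lowest effort."""
    findings = []
    for name, rule in BASELINE.items():
        value = params.get(name)
        if value is None:
            # Not in the export: the setting is unknown, so record it too.
            findings.append((name, "unknown", rule.risk, rule.effort))
        elif not rule.ok(value):
            findings.append((name, value, rule.risk, rule.effort))
    return sorted(findings, key=lambda f: (-f[2], f[3]))

if __name__ == "__main__":
    for name, value, risk, effort in assess(parse_profile(SAMPLE_PROFILE)):
        print(f"risk={risk} effort={effort} {name} = {value}")
```

Parameters that are absent from the export are reported as "unknown" rather than assumed safe, which keeps the record complete before any dependencies between parameters are considered.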

What does SAP Threat Intelligence look like?

Threat Intelligence can be applied only when data is available. The actual threat intelligence can be established through data mining, pattern recognition, and dependency matrices. We have not only implemented the methods mentioned above in our SecurityBridge but have also included the statistical detection of anomalies. From a bird's-eye view, intelligent conclusions can be drawn that can even trigger automatic actions. Unfortunately, the threat scenario is constantly changing. Therefore, the catalog of use cases, once established on the customer side, has to be continuously adapted.

Posted by

Ivan Mans