In this article, we will look at the prerequisites for SAP Threat Intelligence – and how it could look like. The generally accepted definition of Threat Intelligence is as follows: Threat intelligence is evidence-based information about cyber-attacks organized and analyzed by cyber security experts. This is also valid for SAP but must be specifically refined.
Let’s start with an example. In December 2021, the log4j vulnerability shocked the IT divisions and prevented them from enjoying a relaxing Christmas time. The CVSS 10 Vulnerability for Log4j, a widely used component, does not have an easy fix. Instead, the IT and security experts had to search for the use of the component before delivering the fixing strategy. SAP customers had to rely on the immediate actions of the security team of SAP SE to provide a fix.
The Log4j incident can be an example to illustrate how little insight companies usually have on which components they use.
Not knowing can be a benefit, but not when it comes to SAP security. The foundation for any form of intelligence is data, or in other words, the transparency that should be applied in the area of intelligence.
This is an important aspect, the missing piece for Threat Intelligence for SAP is often the lack of understanding of threats and attack vectors. Companies are in the dark about missing security patches for specific components. Similarly, there is a lack of visibility into an insecure configuration actively exploited in their SAP NetWeaver application. Let us look at: What data for SAP Threat Intelligence is needed?
Often, securing the SAP systems is pushed to the end of the task list because special dependencies need to be considered. These dependencies tend to make an already complex topic even more. Furthermore, the dependencies between, for example, system configuration and customer-specific application development increase the coordination effort between the departments. To create the basis for threat intelligence concerning SAP applications, the following areas must be analyzed:
1. System configuration:
All security-relevant parameters and their current setting must be filed and known. At first, no dependency among the individual parameters must be known. This needs to be considered later. Each vulnerability should be classified according to exploitation risk and effort of remediation.
2. Custom code security:
Furthermore, there are almost always vulnerabilities in the customer’s programming in addition to SAP standard product vulnerabilities that get fixed by regular security updates. The program code needs checking for backdoors or SQL injection vulnerabilities. All vulnerabilities should be recorded and sorted according to severity.
3. Missing security patches:
Security patches are released on a monthly cycle by the SAP Security Response Teams. Since there is no central overview of the missing security updates for SAP systems, it is very time-consuming to collect this information. Unfortunately, this is an essential part of Threat Detection for SAP.
4. Interface landscape:
Especially for SAP security, it is important to take a detailed look at the integration landscape and the ways of integration. SAP systems communicate via Remote Function Calls (RFC). RFC connections are set up for this purpose, which if configured incorrectly, can easily be misused by attackers.
5. Log collection and triaging:
SAP systems record almost all important information required to detect attacks in various logs. For some details, a separate query, like one of the SAP user masters, must be made. The information must be freed from transactional content and reduced to security-relevant content.
Threat Intelligence can be applied only when data is available. It is possible to establish the actual threat intelligence through data mining, pattern recognition, and dependency matrices. We have not only implemented the methods mentioned above in our SecurityBridge but also include the statistical detection of anomalies. Through a bird-eye view, intelligent conclusions can be made that can even trigger automatic actions. Unfortunately, the threat scenario is constantly changing. Therefore, the once established catalog of use cases on the customer side has to be continuously adapted.
Posted by
Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.
Protect your SAP applications with our comprehensive SAP security solution that addresses all your security needs. Our platform seamlessly integrates within your SAP environment and provides actionable insights in hours. Reduce the risk of data breaches and compliance violations with our trusted solution.
“We selected SecurityBridge as the platform most comprehensive in functionality that is completely and seamlessly integrated within the SAP technology stack. SecurityBridge’s agile and holistic approach enable us to transition very quickly and smoothly.”
“The expansion of our partnership with SecurityBridge is an important step in complementing our portfolio. It will help us strengthen our position in a dynamic market environment and underpin our leading role as SAP Partner.”
EVP, Global Innovation & IP, Global SAP Alliances & Region NEE
NTT DATA Business Solutions AG
Introducing the first and only holistic, natively integrated SAP security product that addresses all aspects necessary to protect organizations against cyber threats. The SecurityBridge Platform identifies SAP vulnerabilities and risks, providing mitigation measures to safeguard your organization’s critical assets. With our product, you can rest assured that your business is protected against potential security breaches.
Fast implementation, rapid discovery, actionable insights. Advanced SAP security technology includes anomaly detection for identifying sophisticated threats.
Eliminate false positives, optimize Security Analyst’s effort with a specialized Security Operation Center (SOC) integration for SAP.
Experience truly integrated real-time threat monitoring with SecurityBridge for SAP Threat Detection. Evolving results increase awareness of your organization’s threat posture.
Streamline your SOC team’s focus with SecurityBridge, the easy-to-maintain, deploy, and install SAP security solution.
Experience a unified platform with SecurityBridge. Our open architecture enables intelligent sharing of findings across all modules.
Streamline your security operations with the SAP SIEM connector. Our platform offers seamless, out-of-the-box integration with leading SIEM products.
Automate Patch detection with SecurityBridge. Our platform detects missing patches, including SNotes and SAP Kernel Patches, for a timely implementation.
Get a single source of truth with our Dashboard, providing comprehensive insights in one place.
Report security incidents with one click, document risk acceptance inline, and access the integrated knowledge base.
Ready to meet security like never before?
Calculate an individual business case for SecurityBridge usage and related improvement.
Resilience, security, and responsiveness are your core operational requirements. Our solutions help you to deliver your…
SecurityBridge integrates with Fortinet’s FortiGate a NextGen Firewall to increase the accuracy of detecting attacks on SAP applications.
The Platform receives frequent updates of attack detection patterns, compliance rules, and SAP security features. In our publications, we also inform you about active threats or security trends for SAP customers.
Security-by-design is a principle that emphasizes the need to build security measures into software systems from the start rather than as an afterthought.
SAP projects need to embed security conciseness to respect this principle and gain a cyber-resilient application. Thus, they should prioritize security when designing and implementing their SAP systems rather than attempting to bolt on security measures afterward. This can help to prevent security breaches and minimize the damage caused by cyberattacks.
With the recent increase in attention to SAP security from auditors, we decided to investigate SAP baselines. We took a closer look into what SAP baselines are, how they can help you, and how to survive an audit.
Remote Code Execution (RCE) vulnerability in SAP is a type of security issue that allows an attacker to execute arbitrary code on a target system remotely. has gained control of a user’s click, they can execute a range of actions, such as transferring funds, changing user settings, or stealing sensitive data.
SAP security provider SecurityBridge—now operating in the U.S.—today announced the latest addition to the SecurityBridge Platform—the Management Dashboard for SAP security.
The SAP Management Dashboard is a no-cost, additional application for the existing SecurityBridge Platform that combines all SAP data aspects and presents the information through a customizable, single pane of glass security dashboard view.
In recent years, cyberattacks against SAP systems have become more common, with attackers gaining network access and then exploring critical applications through port scanning and script-based exploration. Two examples of such attacks that use the SAP RFC SDK are the password lock attack and the password spray attack. In this article, we will outline how to detect these script-based attacks against SAP.
This article is part of our series that aims to provide SAP users with an overview of the most common vulnerability types in the SAP technology stack. Unless successfully prevented, SAP is impacted by Clickjacking Vulnerability, particularly in the SAP NetWeaver Application Server Java, Enterprise Portal (EP).
If an application is susceptible to clickjacking, an attacker may execute the clickjacking attacks against users of the platform. A clickjacking attack in the SAP framework could make it possible for an attacker to inject malicious code into SAP applications and hijack user clicks. Once an attacker has gained control of a user’s click, they can execute a range of actions, such as transferring funds, changing user settings, or stealing sensitive data.
ONE-STOP SHOP PLATFORM FOR SAP SECURITY
ABAP, HANA, JAVA, SAP CLOUD – We cover it all
