Security Orchestration Automation and Response (SOAR) for SAP

Key Takeaways

  • What is SOAR for SAP?
  • Is SOAR a new security trend?
  • Key benefits of security automation for SAP
  • We share our conclusion

Whether you are just starting your career in information security or have years of experience in the field, you may realize that you are part of an unfair game. Why is that? An army of attackers, including kids, organized crime, and nation-state hackers, stands against you, while you have to respond with a limited budget and a handful of resources. It’s no surprise, therefore, that automation has become an important weapon in protecting your enterprise organization against this rising threat. Solution providers such as SecurityBridge and Fortinet have joined forces to support you with advanced cybersecurity solutions.

Particularly complex and enterprise-critical applications such as SAP need to be protected. Given that an SAP system processes thousands of transactions per second, detecting anomalies in real time is an enormous challenge. Additionally, once an incident has been detected, it’s easy to generate an automated response. In this article, we look at how SOAR for SAP can enhance your response process with security automation and automated response.

Is it a new security trend?

The subject of security automation isn’t new. Gartner has estimated that by 2022, 30% of security teams with more than five people will be leveraging SOAR products in some capacity. It is primarily the orchestration component that makes SOAR so efficient. Security technology like SOAR is a central component of an organization’s SOC, giving analysts a comprehensive, enterprise-wide view of the security posture.

What is SOAR for SAP?

The abbreviation SOAR stands for Security Orchestration, Automation and Response. SOAR solutions supplement rather than replace a SIEM: they coordinate, execute and automate tasks between the involved parties (people and tools). Much as Business Process Management (BPM) or Industry 4.0 tooling does for business processes, SOAR tools help you evolve your security operations. FortiSOAR, as an example, aggregates and enriches alerts from a wide range of security products to enable rapid response and automated alert triage. Enhanced SOAR products embed easily within your security landscape. They use security “playbooks” to automate and coordinate workflows that may include any number of disparate security tools as well as human tasks.

A series of actions conducted by an account and/or terminal in SAP NetWeaver may trigger a detection pattern to execute an automated action within your SOC.
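The sentence above describes the trigger side: a detection pattern that correlates a series of actions by one account and terminal into an alert. The following is an added illustration, not SecurityBridge or Fortinet code. It matches ordered event sequences per (user, terminal) inside a time window and emits a normalized alert that a SOAR playbook could consume. The event layout, the event type names and the two patterns are constructed assumptions, not the real SAP Security Audit Log format.

```python
"""Added example, not SecurityBridge or Fortinet code: a minimal detection
pattern that correlates a series of actions by one account/terminal into an
alert a SOAR playbook could consume. The event layout is a constructed
simplification, not the real SAP Security Audit Log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, terminal, event_type)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:01", "JDOE", "WS-1042", "LOGON_FAILED"),
    ("2024-03-01T08:00:04", "JDOE", "WS-1042", "LOGON_FAILED"),
    ("2024-03-01T08:00:09", "JDOE", "WS-1042", "LOGON_FAILED"),
    ("2024-03-01T08:00:15", "JDOE", "WS-1042", "LOGON_OK"),
    ("2024-03-01T08:01:30", "JDOE", "WS-1042", "USER_CREATED"),
    ("2024-03-01T08:02:10", "JDOE", "WS-1042", "ROLE_ASSIGNED"),
    ("2024-03-01T09:15:00", "ASMITH", "WS-2001", "LOGON_OK"),
    ("2024-03-01T09:16:00", "ASMITH", "WS-2001", "USER_CREATED"),
]

# Hypothetical detection patterns: an ordered sequence of event types that
# must all occur for the same user/terminal within the given time window.
PATTERNS = {
    "failed_logons_then_success": {
        "sequence": ["LOGON_FAILED", "LOGON_FAILED", "LOGON_FAILED", "LOGON_OK"],
        "window": timedelta(minutes=5),
        "severity": "high",
    },
    "user_created_and_role_assigned": {
        "sequence": ["USER_CREATED", "ROLE_ASSIGNED"],
        "window": timedelta(minutes=10),
        "severity": "medium",
    },
}


def group_by_actor(events):
    """Group events per (user, terminal), each list sorted by time."""
    grouped = defaultdict(list)
    for ts, user, terminal, etype in events:
        grouped[(user, terminal)].append((datetime.fromisoformat(ts), etype))
    for evs in grouped.values():
        evs.sort()
    return grouped


def match_sequence(events, sequence, window):
    """Return (first_ts, last_ts) of the earliest ordered, not necessarily
    contiguous, occurrence of `sequence` that fits inside `window`, else None."""
    for i, (start_ts, start_type) in enumerate(events):
        if start_type != sequence[0]:
            continue
        if len(sequence) == 1:
            return start_ts, start_ts
        pos = 1
        for ts, etype in events[i + 1:]:
            if ts - start_ts > window:
                break  # window exhausted; try a later starting event
            if etype == sequence[pos]:
                pos += 1
                if pos == len(sequence):
                    return start_ts, ts
    return None


def detect(events, patterns=PATTERNS):
    """Run every pattern over every actor and return normalized alerts."""
    alerts = []
    for (user, terminal), evs in group_by_actor(events).items():
        for name, spec in patterns.items():
            hit = match_sequence(evs, spec["sequence"], spec["window"])
            if hit is None:
                continue
            first_ts, last_ts = hit
            alerts.append({
                "pattern": name,
                "severity": spec["severity"],
                "user": user,
                "terminal": terminal,
                "first_seen": first_ts.isoformat(),
                "last_seen": last_ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the JDOE/WS-1042 pair trips both patterns, while ASMITH creates a user without a role assignment in the window and stays silent. The alert dictionary carries user, terminal and severity, which is exactly the context a playbook needs to decide how invasive its response may be.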

Benefits of security automation for SAP

In a 2020 survey, 42% of respondents reported suffering from cybersecurity fatigue, and 93% of those individuals were experiencing 5,000 or more alerts per day. As attacks become more sophisticated and complex, this number will grow. In addition, each company must contend with the complexity of various business applications and increasingly complex infrastructure solutions in data center and cloud environments.

SOAR can help provide the appropriate response at the right time, avoiding cybersecurity fatigue. With a SOAR solution such as FortiSOAR, security operations teams can automate the tedious and repetitive elements of workflows while maintaining human authority. SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity, or the critical nature of the threatened business functions.

Step                                                          Manual            SOAR
Isolate affected devices                                      10 minutes        1 minute
Enrich artifacts to identify indicators of compromise (IOC)   45 to 60 minutes  3 minutes
Submit a file to the detonation engine                        1 to 6 hours      1 minute

Providing orchestration and automated alert response not only lowers the time analysts have to invest in working on incidents and alerts; it also boosts the return on investment (ROI) considerably. FortiSOAR, for example, also provides a broad portfolio of integrations that let you connect directly to your existing security infrastructure, such as firewalls, SIEM, Microsoft Active Directory, etc. This also dramatically lowers operational complexity.

What could SOAR for SAP look like?

A SOAR Solution can be used in many different ways to simplify and automate security actions within SAP environments. With more than 300 connectors to various products and solutions and more than 150 predefined playbooks, FortiSOAR provides a broad portfolio of integrations and actions which can be used “out of the box” to automate security tasks.

If, for example, SecurityBridge Threat Detection detects malicious activity within an SAP system, FortiSOAR could send an e-mail to the corresponding user informing them about their activities. SOAR could also perform more invasive actions as a playbook, which could look like the following:

  1. Email to inform the user and/or supervisor
  2. End SAP Session for user (logoff)
  3. Lock the user account in Active Directory and reset the password to prevent reuse of a possibly compromised account
  4. Quarantine Client at Firewall Level to avoid further malicious activities
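The four steps above are one playbook. As an added example, not FortiSOAR or SecurityBridge code, the following runner executes them in order against constructed in-memory stand-ins for the SAP, Active Directory, mail and firewall connectors. It shows the orchestration concerns a real playbook has to handle: fixed step order, gating each step on alert severity, an analyst approval callback for the invasive steps (the "maintaining human authority" point made earlier), and an audit trail that keeps going when one connector fails. The connector methods, the alert fields and the severity thresholds are all assumptions for the illustration.

```python
"""Added example, not FortiSOAR or SecurityBridge code: a small playbook
runner for the four response steps above, executed against constructed
in-memory stand-ins for the SAP, Active Directory, mail and firewall
connectors (no vendor API is used or modelled here)."""
from dataclasses import dataclass
from typing import Callable

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


class SimulatedLandscape:
    """Constructed stand-in for the systems a SOAR connector would talk to."""

    def __init__(self):
        self.sap_sessions = {"JDOE": ["SESS-17", "SESS-18"], "ASMITH": ["SESS-42"]}
        self.ad_accounts = {"JDOE": {"enabled": True, "password_version": 1}}
        self.firewall_quarantine = set()
        self.outbox = []

    def send_mail(self, to, subject):
        self.outbox.append((to, subject))

    def end_sap_sessions(self, user):
        return len(self.sap_sessions.pop(user, []))

    def lock_ad_account(self, user):
        account = self.ad_accounts[user]  # KeyError if the account is unknown
        account["enabled"] = False
        account["password_version"] += 1  # models a forced password reset

    def quarantine_host(self, terminal):
        self.firewall_quarantine.add(terminal)


@dataclass
class Step:
    name: str
    action: Callable
    min_severity: str       # the step runs only at this severity or above
    invasive: bool = False  # requires analyst approval before running


def notify(env, alert):
    env.send_mail(alert["user"], f"Suspicious activity from {alert['terminal']}")
    env.send_mail(alert["supervisor"], f"Alert {alert['id']}: {alert['user']}")
    return "user and supervisor notified"


def end_sessions(env, alert):
    return f"{env.end_sap_sessions(alert['user'])} SAP session(s) ended"


def lock_account(env, alert):
    env.lock_ad_account(alert["user"])
    return "AD account disabled and password reset"


def quarantine(env, alert):
    env.quarantine_host(alert["terminal"])
    return f"{alert['terminal']} quarantined at firewall"


PLAYBOOK = [
    Step("email_user_and_supervisor", notify, "low"),
    Step("end_sap_session", end_sessions, "medium"),
    Step("lock_ad_account_reset_password", lock_account, "high", invasive=True),
    Step("quarantine_client_at_firewall", quarantine, "high", invasive=True),
]


def run_playbook(env, alert, approve_invasive, playbook=PLAYBOOK):
    """Execute the steps in order and return an audit trail of (step, outcome).
    `approve_invasive(step, alert)` stands in for the analyst decision that
    keeps a human in the loop for the invasive steps."""
    trail = []
    rank = SEVERITY_RANK[alert["severity"]]
    for step in playbook:
        if SEVERITY_RANK[step.min_severity] > rank:
            trail.append((step.name, "skipped: below severity threshold"))
            continue
        if step.invasive and not approve_invasive(step, alert):
            trail.append((step.name, "skipped: analyst approval not given"))
            continue
        try:
            trail.append((step.name, "done: " + step.action(env, alert)))
        except Exception as exc:  # one failing connector must not stop the rest
            trail.append((step.name, f"failed: {type(exc).__name__}: {exc}"))
    return trail


# Constructed alert, shaped like the normalized event a detection engine hands over
SAMPLE_ALERT = {"id": "ALERT-0001", "user": "JDOE", "supervisor": "MGR-JDOE",
                "terminal": "WS-1042", "severity": "high"}

if __name__ == "__main__":
    env = SimulatedLandscape()
    for name, outcome in run_playbook(env, SAMPLE_ALERT, lambda step, alert: True):
        print(f"{name:34s} {outcome}")
```

Two design points matter more than the connector calls themselves. Severity gating is checked before the approval callback, so a medium alert never even asks an analyst about locking an account. And every step outcome, including "skipped" and "failed", is written to the trail, because a response that silently stopped halfway is the case the SOC later has to reconstruct.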

There are many possibilities as to what such a response could look like. SecurityBridge itself provides some easy-to-use capabilities as “first response” actions:

  • Terminate user session
  • Lock account
  • Deprovision authorization
  • Display an SAP GUI information popup during the user session

Although covering “Identify” and “Detect” gets the highest priority in many organizations, the logical next step is to take care of “Response” and “Recover”. SecurityBridge creates that connection by enabling SAP customers to bridge SIEM and SOAR solutions using normalized, context-enriched events.

As security processes mature, the requirement for orchestration, standardization, and automation also increases. Implementing SOAR with the intention of securing SAP may not make sense for some customers, although for small security teams the need for security automation is clearly evident. The standardization of responses and the predefined playbooks in solutions such as FortiSOAR make a significant contribution to success in the fight against cyberattacks.

Posted by Christoph Nagy

In collaboration with Julian Petersohn
