Security Orchestration Automation and Response (SOAR) for SAP

Key Takeaways

  • What is SOAR for SAP?
  • Is SOAR a new security trend?
  • Key benefits of security automation for SAP
  • We share our conclusion

Irrespective of whether you’re going to start your career in information security or if you have years of experience in this field, you might realize that you are part of an unfair game. Why is that? An army of attackers, including kids, organized crime, and nation-state hackers, stands against you, while you need retort with a limited budget and a handful of resources. It’s no surprise therefore that automation becomes an important weapon in the game to protect your enterprise organization against this rising threat. Solution providers such as SecurityBridge and Fortinet, have combined to support you with advanced cybersecurity solutions.

Particularly complex and enterprise-critical applications such as SAP need to be protected. Accepting that an SAP system transacts thousands of actions per second it’s an enormous challenge to detect anomalies in real-time. Additionally, once an incident has been detected it’s easy to generate an automated response. In this article, we look at how SOAR for SAP can enhance your response process with security automation and automated response.

Is SOAR a new security trend?

The subject of security automation isn’t new. Gartner has estimated that by 2022, 30% of security teams with more than five people will be leveraging SOAR products in some capacity. Primarily, the orchestration component makes SOAR very efficient. Security technology like SOAR is a central component of an organization’s SOC to provide analysts with a comprehensive enterprise view of the security posture.

What is SOAR for SAP?

The abbreviation SOAR stands for Security orchestration, automation and response. SOAR solutions supplement rather than replace a SIEM. It helps to coordinate, execute and automate tasks between involved parties (people and tools). Similarly, for Business Process Management (BPM) or Industry 4.0 the SOAR tools help you to evolve your security operation. FortiSOAR as an example aggregates and enriches alerts from a wide range of security products to enable rapid response and automated alert triage. Enhanced SOAR products embed easily within your security landscape. They use security “playbooks” to automate and coordinate workflows that may include any number of disparate security tools as well as human tasks.

A series of actions conducted by an account and/or terminal in SAP NetWeaver may trigger a detection pattern to execute an automated action within your SOC.

Benefits of security automation for SAP

In a 2020 survey, 42% of responders reported suffering from cybersecurity fatigue, and 93% of those individuals were experiencing 5,000 or more alerts per day. As Attacks are becoming more sophisticated and complex, this number will grow. In addition, each company must fight with the complexity of various business applications and more complex infrastructure solutions within the Datacenter and Cloud environments.

SOAR can help provide the appropriate response at the right time, avoiding cybersecurity fatigue. With a SOAR solution such as FortiSOAR, security operations teams can automate the tedious and repetitive elements of workflows while maintaining human authority. SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity, or the critical nature of the threatened business functions.

Steps Manual SOAR
Isolate affected devices
10 minutes
1 minute
Enrich artifacts to identify indicator of compromise (IOC)
45 to 60 minutes
3 minutes
Submit a file to the detonation engine
1 to 6 hours
1 minute

Providing an orchestration and automated alert response does not only lowering the time, analysts will have to invest working on incidents and alerts – it will also boost the return of investment (ROI) considerably. FortiSOAR for example also provides a broad portfolio of integrations which allows you to integrate directly with your existing security infrastructure like Firewalls, SIEM, Microsoft Active Directory, etc. This also dramatically lowers the operational complexity.

How could SOAR for SAP look like?

A SOAR Solution can be used in many different ways to simplify and automate security actions within SAP environments. With more than 300 connectors to various products and solutions and more than 150 predefined playbooks, FortiSOAR provides a broad portfolio of integrations and actions which can be used “out of the box” to automate security tasks.

If, for example, SecurityBridge Threat Detection detects a malicious activity within an SAP System, FortiSOAR would send an E-Mail to the corresponding user and inform them about their activities. SOAR’s could also perform more invasive activities as a playbook and could look like the following:

  1. Email to inform the user and/or supervisor
  2. End SAP Session for user (logoff)
  3. Lock user account within active directory and reset password to avoid reuse of possible compromised accounts
  4. Quarantine Client at Firewall Level to avoid further malicious activities

There are many possibilities as to how such a response could look like. SecurityBridge itself provides some easy-to-use capabilities as “first response” actions.

  • Terminate user session
  • Lock account
  • Deprovision authorization
  • Display SAP GUI information popup during user session.

Conclusion

Although covering “Identify” and “Detect” gets the highest priority in many organizations, the logical next step is to take care of “Response” and “Recover”. SecurityBridge creates a connection by enabling SAP customers to bridge SIEM and SOAR solutions using normalized, and context enhanced events.

As security processes mature, the requirement for orchestration, standardization, and automation also increases. Implementing SOAR with the intention of securing SAP may not make sense for some customers, although for small security teams the need for security automation is clearly evident. The standardization of responses and the predefined playbooks in solutions such as FortiSOAR make a significant contribution to success in the fight against cyberattacks.

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email

In collaboration with

Julian Petersohn

Fortinet
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

How to accelerate SAP Security?

Watch the webinar recording to learn how you can accelerate your SAP security initiatives. Special Guest, Sanofi’s SAP Security Leader speaking about their journey …

SAP and Cybersecurity – What you can do to protect yourself

Join IBM and SecurityBridge to hear exclusive content from SAP cybersecurity experts who will share invaluable insight into the best practices and upcoming strategies for SAP cybersecurity.
SAP Patchday
Like every second Tuesday of the month, it’s again SAP Patch day! Today, 12th October 2021, SAP again released security patches for its vast product portfolio.
story-of-a-ciso
With the push for zero-trust, primarily due to the cloud trend, IT security teams must focus more on application security. This is usually done by focusing on the most critical applications first. And that's where SAP almost always comes to the top of the list.