Story of a CISO – My Journey into SAP Cybersecurity

Key Takeaways

  • Although they store the “crown jewels”, most SAP systems are still not properly secured
  • Securing SAP is a big challenge – even for an experienced CISO
  • Bridging the gap between SAP engineers and the cybersecurity team is crucial

Getting started

When I initially started my journey into SAP cybersecurity, I already had many years of experience leading information security across various government organizations and large, multinational companies. Throughout this time, I met with many different CISOs and started noticing a trend: SAP platforms were not protected to the level of other enterprise systems. In general, there was no focus on SAP security, although for all those companies SAP was one of the top few critical applications, supporting some of the most critical business processes and holding some of the most sensitive data. So I was wondering: why is that the case? Why are so many companies neglecting something so important? I first decided to get my team to onboard SAP log sources to our SIEM and build correlation use cases so we could at least effectively monitor the “crown jewels” with our Security Operations Center (SOC).

SAP security requires deep application knowledge

After developing only a few basic use cases, we concluded that the deep application knowledge required, and the lack of context in individual SAP log sources, made this effort much more complex than initially envisioned. And that project would have covered only the monitoring part! That’s when I went out looking for a commercial solution to close the SAP security gap at my company. I wanted a solution that would seamlessly integrate SAP landscape visibility into my existing security technology stack and program, in a way that took the burden of deep SAP knowledge off the cybersecurity team.

A lot of information security experts I talk to who have not fully explored SAP assume it’s just a standard application with a database. But there is a complex architecture, and more than a dozen log sources behind the scenes, that need to be fully understood in order to apply adequate security controls. Then there is the concept of clients, which separate the individual business areas from each other, and a unique way of interfacing to exchange sensitive data. Overall, SAP is a technical landscape like no other in the enterprise, and it requires deep expertise to properly secure. Moreover, there is a distinct language barrier between SAP engineers and cybersecurity engineers: it is often difficult to even describe security controls in the same way as you would for a more traditional IT environment.

Software must be more than just a technical bridge

When I started to implement solutions for SAP cybersecurity using only my internal team, I was going purely after threat detection. However, after getting more experience with SAP, I realized that there were many other areas I needed to address such as preventative controls and compliance requirements. 

[Figure: SAP security onion-layer diagram]

This was simply more than the security team could keep up to date and implement on their own. Also, integrating just the SAP Security Audit Log into the SIEM did not even solve the monitoring part of the problem. On its own it does not provide enough information to detect or act on incidents, and there are too many other logs that you would need to correlate to build use cases. I would say any security team that has tried to work with log management understands that storing all logs is a very high-volume, high-friction situation, while typically only a small subset of that data is relevant to SAP security. During that phase I spoke to the SAP teams and learned that most of SAP’s logs are filled with verbose business transactional information. We realized that those business transaction logs were often of low security value on their own, but at the same time provided some very important insights that were needed to fully understand entries in the primary security log, the SAP Security Audit Log.

What we needed was a solution that helps us highlight findings and alerts with context, enrichment and normalization to get valuable information. A big part of cyber defense is finding the so-called needle in the haystack, and obviously the bigger the haystack, the harder it is to find the needle. So any technology that is able to zoom in on the focus area we need to investigate for an incident is a gain.

Finally, I came across the SecurityBridge platform and it provided all the primary security controls we were looking for, including incident detection, patch management, code analysis, and things that we could use for compliance and internal audit as well.

Posted by Branden Newman