SAP cyber resilience is not a one-and-done procedure

IT organizations are currently undergoing a shift in which established processes and measures are evaluated for efficiency and effectiveness, focusing on cost-effectiveness. Cyberattacks often trigger this shift in corporate infrastructure and enterprise applications, highlighting the inefficiency of current security measures. To achieve system analysis program (SAP) cyber resilience, a closer examination of existing processes and measurements is necessary to identify and address areas of weakness.

To achieve proper SAP cyber resilience, IT professionals must recognize that the threat landscape is constantly evolving — with attackers continuously developing new exploitation methods and discovering new vulnerabilities. As a result, the SAP system settings are frequently in flux, even when these changes are part of the change management process. Therefore, it is necessary to establish procedures to capture changes, analyze the security impact and facilitate prompt adaption to address this constant evolution. In addition, establishing good security procedures will ensure a timely response to changes in the threat situation and the overall security posture.

Regarding SAP, performing occasional IT security audits to check and adjust the hardening of SAP systems — and reviewing the basic security architecture — needs to be revised to ensure safety. It’s important to note that a single assessment of the SAP application's security posture may not resolve or identify all issues. A change of this paradigm is needed. Frequent, ideally automated, standardized SAP security baseline checks will inevitably reveal new vulnerabilities or unresolved problems during additional audits. To reach the next level in the cybersecurity game, it is essential to have a continuous process for monitoring and addressing security issues within the SAP systems — aside from the standard SAP security features.

Active cybersecurity management is required

To achieve resilience against cyberattacks on SAP applications, active management of the critical application's security posture must be established. Managing security postures includes frequently evaluating the IT landscape, the configuration (thousands of system and profile parameters) of SAP systems, user management, authorization assignments and much more. Identifying deviations from the designated security baseline allows for prompt action.

Continued compliance with security requirements is a crucial first step in achieving SAP cyber resilience. Third-party SAP security solutions will often assist in defining a security policy for all relevant SAP system parameters, critical authorizations and access control lists (ACLs) and will continuously verify compliance with the standard.

Implementing an effective security monitoring program to detect cyberattacks is essential to track all transactions performed within the SAP application. This sounds easier than it is. Given the high number of users, processes and interfaces, SAP systems can process between 1,000 and several million transactions per minute. Therefore, to effectively monitor these transactions, it can be beneficial to use detection patterns that filter irrelevant transaction noise and reveal malicious activities.

Real-life SAP attack example

A real-life example demonstrates that periodic checks and real-time monitoring are crucial for maintaining SAP cyber resilience. Without providing specific details, the attacker exploited an unpatched vulnerability in the SAP transport management system (STMS) to elevate an account to which they had access, such as SAP_ALL, to "God-Mode." After importing the malicious transport and activating the credentials, the attacker gained access and opened the system’s changeability. Simultaneously, the attacker disabled security audit logging. Disabling the security audit logging allowed the attacker to create persistence by changing some system parameters dynamically without leaving any traceable log entries.

The attack described would not have been possible if the targeted systems were better protected from SAP cyberattacks. In this case, the vulnerability in SAP STMS, fixed in October 2021, would have been patched. In addition, even if the attacker could exploit the vulnerability, the unauthorized allocation of administration rights would have been detected as an anomaly by real-time monitoring and removed automatically, preventing the attack or allowing for a quick response.

However, if the attacker had managed to modify the system and disable relevant logs, it could have become more challenging to detect. Then the attacker could have installed a backdoor to return later, underscoring the importance of systematic vulnerability analysis. Finally, even if the attacker has achieved persistence, testing security settings and the custom code base increases the likelihood of detecting and eliminating vulnerable configurations or code adjustments.

Ensuring security

Performing occasional IT security audits to check and adjust the hardening of SAP systems and reviewing the basic security architecture must be revised to ensure safety. Therefore, a continuous process for monitoring and addressing security issues within the SAP systems is essential. In addition, active management of security postures is also required, which includes frequently evaluating the IT landscape, the configuration of SAP systems and user management and authorization assignments.