Threat Intelligence in SAP

Threat Intelligence is currently trending in IT-Security. It involves putting data on known malware, vulnerabilities and attack vectors into context to enable a more effective response against threats. Unfortunately, as is often the case in IT security, threat intelligence is usually limited to the infrastructure. Business-critical applications are left out. Take SAP systems as an example.

SAP systems contain the most sensitive data of every company and are therefore worthwhile targets for attackers. The hacker community has recognized this, and attacks on SAP systems are becoming more frequent as well as more professional.

Unfortunately, SAP systems are often excluded from regular security solutions, as is the case when it comes to Threat Intelligence solutions. One of the reasons is the fundamentally different technology used by the software manufacturer from Walldorf, and historically SAP systems have been separated from the rest of the IT – which often means that the security department is not familiar with the specifics of the technology, let alone able to detect attacks.

SAP security is becoming increasingly important

In recent years, this has changed significantly and the  importance of securing SAP systems is now widely recognized. It is worth taking a closer look at the term “Threat Intelligence” in this context. In reality, attacks are often orchestrated and prepared long in advance. If you want to use an analogy: Hacker attacks rarely resemble the classic bank robbery, where a masked robber waves a pistol and leaves the bank with a bag full of money after only a few minutes. A more fitting comparison would be a film like “Oceans Eleven”, in which sophisticated preparation precedes the actual clou.

Detect possible attacks from anomalies

In IT systems – and thus also valid for SAP landscapes – this preparation can be recognized by certain hints. If these hints are correlated with other conspicuous activities, a possible attack may be happening. The indications pointing to an attack usually do not cluster, but are rather spread among time and different log files. It is therefore not necessary to be able to evaluate the logs down to the second. More important is a correlation analysis, which detects possible threats spot on. 

To be able to carry out such an analysis, two things in particular are necessary: SAP-specific knowledge to be able to detect unusual activities in the first place. Secondly, this data must be collected in the first place.

Continuous monitoring is important

For a comprehensive and seamless monitoring of SAP landscapes, a solution is required that takes over the tasks of continuous monitoring for SAP systems. Thus, all processes within the SAP systems must be continuously monitored in the background to be able to recognize conspicuous processes at any time. These processes must then be correlated with each other. This requires an SAP-specific set of rules that also continuously analyzes user behavior. Furthermore, this information must not only be forwarded to the security department or to a connected SIEM system, but it must also be prepared in such a way that it does not require SAP know-how to immediately recognize possible threats as such.

This is where SAP-specific Threat Intelligence comes into play. SAP systems are extremely complex; most SAP landscapes consist of dozens or even hundreds of individual systems. Accordingly, it is important to know all weak points within the SAP landscape. This includes system parameters, potentially unsecured interfaces or – especially in the SAP area – applications developed by customers themselves. Identifying and securing these potential vulnerabilities is a challenge not only because of the complexity of SAP systems. The settings are also highly dynamic due to ongoing changes to the system.

All SAP areas should be covered

In order to identify the weak points in the above mentioned areas at an early stage, a scanner is required which checks all areas for possible security and compliance problems. Due to the high complexity of even a single SAP system, two things should be given special attention when selecting such a vulnerability management solution: Firstly, an audit should be as comprehensive as possible. The security guidelines of SAP itself as well as the DSAG audit guidelines provide a good starting point. On the other hand, such a scanner should be integrated into the real-time monitoring as seamlessly as possible so that changes to the system can be detected early and forwarded to the responsible parties.

Accordingly, Threat Intelligence in the SAP environment consists of several steps: weak points must first be identified, the systems must be protected by hardening them and continuous monitoring must be able to detect and classify anomalies.

No context, no intelligence

For Threat Intelligence to work in an SAP context, it is crucial that these separate steps are placed in an application-specific context. It is not enough to maintain a database of standardized vulnerabilities in an SAP system. Instead, this data must be correlated with each other, taking into account the approach used by attackers.

When selecting such a solution, two criteria should be in the foreground. For the identification and elimination of vulnerabilities, a comprehensive catalog of checks should be available, based on established standards. For the analysis of activities, in turn, an intelligent correlation solution is more important than a solution that promises an evaluation of log files accurate to the second. In other words, it is smarter to pull out the needle in a haystack with a magnet than to operate a database that examines each blade of grass separately.