Since the rise of ChatGPT, we have seen new use cases for artificial intelligence (AI) in today's operations almost every day. This trend is certainly also impacting the cybersecurity domain, as IT threats keep growing along with the number of cyberattacks. However, not only has the frequency of attacks increased, but the attack strategies have also become more sophisticated, as the recent MGM Grand/Caesar's breach revealed. The question is, how do we protect IT systems against such threats, and how can AI support us in this case?
The SAP Security community is also seeking answers to this question. As an obvious first step, AI can support SIEM and other monitoring systems by finding critical activity patterns in the giant amount of event logs created every minute in today's SAP environments. However, not every critical activity is malicious. SAP Security teams must have a good understanding of their normal state within their specific landscape, including custom development, to establish a strict regime for leveraging superuser rights and privileged user access in SAP applications. Only then can they lower the "background noise" of accepted critical events to an extent that creates a realistic chance of identifying malicious activities.
SAP System's Resilience Is Often Quite Low
However, I experienced a different situation when implementing SAP security for customers. I am often surprised to see how many critical alerts and findings pop up right after initializing event monitoring and vulnerability scanning of the SAP system and its custom code. As many customers are also challenged with monthly system patching, which itself causes red alerts, our SAP security experts must often diagnose quite a low resilience level of the SAP system. In such cases, even simple attack scenarios would have a good chance of being successful or, worse, of remaining undetected.
The combination of a low resilience level and a high number of critical monitoring events, even during normal operations, makes it almost impossible for SOC teams to respond to cyberattacks promptly. Even with an AI-based approach, the number of false positives would be too high in a system landscape with an attack surface as wide as SAP's, making it a challenge to stay in control of the situation. Due to the complexity of the underlying technologies and the variety of customizations, an SAP system is impossible to defend if it is not properly hardened. Therefore, I recommend system hardening as a prerequisite for any AI-driven SAP Security strategy.
AI for Detecting SAP Vulnerability Exploit Chains
A Threat Detection solution for SAP powered by AI can be very powerful, especially for detecting cyberattacks that chain multiple medium or low SAP vulnerabilities. As most security remediation strategies prioritize the high and very high vulnerabilities due to resource constraints, successful attacks often exploit a chain of "leftovers". AI can help detect these SAP security threats, but it can only unfold its full power within a hardened SAP system and SAP Operations that embrace the principle of least user authorizations.
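The two detection ideas above, lowering the background noise of accepted critical events (an approved baseline of who may do what, and when) and then correlating the residual medium and low events into chains per user, can be sketched in a few dozen lines. The following Python is an added example, not SecurityBridge's product code or any SAP API: the event lines, the pipe-separated format, the event type names, the `PATCH_SVC` maintenance account and the 15-minute chain window are all constructed for illustration.

```python
"""Baseline suppression plus per-user chain correlation over constructed SAP-style events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SAP Security Audit Log output):
# timestamp | user | event type | description | severity
SAMPLE_EVENTS = [
    "2024-03-04T22:05:11 | PATCH_SVC | AUTH_CHANGE | Wide profile assigned during patch window | medium",
    "2024-03-04T22:06:40 | PATCH_SVC | TRANSPORT_IMPORT | Transport imported during patch window | low",
    "2024-03-05T09:12:03 | JDOE | DEBUG_REPLACE | Debugger field change in custom program | medium",
    "2024-03-05T09:13:20 | JDOE | TABLE_DOWNLOAD | Sensitive table downloaded | medium",
    "2024-03-05T09:14:45 | JDOE | RFC_CALL_EXT | RFC call to external destination | low",
    "2024-03-05T10:00:00 | MSMITH | LOGON_FAILED | Wrong password | low",
]

# Approved baseline: (user, event type, start hour, end hour). Only the known
# patching account may raise these events, and only inside the 22:00-24:00 window.
# These rules are an assumption made up for the example.
BASELINE = [
    ("PATCH_SVC", "AUTH_CHANGE", 22, 24),
    ("PATCH_SVC", "TRANSPORT_IMPORT", 22, 24),
]


def parse_events(lines):
    """Turn the constructed pipe-separated lines into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        ts, user, event_type, description, severity = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event_type": event_type,
            "description": description,
            "severity": severity,
        })
    return events


def is_baseline(event):
    """True when the event matches an approved (user, type, time window) rule."""
    hour = event["ts"].hour
    return any(
        event["user"] == user and event["event_type"] == etype and start <= hour < end
        for user, etype, start, end in BASELINE
    )


def filter_baseline(events):
    """Split events into residual (to be analysed) and the count of suppressed ones."""
    residual = [e for e in events if not is_baseline(e)]
    return residual, len(events) - len(residual)


def detect_chains(events, window=timedelta(minutes=15), min_steps=3):
    """Flag a user whose residual events form >= min_steps distinct types inside `window`.

    Each individual event is only medium or low; the chain is what makes it worth an alert.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    chains = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            steps = {e["event_type"] for e in evs[start:end + 1]}
            if len(steps) >= min_steps:
                chains.append({
                    "user": user,
                    "start": evs[start]["ts"],
                    "end": evs[end]["ts"],
                    "steps": sorted(steps),
                })
                break  # one chain alert per user is enough for this example
    return chains


def analyze(lines):
    """Full pipeline: parse, suppress the approved baseline, correlate what is left."""
    residual, suppressed = filter_baseline(parse_events(lines))
    return {
        "suppressed": suppressed,
        "residual": len(residual),
        "chains": detect_chains(residual),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(f"suppressed by baseline: {result['suppressed']}, residual: {result['residual']}")
    for chain in result["chains"]:
        print(f"chain alert for {chain['user']}: {' -> '.join(chain['steps'])}")
```

On the constructed input the two patch-window events are suppressed, the single failed logon stays below the chain threshold, and only the three-step sequence by `JDOE` is raised. The point is the ordering: the baseline has to be tight and trusted before the correlation step produces a manageable number of alerts, which is the hardening-first argument of the post.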
From SecurityBridge