Since the rise of ChatGPT, we have seen new use cases for artificial intelligence (AI) in day-to-day operations almost every day. This trend is also reaching the cybersecurity domain, where the number of cyberattacks keeps rising. Attacks have not only become more frequent, but their strategies have also become more sophisticated, as the recent MGM Grand/Caesars breach revealed. The question is: how do we protect IT systems against such threats, and how can AI support us in doing so?
The SAP Security community is also seeking answers to this question. As an obvious first step, AI can support SIEM and other monitoring systems by finding critical activity patterns in the enormous volume of event logs created every minute in today’s SAP environments. However, not every critical activity is malicious. SAP Security teams must have a good understanding of the normal state of their specific landscape, including custom development, to establish a strict regime for the use of superuser rights and privileged user access in SAP applications. Only then can they lower the “background noise” of accepted critical events to a level that creates a realistic chance of identifying malicious activities.
SAP System Resilience Is Often Quite Low
However, I have experienced a different situation when implementing SAP security for customers. I am often surprised to see how many critical alerts and findings pop up right after initializing event monitoring and vulnerability scans of the SAP system and its custom code. As many customers also struggle with monthly system patching, which causes red alerts, our SAP security experts must often diagnose quite a low resilience level of the SAP system. In such cases, even simple attack scenarios would have a good chance of succeeding or, worse, of remaining undetected.
The combination of a low resilience level and a high number of critical monitoring events, even during normal operations, makes it almost impossible for SOC teams to respond to cyberattacks promptly. Even with an AI-based approach, the number of false positives would be too high in a system landscape with an attack surface as wide as SAP’s, making it a challenge to stay in control of the situation. Due to the complexity of the underlying technologies and the variety of customizations, an SAP system is impossible to defend if it is not properly hardened. Therefore, I recommend system hardening as a prerequisite for any AI-driven SAP Security strategy.
AI for Detecting SAP Vulnerability Exploit Chains
A Threat Detection solution for SAP powered by AI can be very powerful, especially for detecting cyberattacks that chain multiple medium- or low-severity SAP vulnerabilities. As most security remediation strategies prioritize high and very high vulnerabilities due to resource constraints, successful attacks often exploit a chain of “leftovers”. AI can help detect these SAP security threats, but it can only unfold its full power within a hardened SAP system and SAP operations that embrace the principle of least user authorizations.
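To make the two points above concrete (baselining accepted critical events to cut background noise, then looking for clusters of the remaining deviations that could form an attack chain), here is an added example that is not part of the original post or of any SecurityBridge product. The audit events, user names and activity labels are constructed and hypothetical; they are not real SAP Security Audit Log records or event codes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical audit events: (timestamp, user, critical activity).
# Activity names are illustrative labels, not real SAP event codes.
NORMAL_OPERATIONS = [
    ("2024-01-08 02:00", "BASIS_ADM", "patch_import"),
    ("2024-01-08 02:05", "BASIS_ADM", "patch_import"),
    ("2024-01-09 02:00", "BASIS_ADM", "patch_import"),
    ("2024-01-09 09:10", "DEV_USER", "debug_session"),
    ("2024-01-10 09:30", "DEV_USER", "debug_session"),
]
INCIDENT_DAY = [
    ("2024-02-01 02:00", "BASIS_ADM", "patch_import"),    # accepted: monthly patching
    ("2024-02-01 22:01", "DEV_USER", "rfc_dest_change"),  # not in baseline
    ("2024-02-01 22:04", "DEV_USER", "profile_assign"),   # not in baseline, 3 min later
    ("2024-02-01 22:09", "DEV_USER", "debug_session"),    # accepted for this user
    ("2024-02-01 23:30", "SALES_01", "debug_session"),    # isolated deviation
]

def build_baseline(events, min_count=2):
    """Accepted (user, activity) pairs: seen at least min_count times in normal operations."""
    counts = defaultdict(int)
    for _, user, activity in events:
        counts[(user, activity)] += 1
    return {pair for pair, n in counts.items() if n >= min_count}

def detect(events, baseline, window_minutes=15, chain_len=2):
    """Return critical events outside the baseline, plus users whose deviations
    cluster inside one time window (a candidate chain of 'leftover' weaknesses)."""
    deviations = [e for e in events if (e[1], e[2]) not in baseline]
    per_user = defaultdict(list)
    for ts, user, activity in deviations:
        per_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), activity))
    chains, window = {}, timedelta(minutes=window_minutes)
    for user, items in per_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            run = [a for t, a in items[i:] if t - start <= window]
            if len(run) >= chain_len:
                chains[user] = run
                break
    return deviations, chains

if __name__ == "__main__":
    base = build_baseline(NORMAL_OPERATIONS)
    found, chains = detect(INCIDENT_DAY, base)
    print(f"{len(INCIDENT_DAY)} critical events, {len(found)} outside baseline, chains: {chains}")
```

Without the baseline all five incident-day events would be raised as critical; with it, two accepted events drop out and the two remaining DEV_USER deviations within minutes of each other surface as the one cluster worth an analyst's attention.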
From SecurityBridge