How To Quickly Kick Start Holistic SAP Security
Posted: Monday, Jul 29

When looking at a large and complex SAP landscape, some might think that implementing an effective security posture for such an environment is a big and long-term project. We see a lot of tools in the market that provide security for SAP as a service and show results within a day or less.

However, this quick implementation turnaround often comes with a limited scope of monitoring standard SAP logs and mainly processing easily accessible APIs. Unfortunately, raw SAP logs are difficult to understand and require a lot of additional information from the depths of an SAP technology stack to translate them into decision-enabling event messages. Additionally, SAP teams must be aware that SAP security is not just about monitoring but also entails system hardening through patching, secure configurations and custom coding.

Only an SAP security approach that covers all necessary topics gives SAP teams the response capabilities they need against current cyberattacks. Such an approach might require additional organizational and process changes, which take time. However, SAP security teams can kick-start a comprehensive security program and achieve significant improvements within a day. What they need is a holistic platform and a guided approach to SAP security.

Here are 5 steps to accomplish this:

  1. Get access to a comprehensive SAP security knowledge base.

This is an important initial step that is often forgotten. Even with the best SIEM tools, you need to know what to do in case of an event and which mitigations are recommended. It is challenging for SAP administrators to stay on top of all kinds of SAP security-related insights, but an up-to-date SAP security knowledge base, where everything known about SAP security is added, puts them in the driver’s seat.

  2. Activate a security shield around your SAP environment based on a template of pre-configured rules that leverage this comprehensive SAP Security knowledge.

Whether your SAP security monitoring is rule-based or AI-based, its foundation is always a full set of expertise. The difference lies in the way it is turned into an automated monitoring solution. With this, you can be sure that you are always alerted in case of a cyberattack, enabling you to focus on your daily tasks within SAP operations. SAP threat detection solutions can offer hundreds of configured and active out-of-the-box listeners to detect known attack vectors and malicious activities. They can also leverage an anomaly detection engine to identify more sophisticated threats and receive instant updates on new critical SAP vulnerabilities.

  3. Let your SAP users become your companions for SAP Security.

Most cyberattacks misuse hijacked user accounts to get access to the SAP system. The easiest way to detect this misuse is to inform the account owner whenever application logins are performed from devices or IP addresses different from the usual ones. This is common practice in all cloud services to protect user accounts, so why not leverage the same approach for SAP?

SAP security solutions use an automated self-learning approach to create user profiles with valid accounts and access points. Whenever a new endpoint or client device is used, the SAP user is notified and can respond in the event of a malicious attempt. A SAP security action framework can then trigger automated mitigation steps, such as temporarily blocking the account.
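The profile-and-notify flow described above can be sketched as follows. This is an added example, not code from the article or from any SAP security product; the class names, the 14-day learning window and the event fields (user, IP, terminal, timestamp) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
LEARNING = timedelta(days=14)  # assumed self-learning window per user

@dataclass
class Profile:
    first_seen: datetime
    known: set = field(default_factory=set)    # confirmed (ip, terminal) pairs
    pending: set = field(default_factory=set)  # awaiting the owner's answer

class LogonMonitor:  # hypothetical name, not a product API
    def __init__(self):
        self.profiles, self.blocked = {}, set()

    def observe(self, user, ip, terminal, ts):
        """Return None for a usual logon, or an alert dict for a new endpoint."""
        endpoint = (ip, terminal)
        prof = self.profiles.setdefault(user, Profile(first_seen=ts))
        if endpoint in prof.known:
            return None
        if ts - prof.first_seen < LEARNING:
            prof.known.add(endpoint)   # still learning: accept silently
            return None
        prof.pending.add(endpoint)     # unusual endpoint: ask the account owner
        return {"user": user, "endpoint": endpoint, "time": ts.isoformat(),
                "action": "notify_owner"}

    def owner_response(self, user, endpoint, recognised):
        """Apply the account owner's answer to a notification."""
        prof = self.profiles[user]
        prof.pending.discard(endpoint)
        if recognised:
            prof.known.add(endpoint)   # becomes part of the usual profile
        else:
            self.blocked.add(user)     # temporary block pending investigation

# Constructed sample logon events, not real SAP log data.
EVENTS = [
    ("JSMITH", "10.1.4.21", "WS-FIN-07", datetime(2024, 7, 1, 8, 2)),
    ("JSMITH", "10.1.4.21", "WS-FIN-07", datetime(2024, 7, 8, 8, 5)),
    ("JSMITH", "10.9.0.5", "VPN-GW-2", datetime(2024, 7, 10, 19, 30)),
    ("JSMITH", "10.1.4.21", "WS-FIN-07", datetime(2024, 7, 22, 8, 1)),
    ("JSMITH", "192.0.2.44", "UNKNOWN-PC", datetime(2024, 7, 23, 2, 14)),
]

def replay(events):
    mon = LogonMonitor()
    alerts = [a for e in events if (a := mon.observe(*e))]
    return mon, alerts
```

Everything seen during the learning window is trusted, so the baseline should be built from a period known to be clean; an account already misused while the profile is being learned would have the foreign endpoint recorded as usual.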

  4. Turn on a security dashboard for SAP that provides instant access to all necessary information about the current state of your SAP security.

Ideally, this security dashboard comprises all SAP security topics, including not only the monitoring status but also the system vulnerability rating, the patching status of landscapes, and a summary of critical code vulnerabilities in your custom applications. Such a dashboard keeps SAP administrators on top of the security issues in their landscape and is the starting point for detailed analyses, forensics, and mitigating actions. This security dashboard should provide out-of-the-box widgets for all SAP security topics that you can adapt, letting you filter the data and structure the views you need for the various SOC roles.

  5. Build your security roadmap starting with low-hanging fruits for hardening your SAP systems and landscape.

Only SAP security teams that have an automated security shield around their SAP environment and have access to a comprehensive SAP security knowledge base have the capacity to continuously harden their systems and stay on top of their SAP security posture. However, as there are thousands of settings, having a list of those that matter most and are easy to fix is a very efficient way to improve the overall resistance of SAP systems to cyberattacks.

Look for an SAP security solution that provides compliance checks that not only lower the exploitation risk of a vulnerability but also the resolution complexity associated with it. Your compliance roadmap should leverage this information to create a sorted, always up-to-date list for the most efficient remediation approach, with critical issues that are easy to solve on top of this list. Trend reports can then automatically show the progress of the hardening work.

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge – a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.
