By Christoph Nagy, SecurityBridge

Once you know how to efficiently secure the SAP environment,  the next step should be to learn how to maintain that security and continuously improve your SAP Security posture. SAP landscapes are quite dynamic and, as they need to be flexible to support business processes, are also frequently subject to change. Therefore, SAP teams must establish ongoing processes that ensure changes to the SAP systems do not impact the security level, whether those changes are due to new business requirements or administrative actions.

However, the security level of an SAP system can also be impacted by malicious activities or cyberattacks. As attackers are constantly improving their skills and capabilities, SAP Security needs to constantly adapt to meet these challenges. Continuously improving the efficiency of the Threat Detection and Response process is as important as developing capabilities for forensic analysis to detect even the most sophisticated attack vectors.

Some organizations might already be aligned with the NIST framework to improve their cybersecurity posture. In general, we see this as a good starting point, but we would like to highlight some specific recommendations for SAP Security processes in this article.

Recommended processes to stay secure with SAP:

1. Threat response process for SAP 

Monitoring security and audit logs in SAP environments is an essential first step for ramping up your SAP Security posture. During the kick-start phase, you should use the monitoring templates available in your Threat Detection solution. It is the fastest path to establish a best-practice security shield around your SAP systems. Over time, you can fine-tune the monitoring rules and listeners, gaining a more tailored solution for detecting SAP threats. The last stage, however, is the response process to those SAP threats. You need a good understanding of the various attack vectors, ideally by leveraging a built-in knowledge base with recommended actions. An automated framework integrated with your security monitoring and incident management (as part of ITSM) will also help you respond to threats with predefined actions, including notifications to the appropriate members of your SAP operations or security team. Sending decision-enabling messages with all necessary information to the recipients ensures an efficient threat response process.

2. SIEM for SAP

We see many organizations start their SAP Security journey by sending the raw SAP audit logs directly to their existing enterprise SIEM or SOC team. As SAP applications are different and more complex compared to their underlying IT infrastructure, this approach is likely to set the stage for failure. In most cases, it just creates an event flood in the SIEM database with meaningless information and no recommended actions for the SOC team. A better approach is to establish a SIEM for SAP which acts on top of the SAP Threat Detection system (see also point #1). By forwarding only relevant events enriched with decision-enabling and meaningful messages to the SOC team, you put them into the driver’s seat, allowing them to respond effectively to the threat. Ideally, a SIEM for SAP bridges the gap between a mature SAP Threat Detection and Response process at the SAP operations level and the overall IT security process at an enterprise level.

3. Security forensics for SAP 

To support an efficient and powerful SAP Threat Detection and Response process, organizations should consider adopting forensic analysis capabilities too. Security monitoring leverages sophisticated rule engines, including AI-driven approaches for filtering critical and malicious activities out of the giant pool of security audit log records. On the other hand, the forensic team needs the entire data set with all the event details for identifying anomalies and threat chains. A powerful forensic tool for SAP provides data not only after the critical fact but also before. This is crucial for revealing malicious patterns even within a chain of less critical activities. Ideally, SAP Security teams have a solution that can balance event filtering and detailed logging (HyperLogging) without impacting the performance and response time of the SAP system.

4. Security gateway within SAP Application Lifecycle Management (ALM)

The key part of the “get secure” phase is the continuous reduction of vulnerabilities in your SAP landscape, either caused by unsecured configurations, missing patches or security issues in the ABAP custom code. During this entire process, you want to make sure that no new vulnerabilities are introduced by changes to your SAP application. The SAP ALM is the process that controls those changes, and it should have a security gateway in place. This means that any code change is also validated against best practices for secure ABAP coding. This gateway should at least be implemented at the SAP transport level, so that only secure code is imported into your test system and later into production. Optimally, security code checks should already be part of the ABAP development process to support SAP developers in creating secure code and streamlining the entire application change process.

5. Privileged Access Management for SAP  

Balancing between event filtering, required by security monitoring or SIEM, and detailed logging, necessary for security forensics, is quite challenging even with the best tools. A Privileged Access Management (PAM) process for SAP complements Threat Detection and Forensics by reducing the number of critical events that require the SOC’s attention or further investigations. Following the least privilege principle, SAP administrators should use elevated user rights only on demand through a simple authorization request and automated approval process. As critical activities are now only performed within this controlled process with detailed logging for each PAM session, they can easily be distinguished from the other activities. Preferably, your audit logs should not show critical user actions that are not part of a PAM session. If you see them, they are likely to be malicious.

 Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member, and CEO at SecurityBridge–a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.