Threat intelligence in an SAP context
Threat Intelligence is currently trending in IT-Security. It involves putting data on known malware, vulnerabilities and attack vectors into context to enable a more effective response against threats. Unfortunately, as is often the case in IT security, threat intelligence is usually limited to the infrastructure. Business-critical applications are left out. Take SAP systems as an example.
SAP systems contain the most sensitive data of every company and are therefore worthwhile targets for attackers. The organized cyber criminals have recognized this, and attacks on SAP systems are becoming more frequent as well as more professional. Since Mid-August 2020 the independent bug bounty trader Zerodium is looking for zero-days with pre-auth remote code execution, authentication bypass, or data disclosure for SAP NetWeaver.
Unfortunately, SAP systems are very specific and thus are often not covered from regular security solutions, as is the case when it comes to Threat Intelligence solutions. One of the reasons is the fundamentally different technology used by the software manufacturer from Walldorf. Historically SAP systems have been separated from the rest of the IT (the gallian village of IT), which lead to the situation that the security department was not familiar with the technology.
SAP security is becoming increasingly important
In recent years, this has changed significantly and the importance of securing SAP systems is now widely recognized. It is worth taking a closer look at the term «Threat Intelligence» in this context. In reality, attacks are often orchestrated and prepared long in advance. If you want to use an analogy: Hacker attacks rarely resemble the classic bank robbery, where a masked robber waves a pistol and leaves the bank with a bag full of money after only a few minutes. A more fitting comparison would be a film like «Oceans Eleven», in which sophisticated preparation precedes the actual clou.
Detect possible attacks from anomalies
In IT systems – and thus also valid for SAP landscapes – this preparation can be recognized by certain hints. If these hints are correlated with other conspicuous activities, a possible attack may be happening. The indications pointing to an attack usually do not cluster but are rather spread among time and different log files. It is therefore not necessary to be able to evaluate the logs down to the second. More important is a correlation analysis, which detects possible threats spot on.
To be able to carry out such an analysis, two things in particular are necessary: SAP-specific knowledge to be able to detect unusual activities in the first place. Secondly, this data must be collected in the first place.
Continuous monitoring is important
For a comprehensive and seamless monitoring of SAP landscapes, a solution is required that takes over the tasks of continuous monitoring for SAP systems. Thus, all processes within the SAP systems must be continuously monitored in the background to be able to recognize conspicuous processes at any time. These processes must then be correlated with each other. This requires an SAP-specific set of rules that also continuously analyzes user behavior. Furthermore, this information must not only be forwarded to the security department or to a connected SIEM system, but it must also be prepared in such a way that it does not require SAP know-how to immediately recognize possible threats as such.
This is where SAP-specific Threat Intelligence comes into play. SAP systems are extremely complex; most SAP landscapes consist of dozens or even hundreds of individual systems. Accordingly, it is important to know all weak points within the SAP landscape. This includes system parameters, potentially unsecured interfaces or – especially in the SAP area – applications developed by customers themselves. Identifying and securing these potential vulnerabilities is a challenge not only because of the complexity of SAP systems. The settings are also highly dynamic due to ongoing changes to the system.
All SAP areas should be covered
In order to identify the weak points in the above mentioned areas at an early stage, a scanner is required which checks all areas for possible security and compliance problems. Due to the high complexity of even a single SAP system, two things should be given special attention when selecting such a vulnerability management solution: Firstly, an audit should be as comprehensive as possible. The security guidelines of SAP itself as well as the DSAG audit guidelines provide a good starting point. On the other hand, such a scanner should be integrated into the real-time monitoring as seamlessly as possible so that changes to the system can be detected early and forwarded to the responsible parties.
Accordingly, Threat Intelligence in the SAP environment consists of several steps: weak points must first be identified, the systems must be protected by hardening them and continuous monitoring must be able to detect and classify anomalies.
No context, no intelligence
For Threat Intelligence to work in an SAP context, it is crucial that these separate steps are placed in an application-specific context. It is not enough to maintain a database of standardized vulnerabilities in an SAP system. Instead, this data must be correlated with each other, taking into account the approach used by attackers.
SecurityBridge, the only holistic security platform for SAP systems, offers the two key factors necessary for Treat Intelligence in an SAP context: For the identification and elimination of vulnerabilities, a comprehensive catalog of tests is integral part of SecurityBridge, based on established standards. For the analysis of activities, in turn, an intelligent correlation engine provides insight into SAP specific attack vectors which can be used by the SOC or security department. In other words, SecurityBridge pulls the needle in a haystack with a magnet rather than operates a database that examines each blade of grass separately. Detecting a threat using intelligence literally, Threat Intelligence.