Build a Strong SAP Security Strategy With the NIST Framework
Originally published by Onapsis.
Written by JP Perez-Etchegoyen, CTO, Onapsis.
Business applications like SAP are responsible for running the enterprise, powering operations and fueling the global economy. Considering 77% of the world’s transactional revenue touches an SAP system and 92% of the Forbes Global 2000 uses SAP, a successful attack on unprotected SAP applications could have an impact on business processes. However, traditional defense-in depth security models don't sufficiently protect the application layer. This means that applications like SAP are often excluded from existing cybersecurity programs. Traditionally, security and IT teams believed business applications to be “safe” from threat actors due to being on-premises, behind network protection, and therefore out of reach for attackers. That is no longer the case. Research from SAP and The Onapsis Research Labs shows threat actors are increasingly targeting the application layer directly. These cybercriminals have the motivation, means, and expertise to identify and exploit unprotected business-critical SAP applications—and are actively doing so.
Strong Business Application Security Starts With Alignment to a Cybersecurity Framework
Alignment to a cybersecurity framework can help organizations assess and improve their ability to prevent, detect, and respond to cyberattacks. There are a number of different cybersecurity frameworks used by organizations around the world, each one of them a foundational set of best practices, standards, and guidelines to follow in order to better manage risk in an organization’s environment. National Institute of Standards and Technology (NIST) developed the NIST Cybersecurity Framework, one of the most comprehensive and adaptable cybersecurity frameworks to date. The goal of the NIST framework is to use business drivers to guide cybersecurity activities as well as consider and include cybersecurity risks as part of the organization’s overall risk management process.
An important part of the NIST Cybersecurity Framework is the focus on the application security layer, which, as noted above, has become a target for attackers. Based on this, SAP created the SAP Secure Operations Map, to provide SAP customers with a toolkit for creating a comprehensive security strategy that meets their unique needs. Securing business applications is an essential component of implementing that larger strategy of defending against threats and better managing risk across an organization.
It's important to focus on securing the application layer found within these cybersecurity frameworks. With that in mind, we have identified four best practices to align your SAP applications with the NIST Framework that are outlined below:
Four Best Practices to Align Your SAP Applications With the NIST Framework
Leveraging the NIST Framework best practices can help teams eliminate blind spots and have a more secure, compliant environment for SAP systems.
1. Treat SAP applications like operational technology critical infrastructure
For many organizations, current approaches and tools don’t adequately support the application layer, making it difficult to build successful programs for these applications like they have done for other enterprise systems. Business-critical applications like SAP keep the business running, so it's essential that they are treated with the same level of urgency as other operational technology. This means having processes in place in three key areas: vulnerability management, threat detection and response, and application security testing.
2. Be thorough with SAP security hardening and patch management
Given the frequency and volume of patch releases, complexity of the patching process, and size of application landscapes, organizations have the potential to face a growing backlog of patches. A manual patch management process can have organizations stuck in a continuous loop of relying on manual efforts to identify which systems are missing which patches, which missing patches to prioritize, and whether or not patches were applied. Our recent threat intelligence report found critical SAP vulnerabilities being weaponized less than 72 hours after a patch was released. But, the time from when a vulnerability is found to when a patch is deployed is a lot longer; the average time to apply, test, and fully deploy a patch is 97 days. Having an automated patch management process can minimize the risk of critical vulnerabilities and protect the business’ most important assets.
3. Incorporate SAP applications completely into your vulnerability management program
Traditional vulnerability management tools don’t sufficiently support business-critical SAP applications, resulting in reliance on manual security reviews and potentially rushing or skipping security due diligence all together. Threat actors can exploit vulnerabilities from system configurations, user settings, custom code, and missing patches to gain access to your critical SAP systems. Finding and remediating these vulnerabilities before they can be exploited is essential to protecting your SAP environment. The right application-based vulnerability management solution can provide organizations with deep visibility into the application landscape, automate assessments, and reduce remediation times for teams to achieve a greater risk reduction with less effort.
4. Build SAP security into your software development process to get ahead of introducing new vulnerabilities and risk
Application security testing enables organizations to build security into development processes to find and fix issues as quickly as possible. Fixing issues before they hit production is typically easier and less expensive, and helps avoid negative impacts to SAP system security, compliance, performance, or availability. An application security testing tool that supports SAP systems can help narrow the gap between developers and the security team and provide visibility and security into the development lifecycle.
Watch my on-demand session on how security frameworks can help lay a strong foundational SAP security strategy.
 The Third Annual Study on the State of Endpoint Security Risk Ponemon Institute LLC Publication Date: January 2020
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.