Watch out for SAP silos in your cybersecurity

ERP is central to business operations, with 27 percent of employees using ERP systems regularly to perform their daily tasks. This means unplanned, unmanaged downtime of business-critical applications can cause daily operations to grind to a halt, resulting in significant financial losses, productivity deficiencies and damage to brand authority and customer trust. 

Given the potentially destructive implications, protecting ERP software and ensuring continuity of service is vital, but as of today security measures cannot keep up with the pace of development in businesses. 80 percent of business leaders acknowledge that digitally fuelled innovation is being introduced faster than organisations’ ability to secure it against cyberattacks, with companies experiencing 270 attacks on average in 2021 – a rise of 31 percent compared with 2020.

Many threat groups are now sophisticated nation-state actors. Backed by immense resources that let them continually advance their arsenal of attack methods, they are increasingly engineering their techniques to infiltrate business-critical applications.

Without question, breaking into a business-critical application is like hitting a jackpot for an attacker. Yet, unfortunately, these malicious endeavours are all too often unobstructed, enabling threat actors to carry out truly devastating attacks with little to no resistance.

Cyber side-lined

A recent McKinsey paper explains that while many organisations have hardened their systems, they are still vulnerable to attack. This is because of a lack of understanding about these threats and how best to protect their business-critical applications. Cloud migration comes first, side-lining cyber. However, even when organisations do understand the risks, they fail to secure the ERP systems properly owing to the sheer size and complexity of the task. 

Business-critical application environments are both intricate and expansive. Not only are they made up of a wide array of elements across process and workflow, master data and data warehouses, underlying computational infrastructure, and large storage networks, but they also comprise dozens if not hundreds of interfaces and integration points with other IT applications inside and outside of the organisation, each of which is a potential vulnerability.

This situation is further exacerbated by the fact that ERP systems are typically monitored separately from other IT infrastructure, preventing the necessary correlation of data. Companies are often simply unable to see what’s happening within the ERP, or what data is passing through its interfaces to other systems.

40% admitted their enterprise cybersecurity monitoring does not include business-critical systems

The success of ERPs is often reliant upon integration with other internal applications and external data sources, such as HR systems or logistics databases. However, security gaps emerge when an enterprise finds itself in the position where it has a lack of transparency over these interconnections. 

Such interdependency issues are further compounded because the team running an ERP is often separate from a company’s other application and infrastructure teams. A common instance of such separation is between an operating team within IT and a process-design and process-maintenance team within a business unit such as finance. In such instances, each team is run as a silo within the organisation, creating even more interfaces between the security team and the ERP team.

Take SAP systems as an example. Leveraging something of an independent network that has its own unique rules, SAP applications use multiple logs to capture events relevant to security. However, not only do these use varied formats and structures, but the company also uses its own specific vocabulary to describe IT network equipment. 

This lack of conformity with the security market at large makes it incredibly difficult for SAP to be part of an organisation’s central security strategy. While SAP does manage some of its own defences with an internal security information and event management (SIEM) solution, the key danger lies in the fact that it often remains siloed from a company’s wider security architecture, limiting the ability of security teams to monitor attack patterns effectively.

Blind spots

Concerningly, a recent Twitter poll saw 40 percent of respondents admitting that their enterprise does not include business-critical systems such as SAP in their cybersecurity monitoring. In addition, 27 percent were unsure if it was included in their cybersecurity monitoring at all.

Further, when asked how they currently review SAP logs for cybersecurity events or cyber threat activity, almost 30 percent of respondents admitted to not reviewing SAP logs in any way, and again, nearly 30 percent said they didn’t know if this was being monitored.

Given that SAP serves as the core business-critical application solution for many organisations, this is highly concerning. Indeed, not including this in the centralised security monitoring solution leaves organisations vulnerable and exposed to the risk of cyber threats.

Few companies recognise the importance of looking for divergent user behaviour in ERPs, making them a blind spot, with many executives simply unsure of where true ownership of business-critical applications lies.

Breaking down the silos and integrating business-critical applications as part of the central monitoring solution is therefore vital to improving ERP security. 

By correlating SAP data with infrastructure data, it becomes possible to monitor events across the entire enterprise landscape. This holistic approach strengthens threat detection, enabling the organisation to respond to incidents at speed across various applications, protecting the SAP system from unnecessary damage. 
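As an added example (not Logpoint’s code or the page’s) of the translation and correlation described in the SAP logs passage and in the paragraph above: constructed SAP-style audit records, written in SAP’s own vocabulary (MANDT, MSGID, TERMINAL, TCODE), and constructed VPN gateway records are mapped to one common schema, after which a single rule can look across both sources, something neither silo can do on its own. The record layout, field names and ten-minute window are assumptions; only the message ids AU1/AU2/AU3 and the SU01 transaction code are taken from SAP’s vocabulary.

```python
import re
from datetime import datetime, timedelta

# Assumed SAP message-id vocabulary, mapped to a SIEM-neutral (action, outcome) pair.
SAP_MSGID = {"AU1": ("logon", "success"), "AU2": ("logon", "failure"), "AU3": ("transaction", "started")}
KV = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_kv(line):
    # '<iso-timestamp> key=value ...'; quoted values keep their spaces
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip("'") for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def normalise_sap(line):
    # SAP vocabulary (MANDT, MSGID, TERMINAL, TCODE) -> common schema
    f = parse_kv(line)
    action, outcome = SAP_MSGID.get(f.get("MSGID"), ("unknown", "unknown"))
    return {"ts": f["ts"], "source": "sap", "user": f["USER"].lower(), "src_ip": f.get("TERMINAL"),
            "action": action, "outcome": outcome, "detail": f.get("TCODE", "")}

def normalise_vpn(line):
    # VPN gateway vocabulary (user, src, assigned, action) -> the same schema
    f = parse_kv(line)
    return {"ts": f["ts"], "source": "vpn", "user": f["user"].lower(), "src_ip": f.get("assigned"),
            "action": f["action"], "outcome": "success", "detail": f.get("src", "")}

def correlate(events, window=timedelta(minutes=10)):
    # For each successful SAP logon look back `window` across BOTH sources: no VPN session from
    # the same terminal IP is a monitoring blind spot; three or more prior failures is a guessing sign.
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if (e["source"], e["action"], e["outcome"]) != ("sap", "logon", "success"):
            continue
        prior = [p for p in events[:i] if p["user"] == e["user"] and e["ts"] - p["ts"] <= window]
        if not any(p["source"] == "vpn" and p["src_ip"] == e["src_ip"] for p in prior):
            alerts.append((e["user"], "sap_logon_without_vpn_session"))
        if sum(p["source"] == "sap" and p["outcome"] == "failure" for p in prior) >= 3:
            alerts.append((e["user"], "failed_logon_burst_then_success"))
    return alerts

# Constructed sample records; the layout is simplified and is not SAP's real audit-log format.
SAP_LOG = ["2024-03-01T08:02:10 MANDT=100 USER=JSMITH MSGID=AU1 TERMINAL=10.0.5.23",
           "2024-03-01T08:30:00 MANDT=100 USER=ADMIN2 MSGID=AU2 TERMINAL=10.0.9.77 TEXT='Logon failed'",
           "2024-03-01T08:30:05 MANDT=100 USER=ADMIN2 MSGID=AU2 TERMINAL=10.0.9.77 TEXT='Logon failed'",
           "2024-03-01T08:30:09 MANDT=100 USER=ADMIN2 MSGID=AU2 TERMINAL=10.0.9.77 TEXT='Logon failed'",
           "2024-03-01T08:30:15 MANDT=100 USER=ADMIN2 MSGID=AU1 TERMINAL=10.0.9.77",
           "2024-03-01T08:31:00 MANDT=100 USER=ADMIN2 MSGID=AU3 TCODE=SU01 TERMINAL=10.0.9.77"]
VPN_LOG = ["2024-03-01T07:58:00 vpn-gw user=jsmith src=203.0.113.9 assigned=10.0.5.23 action=connect"]
def run():
    events = [normalise_sap(l) for l in SAP_LOG] + [normalise_vpn(l) for l in VPN_LOG]
    return correlate(events)
```

Only ADMIN2 is flagged: JSMITH’s SAP logon is explained by a VPN session from the same terminal IP minutes earlier, which the SAP log alone could never show.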

Adopting BCAS

Fortunately, there are solutions capable of bridging this gap. A new raft of business-critical application security (BCAS) solutions is emerging, which mitigates threats more quickly by incorporating business-critical applications into IT security. These are designed to ensure critical software applications are monitored thoroughly and centrally, aligning people, processes and technologies to bolster visibility of all activities.

Not only can BCAS solutions bring critical application activity under the central security monitoring of the SIEM, but they can equally automate compliance monitoring of critical applications and unlock time efficiencies thanks to ready-to-use controls, checks, dashboards and comprehensive reports.

In the case of SAP, some BCAS solutions have been designed specifically to solve the language barrier, efficiently and effectively integrating SAP data into any SIEM system. When this divide between ERP and security is broken down, business-critical applications can benefit from an arsenal of solutions including SIEM, security orchestration, automation and response (SOAR) and user and entity behaviour analytics (UEBA), helping to unlock transformative threat insights.

By tapping into the respective benefits of each of these solutions, security teams are empowered to focus on important tasks, prioritising incidents to help analysts identify and resolve incidents fast and keep businesses safe.

Indeed, such technologies provide automated threat detection, investigation and response capabilities as well as accurate, risk-based analytics, assisting security teams in stamping out the threat of advanced attacks. Armed with this insight, the business is then in a position to respond to and mitigate threats much more effectively, protecting ERP systems from avoidable damage.

Tim Wallen is regional director UK&I at Logpoint