Automation releases us from our false sense of SAP security
January 2021 by John Appleby, CEO, Avantra
When it comes to the protection of our most vital devices and systems, we could be forgiven for being lulled into a false sense of security. After all, the Apples and Microsofts of this world come to us, not even when there’s a problem, but just to check in. To update us. To add that layer of reassurance even when our minds are elsewhere.
In the corporate world, that notion is elevated by a more urgent need, of course. The vast majority of enterprise devices are well protected on a day-to-day basis and we again let our thoughts roam across other areas of operations in the knowledge that either the device manufacturer or our IT departments have everything in hand.
This is not always the case when it comes to SAP, however.
As much as 96% of the world’s GDP goes through SAP. Governments, universities, core manufacturing, utilities, consumer goods, oil & gas, transport… the list is endless. If Microsoft were attacked, Linux and Xenix would still run. If SAP environments were taken down globally, that same globe would genuinely come to a grinding halt. Not just business, but the very fabric of society.
This isn’t a SITREP designed to shock. More calmly, it’s an exclamation of surprise that there haven’t been more large-scale, public SAP hacks to date, considering the lure of dramatic repercussions for cyber-criminals. It’s also therefore a reminder that what we take for granted in terms of our infrastructure security still has room for heightened vigilance, improvement and, critically, automation.
A hidden, but susceptible, gem
As recently as July, a vulnerability named RECON exposed more than 40,000 SAP systems, evidence of the risk that does lurk. SAP quickly responded with a patch, but RECON’s 10 out of 10 common vulnerability scoring system (CVSS) score demonstrated the threat that was posed to people’s personal data and applications.
This is rare, however. At a glance, there are three reasons why there hasn’t been a high-profile SAP incident until now. First, unlike firewalls, routers and web servers, SAP systems are not edge systems; in the majority of cases, they are core systems.
Second, because they are difficult to patch and not on the edge, businesses tend to install a layer in front of their SAP system. This serves as both protection and distraction, as hackers are faced with potentially lower-hanging fruit earlier in the process. And finally, SAP’s status as something of a specialised enigma gives it ‘security through obscurity’.
It’s essentially being guarded undercover as a hidden, unattainable gem, when in reality it is still susceptible, as proven by RECON.
It is susceptible because of the way organisations address its protection. For most, a strategy is in place where they run an on-premises, private cloud or hyperscaler version of R/3 Business Suite or S/4 HANA, and are expected to take care of that internally. They subsequently turn to outsourced service providers who scan systems, identify issues and provide a list of actions to be conducted, again, internally.
This is consultancy, not protection. What if you find a zero-day vulnerability? You pass that on to SAP and wait until those issues are patched, knowing you’re compromised for that duration. All 100, 200, 300 of your systems could be jeopardised in an area that’s crucial to you, your operations, your supply chain and your revenues. And you’re really not in control of fixing the situation.
Replicating the Patch Tuesday model
There is an absolute necessity to change the SAP security mindset from periodic scanning and reaction to embedded, real-time automation of detection and response.
At present, the world’s most colossal industry heavyweight, Apple, places so much emphasis on SAP protection that it conducts updates in China. No internet equals no chance of hacking.
Naturally, the majority of enterprises simply don’t have those kinds of resources. SAP protection for most therefore becomes too expensive to do consistently and manually. But also too important not to do given the threat and ramifications at hand.
The answer, between those two polarising challenges, is automation.
By forming a partnership with an AIOps provider, companies are afforded the ability to carry out vital functions that they’re currently not feasibly able to do. The theory is one of regular, tactical updates and patching, which simply can’t be done manually at this scale.
Microsoft already has a similar function on ‘Patch Tuesdays’, compounded by assessments and actions around larger systems every third Tuesday of the month.