I'd like to welcome my two panelists for today, which are highly required in myopes and reason Accenture. Would you give a very quick sort of bio of yourself, and then...
Yeah, sure. Thanks a lot, Martin. So I'm chief technical evangelist at Onapsis. I'm driving innovation within the company, and in my previous role I was leading the professional services. So my background is roughly 15 years of penetration testing and security architecture in the SAP environment. Okay.
Her name? Yeah.
Yeah. My name is Dr.
RI. I have now been working for roughly 20 years in IT, and especially also in the SAP and security business, and I am currently leading the SAP security business in Europe for Accenture.
Okay, great. So the topic for today is mastering today's SAP threat landscape. SAP and Onapsis recently released a joint analysis about the current threat landscape, describing how attackers actively exploit SAP systems.
Frederick, can you elaborate a little on that?
Yeah, thanks a lot for that question. So what we have been seeing is, and it's a joint release from SAP and our side, that there's a pervasive threat out there, where people with deep knowledge about SAP applications are basically constantly scanning for new vulnerable SAP systems on the internet. We do see automated exploitations of these systems, and subsequently we even see hands-on activity on those systems.
We have set up our own, let's say, honeynet, which we call the threat intelligence cloud. It consists basically of a sensor network across the globe with different SAP versions, with which we are basically able to track what the attackers are doing within those systems. Now, what we have been observing is not related to new zero-days, but is related to existing vulnerabilities, and also to what happens subsequently after SAP releases a patch.
We have observed more than 300 automated exploitations. As I mentioned earlier, we have continuous scanning.
So we can see that, for example, systems that we newly deploy in an infrastructure-as-a-service environment are scanned within hours, and even exploited within hours. So the shortest timeframe we could observe was three hours after basically having deployed a new SAP system, which is quite surprising, because that means that the window until such a system is identified can be really small. I personally thought that that would take way longer. But it was also interesting to further analyze what the attackers are doing on our systems.
Of course, we have the capabilities to read the network traffic, but we are also basically able to record what they are doing. And as part of the post-exploitation, we not only see them trying to download, let's say, critical data, trying to do lateral movement, trying to do additional exploitation.
We could also observe that the attackers were patching the SAP vulnerabilities themselves. Now, this is super interesting. This is not a new, let's say, behavior by bad actors. This is not something new in the Windows and Linux environment.
You see that happening all the time, but it's new for SAP, and having evidence in that case tells us that the attackers have strong knowledge about the SAP systems. They have access to the corresponding software, and they have access to the patches. So if the attacker is able to patch the system to avoid that someone else also compromises the system, that tells us a lot about their capabilities. Martin, you...
Yeah. Frederick, is it really that surprising, given that we've seen the same for whatever, waterworks and all types of systems?
Or is it more that the extent of it is what is surprising? And I think the interesting question clearly is also which data they are really after. So what do you know about the type of attackers and what they want to achieve? We have the traditional mass attacks, automated for ransomware. We have targeted attacks against whatever, nuclear plants and certain countries. But what are the attackers looking for?
Well, there have been multiple questions in one question. Sorry, but no worries. No worries.
So the attackers at the moment, what we observe, are skilled guys. So for me, it kind of depends on whom you are asking.
Of course, there are not many people out there who say, Hey, this is nothing new. But if you go out to existing SAP customers, I can still see a lot of well-known vulnerabilities being exploited. And there are still a lot of people out there who basically think, Hey, I'm running an SAP ecosystem.
You also have the challenge that typically the IT security department has no clue about the details of SAP security. They know about, yeah, we are doing vulnerability management, maybe we have a SIEM integration. But are the SAP systems themselves also part of these security controls? Quite often, it's not the case.
So it kind of depends on whom you're talking to. For me, it's always a good example talking about the Echelon program.
Or, for example, some people were surprised that the private mobile phone of Angela Merkel contained a bug, while other people then said, okay, this has not been surprising. We knew it all the time.
And here, of course, it's the same case. Some people say, yeah, we have been expecting this. For some others, it's surprising. And for me, the good thing is we now have proven evidence that this is happening. There are also some other similarities we are seeing. So, for example, if you remember the early days of Windows and those vulnerabilities, where you would basically put your Windows XP or Windows 98 machine on the internet, and within 20 to 30 minutes it would have been compromised.
It is not as bad as that, but nevertheless, we also have confirmation that the time to patch can be as low as 72 hours. So we observed that for one critical vulnerability, a public exploit was quite quickly released, and within 72 hours we had successful exploitations on our system. Also, to emphasize further the fact that there are guys out there who know what they are doing: we also have cases where we see exploitations on our systems for vulnerabilities for which there wasn't yet a public exploit released.
And we observed that, for example, related to Solution Manager vulnerabilities that we identified and worked together with SAP to mitigate. For Solution Manager, you cannot just download the trial software. You need to have access to the software. You need to have the capabilities to set up the Solution Manager, do the post-configuration, do all the patch management, and then you can start building the corresponding exploit. So you need a lot of knowledge in order to be able to develop the exploit on your own.
So that's, of course, then also a good indicator of the capabilities that those threat actors have.
Do you have indicators where they come from?
So that's a challenging question, because of course we track down the sources, and we have at the moment 18 different unique countries from which we are getting the access. But to be honest, the way attackers operate is that they use relay systems, they use proxy systems, we see compromised VPS systems.
We see Tor exit nodes, and we also see differences in how the attackers operate, in the sense that sometimes the automated exploit happens, for example, from the United States, and afterwards someone would manually log on from Russia. So this is distributed.
Also, we have been observing cases where even during the hands-on activity by the attacker, the IP would switch between different countries. Again, this is not something new that the bad guys out there are using. We are just saying this is also happening in the SAP environment, and we have proven evidence that this is happening.
Hmm.
Honestly speaking, maybe to jump in from our side: when we at Accenture started building up SAP security capabilities in a more holistic way, not only authorizations, back eight years ago or so, this was something, honestly speaking, expected. So I belong to the guys who are not surprised by this development. I'm a bit surprised that it is one year later than was at least estimated in the past.
But yeah, however, looking into the future is every time difficult. Long story short, what we see in the market is definitely some more professional actors. And these are not anymore the classic unsatisfied employee, I would say. These are really people who earn their money with it, and for these actors it's a business case. And with this in mind, all of the organizations need to adapt.
And yes, most of the SAP applications are not sitting directly on the internet. That's for sure.
However, you do not need much fantasy to think about combining this with certain networking attacks and with certain phishing attacks, and then getting into the SAP system as well.
So from this point of view, I feel, like Frederick, that it is good that we now really have the evidence that this is happening, and not only told by us.
Of course, sometimes.
Yeah, go ahead. Yeah.
So for me, I mean, I've also been part of several postmortem analyses and investigations, so doing incident response, doing the forensic analysis. And also with this study, or with this report that we have been releasing, sometimes there's a question about, Hey, you observed this on the internet; is my local intranet really that vulnerable? And then, of course, it again depends on the type of organization you are. If you're a multinational organization, the question is, what is your intranet? This is typically distributed across the globe.
You have multiple external entities being connected to that network. You have multiple external partners being connected to that network. You have exits or internet breakouts towards the cloud. And there's always the question of where the intranet is and where the internet is in that case. Also, from my perspective, someone at the moment can just take a public exploit downloaded from GitHub and then just execute it. And if people ask me, I would just apply to a company, offer my services for a cheap salary, and all of a sudden I have an internal developer account.
And then all those CARSs words that have been built, I'm beyond that. So then I can operate internally.
So it's not like everything is secure because it's just operated on the inside, or believed to be operated there.
And I think, yeah, when we look at the reality of today's IT environments, they are connected. And my rule always is: once you're connected, you are under attack. And I think what you're telling is really proving that, and it affects all types of systems, from the shop floor, from the factory, to the business applications, to the endpoints. And I think this is what we really need to be aware of.
So what you're saying is it doesn't matter where your SAP system resides, it's always at risk. Do I translate it correctly? Yeah.
I agree on that. And you made a very good example when you also introduced the cloud, because maybe customers were, until a certain date, just operating with on-premise systems. But nowadays it's opened up. SAP systems, ERP systems are being shifted into the cloud. Also, there are SaaS services being connected, and all of a sudden you have a zillion different connections between the cloud going to on-premise. And even if the data is shifted into the cloud, then we see a lot of cloud-to-cloud communication happening as well.
So data that was formerly only accessible, maybe, inside an ERP system is all of a sudden copied to Salesforce, and from Salesforce there's Engagio and Pardot and whatsoever. There are so many marketing tools out there where data is being shifted to. And then it's a question of who has access to what. And the same things you see in your on-premise environment, high-privileged users in order to connect between the cloud solutions, to shift the data from left to right.
This is also happening there.
So for me, it's also about taking, let's say, the right measures, all the security controls that people have been setting up in on-premise environments. Martin, you were mentioning tools earlier on. This is not only relevant for the on-prem environment, but also for the cloud environment, because many people just rely on, Hey, I have a contract, this is a SaaS application, everything is secure.
No, they are still responsible for their own data. They're still responsible for the business processes and the authorizations they maintain. And if they screw up the authorizations, maybe everyone, maybe even an anonymous user, can access that data. And I've seen that multiple times.
Yeah.
And I think it's super important to understand tenant versus provider responsibility. And maybe you can talk a little bit about how customers can deal with that situation, maybe from a technical but also an organizational standpoint, because I think what is happening right now in the SAP environment is something we've seen in other environments before, and, like Frederick
and you said, it's spanning the entire IT, because the network security might be the first point where you learn that something is going wrong before it happens at SAP. Or you see something's going wrong at SAP: what happened in the network? So what is your concrete advice for the customers?
Yeah. Maybe what will not be so surprising for the audience is that at the moment SAP has also introduced a new version, S/4, and a lot of customers are currently in discussions about creating roadmaps. Still, 80% of the customers are on ECC.
However, this number is shrinking, and especially the topics when it comes to the security point of view on this: when we talk about ECC, generally cloud is not playing such a big role. However, what we see is that when customers discuss S/4, automatically cloud comes in. And here, from my point of view, this is one of the biggest levers to really consider the security architecture, the whole setup and so on, and coming to the situation of what we ask.
So what we suggest to clients: the thing is, with these multiple cloud solutions outsourced, this is not an easy task to do, because at the end of the day we are not talking anymore about a classical ECC SAP system and all the architecture there. Also, the on-prem architectures are typically quite complex. So it is not the case that companies have just one SAP system.
No, they have a finance system. Some have not one finance system; they have 3, 4, 5 finance systems, and then they
Have, and 40 HR
And so on. So this is the on-premise world.
And with the introduction of cloud tools, it's not getting less complex, it's getting more complex, because then we have an HR system, like SuccessFactors, but still we have the HCM system locally as well. So the things are not getting easier, to put it that way.
So, also when it comes to discussions about controls, maybe here's something which the previous speakers also mentioned every time; from our point of view, we see it similarly. So at the end of the day, to have the right security in place, it's a combination of people, tools, technologies, and also the processes. And depending on which cloud tools you are using, for example, you have issues that certain tools are not able to scan this.
So, for example, having a classical SAP GRC system and connecting it to certain cloud tools, even in the SAP world, depending on the tool itself, is complicated.
Let's put it like that, or even not possible technically. The other part of the equation in this is our people.
Yeah, the market: we talked before we started the panel discussion here about the fact that getting the skills in the market is difficult. That's why, for example, Accenture is also heavily investing in training and educating our people. And last but not least, also the processes. And we can argue a bit about which thing comes first, the tools, the processes, or the people; at the end of the day, it doesn't matter, everything needs to play together.
And now coming to what we typically suggest to the customers: at the end of the day, when we look at such a model, it depends where the customers are. Typically, the larger customers,
so the 30, I would say they are in relatively mature setups. Surely there are also a lot of things that need to be done, that's clear, but you see that typically a cm system already used sees things like system hardening, secure configuration, also secure development, and so on. When the customers are getting smaller, often they are not so mature here. And we see it often in the S/4 roadmaps. So typically, I would say 10 years ago, on average, the average customer would not even have thought about authorizations.
Now, this is definitely something what is popular. Okay.
So what you're saying, and we are unfortunately reaching the end of the time we have, so I think we could probably spend another hour or two easily:
it is really time to act. And it's probably also time to shift this topic to a top priority in everything you're doing, in the concrete action and in the roadmap, and to keep an eye on how it changes with the ever-increasing complexity of the world.
So, as I said, we are unfortunately already a little over time. Annie, Frederick, thank you very much for delivering all that information. And to all in the audience: start acting; they are the experts out there who really can support you. And if you'd like to continue this conversation with Annie and Frederick, then meet us in the networking lounge for inspiring discussions and questions.
Yeah. Thanks a lot. And an S/4 transformation is a perfect possibility to basically break with old habits and then start fresh and secure.
Start with a roadmap, identify the topics.
And then...
Thanks a lot.
Thank you.