Well, good afternoon, good morning, ladies and gentlemen, welcome to another KuppingerCole webinar. The topic for today is "The CSO Imperative: Taking Control of SAP Cyber". The speakers for today are myself, my name is Alexei Balaganski, I'm a senior analyst at KuppingerCole, joined today by Alex Horan, who is a product manager at Onapsis. This webinar today is supported by Onapsis. Before we begin, just a few words about KuppingerCole as a company: we are an analyst company based in Europe, in Germany,
with a global research team spanning the US, the UK, continental Europe, Australia and other APAC region countries. We have three primary areas of services: research services, advisory services and events, with events spanning from free online events like this webinar today to really large-scale conferences. The next one I would like to mention is, of course, our flagship conference, the European Identity & Cloud Conference, which takes place each year in May, and next May will be our 10th anniversary. So you are very welcome to attend.
There will be a lot of interesting and unexpected things in our program. And if you're based in Germany or around, you are welcome as well to our German-language event, Next Generation Cybersecurity, which will take place in about three weeks from now in VBO. You will always find information about our events on our website, id-conf.com. Some guidelines for today's webinar:
You are all muted centrally, all the time; you don't have to do anything about that feature. The webinar is being recorded. We will publish it as a podcast on our website by tomorrow at the latest, and we will let everyone know by email. We will have a questions and answers section at the end of the webinar, but you are kindly asked to submit your questions at any time using the question tool in the GoToWebinar control panel; we will pick them up at the end of the webinar. And the agenda for today traditionally consists of the following parts.
First, I will try to provide a general introduction to the problem area, so to say: to describe the security challenges which modern companies are facing when striving to protect their business-critical infrastructures, and how traditional tools are not able to keep up with modern, quickly developing enterprise environments.
In the second part, Alex Horan from Onapsis will talk in more detail about the importance of context-aware insight into SAP environments, specifically the new generation of SAP security tools which utilize this approach to ensure that you always have the higher ground above hackers, auditors and other analysts of your critical business applications. And of course, at the end, you have the questions and answers section. So let's begin with a slide which you have probably already seen if you have attended any of our webinars: this is what a modern agile business looks like.
The term my colleague Martin Kuppinger has coined is the new ABC: agile, business, connected. For the last decades, the Computing Troika, the three largest trends in IT technology, namely cloud computing, mobile computing and social computing, have together made a profound impact on the way companies operate in the digital world and the way they expose themselves to the digital world.
Of course, the new digital enterprise is able to open up huge new business models and support a lot of new ways to communicate with partners, customers and future contacts. But of course it also stretches the scope of information security in a way that traditional tools are simply no longer able to keep up with the way security was done years ago. One important consequence of this development is that innovation is now strictly driven by business demands, and no longer by IT.
And IT just has to keep up with the newest developments, and they really have to work hard to keep up. You know, here in Germany everyone is currently talking about Industry 4.0, which is kind of the next industrial revolution. However, the term I always come up with when I hear it is Skynet 1.0, which is where we are definitely going to end up without security underlying the whole concept of digital innovation. So how is SAP security positioned in this new landscape, and why is it critical? That's our first question.
That's kind of obvious, actually, because SAP products are running in over 250,000 enterprises worldwide, including the largest, the richest and the most critical companies around the world. They are used to store the most sensitive data; they are used to run the most critical business processes. Whatever there is in the modern enterprise, from ERP to human resources to business intelligence to CRM, anywhere, SAP products are definitely one of the leading underlying technologies for these business processes.
And of course they are therefore a major target, not just for hackers but also for auditors. And what about the current state of security?
Well, we know that SAP releases around 30 security patches every month, and nearly half of them are high-priority patches, meaning they are addressing critical vulnerabilities which can lead to complete disruption of your business processes. However, as experts indicate, currently the average time to deploy such a critical patch can be up to 18 months, which means that hackers have a lot of time to utilize a perfectly known and, theoretically, already patched vulnerability to get into your system
before you even start thinking about deploying that patch. And it's already well known that even if you try to avoid all the legacy SAP technologies and only concentrate on the most recent ones, you are still vulnerable, because adding new technologies to the ecosystem only increases the number of vulnerabilities. Historically, SAP environments and SAP security have been kind of separate from the rest of IT. In that regard, it reminds me a lot of SCADA industrial control systems.
However, maybe 20 years ago, maybe even 10 years ago, those systems were really properly isolated and hidden behind the impenetrable security perimeter of a company. Nowadays, that's simply no longer true. Many SAP systems are directly connected to the internet because they are directly open to customers or online visitors and so on, and they are known to be open to various exploits. And of course, once a less secure system is compromised, thanks to a lot of various business and technology communication channels between SAP components,
attackers can use this exploited system as a starting point for hacking more secure components, and so on. The term used in the industry is pivoting between SAP systems, and this pivoting is known to be quite an open way up to the most sensitive and critical components of SAP systems. So why is it complicated? Well, I could probably just simply point at this picture and say "see", but actually, as you can easily see, SAP security is not just about securing SAP applications.
It really covers all aspects of enterprise security, from the lowest level of the system and network to user and access management to business processes and governance, and many of those processes, of course, aren't SAP-specific. And of course there are a lot of interconnecting channels to other parts of the infrastructure, be it some other parts of your business infrastructure or security on the enterprise level like SIEM and modern real-time security intelligence systems. So basically, SAP security is an integral part of your enterprise's whole holistic approach to security.
And yet we cannot easily say that the generic approach and the traditional security tools are always working as expected for SAP security. And why is that? Why is SAP security different?
Well, first of all, it's based on many different technologies accumulated over decades of using these systems. It's based on many different security concepts, and quite many of them can really be considered legacy. In this regard, again, this reminds me of SCADA systems, where for decades security wasn't even a concern. Just like in SCADA, you cannot just think in IT terms.
So to say, you really have to understand the business nature of your processes, and you have to learn and understand a lot of SAP-specific concepts, be they technological concepts or business concepts or any other approaches. There is just too much business- and context-specific information to take into account; one SAP system isn't equal to any other SAP system in your environment. And just too many aspects specific to your company, to your environment, to your infrastructure are hidden in each and every component of your SAP infrastructure.
And there is a sheer amount of potential network exposure which is simply not covered by standard traditional security tools like firewalls at all. And again, as I was mentioning, the potential business impact of a data breach or sabotage can be disastrous, again, like in an industrial network. They say that the average cost of a data breach for a company in 2015 was 3.8 million, including direct financial losses, litigation, reputation cost and so on. Of course, for critical SAP infrastructure running your business or manufacturing or any other processes, this could be per minute.
Unfortunately, the same disastrous result can be achieved with a botched attempt to prevent a breach or a disruption. This is actually why it takes so long to deploy a security patch for an already known and fixed vulnerability. On this slide, I just listed three more or less randomly selected vulnerabilities: I just googled and selected three top results.
You can see that just this month, a critical vulnerability was discovered in SAP Extended Application Services, which means that even if you are only running the most modern generation of SAP tools, you are still vulnerable, to the extent that all your data could be modified or deleted by a malicious actor. Again, there is a patch already available, but it's a long way for companies to deploy it to secure their systems. Another example: a critical vulnerability in an SAP mobile device management solution, which probably isn't even a part of the core SAP infrastructure in your company.
But if your workforce is mostly mobile, and if a simple buffer overflow knocks all your mobile workers offline and prevents them from accessing your business data outside of your office, you are in very bad luck. And of course, it's also worth remembering the report of last year's breach of the United States intelligence services, which was revealed to have started with a hack of an SAP ERP system of a third-party supplier.
So even if a system is not yours, even if it's run by a company you are occasionally doing business with, you are still not completely safe, because that system can be used to pivot into your infrastructure. This is the current state. And what can actually be done, how should we react to this? Well, I've compiled a short list of recommendations on this slide.
And I would like to refer you to the Leadership Brief "SAP Security Priorities", which is a document published on our website, which you can download completely free, and which provides a deeper view into these recommendations. And of course you are always welcome to have a look at our other research, like our reviews of different SAP security and access control and access governance products, including the solutions of our esteemed sponsor Onapsis and, of course, some of the most important competitors. So what is our list of recommendations?
First of all, you have to understand that your security processes are not just about SAP security, and actually are not just about security.
It has to be an integral part where all relevant stakeholders within your company are integrated into one overall GRC policy. You have to identify and assess relevant threats in your infrastructure, and you have to assign relevant risk which is specific to your infrastructure, your company and your business requirements, and build your security plans on this risk-based approach. You have, of course, to maintain base-level security for all components of your infrastructure, including, but not just, SAP.
You have to continuously test your security configuration on every level to ensure that it's always up to date, always updated to follow the latest experience from specialized security audit or penetration test companies. You of course also have to subscribe to security information services from external sources to always be up to date regarding information about new vulnerabilities, not just from SAP but from other third-party companies as well.
You always have to aim for the highest possible level of automation, to improve efficiency and to reduce the probability of human error. Because the more manual work your security experts have to do, the higher the risk that they overlook something, or that they botch their work and break your system, which wasn't actually attacked yet. And of course you have to constantly apply access and security analytics. Just knowing your vulnerabilities and just trying to fix them is not enough.
You always have to be ready to react to new, previously undiscovered security attacks, and you have to make sure that your analytics is capable of providing targeted insights, not just for your security experts but for business persons as well.
So your reports, your dashboards, your security alerts have to be targeted towards non-IT-security persons; even your business people have to be able to make a relevant decision and to act quickly on that decision. Which is where I think I would like to turn over to Alex Horan, and he will be able to provide you with much more detailed insight on the way these recommendations can be implemented with real-world specialized security tools. Alex?

Thanks so much. Thanks, Alexei, for that introduction and that great description of the issue that we're seeing.
I'm going to go ahead and share out my screen. And while I'm doing that, I want to take the time to thank the audience for giving us your time today. So, as said, I'm going to take what's been built on there and show how we can actually come in and really apply this in an organization.
In fact, I'm in Germany today, working with people to do just that: how do you take the known fact that your SAP systems are high-risk, a high target, and bring them into your security program? And you can see, we'll talk about some cybersecurity trends, why people are recognizing and addressing this issue now. We'll very quickly talk about some myths that we hear, some old style of thinking around SAP security, but I'm not hearing them as much anymore, so I don't want to spend a lot of time on those.
We'll talk about the common SAP cyber attacks that we are seeing, and then obviously spend some time on, well, what's the action plan? What should we do about it? And we'll talk a little bit about how our solution can help. But I want to spend some time saying, why are we talking about this? Why are people asking us to help them solve this problem? What are some key trends that we're seeing? And this was already mentioned at the beginning: SAP security is a volume issue.
So it's not one or two issues, but, as was already said, an average of over 30 new security vulnerabilities announced, and corresponding notes released by SAP, every month. And roughly half of those are ranked as high priority, so things that are recommended to be mitigated, with some kind of control put in place, as soon as possible.
In fact, this number here, the 3,300 security patches, is as of the end of 2014. So as you can imagine, this number has only got a lot higher since then. It's an ongoing slew of new vulnerabilities.
We saw the stat around the average of 18 months to fix and deploy a vulnerability. So that's a long window of opportunity for an attacker to take advantage of that risk. And what we are seeing is that it's possible people are having trouble applying these remediations in any amount of time.
We started as a services company. You can see on the screen that in our experience performing SAP security services, well over 95% of the SAP systems that we were asked to perform a security assessment of not only could be compromised to the point where the attacker would have full control over that SAP system, the business processes it's running and the data that system has access to, but the attacker could do that starting with no credentials.
So we're not talking about someone with an already relatively high level of credentials getting more, or a standard user getting more credentials, but just someone who can come in, connect to a network and then perform this type of attack. And really, if they can touch the SAP system, they can gain access to it.
And we do a lot around business risk illustrations to help illustrate this to organizations. The fact is that SAP by design is designed to be very open, very integrable. And if it's allowed to be in that state without good security configuration, then that can be leveraged and abused. And we're seeing that almost everywhere that we perform these assessments. But it's not just us that's seeing it. So if you go to the media, we saw some examples from the Google search that Alexei did showing some recent reports. And here we're seeing reports in the news since 2012.
So in 2012, the Greek Ministry of Finance was compromised by Anonymous, and obviously Anonymous publicized this compromise, but they also talked about having SAP zero-day exploits that they were going to use to perform other acts of activism. In 2013, Microsoft reported they discovered malware that, when it compromised the PC, one of the actions that it took was to look for SAP systems on the network, see if the local system had the SAP GUI client, and try and extract credentials and other information about the SAP target systems from that client.
So malware that would actively try and learn about SAP systems in an organization, and then report that home to the command and control server. Moving on to 2014, so just last year: a Chinese researcher, or hacker, published information about a known vulnerability, but they published it with examples of how to exploit this vulnerability. Unfortunately, the examples were directly pointing at a US corporation's SAP NetWeaver
Portal, showing how to exploit that Portal and gain admin control of the Portal. Obviously very disruptive to that organization; it required some quick changes and services being quickly taken offline, public-facing, customer-facing services having to go down while they addressed that issue. And then, as was reported at the beginning,
USIS: the number of records there compromised is now in the millions. It's a huge breach, and that breach has been positively reported as originating with an attack against their SAP systems, gaining access to that environment and then access to the records. These are HR records, the records of the people they had done these background checks for, fingerprint information; we're still seeing reports of exactly what information was taken and how much information was taken from that one organization. So this is a clear and present problem. It's not becoming smaller.
The risk is growing at the rate of 30 new vulnerabilities a month. So a lot of CSOs who are expected to report to the board are being asked by the board: these SAP systems are business-critical applications, they're running very critical processes, they have access to our critical data, our intellectual property; what steps are we taking to first understand the risk posture of those systems, and then bring that risk posture to something we're willing to accept? Now, doing that by understanding what would be the business impact if those SAP systems were compromised.
And we've got a couple of different examples of the business impact. Espionage is a very common motivation: so stealing data, stealing financial information, customer information, etc., but also manufacturing plans, intellectual property, avoiding having to do R&D by just stealing the research from other organizations, or stealing information about upcoming competitive bids to make sure my bid is more competitive. Financial fraud: there's a great deal of opportunity for financial fraud.
And this can be done by insiders and outsiders alike: creating a new employee in the HR system, establishing a salary for that employee and then just quietly collecting that money over time; creating a new vendor and then issuing POs and paying out that vendor; all the way through to sabotage, both quiet sabotage and what I describe as loud sabotage.
So quiet sabotage would be quietly manipulating data in the systems, data that we know is being used to make business decisions, so you can influence and impact the decisions and the direction an organization takes by changing the data without their knowledge, changing the integrity of the data inside of their systems. Or getting loud and simply outrageously modifying that data, removing that data, or just extracting and then deleting that data, which we've seen in some recent examples. We had one organization take the time to do a risk analysis and a cost analysis for their organization, not just the SAP systems but their systems in general,
so they can better make sure that they're allocating their security spend based on the actual impact to the business of a lack of security on any given system. And they calculated for their SAP systems, as you can see on the slide, that it would cost them 22 million initially if those SAP systems were taken offline; they handle a lot of inventory management, production management, and so there's an immediate impact if those systems go offline. With this kind of analysis,
they're able to now make a very educated decision about how much investment they should put into protecting against that type of catastrophe or that type of deliberate attack on their SAP systems. We're not necessarily saying every company needs to do that same level of analysis, although it does make a lot of business sense to really understand which of my systems are critical and what is the direct impact to the organization if those systems go down.
But almost everyone we talk to understands that SAP is a business-critical application, that the data it's handling, the financial transactions, the different processes it's handling in an automated way are critical to the backbone and the life of the business. So dealing with this problem is of high urgency for an organization. Let's talk about some myths. We'll kind of skim through here; I think a lot of people in the audience really understand the issue here. So one is around applying SAP patches.
So organizations often have an SAP patch program, but the reality is, excuse me, that there's a large window of exposure. There's a long time, as organizations do due diligence, testing the patch, understanding the impact of applying that SAP note or patch to their organization, the impact of the configuration change, and that leads to a long window of exposure, during which time the attacker has time to weaponize that vulnerability and test it and make sure it's going to perform as they wish.
So organizations want to make sure that they have that luxury of time: rushing out a patch can have negative effects, and taking too long, as we can see, can have negative effects as well. You need some way to mitigate, to ensure that you have the window of time to safely test the patch in a way that's appropriate for your organization, but still not allow yourself to be exposed to overly high levels of risk for a long period of time.
This is a classic one: our SAP systems are on an internal network and therefore they're safe. Certainly from my point of view, and I've presented about this over the last few years, there is no internal network, really. Employees have access to the internet; they have access to public mail systems, Gmail, Hotmail, Yahoo, all of those systems; they're connecting out and reading news, reading other websites, other social networking. The ability for an attacker to push down code onto their machine,
even if that code only runs for the space of half an hour, a few hours, to establish themselves inside of the network and then extract information with the automated toolkits that are out there, is very high. So relying on the fact that my SAP systems are two, three, four layers deep in my network really isn't a defense. And then obviously, in the case of Portal, as you can see, Portal is designed to be public-facing; it's used for business-to-business operations, so your suppliers can come in and review the amount of inventory of their products,
so they can automatically deliver new inventory at the right time, and then for customer service management, etc. So assuming that SAP systems aren't reachable from the internet is no longer a valid way of assuming security for those systems. If internal people are able to access those systems, then most likely an attacker is able to get that same point of view, and then leverage that point of view. This one is understandable: I can definitely understand why people state this as a reason why they're not concerned about SAP security.
So they're saying that we have an SAP security team that looks after this, so therefore we're fine. And the problem is that they normally state this because they've looked at the organization chart and there is a group of people labeled SAP security, etc.
What I've found in my experience is that over 90% of the time that team is charged with segregation of duties, which is an important SAP security aspect: making sure users have just the privileges they need to do their roles, but not such high privilege that they can perform fraud, either accidentally or deliberately, within that organization. It's definitely something that should take place, but it doesn't mean that you have achieved a secure SAP system. What it means is your legitimate authenticated users have the right level of access.
What it doesn't mean is that another user, another rogue person, an outsider who can get access to the internal network, is going to be rebuffed by the SAP systems when they try and exploit known and public vulnerabilities on those systems. So when I talk to people and they say that they have an SAP security team, obviously I'm pleased.
That's definitely a positive; it means that there is an approach to security. But I wouldn't say I challenge them, but I push back and ask them: well, talk to that team, ask them what their function is, or ask them directly, how often are you applying SAP notes and security patches? And as I've said, in the incredibly vast majority of cases, the function is segregation of duties, users, roles and rights. They're not looking at the underlying security.
And if I can go off on a tangent here, that actually exposes the gap: the traditional security team handling your servers, workstations, etc., assumes that this SAP security team is taking care of what they consider SAP security, so the underlying risk posture, vulnerability exposure and attack surface of that system. Whereas the SAP security team is taking care of segregation of duties,
and assuming that the network security team is taking care of everything else. So it can expose a blind spot for an organization, and really reveal that there's a disconnect and a gap, and not just any gap, but a gap in the security of your business-critical infrastructure. So a gap that needs to be addressed quickly. And then we heard about this again in the first part of the presentation: we're migrating to SAP HANA, so we're safe.
So SAP ha obviously has improvements over, over traditional kind of a, a, but it's still not a magic cure to, to security. And for a couple of reasons, one is it's designed to be a very integrated business solution and it's designed to be very flexible. So that means there's a lot of configuration options. More of them are locked down than in previous versions of, of SAP offerings, but there's still an openness to it. It wants to deploy easily. It wants to make it easy to integrate with other systems.
If you can impersonate another system, then you can potentially gain access to that SAP Hannah system and access all the data and processes it runs. And we're also seeing just good old fashioned vulnerabilities in it as well. It's a very complex piece of code or collection of code is coded by humans.
And so therefore, no matter what the intention is, when you have a large group of humans, coding a very complex application, there's gonna be vulnerabilities introduced in the way that different pieces talk to each other and gaps between kind of the disconnect and overlaps of different codes and functions. So we're seeing already, even though it's only been out on the market for a short time, you know, a large number of vulnerabilities that are being announced, which implies there's a large amount of vulnerabilities in the pipeline that's been worked on by SAP.
So simply moving to ha doesn't automatically make you secure. It's still something that requires attention, a security program, and to be addressed and analyzed that at a very frequent basis. And then this kind of stating the obvious a little, you know, almost every organization I speak to is running SAP in the background somewhere, and often it's running something critical. So it's not just some backend system. That's running a, a nice to have some kind of company intranet, et cetera, but is running some critical part of the reason that that organization exists.
And the reason that organization is in business. You know, so we look at manufacturing: without some of those modules listed on the screen, a manufacturing client really ceases to provide value to the organization. If you're in the food industry and you need to put a stamp on every food item that comes out and is boxed and packaged of when it was made, you need to be able to log and record it for health purposes; if that SAP system that's performing that for you fails, all of that food has to be discarded. If your supply chain
isn't properly managed, then at worst you have just inefficiencies, which means you're not gonna be as competitive against your competitors who have a well-managed supply chain. And at even worse, you're going to end up facing financial issues from your overall over-ordering, under-ordering supply chain management. That's just one of those items there; on the retail side there is a critical backend system that's run by SAP in a lot of these organizations. So how is this being, you know, abused?
We saw earlier that this is a real threat, with real press reports around attacks, et cetera, successful attacks that are being reported publicly. And we know, obviously, the ratio between what's reported publicly and what's going on privately. There's a couple of different ways that we see SAP systems being attacked. So the first is pivoting, abusing trust relationships that exist between SAP systems.
So an attacker may come in and they may target a development SAP system, an SAP system that the organization wouldn't consider to be as critical, obviously, as a production system, and so therefore doesn't have the same focus and attention in terms of maintaining security on that system, executing patching, having a good patching policy for that system. But what SAP systems have is trusted connections.
These RFC destinations between SAP systems, that allow for the transfer of code, that allow for remote process execution, that allow for data to be moved around, really make those systems a lights-out system; they can run in an unattended way using these hard-coded connections. Well, if those connections aren't properly secured, then anyone can leverage those connections once they get access to one point or one node in that interconnected system.
And we're seeing a lot of that, where someone gains access to a system that for most people is not a priority. It's not critical. It's not on our kind of direct critical path. So we are really just gonna let that system run, so that it accrues vulnerability debt. It accrues this larger and larger attack surface, but it has a trust relationship, maybe it's two tiers away, but a trust relationship with a critical system. And it can leverage that. Number two, which we actually talked about a little: one of the publicized attacks was against a portal.
So portals by definition are often public-facing and they can allow for direct access to the portal service itself. So the vulnerability that the Chinese hacker slash researcher published allowed someone who could just reach the portal with no credentials to gain administrative access to the SAP portal. And then obviously from that point on, they have administrative access. There's no more attacks taking place, but it's simply using and abusing that capability that they've granted themselves on that system. And then, attacking SAP configuration itself.
So SAP releases notes; some of those notes are "you need to apply this code, this patch", but a lot of it is around the best way to securely configure an SAP system. And that's very hard and complicated to stay up to date with: all the different options, all the different new parameters that are added. Often there's a new note that adds new code and then a new parameter that needs to be enabled so that secure code is triggered. So we see a lot of times where SAP systems are not updated.
They're not configured well, and therefore anyone can reach out and run these remote services, run these remote commands on those systems. In fact, number three will give someone full access to the SAP database. And we unfortunately see this more often than I'd like: an attacker with no access, no credentials, no knowledge really beyond an IP address or the server name of the SAP system can, from there, get full read, write, create, delete, modify access to the underlying database and all of the information that resides inside it. So I don't like being all doom and gloom.
I wanna make sure that we take some of the time here to talk about, well, what are the steps that people take, you know, the CISOs who've identified that SAP systems are running their critical data, who've identified that this is a priority for them and for their organization in order to be competitive, to be healthy from a security point of view, and obviously to justify the board's requirements and the CFO's requirement that risk be at an acceptable level. There's a kind of a three-step outline here. The first is obviously discovery, and this is quite an interesting exercise.
Often we don't know. We know we have SAP, but knowing how many SAP systems we have, how many application servers for each system we have, and what connectors are available, what services they are running, is not an exercise that's been done before. So it can expose older systems that people thought had been decommissioned, SAP services, running services that aren't required but were either on by default or turned on for a particular project and never turned off.
Once we've done that mapping, we can then understand: what is the role that this SAP system plays in my organization? What is the business process that passes through it? And some of them might only have a business process that passes through it at the end of the month, at the end of the quarter, maybe even the end of the year, some kind of financial roll-up. But understanding what is the business process that it is responsible for, or has a hand in, and what is the value and the importance of that process in my organization?
What would it mean if that process didn't run at the appropriate time or wasn't able to run? And also, what information does that SAP system have? So what does it have?
My formulas for my chemical or the new drug that we're currently researching or doing trials on? Does it have intellectual property? Does it have financial information about my customers, about my vendors, et cetera? Does it have bank account information? Once we get this very clear and accurate picture of what I have, then we can take the next steps and start deciding: are these adequately protected? What is the security posture and the attack surface of these machines, and does that meet the risk tolerance of my organization? So, understanding whether it meets the risk tolerance.
Obviously we have to determine the risk, and we can see the three areas that we're gonna do this in. So, very obvious: economic impact.
So, you know, we saw that before for that organization, 22 million per minute. If those are specific SAP systems, not all of their SAP systems, but a specific SAP system with a specific role, what would the impact be for my organization? And then a big part of risk for an organization is compliance. We're out of compliance; we face fines.
We face some kind of punitive action that, as an organization, we don't wanna receive, either because it's financial or because it's bad press and it's bad for the share price, et cetera. So once we understand the SAP systems, once we understand the data they have, the processes they perform, now we can start saying, well, because it runs that process, because it touches that data, it falls under this particular compliance mandate that we have, either a public one or an internal one; we need to understand how it measures up against that compliance standard.
And that's something that's critical to be done not as a one-time exercise but as a recurring exercise. It's very easy, if everyone knows that an audit is coming, for systems to magically become compliant and then drift out of compliance when the audit's done and everyone knows there's not gonna be another one for at least 12 months. So make sure this is a regular program that ensures those SAP systems are compliant. And as we all know, when we enforce security, often compliance comes with it.
So, making sure this is part of a managed security program for your SAP systems. Inevitably things aren't gonna be perfect; we've not seen that yet. And so the key is, let's be intelligent about what we do. So let's make sure, if I only have a set amount of SAP security spend, so to speak, I only have so much I can do in order to mitigate SAP systems this quarter, this half of the year, then let's make sure we're doing it in the right way or the best possible way.
So we have the most effective change to that risk posture, and change to the impact on our compliance standing or the potential impact for economic risk, if we're addressing those systems that would introduce the largest economic impact if they were to be disrupted. So just doing the more critical things first, which requires that when we understand the attack surface, when we understand the vulnerability posture, the compliance posture of my SAP systems, we then know which of the more critical ones to address first, and we know how to address those.
And what's the most efficient way that we can address those issues? So we help frame this first through a risk illustration approach. So this is something we work on with both clients and prospects, to just better understand and kind of do that initial mapping, like let's understand what is the business risk that we are carrying through these systems. So helping to map out a portion of the SAP environment, helping to understand what is the security posture, what is the risk posture, or at the very least the attack surface of that system.
And what does that mean for my organization? You know, is this something we're willing to live with? Is this something that I'll be willing to report up to the board and state: this is the level of attack surface on my systems, this is the data they're running, and either we need more funding in order to bring this to an acceptable level, or we need the board to sign off saying that we accept that we're living with this risk. We have these options to mitigate it, but we are choosing just to accept the risk for now.
So providing you with that framework, providing you with that very-close-to-instant visibility into that posture for your organization, and then, long term, getting SAP cyber security into your security strategy and security roadmap.
So, you know, most organizations have a solid strategy and roadmap around the underlying servers, their desktops, their network; it's bringing SAP in and treating it at the same level, making sure that there's a comprehensive plan for how SAP systems will be monitored on a continuous basis, not just monitored for vulnerabilities, but monitored for the interactions going on with those SAP systems. How are they being interacted with? Is there malicious activity going on against those systems right now, and are the right groups within my organization aware of it?
I don't wanna turn this into a software pitch, but obviously we have a solution that helps with that and is helping organizations today with that, the absolute security platform, which I'm happy to follow up with people on. It's an enterprise solution that'll run inside, and is running inside, large organizations, performing those continuous assessments of, you know, how we're standing from just a pure vulnerability point of view, as you can see on the screen, how compliant am I against the internal and the external system compliance policies that I have to adhere to, and monitoring that traffic, alerting me as soon as any kind of malicious activity takes place on that system.
That being said, I just wanna go through what our proposed action plan is, and it's really straightforward, but often just getting it down on paper and then working through the timetable of it helps. It's getting visibility, so seeing what is on my network; understanding what could happen; then taking those steps to prevent and detect that type of leveraging of that risk; and then responding, obviously in an unattended, automated way, in order to reduce the risk and ensure that you have a complete solution.
We're understanding the vulnerabilities; they're coming out every month. Every month there's 30 new vulnerabilities, a subset of which will be relevant for a given network and can be exploited. And we have immediately a compensating control that's watching for those attacks and is alerting the right people while we take the time to test and ensure that patch isn't gonna be disruptive to my organization. So that being said, I might have gone slightly over time, but I'm gonna hand things back over now to Alexei.
And we'll go through your questions. Thanks everyone.
Wow. Thank you very much, Alexei, for a very interesting presentation. Let me switch back to myself. Okay. So we are now ready for the Q and A session. We already have a few questions in the queue, but please don't hesitate to submit more. If for some reason we won't be able to answer them during the webinar, we will definitely come back to you by email to address those questions directly. And the first question actually came pretty early in the presentation, so it was kind of already answered, but I will still read it out.
So, I thought that HANA was a new technology and so should be a secure option. Could you elaborate why it's not?
Yeah, it's a good question. And I agree. Yes, it came earlier. I touched on it a bit in my slides and, you know, it's a natural assumption that something that's newer is automatically better, which is often the case, and more secure, which is unfortunately very seldom the case.
So HANA is, you know, a very powerful solution, but is very complex. And anytime you have complexity, you have the possibility of risk.
And actually I touched on a slide where we showed the amount of SAP security notes that they've released around HANA itself and the rate at which it's growing. So just getting HANA doesn't magically make you secure.
It needs to be treated the same way as any other system, especially a system that's running business-critical applications. It needs to fall under the security umbrella; it needs a regular assessment, both to measure the risk profile and the level of risk it's bringing to an organization to make sure that's acceptable, and to monitor and make sure the interactions that are taking place with that system are acceptable and safe and not some kind of attack or some kind of potential breach for the organization.
Well, in fact, if I might add a few words to that as well, it's actually a very dangerous assumption to think that something that's new is automatically more secure, because the trend we are currently observing is absolutely the opposite. In fact, just because, you know, the digital landscape, so to say, is changing so quickly, so many new business requirements are appearing all the time, software vendors just are not able to keep up and they're rushing new products to the market. And more often than not, security is, you know, an afterthought. In our research,
we actually stumble upon very, very few products where they actually implement the security-first principle. And it's always a rare gem, which I'm glad to see, but again, it happens
not so often. Okay, next question. We have invested in vulnerability scanning for our server and desktop environment. Can I not leverage that investment for my SAP systems?
I can take that as well.
That's a good question, and actually a relatively common question.
So the truth is those scanners, those vuln scanners, are very good at what they do, which is assessing your infrastructure, so the underlying servers, the desktops, et cetera within your organization, but they don't claim to, and they don't try to, understand the SAP configuration and the internal kind of patching of the SAP systems themselves. But what you can do, if you have that software inside your organization, then most likely you also have a vulnerability management program inside your organization.
So you can leverage the time and effort spent creating that program, SLAs around how quickly to fix critical and high, and just roll SAP into that program, and then use the security platform to deliver the content, to deliver, you know, the latest information about the SAP vulnerabilities within your organization, and then have that same vuln management framework, where that just feeds into that cycle, feeds into your SIEM, feeds into your GRC, feeds into a ticketing system, and there's an SLA, things get responded to and addressed.
And now you've got a more complete and more encompassing vulnerability management program within your organization.
Okay, great. And the next question is: my team is independent of the rest of the organization by design. We have no SAP experience and no budget. What would you recommend as the next steps?
That's a good question, actually. I quite admire that team, you know; I think it's the right way to be. You know, security should be independent to some degree of the organization, so you're not beholden to them, and you can be objective when you describe security challenges and security weaknesses within the organization.
But then, you know, it raises exactly the challenge that you brought up, which is, you know, to really understand SAP, you need to be an SAP expert. And so you don't want to go and ask the SAP team necessarily, "tell me about the problems you have and how you're not doing security right", because human nature is they're not gonna be in a hurry to give you a full and complete answer to that question. So something like the absolute security platform is designed to abstract away that kind of deep technical SAP knowledge. It has it all.
And it's designed to be used by a business, not by an SAP, you know, 12-years-in-the-making SAP expert. So anyone in the organization, be it on a security team, be it part of the CISO team, will be able to use it in order to put in the name or the IP address of the SAP system, and from there on the platform takes care of everything else to some degree and just starts telling you about the risk posture.
So you need to find something that understands kind of business, understands SAP, but presents things back in a way that the organization can understand, versus something that the Basis team can understand.
Okay, great. That exactly correlates to the list of requirements we have.
I mean, I have listed earlier in the presentation that ideally your security tools always have to be usable for personnel without any IT or specifically SAP experience, where you have to get a business-related question as an input and make a business-oriented decision on how to mitigate that particular problem. Okay. Next question. How have other CISOs communicated to their boards the need for this type of activity and investment?
Yeah, that's the big question, isn't it? You know, CISOs especially, they've got constraints on time. They have a lot they are expected to deliver. They've got to, you know, protect everything to some degree, but the truth is when a CISO takes the time, and it sounds like this person has, to understand, you know, what is critical to my organization, these business-critical applications, their SAP systems are always gonna bubble to the top. So then it's the case of, well, I know that these are critical.
I need to illustrate to the board the amount of risk we're taking. And so that's where that business risk illustration I talked about can really help quantify and visualize the risk the SAP systems have. And then it's almost, I'm oversimplifying, but it's a straight question to the board: this is the amount of risk we have. This is the value and the criticality of these systems to our organization. We have little or no funding for this. Are you willing to sign off and accept that risk?
Or should we set up a project and allocate funding in order to bring this risk to what is acceptable for our organization?
Obviously it's a little bit more than that, and I'm happy to follow up one on one, but really that's the process I'd say: quantify the value of the systems, quantify and illustrate the amount of risk, and then ask the appropriate people to either sign off and accept that risk or to, you know, set up a project, set up funding and eliminate, or at least reduce, the risk to something that's more acceptable.
But isn't there some kind of a tiny vicious circle in that approach?
I mean, you really need specialized tools to be able to reasonably quickly and easily quantify those risks, but you don't have budgets for that software before you actually come up with a plan which already includes those risks.
That's a very good point.
I can definitely help with a tool for no budget to do that quantification of a subset of the systems in a given organization. We see that obviously all the time, and we have ways, and we have things that we can offer people, to break out that, as it were, and turn it into a straight line with a very clear and a very...
I do not see any further questions in the queue at the moment. That's your really last chance to submit one. And in the meantime, let me draw your attention to a list of related research documents, which you will find on our website.
As I mentioned, the leadership brief SAP Security Priorities can be downloaded for free. You just have to create an account, which takes you a minute and costs you nothing. Other reports are available as a part of subscription services, or you can apply for the Select program, where you basically have 30 days of trial access to our report database. So please have a look.
And again, as I do not see any further questions, the only thing which is left to me is to say thank you very much for attending this webinar. I'm looking forward to... oops. We actually have a question.
Alexei, Jason, we managed to answer one more. Yeah, no problem at all. Okay. So in your personal point of view, what is the best way to improve your security in SAP? Is it logging, or taking your SAP solution offline, or something else?
Well, I mean, it's a loaded question. My personal opinion: the best way to improve the security of your SAP systems is the UNAP security platform. But I think it's probably not really the intended answer. So the best way, I mean, I think there's not a switch or a single parameter that suddenly makes an SAP system secure. It's the willingness to do it.
So you, as a security person inside an organization, and as an organization, need to have the willingness and the understanding of "we need to do this" and why it's beneficial for the business, why reducing this risk is positive for the business, and in a lot of cases makes the business more efficient or more competitive. And then from there it's not trying to boil the ocean.
It's: let's understand what we have, so we have a clear picture, and then let's just pick what are the appropriate and the quickest wins and most valuable wins we can do in the short term. So how can we just incrementally improve on SAP security? It's by no means a sprint; this is kind of a marathon, to use a sporting analogy.
And then I would say that the key there is to constantly be measuring and re-measuring, to be able to provide metrics to the rest of the organization, provide metrics up to the CFO, to the board, saying, you know, we're not at the finish line, but this is how much we've improved in the last month and the last quarter. We, you know, had this amount of critical risk on these systems, and now we've reduced that by this much, but SAP has released 30 new vulnerabilities, so we've also seen an increase, and so we have to address those in the next cycle.
So it's not a one-line answer. Unfortunately, it's definitely a program and a commitment that an organization needs to make, but given the criticality of these systems, it's hard to understand why an organization wouldn't make that commitment and wouldn't start working on that kind of program.
Okay. And with that, we have reached the top of the hour. Thank you very much, Alexei, for a very interesting presentation and a lot of insightful answers to the questions. Thanks to the attendees for being with us during this hour.
I'm looking forward to seeing you again in our future webinars or at our events. Please do not hesitate to contact us if you have any questions, and have a nice day. Thanks everyone.