
Dealing with cyber threats in the SAP® / ERP application layer

By Michael Kemmer - September 18, 2018

Since 2001, the number of cyber attacks has been increasing rapidly. Recently, corporate solutions such as ERP, CRM, HCM and similar systems have become the focus of cyber crime; see, for example, Gartner's report "Hype Cycle for Application Security, 2017", published in July 2017.

According to VP Distinguished Analyst Neil MacDonald:

"As financially motivated attackers turn their attention to the application layer, business applications such as ERP, CRM and human resources are attractive targets. In many organizations, the ERP application is maintained by a completely separate team and security has not been a high priority. As a result, systems are often left unpatched for years in the name of operational availability." Gartner, Hype Cycle for Application Security, 2017, July 2017.

These applications are mission critical! The detection of an attack or a failure of one of these systems can be catastrophic, as the USIS example shows: USIS, a service provider to the Department of Homeland Security, was hacked in 2014. 27,000 people were affected. OPM (USIS's main customer) then stopped cooperating with USIS.

Complete monitoring of these systems is essential! There must be 24/7/365 monitoring for failures and cyber attacks. Even more so, considering that "77% of the world's transaction revenue touches on SAP-System, 92% of the Forbes Global 2000 run SAP!"

This also makes it clear why corporate solutions such as SAP are becoming a frequent target of cyber attacks. Anyone who believes that conventional on-board security mechanisms are enough to take care of security is mistaken.

The development of the SAP® system focused on international availability, the mapping of the required functions and the coverage of business processes. At that time, the complex integration possibilities that e-business, IoT or mobile computing entailed were partly still visions. The issue of cybersecurity was therefore hardly or not at all taken into account.

For more than a decade, the number of vulnerabilities and patches for SAP® has grown steadily. At the time of writing, there are more than 4,000 security patches for security vulnerabilities in SAP® applications.

So much for the initial situation, which can certainly be enriched by many more perspectives.

What about the monetary damage that arises each year?

Here we quote the current report:

"2018 Cost of a Data Breach Study: Global Overview, Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute LLC"

According to the study:

  • Average total cost of a data breach: $3.86 million
  • Average cost per lost or stolen record: $148
  • Average cost savings with an incident response team: $14 per record

But first the damage must be recognized: the time needed to identify and contain a data breach has an impact on costs. The faster the data breach can be detected and contained, the lower the costs.

Mean Time to Identification (MTTI) and Mean Time to Contain (MTTC) metrics are used to determine the effectiveness of an organization's incident response and containment processes. The MTTI metric helps companies understand the time needed to detect an incident, and the MTTC metric measures the time it takes for a responder to resolve a situation and ultimately restore service. These times (MTTI and MTTC) have been increasing since last year. In this year's study, the MTTI for our consolidated sample of 477 companies was 197 days. The MTTC was 69 days. MTTI and MTTC were 191 and 66 days last year, respectively. The risk rises and rises!

How do you counter these dangers? How can the backbone of your company be protected and cyber attacks prevented?

Monitoring of the IT environment is typically accomplished by SIEM systems, e.g. Splunk>, which are offered in a variety of ways on the market. SIEM systems fulfill two different tasks:

  1. On the one hand, they provide real-time monitoring functions, correlate events, provide an overview of the security status via their management console and send notifications.
  2. On the other hand, they store the event data over a longer period of time, carry out analyses, support compliance requirements and forensics, and generate reports.

So SIEM systems monitor security devices, network devices, endpoints, servers and databases, applications and logs, email/web gateways, identity management, etc. Only the SAP® system is not integrated, or only insufficiently. The gateway for cyber attacks remains open! This situation is reinforced by the fact that different teams are usually responsible: the CIO for SAP®, the CISO for data protection. Not infrequently, a firewall runs along this boundary as well.

For a 360° view, the SAP® system must be integrated into a SIEM strategy!

agileSI™ fully integrates SAP® compliance and security-related information into centralized monitoring. Once the security-related information is in the SIEM system, the agileSI™ Security Intelligence packages for SIEM help to integrate and interpret SAP® information like "any other source of information" for monitoring in SIEM.

CISOs benefit from improved transparency and compliance audits as well as automated reporting and real-time monitoring. Security engineers in the SOC get extracted raw data to correlate and to create use cases as they see fit. SAP® specialists have the opportunity to monitor data and processes, while at the same time saving time in terms of security.

agileSI™ is your complete observatory in SAP®!

agileSI™ offers a wide range of SAP® extractors that feed various types of SAP® data such as database data, system settings, logs and events from various SAP® security sources into SIEM.

Are you convinced that your organization, especially your SAP® system, is optimally protected against cyber attacks? We offer you our cyber detect test. Curious? We are looking forward to your feedback!
