GRC Tuesdays: Starting on Your Cybersecurity Journey


Why should you care?

Most Cybersecurity blogs start with a few figures on how prominent this issue is, but the observation is simple and the finding without appeal: “ERP systems make an appealing target for hackers, as they run business-critical processes and house sensitive corporate information, which can be used for cyber espionage, sabotage, and fraud” (Read more in ZDNet)

And yes, I could refer to publications such as Cost of a Data Breach Report pointing out that the average cost of a data breach is over $4m worldwide (and over $9m in the United States), that it increases 10% year over year, or that it takes an average of 287 days to identify and contain a breach. But that wouldn’t help you much. And if you read these blogs, then I am pretty sure you already know all this. So let’s shift gears and see what can be done!

Start with a framework

I hold this principle true whether relating to risk, control, or here, cybersecurity: choosing a framework or adapting an existing one to the precise requirements of your organization will enable a shared understanding across the company, but also will allow leveraging best practices from other organizations.

There are many frameworks available but one that I personally find particularly helpful and illustrative is the MITRE ATT&CK framework that is designed to help organizations of all sizes and industries manage cyber risks:

ATT&CK Matrix for Enterprise

This image might be daunting, especially if your company is still in the design phase for its cybersecurity defense strategy. So the question becomes: where do we start?

First, select and prioritize the threat areas that you want to focus on. No-one is able to tackle everything, regardless of the number of resources that will be allocated to this initiative.

One good option is to go back to the cybersecurity analyst reports and see where, historically, most attacks have come from in your industry, geography, etc. These are definitely areas you want to address first.

Then, and as for internal control (cf. GRC Tuesdays: Fast Track Your Internal Control Project) or fraud detection (cf. GRC Tuesdays: Think Anti-Fraud Programs Are Necessarily Long and Complex? Think Again), leveraging a technical solution for automated monitoring is a good step, but having predefined content that can be activated straight away is what will make the difference for the IT Security teams to be productive rapidly.

In these GRC Tuesdays blogs, I have already referred to SAP Enterprise Threat Detection – SAP’s security information and event management (SIEM) tool that uses real-time intelligence so companies comply with data protection and audit regulations but also detect external and internal cybersecurity threats. This would be the “technical solution for automated monitoring” mentioned in the paragraph just above for IT Security teams to scale.

Nevertheless, I have just realized that I never mentioned the predefined content that comes with it!

To help cybersecurity experts make the most out of this solution and start protecting the business more rapidly, available patterns are delivered out-of-the-box. And, since cyber attackers are not short of creativity, SAP’s Global Security team regularly delivers additional configurable standard content packages with predefined attack detection patterns designed to enhance protection against malicious attacks.

Examples of use cases already covered include:

  • Protecting information disclosure by making sure that no extraction of confidential information takes place
  • Preventing file manipulation
  • Detecting and monitoring suspicious user behaviour (including technical and dialog users)
  • Monitoring SAP security notes
  • Etc.

Each pattern is detailed in the link mentioned above with its name, description of the detection rule being applied, but also the log type consumed (Business Transaction Log, Change Document Log, Gateway Log, System Log, User Change Log, HTTP Server Log, Read Access Log, Security Audit Log).

My recommendation would therefore be to go over this predelivered content, map it against the areas in the framework that you prioritised and roll them out first. Progressively, you can then map more rules to additional threat area or even create your own patterns.

Illustration of a mapping between a threat area in the ATT&CK Matrix and a pattern from SAP Enterprise Threat Detection:

How does it fit within a heterogeneous landscape?

There are various ways through which attacks – including ransomware, could jeopardize an SAP system: through the application layer and through the infrastructure layer (i.e.: operating system, database, network).

For the infrastructure level, there are Security Information and Event Management – or SIEM, solutions that are already in market and are very suitable for this need.

Concerning the application layer, SAP Enterprise Threat Detection is designed in a way to alert the security administrators regarding the security activities happening within the SAP system by analysing the log files. Security analysts will then have a better knowledge about their business environment. This will help them stop ransomware attacks from disrupting their enterprise landscape.

SAP Enterprise Threat Detection can then integrate to the SIEM solutions to provide cyber experts with a full visibility across the landscape.

As highlighted by a KuppingerCole Report: “SAP Enterprise Threat Detection (ETD) is a SAP security offering that can be considered being part of the SIEM market segment, however being targeted at the application layer, and tailored to the needs of securing SAP infrastructure. Thus, it is more complementary to the other solutions”. As KuppingerCole further puts it in the same report: “Partnerships with SIEM vendors allow for building integrated solutions, where the systems exchange relevant information, and SIEM focuses on the layers not covered by ETD (network, operating system, other vendor’s databases), while SAP ETD delivers on the SAP-specific layers of HANA Database and SAP applications.

In line with this, SAP Enterprise Threat Detection offers options to publish alerts (i.e.: detected anomalies) to third-party SIEM solutions to help companies achieve the integration below:

SAP%20Enterprise%20Threat%20Detection%20and%20generic%20SIEM%20systems

SAP Enterprise Threat Detection and generic SIEM systems

I have also listed below some useful blogs on this topic that include more details and illustrations on the integrations:

Don’t have enough resources, or need it ASAP? Then have a look at SAP ETD Cloud

A remaining question that you may still have is as follows: all this sounds great, but we’re starting, need it yesterday and don’t have the resources. What can we do?

For this, I would suggest having a look at SAP Enterprise Threat Detection, Cloud Edition. With this offering, SAP experts take over SAP software security with 24×7 monitoring and provide regular reporting and notification on critical incidents.

Examples of real-life security incidents the SAP Enterprise Threat Detection, Cloud Edition can help detect:

  • Newly published SAP software security vulnerability was exploited two days after SAP software security patch day to access critical data
  • User data tables with weak password hashes were downloaded on the file system
  • A brute force attack was used to access SAP software with superuser permissions
  • A user tried to log on to (all) company SAP software systems using the SAP standard user
  • Identity theft occurred, with a user login in the same timeframe in different locations
  • External consultants disregarded security policies and worked as developers in a productive system
  • Business was interrupted for several days because an external partner deleted an SAP software–based business table
  • A privileged user manipulated their salary
  • Etc.

For more information about this offering, please see the dedicated communication: SAP Enterprise Threat Detection | SAP News Center

What about you, how did your company start its cybersecurity journey? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard