Event Recording

Jochen Fischer: SAP Applications Under Attack! How to Enforce the Three Lines of Defense

Hello. My name is Jochen Fischer. I am co-founder and CEO of No Monkey. We founded No Monkey with one goal in mind: enable our customers to learn and understand their risk and implement a consistent SAP security culture.
We believe the best way to upscale security in SAP is by enabling the three lines of defense. We aim to build a strong governance based on responsibilities, skills and the support of the C-level, who carries the responsibility in last consequence. Why is mission-critical information within SAP not getting secured appropriately? Within this session, I'll share insights from more than 10 years of experience with SAP customers worldwide, who are more or less all facing the same challenges when it comes to running SAP secure and compliant. Listen carefully, because security is nothing where you work against each other. It's a topic where you can learn from each other and share best practices. No Monkey has produced a little movie called "The Inconvenient Truth", which reflects the lessons learned out of the past. Spot on, in action.
Wait, I'm just looking at it. Where is it? I thought you could tell me. Okay, get everyone together. I'm coming. Let's hope this is an error. Sorry, who are you?
Your last appointment?
I think I would know. Sorry. I'm in a rush.
It's pointless to place an army in front of the entrance when the back door is open. Please check your calendar. It took 28 keystrokes and one email to breach your IT system, 15 keystrokes to make this appointment, 30 keystrokes to transfer the 150 million. Next time you could lose more than just money. Please let me show you something.
Ouch. This CEO just realized that his company is missing 150 million as a result of a cyber attack. These attacks are happening every day on SAP systems. They might contain valuable information such as financial data, HR information about employees, production secrets, or real-time information about ongoing activities within a company. Let's have a closer look at what leads to these unwanted circumstances: different individual perspectives, goals, and KPIs. Let's take a migration to the cloud as an example. Testing efforts are required anyway, as well as a budget to realize the project, but there's always a significant conflict of different stakeholders who all want to safeguard their interests. For example, imagine you are the CIO. Do you want to migrate fast? Sure. Do you want to migrate cheaply? Hell yeah. Do you want to be secure? Yeah, why not? Oh, but then it won't be fast. Rather have it as a fast migration? But when it's fast and secure, it won't be cheap. To sum it up in a nutshell: security costs time, resources, and money, with mostly no quick return on investment.
Let's take a look at how most companies are organizing their SAP security. They use a common model of the three lines of defense, where theoretically everything is well organized. Everyone knows his role and tasks. Theoretically, the first line of defense is the operational SAP department, which has the control of risk. The second line of defense is the information security department, which has a strategic overview of control. The third line of defense is the audit department that checks the confirmation of control. They all report to a C-level who's in charge of the overall corporate responsibility. Having this in mind, let's come back to our movie and consider a few thoughts from the end: who would you contact first as a C-level in case of an attack against a mission-critical SAP system? Who is responsible for securing SAP, and do the people have the skills to fulfill their responsibilities? How many people do you know that understand SAP and information security at the same time? Let's see how the CEO is prepared.
Everything is fine. Thank you, Mr. Lee.
You will have three minutes, and you have three problems. An IT system contains different applications. Some of them are very complex, with their own complex language. And that's at the core of your first security problem. Your three lines of defense: for the operations unit, applications and languages are the home turf. The security unit monitors the whole system to spot attacks. The audit unit makes sure everything works the way it should. And here we have the issue. The operations unit is pressured to make everything work simple and fast. Security becomes an extra mile. To safeguard their comfort zone, they keep problems under their heads. Security sees unusual activities in the system, but not within an application. Audit should listen to the others, but like security, they don't speak those application languages. So they mostly rely on help from outside. So this is what you call the three lines of defense. But in reality, they are not lines. They're just towers. Each one stands for itself. Silo thinking, obsolete processes, which leaves you now... The way they will protect the company is when they work together, connected, communicating along common strategies, operating along common processes.
Of all the attacks, most are due to human errors. It all starts with the people, because security is culture.
Culture has to be... Do you want to know the second problem?
Security is culture, and culture starts with people and not with technology. We as No Monkey see pretty often that companies are throwing money at a problem they don't really understand. These investments are most often tools that detect vulnerabilities in code, configuration, interfaces or change management. But these technologies only make sense when you have the right processes in place and, even more important, people that understand how and why they need to use a specific technology to achieve security and compliance in SAP. Hope, the movie's character, uses three wooden monkeys to illustrate these three lines of defense. You can also imagine them as a delta, including three main attack vectors that attackers can misuse: people, processes, and technology. We all know the saying: a fool with a tool is still a fool. Only when people learn can they understand the risk to define the needed processes. Lastly, technology can support the processes and the people, but not vice versa. Let's see which further eye-opening challenges Hope is addressing to the CEO.
The second problem.
You still have one minute.
What you need is a security strategy, not just for the tech, but for the whole company. Now, the second problem is that whoever you ask for help, security vendors, IT consultants or auditors, they always have one answer, and it's never "no". They might advise a product. They might advise a service, or both, but their answer isn't tailored to your company's needs. Their answer is tailored to their company's products, to their company's services, tailored to their agenda rather than yours. As a result, companies like yours blindly throw money at the end of the problem. And...
And what's your agenda, Hope?
Excuse me.
We are not secure. Only a holistic approach can change it, but no one offers it so far. I understand, but I don't understand. You stole 150 million and yet you come here to my office telling this. Let's... what's your agenda? What do you want?
I just want,
Who are you, really? You hacked your own company?
For a small employee like me, this was the only way to get to you.
By the way, the money is already back. My apologies, I had to demonstrate the gravity.
Hope, is that your real name? You can secure us? But if you can and you are here, what's the third problem?
Took 9,700 ones to write. The
Hope is not a strategy.
Your third problem is: in real life, this movie would have ended after the phone call.
Good, everyone together. I'm coming. Let's hope this is an error.
Keep in mind: SAP security defenses, united they stand, divided they fall. As you remove the monkey from each line of defense, you improve knowledge, understanding, communication, and culture within your organization, protect your SAP ecosystem and make sure to have no monkey. Now you understand how we came up with the name. The question is, how do you get rid of the monkeys? No Monkey can help you do it. We are an independent authority that focuses on individual customer parameters to define a tailored, customer-centric strategy. Allow our advisory services to come in and to spend some time learning about your current security posture, your risk appetite, your processes, controls and employees' skill sets. The No Monkey advisory provides you with important transparency about the existing attack surface to efficiently launch countermeasures where the need for protection is at the highest urgency. Stop looking for rare individuals who understand SAP from a cybersecurity perspective and start training your own employees to be them.
We offer one-hour e-learning courses designed with videos, games, and occasional quizzes to make learning interactive. Whether you are on a train, in the office or at home, you can use the time to learn about SAP security, or do it in a virtual classroom training with a live instructor, whichever you choose. And to make your learning even more efficient, a hands-on training in a real SAP environment is a fundamental part of our learning concepts. Let's take a step back to the delta to bring the value of engaging with No Monkey into context. Within the No Monkey advisory, we developed 10 standardized services that enable you to understand your attack surface. Based on this evidence, the stakeholders within the three lines of defense can address the urgency or need to act to the C-level. The C-level finally has two options: accept the risk or allocate a dedicated budget to tackle it.
As you can see, we define the different services over all relevant areas that need to be covered to realize a security strategy, covering people, processes, and technology. The No Monkey Academy provides the training courses that enable the right people to learn the right content in the needed depth to fulfill their responsibility in running SAP secure and compliant. The valuable outcome of each of these compact projects has three massive advantages. Firstly, the projects can be realized within a short period of time, mostly weeks, not months. Secondly, the projects are designed to be lean with your resources. They don't require big budgets which need to be planned and allocated long before, compared to investments in expensive technologies. Thirdly, you can combine the services to get the best possible insights into your SAP environment's current security and compliance status. SAP is a highly complex technology universe where you can get lost pretty quickly.
So where is the right point to start your journey in SAP security? When you don't know what to do and where to start, it's always good to locate yourself and get a compass that leads you your way. This is why we offer the Security Aptitude Assessment. It's the perfect start to understand your corporate aptitude to protect your SAP environment. Based on an adaptive survey, which takes less than 30 minutes to complete, you get valuable insights on existing responsibility and skill gaps to secure SAP within your organization. You might even detect essential functions that nobody took ownership of yet. As we are a German company based in Heidelberg, you can be sure that all questions comply with the requirements of workers' councils and GDPR by using anonymization techniques. No Monkey empowers organizations to understand their SAP security environment from a dedicated security perspective. As a result, our customers acquire the ability to make more efficient decisions on their organization's security posture.
As my time is short, I would like to thank you for your patience and would like to suggest, in case you want to know more about the Security Aptitude Assessment, to listen to the interview with Marco Weenk. We had the opportunity to help folks payroll conducting this service, supporting them with their SAP security strategy on top. My colleague Marco Hamel will later take a deep dive into the procedure of applying a Security Aptitude Assessment. If you are ready to identify your SAP security skill gaps within your organization, feel free to get in touch at any time and make sure you follow No Monkey on LinkedIn to stay updated. To sum it up, please keep in mind: hope is not a strategy. Understand your risk and what you can do against it before others do. See you at the networking lunch. And now back to you, Amy.
