Event Recording

Marco Hammel: How to Avoid Costly SAP Security Pitfalls. Why to Make Security Start With People and Not With Tools

Hello. My name is Marco Hammel. I'm one of the co-founders and CTO of NO MONKEY. Today I want to share some of my experience with SAP security pitfalls at different SAP-using organizations and how you can avoid them. Moreover, I will show you what "starting with people" actually means, and why doing this can make your initiative more successful.

Let's look at some examples of what can happen when you start your journey to securing your SAP environment the wrong way.

SAP security shelfware. Shelfware is the common name for software that companies buy because of perceived demand but never use. This happened to an international British high-tech manufacturer. The CSO left the organization shortly after purchasing an SAP vulnerability scanning and monitoring solution. The SAP security team, consisting of just one full-time equivalent, never got the necessary budget to roll out the software, nor to buy services from the vendor for enablement. The company continued to pay annual maintenance for four years. Overall, this yielded a total loss of 140,000 British pounds with no improvement of their SAP security.

Lack of governance and communication. A German car manufacturer purchased a specialized SAP security code scanner, rolled it out in their whole SAP environment and integrated the scanner into the internal release process. So far, so good. But software deliveries from third-party vendors were not checked. Internal developers were annoyed by longer release times, and the pop-up warning that their development had not passed certain optional code checks was the only communication around the initiative. All in all, 320,000 euros lost, and a comparison of scan reports showed that not a single vulnerability in their legacy code got fixed.
An oil and gas company asked for support implementing detection capabilities into their SIEM process for their SAP applications. During the evaluation, we figured out that some SAP installations had been missing security patches for more than two years. This also included misconfigurations exposing them to publicly available unauthenticated remote code execution exploits. This is like putting cameras on a broken house with no guards. What the customer achieved was no security for over 180,000 US dollars.

As you all know, it doesn't have to be this way. Even though we frequently come across such situations, independent of size and budget, I have seen organizations with a better corporate security culture still achieve their objectives, also in SAP. If you want to implement a corporate culture for cybersecurity, including your SAP solutions, we believe in and work by the credo that implementing a security culture is a journey that will make us as the advisors redundant. After this journey, your first lines of defense might still need operational support, tools and external services. Still, they have the maturity and are aligned to make the right decisions. Moreover, they have the governance to address your current and upcoming threat situation.
How can you approach the challenges of SAP security more efficiently? There are plenty of technology-agnostic frameworks for information and cybersecurity. However, it's not easy to apply them to SAP. Also, SAP made a clear point that they don't see themselves in the lead to ease this pain. Security is something you can learn from each other, but not to compete against each other. That's why it's good not to reinvent the wheel, but to collaborate. Many organizations using SAP are critical for society. Remember, 70% of the world's beer production and distribution depends on SAP software. Some regulators have recognized this. For example, alerts for SAP security flaws and breaches are reported by different national CERTs. I would like to show you an example of one of our productive collaborations: the Core Business Application Security project in the OWASP Foundation supports in doing the right things, by helping organizations to adopt a security roadmap for their core business applications. It was initiated to bring together business application security experts and the organizations using them on neutral ground. We started this to strengthen people's security posture and leverage security processes on top, to enhance the use of security tools by providing a framework and tools that can be tailored to the organization's security needs.
The matrix you can see here applies the relevant subset of the NIST Cybersecurity Framework. As a drill-down to application security of core business applications like SAP, it sets the defender's playground. We've gone through the 108 subcategories, goals and definitions and defined their applicability and operational scope. We call it the NO MONKEY Security Matrix. As you might notice, today it has found some adoption in the SAP ecosystem, currently including SAP itself. With this, you have a simple tool to organize SAP application security, either as part of your cybersecurity framework initiative or independently. You can use it to define your security objectives, use it for reporting, identify gaps and weaknesses against the model, set areas of responsibility, map competencies, and map solutions and tools. And important to know: we made it open source.
Remember the SIEM project without having a productive baseline in place. When it comes to SAP security, there are plenty of guidelines and checklists. Most of them are very SAP-ese, as we say, and not in information security language. This is good because it's easy to understand for the first-line SAP operations, but can your security team deal with it? Remember, these are the ones to make strategic decisions to manage risk by adjusting corporate security standards. With the SAP Security Maturity Model, we guide you through implementing a security control framework for SAP which is aligned with your cybersecurity strategy. We are doing this without reinventing the wheel, but by referring to other SAP-specific and agnostic recommendations and best practices. And it's compatible with the NO MONKEY Security Matrix. It tightly integrates with your corporate application of the cybersecurity framework, or an initiative to get, for example, ISO 27001 certified.
Again, we made it open source and continue contributing to it. Guidance on what to do and how to do it will not by itself lead to execution. You would also need to determine who does what and what competencies are required to do it properly. For this reason, we have implemented an SAP cyber workforce model that describes roles and their responsibilities and levels of competencies. For this purpose, we are reusing and remaining compatible with the best-maintained and most comprehensive cyber workforce model, the National Initiative for Cybersecurity Education, NICE for short, by NIST. But what can you do with those initiatives? See, not the people in your organizations are the monkeys. The monkeys are the reasons and obstacles that keep the first lines from working as well as possible. In the vast majority, your first lines are trying hard to do a good job. So what makes it challenging to get the monkeys out of the way and implement a security culture for SAP?
How can you leverage this to do it more efficiently? Finding your right way to start is the most challenging part. Each organization is different and requires different approaches and communication to get things moving in the right direction. For establishing an SAP security culture, your first lines need to learn, they need to adapt how the organization works, and they need to execute the change. But how do you determine, firstly, who can and requires what learning about SAP security? Secondly, where and how processes and procedures are to be adapted efficiently? And thirdly, with whose support, technology or resources that change is executed best for you? Let's have a look at how NO MONKEY can help you.
We've defined 10 services to support you. We show you where you are in your journey of using SAP technology more securely. Depending on where the services are in the delta, they can help you to get more evidence about the strengths and weaknesses of, firstly, the competencies and responsibilities of your first-line workforce; secondly, the current use of your SAP technology and its integrated, free-of-charge security tools and capabilities; thirdly, the maturity and efficiency of SAP security controls of your SAP processes. My colleague Zim wrote a blog post about the services. You can find the link referenced in the handout. As we don't have the time to go through all of them, I would like to take you through the process of conducting an SAP Security Aptitude Assessment. The idea of the Security Aptitude Assessment arose in penetration tests. I recognized that different professionals in the organizations already knew the vast majority of the most severe findings, but either there was no ownership, no awareness of the risk, or no time or competence to manage the problem. In fact, the technical assessment only shows you the symptoms, but not the root cause of the problem. What we do in the Security Aptitude Assessment is to leverage what your first lines already know about your organization's strengths and weaknesses in protecting SAP, just by asking the right questions.
The foundation of the assessment is a standardized adaptive questionnaire that is enhanced and adjusted. Because of the questionnaire's adaptive implementation, each survey taker will only answer a subset of the questions and complete the survey in less than 30 minutes. The project typically runs over a period of two months, starting with a one-hour preparation workshop with the CSO and the head of the SAP department to align timeframes, define the scope of the survey takers and exchange information to enhance the survey by us. The survey takers get informed about the objectives and approach of the survey in a briefing note. The survey phase typically runs for about one month. After the survey, we prepare and conduct the findings workshop with the department leads for about two hours to evaluate root causes, determine the specific severity of issues and identify the applicability of possible quick wins.
Finally, we create a report including the gap profile by referencing the NO MONKEY Security Matrix, all findings and details of the assessment, and a tailored recommendation on which step to take next on your journey to a better SAP security posture. Maybe you want to know more about the Security Aptitude Assessment from a customer perspective. Mr. Al, the CSO of SLO, talked about his experience of starting the journey to a better SAP security posture today. I encourage you to view the recording if you haven't had a chance to join his session. Considering you can determine the who and the what of your first lines, our Academy is a learning offering suited to roles and challenges to help them get the monkeys out of the way. How can we help answer the where, the how and the with whom? With our other services. Please get in touch with my team and me. We are looking forward to supporting you on your journey as your independent advisor. Let's sum this up. Start to get the monkeys out of the way by understanding your first lines' strengths and weaknesses. You just learned one possible approach. Establish ownership and enable your workforce with learnings targeted for their roles, for example by the NO MONKEY Academy.
SAP is complex, and security around SAP as well. Start with a solid baseline to make things measurable, determine your acceptable level of risk as a key result, and define objectives to get there. Don't fool yourself with the one thing to buy or to do in order to become secure in SAP. There is no one snake oil helping you in this fast, challenging threat landscape; sorry for this inconvenient truth. Take the chance of your S/4HANA transformation to implement an SAP security culture. Due to the transformation, your attack surface will increase. Raise the bar for your SAP integrator and get independent advice when you're in doubt. This all will help to minimize the risk of costly and dangerous SAP security pitfalls. If you want to know more, I'm looking forward to answering your questions in the Q&A or later in the networking lounge.
