I think the first thing we need to talk about is the need for an SAP SECOPS (security operations) program. A lot of companies that run SAP are still somewhat in denial that this is even needed. The objection I hear most often is, “Our system infrastructure is monitored by our current SECOPS program. Shouldn’t that cover SAP as well?” My answer to that comes in question form:
- Does your SECOPS team know anything about SAP?
- Is your SECOPS team performing any anomaly or event monitoring inside SAP?
- Are you logging security events and other activities in SAP?
- Are you forwarding SAP security events (the Security Audit Log, for example) into your SIEM?
- Does your SECOPS team know who to call in the event of an SAP security breach?
After this line of questioning, the conversation pretty much goes off the rails quickly. However, there is always someone in the crowd who makes a statement like, “Has SAP ever been breached? Would the hackers even know what to look for in our SAP system if it were hacked?”
Note: This is where the conversation goes from bad to worse. Some of the more “interesting” breaches and vulnerabilities relating to SAP systems that are known to the public include:
Framework
So, at this point in time, we have gone from denial to acceptance. This brings us to the next action, the key elements of an SAP SECOPS program. Before we get into specifics, I suggest a quick primer on the NIST Cybersecurity Framework.
The NIST Cybersecurity Framework (CSF) is guidance, built on existing standards and guidelines, that helps your organization manage and reduce cybersecurity risk. Version 1.1, current when this was written, organizes that guidance into five core Functions (CSF 2.0, released in 2024, added a sixth, Govern):
- Identify
- Protect
- Detect
- Respond
- Recover
All five Functions are important and must be given adequate resources to be successful. For an SAP SECOPS program, however, the focus will be Protect and Detect.
For more information regarding the NIST Cybersecurity Framework, please visit Framework Documents | NIST.
The four key SAP security components I recommend taking stock of for your SAP SECOPS program are:
- Hardening your SAP security position
- SAP patch management
- Reviewing custom code for security defects
- Security monitoring
Each is covered in turn below.
Hardening Your SAP Security Position
If you have not already started hardening your SAP security position, you need to start now. This is more than just who has access to “SAP_ALL”, who can run Profile Generator (PFCG), and which users can both create vendors and pay them (Segregation of Duties violations). Those are very important, and I’m not saying you shouldn’t take them into account, but hardening your SAP system is so much more. A few of the many things you should look at are:
- Communication and channel security (RFC connections, HTTP connections, etc.)
- Internet Communication Framework (ICF) services
- File system access security
- Virus scanning
- Data storage security (encryption)
- Data masking (on-screen presentation, anonymized reporting)
SAP and some third-party vendors have solutions that evaluate your systems and recommend corrective actions. I would also look at the many SAP security guides that SAP and customer groups publish to get a handle on this. The Security Guide for SAP S/4HANA 2020 is a good starting point.
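As a concrete starting point for the profile side of hardening, the following added example (not code from the original article or from SAP) parses a DEFAULT.PFL-style profile and compares a handful of well-known parameters against a baseline. The baseline values are this example's assumptions, drawn from commonly published recommendations; take the authoritative values for your release from SAP's security guides. The two profile texts are constructed samples, one weak and one with the baseline applied.

```python
"""Check SAP profile parameters against a hardening baseline.

Added example, not code from the original article or from SAP. The BASELINE
values are this example's assumptions, drawn from commonly published
recommendations; take the authoritative values for your release from SAP's
security guides. The profile texts below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# parameter -> (predicate on the integer value, human-readable requirement)
BASELINE: Dict[str, Tuple[Callable[[int], bool], str]] = {
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "= 1 (no SAP* logon with the default password)"),
    "login/password_downwards_compatibility": (lambda v: v == 0, "= 0 (no downward-compatible password hashes)"),
    "login/min_password_lng": (lambda v: v >= 8, ">= 8 characters"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "between 1 and 5 failed logons"),
    "rdisp/gui_auto_logout": (lambda v: v > 0, "> 0 seconds (automatic GUI logout enabled)"),
    "rsau/enable": (lambda v: v == 1, "= 1 (Security Audit Log active)"),
    "rfc/callback_security_method": (lambda v: v == 3, "= 3 (reject non-whitelisted RFC callbacks)"),
    "gw/acl_mode": (lambda v: v == 1, "= 1 (gateway ACL restrictive when reginfo/secinfo are missing)"),
}

@dataclass
class Finding:
    parameter: str
    actual: Optional[str]   # None when the parameter is not set in the profile at all
    required: str

PROFILE_LINE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of a DEFAULT.PFL / instance profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PROFILE_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)   # last occurrence wins; confirm effective values in RZ11
    return params

def check_profile(text: str) -> List[Finding]:
    """Return one Finding per baseline parameter that is unset, non-numeric or out of range."""
    params = parse_profile(text)
    findings: List[Finding] = []
    for name, (is_ok, required) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            # Unset means the kernel default applies; treat it as unverified rather than assume it is safe.
            findings.append(Finding(name, None, required))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(Finding(name, raw, required))
            continue
        if not is_ok(value):
            findings.append(Finding(name, raw, required))
    return findings

# Constructed sample: a weak profile. rsau/enable and login/fails_to_user_lock are missing on purpose.
WEAK_PROFILE = """\
# DEFAULT.PFL (constructed sample, not from a real system)
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/password_downwards_compatibility = 1
login/min_password_lng = 6
rdisp/gui_auto_logout = 0
rfc/callback_security_method = 0
gw/acl_mode = 0
"""

# Constructed sample: the same profile with the baseline applied.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 0
login/min_password_lng = 12
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 1800
rsau/enable = 1
rfc/callback_security_method = 3
gw/acl_mode = 1
"""

if __name__ == "__main__":
    for f in check_profile(WEAK_PROFILE):
        shown = "<not set>" if f.actual is None else f.actual
        print(f"{f.parameter}: is {shown}, required {f.required}")
    print("hardened profile findings:", len(check_profile(HARDENED_PROFILE)))
```

Run against the weak profile it reports all eight parameters, two of them as not set at all; against the hardened profile it reports nothing. Unset parameters are deliberately treated as findings rather than as safe defaults, because the kernel default differs between releases and the effective value is only known from the running system (RZ11).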
SAP Patch Management
For those who don’t know, SAP has its own “Patch Tuesday”: on the second Tuesday of every month, SAP Security Patch Day, SAP releases its security notes. They are grouped into four priorities: Hot News (CVSS 9.0 and above), High, Medium, and Low. As of October, SAP has released over 130 security patches for 2022.
How quickly you need to install these patches is up for debate, but the key is not to leave them for your yearly service pack installation and testing rollout. I have seen suggested timelines for implementing security notes anywhere from 15 days (Hot News, highest security impact) to 180 days (Low security impact). The faster, the better.
Now, some people have told me, “But we monitor our SAP system for events (threats).” While that’s good and you should continue to do it, detecting an exploit attempt is not a replacement for removing the vulnerability.
Reviewing Custom Code for Security Defects
Now that we know how SAP fixes its own code (patch management), the question becomes, “How are you going to fix all the custom ABAP you have written over the years that has security issues like:”
- SQL injection
- Missing authority checks (AUTHORITY-CHECK)
- Backdoors (for example, code paths keyed to a hardcoded user name)
- Mass data deletion
- Critical SAP programs/function modules that should not be called from custom code
- Test programs still in production
- Directory traversal
Now, the first question is, “Are you actually reviewing your custom code for security defects?” If not (a common response is “What is a code scan?”), you need to start now. SAP does have a one-time service for this. You can also run security checks through the ABAP Test Cockpit (ATC); the security checks themselves come from SAP’s Code Vulnerability Analyzer, which is licensed separately. A few third-party products also scan ABAP code for security defects.
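To make the list above concrete, here is a small heuristic scanner run over a deliberately insecure ABAP report and its hardened rewrite. This is an added example, not code from the original article and not SAP’s Code Vulnerability Analyzer or any third-party product; it shows the kind of pattern such tools look for, not their actual analysis. The ABAP snippets are constructed, and the authorization object (F_LFA1_APP), staging table and logical file name (Z_VENDOR_IMPORT) in them are chosen for illustration.

```python
"""Heuristic security scan of custom ABAP, written as an added example.

Not code from the original article and not SAP's Code Vulnerability Analyzer
or any third-party scanner: a few pattern checks that show what such tools
look for. The ABAP below is constructed; the authorization object, table and
logical file name in it are chosen for illustration only.
"""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    rule: str
    line: int       # 1-based source line; 0 when the finding concerns the whole program
    text: str

def scan_abap(source: str) -> List[Finding]:
    lines = source.splitlines()
    upper = source.upper()
    findings: List[Finding] = []
    # User inputs (PARAMETERS) and variables used as dynamic WHERE clauses.
    inputs = {m.lower() for m in re.findall(r"^\s*PARAMETERS\s+(\w+)", source, re.I | re.M)}
    dyn_where = {m.lower() for m in re.findall(r"WHERE\s*\(\s*(\w+)\s*\)", source, re.I)}
    escapes_dynamic_sql = "CL_ABAP_DYN_PRG=>" in upper
    validates_path = "FILE_VALIDATE_NAME" in upper or "FILE_GET_NAME" in upper

    # Whole-program check: database access with no AUTHORITY-CHECK anywhere.
    touches_db = re.search(r"^\s*(SELECT|UPDATE|DELETE\s+FROM|MODIFY|INSERT)\b", source, re.I | re.M)
    if touches_db and "AUTHORITY-CHECK" not in upper:
        findings.append(Finding("missing-authority-check", 0, "database access without AUTHORITY-CHECK"))

    for no, line in enumerate(lines, 1):
        code = line.split('"')[0].strip()          # strip end-of-line comments
        if not code or code.startswith("*"):
            continue
        u = code.upper()
        # Dynamic WHERE built with a string template, && or CONCATENATE and no cl_abap_dyn_prg escaping.
        assign = re.match(r"(\w+)\s*=\s*(.*)", code)
        concat = re.match(r"CONCATENATE\s.*\sINTO\s+(\w+)", code, re.I)
        target = (assign.group(1) if assign and ("|" in assign.group(2) or "&&" in assign.group(2))
                  else concat.group(1) if concat else None)
        if target and target.lower() in dyn_where and not escapes_dynamic_sql:
            findings.append(Finding("sql-injection", no, code))
        # Code path keyed to a hardcoded user name: the classic ABAP backdoor.
        if re.search(r"\bSY-UNAME\s*(=|EQ)\s*'", u):
            findings.append(Finding("hardcoded-user-check", no, code))
        # DELETE FROM <table>. with no WHERE clause empties the table.
        if re.match(r"DELETE\s+FROM\s+\w+\s*\.$", u):
            findings.append(Finding("mass-delete", no, code))
        # OPEN DATASET on a user-supplied path with no logical-file-name validation in the program.
        ds = re.match(r"OPEN\s+DATASET\s+(\w+)", code, re.I)
        if ds and ds.group(1).lower() in inputs and not validates_path:
            findings.append(Finding("directory-traversal", no, code))
        # Debugging statements left in the code.
        if re.match(r"BREAK(-POINT|\s+\w+)\s*\.$", u):
            findings.append(Finding("breakpoint", no, code))
    return findings

# Constructed sample: deliberately insecure custom report.
VULNERABLE = """\
REPORT z_vendor_import.
PARAMETERS p_lifnr TYPE lfa1-lifnr.
PARAMETERS p_file  TYPE string.
DATA lv_where TYPE string.

lv_where = |LIFNR = '{ p_lifnr }'|.
SELECT * FROM lfa1 INTO TABLE @DATA(lt_lfa1) WHERE (lv_where).

IF sy-uname = 'DEVELOPER1'.
  DELETE FROM zvendor_stage.
ENDIF.

OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
BREAK-POINT.
"""

# Constructed sample: the same report hardened. F_LFA1_APP and Z_VENDOR_IMPORT are illustrative choices.
HARDENED = """\
REPORT z_vendor_import.
PARAMETERS p_lifnr TYPE lfa1-lifnr.
PARAMETERS p_file  TYPE string.

AUTHORITY-CHECK OBJECT 'F_LFA1_APP' ID 'APPKZ' FIELD 'F' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'Not authorized'.
ENDIF.

" static WHERE clause with a host variable: nothing to inject into
SELECT * FROM lfa1 INTO TABLE @DATA(lt_lfa1) WHERE lifnr = @p_lifnr.

" validate the physical path against a logical file name before opening it
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING logical_filename = 'Z_VENDOR_IMPORT'
  CHANGING  physical_filename = p_file
  EXCEPTIONS OTHERS = 1.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'Invalid file path'.
ENDIF.
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""
```

`scan_abap(VULNERABLE)` returns six findings, one per item it is built to catch (missing authority check, dynamic WHERE built from input, hardcoded user check, unconditional DELETE FROM, OPEN DATASET on an unvalidated path, and a leftover BREAK-POINT); `scan_abap(HARDENED)` returns none. The checks are deliberately simple regex heuristics, so they miss chained declarations and indirect data flow; the point is the shape of the findings a real scanner produces, which is what you then have to schedule developer time to fix.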
Security Monitoring
Monitoring what is happening right now in your SAP systems is something every organization needs to be doing. Look at it from an “I’ve been hacked” perspective: assume compromise and ask what you would need to see. While it’s important to monitor who ran which transactions in SAP and who created which POs, your security team needs to know more about what’s happening in your SAP systems, which includes (but is not limited to):
- Failed logins from unknown accounts
- Debugging activated (in production systems)
- Security Audit Log changes (switched off, logging scope changed, etc.)
- Downloads of critical tables
- Mass changes to critical tables
- Digital signature errors
- RFC callbacks rejected
- Suspicious HTTP calls
… and that is just to name a few. SAP and some third parties have tools to help with this. However, the key is to take the first step and decide how your organization wants to go about it. Starting with the NIST Cybersecurity Framework would not be a bad idea.
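The list above is effectively a set of detection rules, so here it is written out as an added example (not code from the original article, and not any SAP or third-party tool). The events use a constructed, simplified schema rather than the Security Audit Log’s own record format; in practice you would populate it from the Security Audit Log, table change logs and gateway log your SIEM already ingests. The user list, critical tables, production system name and thresholds are assumptions for the example. It shows the two shapes these rules take: single events that always alert (debugging in production, audit log reconfiguration, a critical table download, a rejected RFC callback, a signature error) and bursts that only matter above a threshold inside a time window (failed logons for an unknown account, mass changes to a critical table).

```python
"""Detection rules over SAP security events, written as an added example.

Not code from the original article. The event records use a constructed,
simplified schema (not the Security Audit Log's own record format); in
practice you would populate it from the Security Audit Log, table change
logs and gateway log that your SIEM already ingests. Users, systems, tables
and thresholds below are this example's assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple

PRODUCTION_SYSTEMS: Set[str] = {"PRD"}
KNOWN_USERS: Set[str] = {"JSMITH", "AMUELLER", "BATCH_FI", "RFC_CPIC", "SAP*", "DDIC"}
CRITICAL_TABLES: Set[str] = {"USR02", "PA0008", "LFBK", "T000"}  # logon data, HR pay, vendor bank data, clients
WINDOW = timedelta(minutes=10)
FAILED_LOGON_THRESHOLD = 5      # failures for one unknown account inside WINDOW
MASS_CHANGE_THRESHOLD = 100     # rows of one critical table changed by one user inside WINDOW

@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    user: str
    detail: str

def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])

def _peak_in_window(events: List[dict], weight: Callable[[dict], int] = lambda e: 1) -> int:
    """Largest weighted sum of events that fall inside any WINDOW-long span (two-pointer sweep)."""
    evs = sorted(events, key=_ts)
    best = total = start = 0
    for end, e in enumerate(evs):
        total += weight(e)
        while _ts(e) - _ts(evs[start]) > WINDOW:
            total -= weight(evs[start])
            start += 1
        best = max(best, total)
    return best

def detect(events: List[dict]) -> List[Alert]:
    alerts: List[Alert] = []
    failed_unknown: Dict[str, List[dict]] = defaultdict(list)
    changes: Dict[Tuple[str, str], List[dict]] = defaultdict(list)

    for e in events:
        kind, user, where = e["event"], e["user"], f'{e["system"]}/{e["client"]}'
        if kind == "LOGON_FAILED" and user not in KNOWN_USERS:
            failed_unknown[user].append(e)               # evaluated as a burst below
        elif kind == "DEBUG_ACTIVATED" and e["system"] in PRODUCTION_SYSTEMS:
            alerts.append(Alert("debug-in-production", "high", user, f'{where} from {e["terminal"]}'))
        elif kind == "AUDIT_CONFIG_CHANGED":
            alerts.append(Alert("audit-log-tampering", "high", user, e["detail"]))
        elif kind == "TABLE_DOWNLOAD" and e["detail"] in CRITICAL_TABLES:
            alerts.append(Alert("critical-table-download", "high", user, e["detail"]))
        elif kind == "TABLE_CHANGE" and e["detail"] in CRITICAL_TABLES:
            changes[(user, e["detail"])].append(e)       # evaluated as a windowed sum below
        elif kind == "RFC_CALLBACK_REJECTED":
            alerts.append(Alert("rfc-callback-rejected", "medium", user, e["detail"]))
        elif kind == "SIGNATURE_ERROR":
            alerts.append(Alert("digital-signature-error", "medium", user, e["detail"]))

    for user, evs in failed_unknown.items():
        peak = _peak_in_window(evs)
        if peak >= FAILED_LOGON_THRESHOLD:
            alerts.append(Alert("unknown-account-logon-failures", "medium", user, f"{peak} failures in {WINDOW}"))
    for (user, table), evs in changes.items():
        rows = _peak_in_window(evs, lambda e: e["rows"])
        if rows >= MASS_CHANGE_THRESHOLD:
            alerts.append(Alert("mass-critical-table-change", "high", user, f"{rows} rows of {table} in {WINDOW}"))
    return alerts

def _e(ts, system, client, user, event, detail="", terminal="WS-01", rows=0) -> dict:
    return {"ts": ts, "system": system, "client": client, "user": user,
            "event": event, "detail": detail, "terminal": terminal, "rows": rows}

# Constructed sample events (not real log data). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    *[_e(f"2022-10-11T09:00:{s:02d}", "PRD", "100", "ADMIN1", "LOGON_FAILED", "wrong password") for s in (0, 12, 25, 40, 51, 59)],
    _e("2022-10-11T09:01:00", "PRD", "100", "JSMITH", "LOGON_FAILED", "wrong password"),   # known user, single failure
    _e("2022-10-11T11:00:00", "PRD", "100", "TEST99", "LOGON_FAILED", "wrong password"),   # unknown, but below threshold
    _e("2022-10-11T09:30:00", "PRD", "100", "AMUELLER", "DEBUG_ACTIVATED", terminal="WS-77"),
    _e("2022-10-11T09:31:00", "DEV", "100", "AMUELLER", "DEBUG_ACTIVATED", terminal="WS-77"),   # debugging in DEV is normal
    _e("2022-10-11T09:45:00", "PRD", "000", "JSMITH", "AUDIT_CONFIG_CHANGED", "audit filter slot 3 deactivated"),
    _e("2022-10-11T09:50:00", "PRD", "100", "JSMITH", "TABLE_DOWNLOAD", "USR02"),
    _e("2022-10-11T09:51:00", "PRD", "100", "JSMITH", "TABLE_DOWNLOAD", "ZREPORT_OUT"),    # not a critical table
    _e("2022-10-11T10:00:00", "PRD", "100", "BATCH_FI", "TABLE_CHANGE", "LFBK", rows=60),
    _e("2022-10-11T10:05:00", "PRD", "100", "BATCH_FI", "TABLE_CHANGE", "LFBK", rows=70),   # 130 rows within 10 minutes
    _e("2022-10-11T10:06:00", "PRD", "100", "JSMITH", "TABLE_CHANGE", "LFBK", rows=40),
    _e("2022-10-11T10:20:00", "PRD", "100", "RFC_CPIC", "RFC_CALLBACK_REJECTED", "callback from destination ZDEST_VENDOR"),
    _e("2022-10-11T10:30:00", "PRD", "100", "JSMITH", "SIGNATURE_ERROR", "signature verification failed on document 4711"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.rule:32} user={a.user:10} {a.detail}")
```

On the sample data this produces seven alerts: six failed logons for the unknown account ADMIN1 inside one minute, debugging switched on in PRD, the audit filter change, the USR02 download, 130 rows of LFBK changed by BATCH_FI within ten minutes, the rejected RFC callback and the signature error. The single failure for TEST99, the debugging session in DEV and the 40-row change stay silent, which is the point of the thresholds and the production-system list: the rules are only useful if someone can act on every alert they raise.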
Closing
The Global Risks Report 2022, 17th Edition, by the World Economic Forum reported a 435% increase in ransomware in 2020. This, along with some of the more well-known SAP hacks, shows there is no more pushing SAP SecOps to the back burner. SAP is the most widely used ERP system in the world, and thus more commerce flows through SAP than through any other system. Every hacker and bad actor in the world knows that as well.