SAP environments have never faced more threats than they do now. In fact, ransomware attacks targeting SAP systems are up 400% since 2021, according to a recent report. And with increasing adoption of the cloud, hackers are finding further opportunity: cloud intrusions are up 75%, per another study.

The sophisticated nature of cyber attacks on SAP is in part due to the sophisticated nature of the environment itself. Because organizations use the platform to manage so many different things (CRM, supply chain, analytics, HR, etc.), SAP environments are heavily customized. But those intricacies often lead to confusion among internal teams as to who’s responsible for what, thereby creating security vulnerabilities.

Those are just a couple of reasons why SAP environments now require specialized security monitoring capabilities. Too many organizations mistakenly believe their traditional IT security is enough to protect their business-critical functions within SAP, which is an extremely expensive error. The average SAP cyber attack costs some $5 million. That’s a risk most organizations can’t afford.

Understanding the SAP Security Monitoring Challenge

Contemporary SAP environments are inherently difficult to secure. For one, many organizations employ several different modules and integrate them throughout their systems. There are also many different users in a given SAP environment, including those from the organization. And it’s not uncommon for businesses to integrate legacy interfaces and servers into their SAP landscape.

There’s also the matter of gaps in traditional Security Operations Center (SOC) coverage.

“SOC teams typically don’t know about the specific security traits of the SAP technology, its complexity in the customer’s environment, and its business criticality,” says Marco Hammel, Co-Founder and Chief Technical Officer of NO MONKEY.

That’s an inadequacy organizations simply can’t tolerate today, which is why Waseem Ajrab, Head of Security Advisory, and his team at NO MONKEY ADVISORY have created an SAP Security SOC Enablement Service.

Essential Components of Effective SAP Security Monitoring

This new offering doesn’t replace traditional SOC services but rather enables those providers, whether internal or external, to onboard SAP technology into their scope of work.

“Our SAP Security SOC Enablement Service provides a more efficient and time- and cost-effective onboarding in comparison to onboarding attempts by a SOC team without the SAP Security SOC Enablement Service,” Hammel says.

NO MONKEY addresses the SAP gaps in traditional SOC coverage through training, joint workshops between SAP and SOC teams, and adversary emulation that practices attack scenarios and validates the current level of visibility.

Developing Your SAP Security Monitoring Framework

When building the structure of a successful SAP monitoring approach for your organization, there are three key areas NO MONKEY’s SAP Security SOC Enablement Service focuses on.

Assessment and Strategy

  1. Scope: Determine all technology, systems, and processes that need to be onboarded.
  2. Roles and responsibilities: Understand and optimize existing security incident detection and response process duties between your SOC and SAP team.
  3. Communication: Determine whether information exchange processes are already in place, whether they’re working, and whether the stakeholders involved have all the necessary skills, access, and resources.
  4. Prioritization: Define the most important use cases for detecting and responding to SAP threats within the organization.
  5. Evaluation: How efficient is your existing technology stack with regard to supporting the implementation of priority use cases?

Technical Implementation

The next phase of NO MONKEY’s SAP Security SOC Enablement Service is broken into two main parts.

“Before we start this step, it is important to understand what logs are being pulled from SAP systems and how they are being pulled,” says Ajrab. “This part is important because it determines the limitations of the technology being used to pull logs from SAP systems and push them to a SIEM.”

Ajrab goes on to say that “we determine, prioritize, and, if necessary, extend the implementation use cases based on standardized attack techniques for different SAP technology stacks, all according to your threat profile and use of different SAP tech stacks.”

After that, Ajrab says his team analyzes your existing SOC infrastructure to ascertain whether it’s sufficient to implement the given use cases or needs further correlation and tuning. The most common challenges organizations run into here are:

  • Limitations of SOC infrastructure when it comes to collecting certain SAP-specific event information
  • Tuning of alert thresholds due to insufficient or missing security labeling for systems, interfaces, and data assets, as well as missing log sources from the infrastructure level
  • Instilling the skills and knowledge for SOC analysts to effectively triage alerts and exchange the correct information with the SAP team

NO MONKEY also works with organizations to create use cases and incident response playbooks for SAP that integrate with existing SOC workflows. Ajrab points out that understanding the security objectives of each in-scope system, and how each one implements its security controls, is critical to the final goal: once the use cases and playbooks are properly configured and designed, security analysts can be supported in automating these activities.

“We design based on the available tools and security objectives for the overall strategy,” he says. “For example, when there are indicators that a service user has been compromised, the SOC team shouldn’t lock the user when the system has high availability requirements. That could negatively impact business-critical integrations. Instead, the SOC team would focus on identifying the compromised device or devices and block outbound communication to C2 services, then align with the SAP team on options for a password reset for the user.”

Team Enablement

Another critical juncture of NO MONKEY’s SAP Security SOC Enablement Service comes when transitioning a traditional SOC team to SAP security monitoring. Depending on the scope of an organization’s SAP environment and team members’ availability, NO MONKEY’s approach follows this timeline:

  1. Create fundamental SAP security knowledge for each of the cybersecurity teams (Detection Engineering, Incident Response, Security Architecture, etc.).
  2. List and prioritize typical applicable standard attack techniques and identify specific relevant threats for the environment.
  3. Design the detection setup, including assessing the applicability and correct setup of SAP security event sources.
  4. Configure and test SAP use cases in the SOC infrastructure.
  5. Tune and adjust detection rules and alerts through simulated attacks.
  6. Design, implement, and test incident response playbooks.
  7. Communicate the use cases and move them into production.

Cross-functional collaboration is “absolutely vital” to successful SAP security SOC enablement, Ajrab says. NO MONKEY develops that partnership with the following regimen during this phase of its service:

  • Create fundamental and necessary understanding of SAP technology security traits and terminology for the SOC team through role-specific training
  • Introduce the value (on top of security), processes, and concepts of SOC for the SAP team through role-specific training
  • Conduct collaborative workshops (threat modelling, playbook design, etc.) with a NO MONKEY consultant acting as a moderator and translator between stakeholders of the different teams

Ensuring Program Success

Once implemented, how does an organization measure the effectiveness of its new SAP monitoring program? There are several key performance indicators, such as mean time to detect, false positive rate, and incident escalation rate. You should also regularly test your defenses with simulated attack scenarios.

One measurement of note is the Mean Time to Respond (MTTR). Lowering that metric supports overall cost reduction related to incidents.

NO MONKEY’s SAP Security SOC Enablement Service has a best-in-class reputation here. Among organizations that have used the service whose SAP security had graded out as dysfunctional beforehand, every single one improved to the point where the expanded scope for their SOC team was achievable without having to expend further resources.

Overcoming Common Implementation Challenges

The kind of transition NO MONKEY’s SAP Security SOC Enablement Service helps organizations achieve isn’t easily done. It requires a lot of planning, commitment, collaboration, and determination.

Future-Proofing Your SAP Security Program

Cybersecurity is not a discipline that affords complacency. Just as technology is always evolving, so, too, are the techniques and strategies employed by hackers. Cyberattacks are constantly innovating, meaning you and your security must be, too.

Here’s what you can do to maintain SAP security amid changing times:

  • Never stop testing your defenses.
  • Keep up on SAP security advancements and vulnerabilities.
  • Pay attention to the latest trends and emerging practices among hackers.
  • Carefully vet third-party users you give SAP access to.
  • Hold regular training sessions for all stakeholders to maintain team expertise.
  • Rigorously scrutinize your program, always looking to optimize.
  • Scale capabilities when and where you can.

Take the Next Step

This article has provided you with a strong starting point to upgrade your organization’s SAP security monitoring. But if you’re ready to take things to the next level and enjoy the peace of mind that comes with end-to-end SAP security expertise to help you protect your business-critical SAP environment, you should contact NO MONKEY right away.

We’ll give you a completely free consultation that includes:

  • Assessment of your current SAP security monitoring maturity
  • Identification of critical gaps and opportunities within your current approach
  • A tailored implementation roadmap

Contact NO MONKEY today to start building a robust SAP security monitoring program.