Efficiently Detect and Respond to Cyberattacks in Critical SAP Systems
Protect yourself with these tools
This blog post looks at how the NIST framework elements of threat detection, response, and recovery can be applied effectively in an SAP environment, and at the added value Arvato Systems offers its customers in applying the NIST framework.
Detecting Cyber Threats Is a Growing Challenge
The number of cyberattacks continues to rise. In the first half of 2022, around 236.1 million ransomware attacks were reported, and the average cost of a data protection breach rose worldwide from 3.5 million US dollars in 2014 to 4.35 million US dollars in 2022.
Despite the cyber security measures in place, the opportunities for hackers remain high. Companies need to monitor and secure thousands of components across their entire system, while a hacker only needs to find a single vulnerability to penetrate successfully.
Malware can be designed to remain undetected in the system for long periods. According to the IBM Cost of a Data Breach Report 2022, the average time required to detect and contain a data breach in 2022 was 277 days. Arvato Systems' own research indicates that a hacker can remain undetected in the network for around 69 days. We advise our customers to implement sophisticated detection functions that reduce this time to a minimum and, in the best case, to zero.
Early detection can minimize the operational, financial, and reputational damage that a security breach can cause.
Early Detection and Response Requires Layered Intelligence
The days when threats could be detected and combated by a single layer of anti-virus software and firewall rules are long gone. Today, detection is based on minute-by-minute information about activities and detailed monitoring across the infrastructure, application, and data components.
The Security Operations Center (SOC) Is Becoming a Basic Requirement
Engaging a specialized SOC is practically a prerequisite for medium to large companies. This usually means an external SOC with specialized expertise, up-to-the-minute access to industry-wide threat data, and a sophisticated toolset. This is required to detect an attack that may only manifest itself through minor behavioral changes across multiple layers and components.
Most SOCs lack specific SAP security know-how. This makes it all the more important for SAP users to choose a SOC that can integrate the necessary security tools into the company's IT infrastructure and connect the sensors of the security solutions to the relevant SAP systems.
Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) tools meet the requirement to combine and analyze security information and events across multiple components in real time to enable a rapid response.
Until August 2022, connecting SAP with existing security solutions was challenging. Now, the Microsoft Sentinel solution for SAP applications, jointly developed by SAP and Microsoft, closes this gap. It is deployed as a Docker container and works in the corresponding network segment of the SAP environment, regardless of whether the SAP system is on-premise or in the Azure, Google, or AWS cloud.
Complex Detection and Response Require Orchestration
Rapid identification and analysis of suspicious activity across multiple components requires automated orchestration.
Security Orchestration, Automation and Response (SOAR) is available within Microsoft Sentinel, a tool that collects and correlates security-relevant data across systems in order to automate the response to an incident as far as possible. It does this by communicating with other sensors via an API, which minimizes the log volume that has to be collected. This enables companies to react more quickly to cyberattacks.
Recovery Requires Careful Planning
Cybersecurity strategies and planning must assume that security breaches will occur, so a fully developed and tested data and systems recovery process is essential.
This planning must take into account that hackers can exploit any fully automated process. For example, ransomware attacks can target automated backup processes to hinder data recovery.
Operational criticality is an important factor for SAP systems. Shutting down the SAP platform for an extended period of time to contain an attack or perform recovery processes is probably not a viable option from a business perspective.
Comprehensive IT expertise, a high level of technical understanding, in-depth industry knowledge and active partnership - that's Arvato Systems.
When it comes to securing business-critical SAP implementations, Arvato Systems can rely on strategic partnerships with key providers — Microsoft, Google Cloud, and AWS — as well as the proven SAP expertise of an SAP Gold Partner.