Previously, SAP has regularly published current security updates to the SAP Support Portal and SAP Solution Manager once a month on what as known as patch day. This provides IT departments with information on relevant security vulnerabilities.
They can then import this information into their SAP system environments in good time to prevent the vulnerabilities from being exploited by attackers. However, there are often technical or organizational reasons as to why it is not possible to import the information promptly.
This is because importing all relevant Security Notes into all affected SAP systems would require a lot of effort.
In addition, many companies defer patch implementation until the next system maintenance window in order to avoid unnecessary downtime.
However, by this time, the affected SAP applications face even higher risks than before – when security updates are published, a large group of people learn about the existing security vulnerabilities and could exploit them specifically. For this reason, security experts call this the “window of exposure”.
Urgency is the deciding factor
To enable IT departments to keep this window of exposure to risks as small as possible, the real-time security solution, SAP Enterprise Threat Detection (ETD), was enhanced to include functions for promptly monitoring SAP Security Notes.
ETD immediately sends an alert if a function with a known vulnerability is performed in an SAP system that has not been patched yet. The decision is made based on the urgency of the available patch installations.
The more often an insecure SAP function is executed, the sooner the affected security update should be imported to avoid potential risks.
ETD does not just check the execution of critical software code points – in many cases, it also checks whether the vulnerability itself is being exploited, for example by evaluating program parameters.
By monitoring reported SAP vulnerabilities in real time, IT departments benefit from being able to import highly critical Security Notes in good time or eliminating the risks temporarily at another level.
For example, this may involve blocking an RFC module or a port that is not critical to business processes.
Less critical Security Notes can continue to be imported during the scheduled maintenance window. This approach saves time and effort. The other vulnerabilities that have not yet been patched are monitored in real time, allowing a direct response to other potential risks.
Essential approach for project success
When the new ETD functions for monitoring SAP Security Notes are introduced, the success of the project depends on taking a structured and efficient approach.
In general, the following applies: The more heterogeneous the existing system landscapes and release statuses, the more effort will be involved in the roll out. It is also important to keep the current backlog of SAP security updates in mind.
In our experience, many SAP customers do not have a security team tasked with systematically and exclusively taking care of importing the current SAP patches. As a result, a sizable backlog of security updates has built up from previous patch days and must be processed first.
The core project requirements include the following:
1. “Get clean” for the patch backlog
The first step is to “triage” the existing backlog by sorting it by urgency. This is done by analyzing the security updates as to when and in what sequence they should be imported into the SAP systems. The goal is to bring the backlog that has built up down to an acceptable starting situation for future evaluations on every patch day.
2. “Stay clean” by taking an efficient approach to Security Notes
Next, companies should perform an evaluation of the current security updates on every patch day in order to achieve permanent protection for the SAP systems.
Considering the large quantities of patches and affected systems, we recommend focusing on the critical Security Notes and integrating the rest into ETD monitoring based on defined checking rules. The basis for this is how the company specifically defines its what it understands as a risk.
3. Create an appropriate alert level
If ETD sent alerts every time an insecure SAP function is called, its acceptance would immediately plummet because a flood of alerts are not manageable in the context of day-to-day work.
Thus, which alerts are relevant for a company and at what threshold values the alerts should be displayed must be defined for the Security Notes to be integrated into ETD monitoring on every patch day.
Combine expertise in security and SAP
This information shows that SAP customers who want to benefit from the new ETD functions must prioritize their triaging efforts. Because many companies do not have enough personnel, we recommend bringing in a external security provider, whether this involves one-time support for the roll out project or ongoing services for each patch day. It is vital for the consulting partner to have the required expertise in SAP and security, and specifically experience in implementing patches, an understanding of different SAP releases and upgrade methods, and knowledge in threat detection – both in general in terms of SIEM solutions (Security Information and Event Management) and particularly in terms of SAP ETD.
Complete with a preventative approach
One way to further boost SAP security is to round out the ETD real-time monitoring of unpatched systems with a preventative approach. This monitoring already identifies vulnerabilities in custom source code or in the SAP system settings.
A current edition of the Business Code Quality Benchmark shows just how great the risk potential is.
According to this, anonymized scans at over 300 SAP customers worldwide showed that customer-specific SAP applications contain, on average, 2,000 critical security errors in internal ABAP code that make a company vulnerable to attacks.
Special SAP security software can be used to automatically identify these vulnerabilities in SAP custom code and – to the extent possible – correct this. What is more, the software also provides the option to integrate these vulnerabilities into ETD monitoring until they are fixed.
A similar option is available for known vulnerabilities in third-party applications used by many SAP customers: ETD sends an alert here, too, when an insecure function is called.
The functions introduced here are available as of SAP Enterprise Threat Detection 1.0 SP04.