Securing SAP BTP - Threat Monitoring: Detecting Unauthorized Changes and Indicators of Compromise

Welcome to the latest in our series on SAP BTP security. So far, we’ve covered the challenges customers are encountering when trying to protect this new, critical asset in their landscape, how to overcome them, and how to build a successful BTP vulnerability management program.
The natural next step—and the other key piece of the proactive application security puzzle—is continuous security monitoring. As I’ve discussed in the past, and as NIST and SAP (in partnership with Onapsis) recommend, the most effective approach for protecting applications like BTP is to pair point-in-time vulnerability scans with continuous monitoring for indicators of compromise.
In addition to detecting indicators of compromise, continuously monitoring your BTP logs for suspicious or unauthorized changes to app configuration or user settings is important for a number of reasons:
- Monitoring User Activity: Customers, including those in the RISE with SAP program, are responsible for tracking their SAP users, their behavior, and access control.
- Addressing User Access Controls: Changes in user permissions and roles could represent a control violation and potential audit finding.
- Identifying Configuration Drift: Customers are also responsible for ensuring their applications are configured securely and aligned with best practices.
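As an added illustration (not Onapsis or SAP code), here is a small rule-based detector run over constructed BTP-style audit events that covers the three concerns above: privileged role collection assignments, users granting roles to themselves, and configuration drift against a baseline. The one-object-per-line event shape, the baseline values, the privileged role list and the business-hours window are assumptions for this example, not the real BTP Audit Log schema.

```python
import json
from datetime import datetime
# Constructed sample events in a simplified one-JSON-object-per-line shape
# (an assumption for this example, not the exact SAP BTP Audit Log schema).
SAMPLE_LOG = """
{"time":"2024-05-01T08:02:11Z","category":"audit.security-events","user":"admin@example.com","action":"ROLE_COLLECTION_ASSIGN","target":"dev1@example.com","role_collection":"Subaccount Administrator","ip":"203.0.113.10"}
{"time":"2024-05-01T08:05:40Z","category":"audit.security-events","user":"admin@example.com","action":"ROLE_COLLECTION_ASSIGN","target":"dev2@example.com","role_collection":"Subaccount Viewer","ip":"203.0.113.10"}
{"time":"2024-05-01T23:47:03Z","category":"audit.security-events","user":"svc-ci@example.com","action":"ROLE_COLLECTION_ASSIGN","target":"svc-ci@example.com","role_collection":"Subaccount Administrator","ip":"198.51.100.7"}
{"time":"2024-05-02T01:12:55Z","category":"audit.configuration","user":"svc-ci@example.com","action":"TRUST_CONFIGURATION_CHANGE","setting":"identity_provider","old":"corp-ias","new":"sap.default","ip":"198.51.100.7"}
{"time":"2024-05-02T09:00:00Z","category":"audit.configuration","user":"admin@example.com","action":"TRUST_CONFIGURATION_CHANGE","setting":"identity_provider","old":"sap.default","new":"corp-ias","ip":"203.0.113.10"}
"""
# Assumed tenant baseline and privileged role collections (placeholder values).
PRIVILEGED_ROLE_COLLECTIONS = {"Subaccount Administrator", "Global Account Administrator"}
CONFIG_BASELINE = {"identity_provider": "corp-ias"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC is treated as normal working time

def parse_events(log_text):
    """Parse one JSON event per line; malformed lines are skipped, not trusted."""
    events = []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return events

def evaluate(event):
    """Apply the detection rules to one event; returns (severity, rule) findings."""
    findings = []
    if event.get("action") == "ROLE_COLLECTION_ASSIGN":
        rc = event.get("role_collection", "")
        if rc in PRIVILEGED_ROLE_COLLECTIONS:
            findings.append(("high", f"privileged role collection assigned: {rc}"))
        if event.get("user") == event.get("target"):
            findings.append(("high", "user assigned a role collection to themselves"))
    elif event.get("category") == "audit.configuration":
        setting, new = event.get("setting"), event.get("new")
        expected = CONFIG_BASELINE.get(setting)
        if expected is not None and new != expected:
            findings.append(("high", f"configuration drift: {setting}={new!r}, baseline {expected!r}"))
    hour = datetime.fromisoformat(event["time"].replace("Z", "+00:00")).hour
    if findings and hour not in BUSINESS_HOURS:  # only enrich changes already flagged
        findings.append(("medium", "flagged change made outside business hours"))
    return findings

def analyze(log_text):
    """Run the rules over a whole log and return SIEM-ready alerts with context."""
    return [{"time": ev["time"], "user": ev.get("user"), "ip": ev.get("ip"),
             "severity": sev, "rule": rule}
            for ev in parse_events(log_text) for sev, rule in evaluate(ev)]
```

On the constructed log the benign viewer assignment and the change that restores the baseline produce no alerts, while the after-hours self-assignment by the service user yields three findings that a SIEM can correlate by user and source IP.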
Challenges to Successful SAP BTP Security Monitoring
Unfortunately, as you might expect if you’ve been reading this series, security monitoring is another area where building a successful program for SAP is more challenging than it seems. Some of the challenges here, for BTP and SAP applications in general, include:
- Identifying the suspicious or threat activity: Most of the existing monitoring tools security teams rely on don’t sufficiently support SAP, let alone a newer application like BTP. They don’t have the detection rules and intel needed to actually empower teams to identify and respond to threats or unauthorized changes to SAP. This leaves teams relying on manual log reviews, which are time-consuming, error-prone, and of course require quite extensive internal knowledge of SAP activity and the evolving SAP threat landscape.
- Knowing how to prioritize and respond to identified threats: Even if teams are able to successfully identify something suspicious in the logs, it often requires quite a lot of investigation and analysis to understand if that suspicious activity actually represents a threat, the potential impact, and how to respond.
As we know, time is of the essence when it comes to incident response. This is especially relevant given the critical nature of SAP and the new material incident disclosure timelines (e.g., US SEC rules, EU NIS2) that have come into force. Relying on manual efforts, as described above, isn’t just impractical—it also increases risk. Malicious activity can go unnoticed, response times may lag, and vulnerabilities could slip through the cracks. To be successful here, organizations need a reliable, automated threat monitoring solution designed for SAP that will accelerate their incident response efforts.
SAP BTP Threat Monitoring Made Easy with Onapsis
We recently released Onapsis Defend support for SAP BTP, allowing our customers to extend their threat and security monitoring to this critical asset with BTP-specific detection rules and powerful, context-rich alerts to accelerate incident response. Defend for BTP’s focus on role assignments and configuration changes will help customers, including those using RISE with SAP, better manage their responsibilities around user activity and app configurations, giving them an early warning system for any unauthorized changes in these areas that could represent an indicator of compromise, insider threat, or controls violation.
Defend for BTP directly addresses the challenges described above:
- Identifying suspicious or threat activity: Onapsis Defend automatically monitors SAP BTP logs with out-of-the-box detection rules specific to SAP BTP based on SAP security best practices and the latest threat intel from the Onapsis Research Labs. No need for manual log reviews; no need for internal teams to keep up with the evolving SAP threat landscape. With Defend for BTP, customers will receive real-time alerts for critical configuration changes and incorrect or over-privileged role assignments that put critical data, business operations, and compliance at risk.
- Knowing how to prioritize and respond to identified threats: Defend’s real-time alerts, which can be integrated into SIEMs, turn your SOC analysts into instant SAP experts. Your teams will be empowered to make smarter decisions faster with valuable details on severity, root cause, and recommended remediation steps.
The automation and rich intel provided by Defend will accelerate analysis and incident handling, and help support the new disclosure timelines mentioned above (e.g., EU NIS2, US SEC rules) – for BTP and the rest of your critical SAP landscape.
Securing SAP BTP Isn’t Enough: Why You Also Need to Protect Code Developed Within It
So far, I’ve focused mainly on securing BTP itself as an application. In my next post, I’ll take a look at securing what your users are doing in BTP, namely writing code and creating new applications.
Obviously, ensuring that code is high quality and secure is extremely important, but that process can’t get in the way of application delivery goals and timelines. Stay tuned for the next part of this series, where I’ll take a closer look at the challenges organizations are facing when it comes to secure code development in BTP and how they can overcome them.