Duration: 38 minutes
Available On Demand
Live Date: April 29, 2020
Managing Up Means Understanding The Role of Your CIO. A strong company needs a developed IT strategy to remain connected and competitive. The complexity of these IT projects, including digital transformation, is higher than ever.
Duration: 1 hour
Available On Demand
Live Date: April 23, 2020
This joint session with Protiviti will lay the foundation for proper cyber program activities and detail how the Onapsis platform provides the required capabilities to defend against risk and drive growth during transformations.
Duration: 39 minutes
Available On Demand
Live Date: April 17, 2020
See how an attacker can infiltrate your SAP system by abusing well-known misconfigurations, Understand the most common attack vectors towards your SAP landscape, Learn how you can protect yourself by using SAP security automation and alerting.
SAP code, mostly written in the ABAP programming language, is an integral part of securing SAP systems. Complexities in the system make it difficult to ensure the code meets requirements. This e-book highlights just how common code issues are and their negative impact on security, compliance, performance and stability.
Download the e-book to review key findings from Onapsis research, including how many lines of custom code an average SAP system has and how many of those may contain critical security and compliance issues!
Watch Mauricio Guerra, CISO at Dow Chemical, as he describes how the company assessed areas of risk in their SAP systems to optimize operational resiliency.
One of Canada’s largest media organizations has evolved into a full service multimedia publishing across four major platforms: print, online, mobile and video. Handling high volumes of credit card transactions and credit card data is daily business; therefore PCI DSS compliance is a must for the organization.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process or transmit cardholder data. Introduced in 2004 by five major card companies (Visa, Master Card, American Express, Discover and JCB), the primary goal of the standard is to protect cardholder data and to reduce data theft and credit card fraud.
Failure to comply with the standard can result in substantial penalties, restrictions or even barring. Payment Card Industry Security Standards Council, for example, has established fines of up $500,000 per incident for security breaches at non-compliant organizations.
One of the major requirements regarding PCI DSS compliance is to develop and maintain secure systems and applications. After an initial assessment, the media corporation decided to bring all card data into their SAP systems and encrypt it. A lot of work went into moving credit card data from a multitude of less secure databases and files into SAP. Now that SAP was storing cardholder data, it needed to meet PCI DSS standards.
The organization has used SAP solutions since 2002. In order to adapt its SAP solutions to specific requirements of the North American market, they had to put a lot of ABAP custom development into its SAP systems, with most of the major developments done by external companies.
Improve custom ABAP code to meet PCI DSS requirements and pass external audit on SAP systems
Onapsis scans all ABAP code for vulnerabilities or misconfigurations against PCI DSS requirements so developers know exactly what to fix. The media corporation can produce reports from Onapsis and share these with external auditors to prove their code meets compliance. The time and resources needed to make their code compliant and prove that compliance has been significantly reduced, allowing internal teams to focus on development and accelerate application delivery
With Onapsis code analysis, the organization was able to scan their ABAP code to see if it complied with PCI DSS. Onapsis testing is comprehensive and tightly integrated with SAP and can be customized to test code specifically against PCI DSS requirements. This way developers know exactly what to fix.
Using Onapsis also enabled the media corporation to easily produce reports and documentation that they could share with external auditors regarding the current state of their code, which significantly reduced the time and resources needed for the audit process. After a couple rounds of testing and fixing, the organization was able to use these reports to prove to auditors that their ABAP code was compliant with PCI DSS. By building Onapsis code analysis into their development process, they can now ensure these compliance baselines are implemented from the start and all new code will be compliant.
Unaddressed risk in critical SAP applications due to complex patching process and no visibility into other vulnerabilities
A large American utility company relies on SAP applications for many of their business-critical processes. Despite their critical nature, however, the company lacked visibility into the security posture of these applications- what vulnerabilities existed and what risk they posed to the business. Their patching process was complicated and time-consuming, and their existing vulnerability management tools didn’t sufficiently support SAP. The organization realized they had unaddressed risk within their critical systems, but they had no way to measure, understand, and act on it. With a major SAP S/4HANA migration project planned, they knew they needed a solution that could address this risk in the short-term and be used throughout the transformation.
“Onapsis removes the mystery around SAP security by increasing visibility. We can see issues — misconfigurations,missing patches or overly privileged users — what risk they pose and how to fix them.”
Enterprise Security Manager, Utility Company
Onapsis time-saving vulnerability scans provide deep visibility, detailed solutions, and business impact to identify risk and accelerate response
The utility company found their ideal solution with Onapsis Assess, which uniquely provides focused and comprehensive vulnerability management designed for SAP applications. Automated assessments, detailed solutions, and descriptions of business impact enable the organization to easily identify the true risk to their critical application landscape and understand how to respond. Onapsis Assess also significantly improved their patching processes, eliminating much of the manual work that was previously required. The included context from the Onapsis Research Labs helps them quickly determine which SAP Security Notes to prioritize, the best way to implement, and if they are missing any critical patches.
“With Onapsis, we were able to establish and maintain SAP security baselines and can now build them into transformation projects from the start. Onapsis enables us to keep SAP secure without impacting system performance or interfering with Basis teams.”
Enterprise Security Manager, Utility Company
60% less time spent investigating issues and 80% reduction in mean time to remediate (MTTR) thanks to research-driven analysis provided by Onapsis
The deep visibility and research-driven results provided by Onapsis Assess give the utility company an accurate understanding of risk within their critical systems and the context they need to quickly act on it. The detailed explanations and business impact provided by Onapsis mean the company’s security teams don’t have to be SAP experts themselves; they can make informed decisions on how to respond without having to spend a lot of time investigating each issue. Integrating Onapsis Assess with their ServiceNow further facilitates remediation efforts by aligning their security teams using Onapsis with their Basis teams responsible for fixing the issues. Leveraging this workflow and arming the Basis teams with Onapsis-provided step-by-step fixes has helped reduce the company’s mean time to remediate (MTTR) by eighty percent.
The utility company has also leveraged the customizability of Onapsis Assess to establish their own security baseline. By creating a custom scan catered to their business priorities and risk profile, they can regularly assess against it to ensure their systems continue to meet their security standards. They will use this baseline throughout their upcoming SAP S/4HANA migration to ensure their new systems are being configured securely.
As one of the world’s largest food production and shipping companies, with involvement in agriculture, animal nutrition and protein, food and financial and industrial processes, this 150-year-old multinational organization with locations in 70 countries operates at a scale and reach unlike many others. This operational footprint presents them with significant challenges and opportunities from an SAP perspective. They have 400 SAP applications spanning 40 products and 25,000 users, and undertake nearly 400 active projects per month. Given this magnitude and the critical nature of these systems, the organization needed a solution that would help them identify, understand and mitigate security risks across their entire landscape. With security baselines established, they needed a way to measure and operationalize them across new and existing application use cases, including new business ventures, partnerships and growth projects from the start.
As well as SAP security and meeting internal baselines, the organization needed support in terms of regulatory compliance, responding to and demonstrating adherence with legislation such as GDPR and CCPA. Maintaining both their security and compliance posture, despite the significant volume of change involved with managing an SAP system of this scale, was essential for achieving their ultimate goal of cyber resiliency for their business-critical applications.
“Most security professionals can’t spell SAP, yet 77% of global GDP passes through SAP systems. This establishes them as critical systems, but the lack of knowledge around the systems means they are often overlooked. The further up the stack you go, the more specialized this knowledge becomes. There are very few SAP security specialists that look at specific applications and how they pose a threat this is what makes Onapsis such a valuable partner for us.”
Onapsis’s pedigree in both security and compliance for SAP positioned them as the perfect solution for the food production company. The success comes from a relationship based on a partnership, instead one between customer and provider, with each side understanding the role they play. Onapsis provides the actionable insight and continuous monitoring the organization needs to understand security and compliance risk within their SAP environments, but it is ultimately up to the organization to prioritize and respond to these risks given their risk posture and tolerance. Likewise, if the organization needs additional information or support, Onapsis provides the expertise they need to act and protect their applications. By partnering with Onapsis, the organization keeps their global SAP stable, protected and compliant with security baselines. They are able to:
No visibility into vulnerabilities or suspicious activities that put critical supply chain and manufacturing applications – and patient safety – at risk
One of the world’s leading independent biotechnology companies depends on SAP for their supply chain, manufacturing, international trade, and other business-critical operations. Knowing that a “threat to SAP is a threat to the patients that rely on their products,” they knew they needed to harden their applications against internal and external threats. But, their already under-resourced teams didn’t know where to start. With a growing backlog of patches and no easy way to prioritize them, the organization tried to leverage their existing vulnerability management technology, but realized it didn’t sufficiently support SAP.
The team also wanted to bring SAP events into their SIEM so they could be incorporated into their incident response processes, but they lacked the threat intelligence and monitoring technology to do so. Unhappy with the SAP gaps in their existing security solutions, processes, and internal knowledge, they sought a third party technology that would give them the visibility and context they needed to help them better understand and manage their SAP attack surface.
“A threat to our SAP applications is a threat to the patients that rely on our products. With Onapsis we can be proactive with our SAP security and keep our critical applications – and patients – safe. Their vulnerability assessments allow us to understand and act on the risk within our landscape, while their continuous threat monitoring ensures we have pre-patch protection and compensating controls in place until we can apply the appropriate patch or fix.”
Global Lead of SAP Operations, F250 Biotechnology Company
Onapsis automated vulnerability scans provide actionable visibility into risk within critical SAP applications, while its powerful threat monitoring acts as an early warning system for potential cyberattacks
The biotech company found their ideal solution with Onapsis, whose security technologies are designed specifically for ERP systems like SAP. The automated scans, rich research-backed results, and remediation guidance provided by Onapsis Assess offsets the organization’s lack of internal SAP security expertise. It has also enabled them to finally build a strong vulnerability management program for SAP. Now, they can quickly understand the true risk to their critical applications with the context they need to prioritize and act on it.
With Onapsis Defend, the organization has enabled continuous threat monitoring for SAP, leveraging over 2,000 detection rules, anomaly scoring, and mitigation guidance from the industry-leading Onapsis Research Labs. Defend acts as an early warning system, alerting the chemical company of unauthorized changes, misuse, or cyberattacks targeting their SAP applications. With Defend, the company has also gained compensating controls and pre-patch protection. The unique, proactive threat intel that powers Defend allows them to monitor for potential exploit activity before patches are released (zero-day vulnerabilities) or have been applied (known, unpatched vulnerabilities). Given the growing backlog of patches and lengthy patching processes, having protection before fixes can be applied has been a key benefit.
“With Onapsis, we can now quickly identify and act on risk to our critical SAP systems. Integrating with our existing IBM QRadar solution has further accelerated our response times and given our SOC teams much-needed visibility into threats affecting our critical applications.”
Global Lead of SAP Operations, F250 Biotechnology Company
Using Onapsis Assess and Defend, the Biotechnology company has experienced:
75% improved incident response times and 83% reduction in remediation time thanks to Onapsis automation and intelligence
With Onapsis Assess, the organization is able to automate their vulnerability checks and measure the security risk of each vulnerability so they can prioritize fixes. Step-by-step technical solutions and an integration with ServiceNow ensures the SAP teams handling resolution receive timely assignments and the instructions they need to effectively mitigate the vulnerability. This has helped them reduce their remediation time from more than six months to less than one (less than a week for emergencies). Integrating Onapsis Defend with their existing IBM QRadar instance means their SOC teams receive immediate notifications of suspicious or malicious activity targeting their SAP applications, including insight into root cause and remediation recommendations. Bringing SAP security events into existing incident response workflows and the rich context included with each alert has significantly reduced forensic investigation time and resulted in seventy-five percent improvement in incident response times.
