12 Days of AppsMas: 10 Steps to Protect SAP Applications From Ransomware

There’s one thing that’s been clear through 2021, and it’s that cybercriminals love a holiday. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert that threat actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. With 2,084 ransomware complaints and over $16.8M in losses reported to the FBI just in the first half of 2021, protecting your organization’s most critical assets is of the utmost importance this holiday season. To prepare for potential attacks over the coming holiday weekends and beyond, SAP and Onapsis outline several key steps organizations can take to minimize the risk of an attack on their business-critical SAP applications.

For more on how to mitigate the threat of ransomware to your SAP applications, read our whitepaper or watch our on-demand session with SAP CISO Richard Puckett and Onapsis CEO Mariano Nunez.

1. Identify critical assets

For SAP customers, the entire SAP landscape can be considered a critical asset. This could include SAP technology as well as servers, databases, and any other system integrated into the business processes supported by SAP technology. The issue we see today is that organizations know SAP is critical but are unaware of the specific business processes that SAP is supporting and how to differentiate between them.  

2. Assess risks to and vulnerabilities in critical assets

Once you’ve identified where your critical data and processes are, it’s time to assess them: vulnerabilities, patches, configurations, user authorizations, APIs. The diverse components of your SAP technology stack should be assessed to understand the interconnected risk between applications. The best way to do this is with a specialized vulnerability scanner to understand which risks and vulnerabilities affect the different components.

3. Refine business continuity plans, including backups

Backups for critical applications are an important reactive control that an organization should use when it is the victim of a ransomware attack. Oftentimes, backups can be the deciding factor in whether or not an organization has to pay a ransom, and they can minimize downtime from an attack. While a backup plan won’t prevent a ransomware attack, it can reduce the impact and cost.

Define, communicate, and test existing business continuity plans to ensure they take SAP applications into consideration. Ransomware scenarios should consider a diverse set of ransomware attacks, including scenarios that affect key business processes supported by SAP applications. It’s important to consider all scenarios when preparing BCPs, and whether teams are appropriately prepared for them. These scenarios include a rebuild of the whole SAP environment, the failure of a critical system restore, and how long it may take to restore all files affected by a ransomware attack.

4. Monitor for changes in custom code

Custom code is an important vector we have seen threat actors utilize, especially in large organizations that outsource to third-party contractors. Vulnerabilities and compromised code can be introduced into SAP applications through unauthorized access. Having the ability to detect malicious changes to custom code and configurations can reduce the likelihood of infections from outside attackers and minimize risk.

5. Operational and user awareness 

End-user education is one of the easiest ways to minimize the risk of malware to SAP applications, as the initial infection may come from a variety of attack vectors, and attackers often target higher-profile end users through social engineering techniques. SAP users should be trained on security best practices and stay vigilant while using their corporate devices. IT admins should leverage multi-factor authentication, VPN, and other secure operational activities to reduce the risk of users unintentionally aiding an infection.

6. Apply latest security patches

A process to assess, analyze, and prioritize SAP Security Notes should be implemented. Onapsis Research Labs publishes a SAP Patch Day analysis monthly.

7. Secure the SAP landscape

SAP operates in an interconnected ecosystem. Ransomware actors are able to move laterally once they gain access to a network, as evidenced by research from SAP and Onapsis. Organizations should have the proper processes and solutions in place to secure not just the production systems but the entire SAP landscape.

8. Gain new visibility and insights with threat intelligence

Timely, impactful threat intelligence programs can provide insightful information about current tactics, techniques, and procedures used by threat actors. They can also provide early alerts about new ransomware campaigns as well as actionable intelligence for security teams responsible for designing and implementing security controls. 

9. Build the right monitoring and response toolset

Having the right tools is essential to centralize security events and to monitor and react to potential threats in your SAP landscape. Having up-to-date information from multiple sources can allow security teams to identify and fix issues quickly. Implementing proactive controls can also help reduce the impact of unknown threats.

10. Implement defense in depth

A layered approach to security can significantly reduce the risk of infection. A “defense-in-depth” approach can potentially mitigate, inform, or block the infection process, even if a threat actor bypasses other security measures. (Note: Traditional defense-in-depth security models are great to have but can fall short when it comes to protecting the SAP application itself in today’s interconnected reality.)


In our next blog, we’ll go over how to respond to a ransomware attack on your SAP applications, should your organization fall victim.
