ERP systems, such as SAP and Oracle E-Business Suite (EBS), are the operational engine of an organization, running the business-critical applications and holding the data needed for businesses to function. Yet despite the importance of these systems, they almost always fall in a cybersecurity blind spot, left unprotected against internal misuse and external attacks. As business leaders look to their security strategy in 2022, securing ERP should be of the utmost importance. In our last blog, we went over what ERP is and why you need a cybersecurity strategy dedicated to these systems. Today, we’ll go a little bit deeper into the environmental factors that make ERP security an imperative in 2022.
Digital Transformation and Modernization Are Increasing Risk
Organizations have rapidly been moving their systems and applications to the cloud. While the cloud offers many benefits, it also opens organizations' most critical systems to new risks. SAP S/4HANA is the latest version of SAP’s ERP software, built to run exclusively on the SAP HANA database. Many organizations use the move to S/4HANA as an opportunity to move to the cloud. Organizations must upgrade to SAP S/4HANA before 2027 to avoid the risk of their most business-critical operations running on outdated and unpatched software.
Migrating your SAP systems to the cloud is no easy task. This is a major transformation project involving your most important assets. There is pressure on organizations to get the project completed on time and budget. Even well-staffed organizations might struggle with bandwidth and conflicting workload priorities that make it difficult to support a transformation project of this magnitude. Additionally, internal SAP teams might lack familiarity with components of the new system, such as the HANA database or Fiori design language. Teams need help and often bring in third-party developers to help, but validating the work of these third parties can be difficult and time-consuming, and typically relies on manual reviews.
As the 2027 deadline approaches, organizations should be looking for ways to reduce the cost and time it takes for a migration, including how to integrate security measures early in the migration process. When you include security at the beginning of the project, which is called the shift-left approach, you bring in security validation at the moment when code is created instead of at the moment when code is deployed or tested. This means you can prevent those risks from becoming a reality or prevent those risks from leaving the development environment so they don't materialize in production.
Misplaced Trust in Traditional Security Approaches
To protect business-critical applications, enterprise organizations commonly employ a “defense-in-depth” security model (i.e., applying layers of technology to protect critical systems). Traditional firewalls, vulnerability scanners, IPS, and IDS products focus on identifying attack signatures at a different layer and depth than required in business-critical applications. While organizations should absolutely deploy such security solutions, they focus more on network infrastructure. Not enough consideration is given to the last layer of security for the critical application itself, especially since these systems are frequently managed by information technology professionals focused more on development and continuity rather than security.
Many large enterprises also rely on manually instrumenting and configuring built-in tools to secure their business-critical applications (e.g., SAP’s Solution Manager, Oracle Security Console). However, these tools are often not purpose-built for security and, most importantly, are generally not managed by or accessible to security teams.
Security Often Isn’t Prioritized
ERP is just like any other software and requires patches regularly for updates, fixes, and improvements. Unfortunately, just like any other software, ERP patches are often neglected, delayed, or ignored altogether due to fear that the application will stop working as a result, a lack of time or resources, inability to discern which patches are critical and need to be prioritized, the list goes on. This becomes a major problem when the patch addresses security vulnerabilities.
Security is often an afterthought in ERP deployments, taking a backseat to operational priorities and project timelines or budgets. A Turnkey survey found a majority (69%) of SAP users believe their organizations didn't place enough focus on security during previous SAP implementations. Failing to build security baselines and ongoing monitoring into deployments from the start leaves organizations with no easy way to measure their risk posture and understand where they might be vulnerable.
Increase in Cyberattacks Against Business-Critical ERP Applications
A recent SAP and Onapsis report shows that threat actors have the expertise to identify and exploit unprotected business-critical ERP applications. SAP and Onapsis found evidence of over 300 automated exploitations leveraging seven SAP-specific attack vectors and over 100 hands-on-keyboard sessions from a wide range of threat actors. The window for defenders is small; SAP applications are being weaponized within 72 hours of a patch release. It is clear that cyberattackers have sophisticated knowledge of ERP applications. They are actively targeting and exploiting unsecured SAP applications through varied techniques, tools, and procedures.
This need to protect ERP applications has never been more urgent with President Biden’s Executive Order on Improving the Nation’s Cybersecurity and recent Binding Operational Directive 22-01 which mandates an aggressive approach and schedule to remediate known exploited vulnerabilities in software and applications to protect federal systems. According to a February 2021 Ponemon Institute study, 58% of organizations state that it takes days, weeks, and months to shore up an application in production after detecting a vulnerability. To help SAP security administrators directly affected by this BOD, the Onapsis Research Labs have compiled a list of SAP vulnerabilities from CISA’s catalog along with guidance on remediation.
How to Make ERP Application Security a Priority in 2022
Implement a vulnerability management program that specifically targets business-critical applications: Threat actors can exploit vulnerabilities from system configurations, user settings, custom code, and missing patches to gain access to your critical ERP systems. Finding and remediating these vulnerabilities before they can be exploited is essential to protecting your ERP environment.
Build application security testing into development processes: Incorporating security checks into your application development and change management processes allows you to find issues in the shortest possible time. Fixing issues before they hit production is typically easier and less expensive, and helps avoid negative impacts to system security, compliance, performance, or availability.
Continuously monitor for internal and external threats: Business-critical applications are an attractive target for bad actors, both inside and outside the organization. Keeping an eye out for unauthorized changes, misuse, or attack indicators is crucial for identifying this type of malicious behavior early so actions can be taken to prevent serious consequences.
Thanks for following along with our 12 Days of AppsMas series. We'll see you next year!