It’s Time to Take the Ransomware Threat to Business-Critical SAP Applications More Seriously
Almost every day, we see yet another case of ransomware. While, historically, companies of all sizes are targeted, recently it appears that all the news revolves around debilitating attacks on mission-critical or business-critical systems of large enterprises—from fuel and energy companies to food processing companies. It’s not that these enterprises haven’t taken steps to protect these assets; it’s just that the “traditional” way of preparing for and responding to ransomware simply won’t work anymore. So, what’s needed to protect your organization’s business-critical applications from the looming threat of ransomware. That’s exactly what SAP® and Onapsis, in this joint blog post, will seek to address here.
When most people think about ransomware, there are two immediate, “traditional” solutions that come to mind: backups and endpoint security. Both are critical components of a solid security program, without a doubt. However, their presence could lull organizations into a false sense of security, as there still remain gaps, especially related to business-critical systems that are connected in more ways than ever before.
The challenge is that many enterprises realize too late that, in preparation for a ransomware attack, you need to close all the doors and windows of your house—not just the front door of endpoint protection. When thinking about ransomware attack vectors, it’s imperative to consider all potential entry points into the business-critical environment and how to secure them… and, to continue this metaphor, this also includes evaluating your neighbors and how they get into your house too. When you think about all of these vectors, you slowly realize that this challenge goes way beyond just endpoint security and backups. It requires a more holistic look at securing your business-critical applications, including things that we would classify as “good security hygiene”. In a recent joint Onapsis and SAP threat intelligence report, we demonstrated that threat actors clearly have the means, the motivation, and the expertise to identify and exploit unprotected mission-critical applications, and are, in fact, actively doing so.
As an example, a massive, publicly-traded company was recently subjected to a ransomware attack on their ERP application data. Did they have backups? Yes—the backup was refreshed once a week. However, their operations halted anyway. When this happens, even with backups in place, it could still take hours or even days to restore from a backup, and the negative impact on the business and the financial losses are high regardless. Did they have endpoint security? Yes. However, the attackers bypassed the endpoint detection and response (EDR) software by accessing the data through the application. EDR is great for identifying activities on compromised assets and allowing the containment and collection of artifacts (e.g., process trees, files created by malware), but the application level still poses a challenge. And these attackers used that application layer, which was not monitored by the tool itself, to compromise the business-critical assets.
Vulnerabilities such as 10KBLAZE, PayDay, and RECON allow threat actors to take full control of applications through the application layer itself. These threat actors go straight to the application, and, once in, go down to the operating system level there. When you consider CIO digital transformation initiatives or the rapid adjustment to remote work due to the COVID-19 pandemic, there is a significant magnification of risk. Onapsis has observed that new, unprotected SAP applications provisioned in IaaS environments were discovered by threat actors and attacked in less than 3 hours, with 400+ successful exploitations observed as of the date of this blog post publication.
Ultimately, what’s needed then is a new model to defend against ransomware—one that goes beyond the scope of just protecting endpoints, backing up files, and hoping for the best. Gartner claims that organizations should “[i]mplement a risk-based vulnerability management process that includes threat intelligence. Ransomware often relies on unpatched systems to allow lateral movement. This should be a continuous process. The risk associated with vulnerabilities changes as these vulnerabilities are exploited by attackers.” We couldn’t agree more.
What’s needed is a renewed commitment to some key security fundamentals:
1. Security Hardening of Business-Critical Applications
2. Timely Patch Management
3. Point-in-time Vulnerability Assessments
4. Continuous Monitoring of Vulnerabilities and Threats to Your Business-Critical Applications
5. Securing Your Custom Code in Business-Critical Applications
6. A Commitment to Control and Governance
SAP is committed to continuously innovating our software to keep your information safe, both on premise and in the cloud. We prioritize cybersecurity so that you can stay focused on running your business and managing your customer relationships effectively using SAP solutions, safe in the knowledge that your data is secured. To protect clients from ransomware attacks, securing development infrastructure (e.g., the build and deploy chain) is of utmost importance to prevent the manipulation of shipment artifacts. As part of our commitment to clients, SAP follows a secure Software Development & Operations Lifecycle to identify and mitigate all kinds of security weaknesses and vulnerabilities during the development of products and services. Through the use of risk identification techniques such as SAP Threat Modeling and secure development trainings, SAP enables development teams to eliminate potential entry points for ransomware and other kind of attacks. It also ensures that basic security principles, such as that of least privilege, are part of the DNA of SAP developers. SAP continues to harden our systems with automated static code analysis, vulnerability scans, and validation from a dedicated, independent SAP internal security team. SAP’s software development lifecycle serves as an example to clients on how to support a DevSecOps model covering development and operations aspects for continuous and secure delivery of software.
When deploying and running SAP applications, it’s imperative that organizations focus on hardening their system to minimize the overall attack surface—for example, ensuring the proper setting of system parameters and other aspects of system configuration, including the activation of security features and functionalities. It is important that the proper configuration settings are in place to protect an organization against possible security vulnerabilities.
SAP provides key features such as the EarlyWatch® Alert service, which monitors the essential administrative areas of SAP components to keep organizations up to date on performance and stability as well as the SAP Security Optimization service, which verifies and improves the security by identifying potential security issues related to your SAP solution and providing key recommendations.
As threat actors continue to devise new modes of attack, and vulnerabilities to these attacks are identified, SAP continuously provides security updates for existing code to keep your systems secure. SAP delivers these security updates through support packages, and, on the second Tuesday of every month, as part of “Security Patch Day,” SAP publishes security notes with the latest security corrections and recommendations. As noted, implementing a security maintenance process to assess and implement recommended security updates is a proven best practice for mitigating risk.
At Onapsis, we have focused on protecting business-critical applications since 2009. We target the application layer with our Onapsis Platform and serve an essential part of our clients’ plans to protect their SAP applications from ransomware attacks.
- By providing automatic visibility into critical vulnerabilities, missing important patches and security updates, misconfigurations, and insecure interfaces, Onapsis identifies all the open doors. This is a crucial component in any ransomware prevention initiative. Once the entry points are identified, they can be closed, thereby reducing the attack surface that may lead to ransomware.
- Through continuous monitoring and real-time alerts for threat indicators, Onapsis helps monitor real-time attempts to access critical systems through any remaining open doors. Win precious time to prevent threat actors from gaining further access.
- With code analysis in real-time, prior to moving into production, and in transport, Onapsis can help identify foreign code (e.g., malware) or new vulnerabilities before they get released to the public. Code vulnerabilities may appear to be a minor attack vector, until they’re not, such as in the case of the Solar Winds attack. In Onapsis’ experience, we generally see one critical vulnerability per 1000 lines of code, but our clients generally have millions of lines of custom code. It’s important to close those thousands of open doors to prevent any access to business-critical systems.
It’s time to think differently about ransomware. We’re in the middle of a perfect storm. More unprotected SAP applications and remote workers than ever before, expert threat actors who have the expertise to attack these systems, hyperconnected business-critical systems across the cloud, and strained InfoSec teams who may have fallen behind in patching and vulnerability management. Ransomware is the final step of an attack that could utilize a myriad of attack vectors to directly access your SAP applications. Organizations should leverage the powerful native security capabilities of SAP, establish the right risk-based patch, code, and vulnerability management processes, and take advantage of the optimized tools and critical threat intelligence from Onapsis. If they do so, organizations can drastically reduce their risk profiles, stay a step ahead of ransomware groups, and ultimately keep their names out of the news.
This blog was authored by Tim McKnight, CSO of SAP, Richard Puckett, CISO of SAP and Mariano Nunez, CEO of Onapsis.
Additional contributors of this content include: Elena Kvochko, Imran Islam, Oliver Meli, Vic Chung, and Robert Lorch from SAP, as well as David D’Aprile, Maaya Alagappan, and Tess Cunard from Onapsis.