Taking a Proactive Approach to Mitigating Ransomware Part 2: Avoiding Vulnerabilities in SAP Applications


In case you missed it, in the first part of this series we talked about the importance of hardening security for the application layer as part of your proactive approach to mitigating ransomware. We know exploited vulnerabilities are the most common root cause of ransomware attacks and we also know that threat actors are actively targeting SAP applications as an entry point to enterprise systems. 

Avoiding these application vulnerabilities before they can be exploited is an essential part of a proactive ransomware strategy, as recommended by NIST and SAP (in partnership with Onapsis). However, understanding your SAP attack surface and addressing these vulnerabilities is easier said than done. Consider the following challenges:

  • Which patches should you prioritize? Given the frequency of releases, complexity of the patching process, and size of app landscapes, most organizations are facing a backlog of patches combined with under-resourced teams. How do you know where to focus your efforts?
     
  • Were your patches applied completely and correctly? Patching is typically handled by application teams or sometimes a third-party service provider. How can you validate their work? 
     
  • What vulnerabilities exist beyond missing patches? First, you need to understand security best practices for application configuration, custom code, and user privileges/authorizations. Then, you need a way to validate that the applications across your landscape are following these best practices. However, relying on manual security reviews for this is both time-consuming and error-prone.
     
  • Which vulnerabilities should you address first? Some vulnerabilities are more easily exploitable, and some are more commonly targeted by threat actors; there could be overlap between these two groups. Each vulnerability has its own independent and interconnected risk to the business, and the impact of a successful exploit could be magnified in severity depending on how chainable the vulnerability is or how connected the application is in the broader SAP landscape. You need to understand all vectors of potential risk, and that requires access to real, impactful threat intelligence to help prioritize your remediation efforts.


There’s an Easier Way: Manage Your SAP Attack Surface with Onapsis

With the right partner, you can be proactive with your ransomware strategy and more effectively avoid vulnerabilities that could be exploited by threat actors. This is where Onapsis comes in. Onapsis Assess addresses the common challenges that keep organizations from building successful vulnerability management programs around SAP. More than just an SAP plugin, Assess is part of the Onapsis Platform, the only cybersecurity and compliance solution in the SAP Endorsed Apps program.

  • Get the visibility you need: You can’t protect what you can’t see. Get the complete picture with automated asset discovery that inventories your entire ERP landscape. We are also regularly expanding our scope to cover more types of assets, most recently adding comprehensive security checks for SAProuter, a potential point of ingress for attackers.
     
  • Leverage the most robust and up-to-date vulnerability checks available: Onapsis Research Labs is the most prolific and celebrated contributor of vulnerability research to the SAP Product Security Response Team. Our vulnerability scans are regularly updated with the Labs’ latest security research, so you don’t have to keep up with the latest security best practices or threat intel yourself. Identify security vulnerabilities and threats beyond a simple list of missing patches, such as misconfigurations, misauthorizations, and problems in previously deployed custom code.
     
  • Gain prioritization capabilities from risk-driven analysis and real-time threat intel: Our context-rich scan results translate vulnerabilities into business risk, so you easily understand what to fix first. Real-time Onapsis threat intelligence and AI elevate the vulnerabilities (regardless of CVSS) that warrant immediate attention due to elevated threat activity or vulnerability chaining observed in the wild.
     
  • Align InfoSec and IT teams to accelerate remediation: Leverage in-product workflows or integrate with ServiceNow to streamline remediation and gain cross-team visibility. Arm IT partners with step-by-step technical solutions to make resolutions straightforward.
     
  • Accelerate your SAP security journey: Powered by AI and over 14 years of SAP and cyber experience, the Onapsis Security Advisor provides a single, high-impact view of your current security standing and tailored, actionable guidance for how to improve. Dynamic visual comparisons of your state over time and against industry peers make it effortless to track your progress with data and report out effectively to leadership.

Avoiding Vulnerabilities Is Only Part of It: The Need for Continuous Monitoring 

I hope at this point it’s clear that minimizing your SAP attack surface is not only an essential part of your proactive approach to ransomware, but also an achievable goal if you have the right partner. Unfortunately, avoiding vulnerabilities completely is unrealistic and remediating vulnerabilities takes time – on average, 65 days for critical severity vulnerabilities. As a result, you’re always going to be dealing with some level of unaddressed risk in your application landscape. 

This is where continuous monitoring comes in. I think of this as a one-two punch for addressing vulnerabilities – while you’re running your point-in-time scans and working through remediation to reduce your attack surface, you’re also continuously monitoring in between those points-in-time for any suspicious behavior or potential exploit activity that might be targeting the vulnerabilities you haven’t been able to address yet. 

Detecting that anomalous or suspicious behavior as quickly as possible is critical to efficiently and effectively protecting your SAP environment. As you might expect from the theme of this series so far, that’s easier said than done. Our next post will dive into this. We’ll explore the challenges with continuously monitoring SAP applications and what’s needed to overcome them.  
