Taking a Proactive Approach to Mitigating Ransomware Part 3: Continuously Monitoring SAP Applications for Indicators of Compromise


This is the last in our series on hardening security for the application layer as part of your proactive approach to mitigating ransomware. In case you missed it, we’ve covered how threat actors are actively targeting vulnerabilities in the application layer as an entry point, and how to overcome common challenges and build a successful SAP vulnerability management program to reduce the attack surface.


Of course, minimizing the attack surface is essential, but eliminating every vulnerability isn’t realistic. Remediation also takes time, so there is always a window in which some amount of risk in your landscape remains unaddressed. That’s why continuous monitoring for indicators of compromise is a natural follow-on for any proactive ransomware strategy (see the guidance from NIST and from SAP in partnership with Onapsis).


This makes sense. As you work on remediating vulnerabilities and reducing your attack surface, you’re also monitoring for suspicious behavior or potential exploit activity targeting the vulnerabilities you haven’t been able to address yet. Unfortunately, organizations often struggle to build threat monitoring programs for SAP that are as effective as the ones they have for other systems. Consider the following challenges:
 

  • How do you identify suspicious activity? Traditional threat detection solutions don’t sufficiently address SAP threats. They lack the detection rules, the latest threat intel, and mitigation guidance for security teams to successfully monitor for ERP-specific threats. This means organizations are often relying on manual log reviews, which are time-consuming and require extensive internal expertise to keep up with the evolving threat landscape. 
     
  • How do you analyze each activity so you know what to prioritize? InfoSec and SOC teams are often under-resourced and new to SAP systems. They don’t have the time or SAP knowledge to analyze each potential threat and understand how to respond. This can lead to delayed response or malicious activity going unnoticed. 
     
  • How are you bringing SAP events into the SOC? As the security hub for an organization, your SOC needs visibility into SAP threats so they can be incorporated into broader security management and incident response processes. But, configuring your SOC tools (e.g., SIEM, SOAR) to directly consume SAP logs requires significant in-house SAP security expertise, time, and resources. And even then, this raw intake requires security contextualization and prioritization.

There’s an Easier Way: Continuously Monitor Your SAP Applications with Onapsis

With the right partner, you can effectively monitor for indicators of compromise that might be tied to a ransomware attack. This is where Onapsis comes in. Onapsis Defend addresses the common challenges that keep organizations from building successful threat monitoring programs around SAP. More than just an SAP plugin, Defend is part of the Onapsis Platform, the only cybersecurity and compliance solution in the SAP Endorsed Apps program.

  • Get out-of-the-box, industry-leading SAP threat detection: With Onapsis, you gain access to the industry’s most advanced detection rules, including zero-day threat detection, enhanced with anomaly scores and user behavior analysis. Our rules database is regularly updated with the latest threat intelligence from the award-winning Onapsis Research Labs (“ORL”), the most prolific and celebrated contributor of vulnerability research to the SAP Product Security Response Team. 
     
  • Leverage expert SAP threat intel to prioritize and accelerate response: You don’t need to be an SAP security expert yourself to identify potential threats. Make your SOC analysts instant SAP threat experts with real-time, customizable alerts that provide valuable details on severity, root cause, and recommended remediation steps to accelerate analysis and incident response times.  And, we recently made it even easier for users not familiar with SAP to alert on suspicious user activity, such as assigning highly privileged authorizations or performing key operations, which could be leveraged as part of a ransomware or other cyberattack. 
     
  • Bring curated SAP events into the SOC: Onapsis Defend can be integrated with existing SOC tools (e.g., SIEMs) and workflows so real-time, curated SAP incidents can be incorporated into wider security management and incident response processes. This also reduces “noise” and the amount of data going into your SIEM.  
     
  • Add another layer of protection: Plus, you can add another tool to your “proactive against ransomware” toolkit by extending Onapsis threat intelligence to the network layer with our Defend Network Detection Rule Pack. Unlike other solutions that lock you into a single vendor, you can augment any of your existing network security products with vendor-agnostic, open-source, ORL-written rules that alert on threats (and potentially block them, depending on the capabilities of your network security) before they reach your SAP applications. 
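To make the “identify”, “prioritize” and “bring it into the SOC” points above concrete, here is an added example (written for this page; it is not Onapsis code and does not reproduce any product’s detection rules). It runs a few SAP-relevant rules over constructed audit records, correlates a privileged-profile grant with a follow-on sensitive transaction, and emits curated alerts carrying severity, root cause and a remediation hint in the JSON-lines shape a SIEM would consume. The pipe-delimited line format, the event names (LOGIN, TSTART, PROFILE_ASSIGN), the sample records and the severities are constructed assumptions for this example and are not the real SAP Security Audit Log layout; SAP_ALL and SAP_NEW, the DDIC/SAP* standard users and the transaction codes are real SAP names.

```python
"""Added example: rule-based IOC detection over constructed SAP-style audit records.

Not Onapsis code. The log layout, event names and sample data below are
constructed for illustration and do not match the real SAP Security Audit Log.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime

# Real SAP names; the risk annotations are this example's own.
PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH"}
SENSITIVE_TCODES = {
    "SM49": "external OS command execution",
    "SM69": "external OS command maintenance",
    "SE38": "ABAP editor (arbitrary code)",
    "SU01": "user maintenance",
    "PFCG": "role maintenance",
    "SM59": "RFC destination maintenance",
    "STMS": "transport management",
}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass
class Alert:
    severity: str
    user: str
    client: str
    terminal: str
    timestamp: str
    rule: str
    root_cause: str
    remediation: str


# Constructed records (assumed format): timestamp|client|user|terminal|event|detail
SAMPLE_LOG = """\
2024-03-11T08:02:13|100|JSMITH|WS-0412|TSTART|SE16
2024-03-11T08:05:44|100|JSMITH|WS-0412|LOGIN|OK
2024-03-11T02:14:09|000|DDIC|10.0.9.77|LOGIN|OK
2024-03-11T02:15:31|000|DDIC|10.0.9.77|PROFILE_ASSIGN|BATCHSVC:SAP_ALL
2024-03-11T02:16:02|000|BATCHSVC|10.0.9.77|TSTART|SM49
2024-03-11T09:30:00|100|PFCG_ADMIN|WS-0310|PROFILE_ASSIGN|NEWHIRE:Z_FI_DISPLAY
"""


def parse(log_text: str) -> list[dict]:
    """Split the constructed pipe-delimited format into typed records."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, event, detail = line.split("|", 5)
        records.append({"ts": datetime.fromisoformat(ts), "client": client, "user": user,
                        "terminal": terminal, "event": event, "detail": detail})
    return sorted(records, key=lambda r: r["ts"])


def off_hours(ts: datetime) -> bool:
    """Assumed business window 06:00-20:00; activity outside it raises severity."""
    return not 6 <= ts.hour < 20


def detect(log_text: str, correlation_window_min: int = 30) -> list[Alert]:
    """Apply the rules in time order; a privileged grant followed by a sensitive
    transaction from the grantee inside the window is escalated to CRITICAL."""
    alerts: list[Alert] = []
    recent_grants: dict[str, tuple[datetime, str]] = {}  # grantee -> (when, granted by)
    for r in parse(log_text):
        common = (r["user"], r["client"], r["terminal"], r["ts"].isoformat())
        if r["event"] == "LOGIN" and r["user"] in STANDARD_USERS:
            alerts.append(Alert("MEDIUM", *common, "standard-user-logon",
                                f"interactive logon of SAP standard user {r['user']}",
                                "Standard users should be locked or restricted; confirm who used the credentials"))
        elif r["event"] == "PROFILE_ASSIGN":
            target, _, profile = r["detail"].partition(":")
            if profile in PRIVILEGED_PROFILES:
                recent_grants[target] = (r["ts"], r["user"])
                alerts.append(Alert("HIGH", *common, "privileged-profile-assignment",
                                    f"{r['user']} assigned profile {profile} to {target}",
                                    f"Verify the change ticket; if unauthorized, remove {profile} from {target} "
                                    f"and lock both accounts"))
        elif r["event"] == "TSTART" and r["detail"] in SENSITIVE_TCODES:
            tcode = r["detail"]
            severity = "MEDIUM"
            why = f"{r['user']} started {tcode} ({SENSITIVE_TCODES[tcode]})"
            grant = recent_grants.get(r["user"])
            if grant and (r["ts"] - grant[0]).total_seconds() <= correlation_window_min * 60:
                severity = "CRITICAL"
                why += f" within {correlation_window_min} min of receiving a privileged profile from {grant[1]}"
            elif off_hours(r["ts"]):
                severity = "HIGH"
                why += " outside business hours"
            alerts.append(Alert(severity, *common, "sensitive-transaction", why,
                                "Confirm the activity with the user; if unexplained, lock the account "
                                "and review what was executed"))
    return alerts


def to_siem(alerts: list[Alert]) -> str:
    """JSON lines, most severe first, ready to forward to a SIEM."""
    ordered = sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])
    return "\n".join(json.dumps(asdict(a)) for a in ordered)


if __name__ == "__main__":
    print(to_siem(detect(SAMPLE_LOG)))
```

Running the block on the constructed sample produces three alerts: the DDIC logon, the SAP_ALL grant to BATCHSVC, and BATCHSVC starting SM49 a minute later, which the correlation rule escalates to CRITICAL; the JSMITH and NEWHIRE records produce nothing. The point of the correlation step is the one the text makes about contextualization: on their own, the grant and the SM49 start are two medium-to-high findings an analyst might triage separately, whereas together they describe the privilege-escalation-then-execution sequence a ransomware operator would follow.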
     

It’s Time to Start Taking the Ransomware Threat to Business-Critical Applications More Seriously 

We’ve said it before and we will continue to say it for as long as ransomware continues to pose such a threat to organizations around the world – if you want to be effective with your ransomware strategy, you can’t neglect the application layer. 

Need help getting started? That’s what we’re here for. Onapsis is the industry standard for business application cybersecurity, trusted by nearly 30% of the Forbes Global 100. Talk to us today about how we can help you minimize your SAP attack surface and continuously monitor for indicators of compromise to help you stay ahead of ransomware.

Read the other parts of this series: