This blog is the fourth of a five-part series on the importance of protecting business-critical applications. In our first three blogs, we share how rapid digital transformation projects, cloud migration, and the rise of cybercrime have left organizations' most critical systems vulnerable to new risks. In this fourth installment, we discuss why defense in depth isn’t enough to protect your enterprise’s crown jewels. Read more in our whitepaper, Five Reasons Why You Need Vulnerability Management for Business-Critical Applications.
Reason 4: Existing Defense-in-Depth Security Deployments Do Not Protect Business-Critical Applications
Existing Defense in Depth Deployments Aren’t Enough
Traditionally, organizations have relied on a defense-in-depth security model in which there are multiple layers of security controls deployed. The hope is that, if a vulnerability exists in one of the layers, the enterprise systems will be protected by the other defenses and the impact of the compromise will be limited. These layers of security also increase the time it might take for a threat actor to penetrate an organization, giving infosec teams more opportunity to stop the attack. While a defense-in-depth model should absolutely be deployed, it is not enough to protect modern organizations' application layer.
As organizations move applications to the cloud or to third-party services, they increase their exposure and expand their attack surface. SaaS and business-critical applications share sensitive information with other applications, which leads to interconnected risk. In an interconnected environment, one misconfigured system or security vulnerability can put the entire enterprise at risk.
Many of today’s defense-in-depth strategies fall short because of this interconnected reality. Ransomware (and malware), misconfigurations, or stolen credentials can be leveraged to breach any layer of security in front of the application layer. Then, a threat actor can move laterally, obtaining increased privileges as they go using various tools and techniques, to infiltrate the business-critical applications. One report states 70% organizations say their application portfolio has become more vulnerable in the past year.1
Onapsis Research Shows Threat Actors Targeting Application Layer
While it is no secret that perimeter and endpoint defenses are a key focus and necessary component of every organization’s cybersecurity strategy, this approach is proven to be inadequate at effectively protecting the application layer. As evidenced by threat intelligence from SAP and The Onapsis Research Labs, threat actors are increasingly targeting the application layer directly. These cybercriminals have the motivation, means, and expertise to identify and exploit unprotected business-critical SAP applications — and are actively doing so.
Why does this matter? Business-critical applications such as ERP, SCM, CRM, SRM, PLM, HCM, and BI support the essential functions and processes of the world’s largest commercial and governmental organizations, including supply chain, manufacturing, finance, sales and services, and human resources. Attackers with access to an unprotected SAP system can steal personal identifiable information (PII) from employees, customers, and suppliers; access financial records; deploy ransomware; and disrupt critical business processes such as supply chain management. For organizations that must meet regulatory compliance mandates, such an incident can lead to expensive third-party audits and penalties, including fines and legal action. Given that SAP software is used by more than 400,000 organizations globally and touches 77% of the world’s transaction revenue, the need for security specific to the application layer is vital.
The Need for Business-Critical Application-Based Vulnerability Management
While many organizations have built vulnerability management programs around their network and endpoint environments, the same can’t be said for their business-critical applications. 60% of IT and security practitioners cite application protection as a top objective, but aren’t yet actioning on it.2 There are many reasons for this.
Traditional vulnerability management solutions simply don’t support business-critical applications. Managing this in house is manual, time-consuming, and prone to human error. And even if a vulnerability is identified, it takes an average of 205 days to fix a critical cybersecurity vulnerability.3 Without a vulnerability management tool specific to business-critical applications, organizations face a growing backlog of patches and often lack the prioritization tools needed to manage updates due to the frequency of releases and complexity of patching processes. Furthermore, organizations lack visibility into application activity; there isn’t an easy way to validate if applications are following best practices for user privileges and configurations, leading to unaddressed risk and open attack vectors.
Further complicating business-critical application vulnerability management is the issue of application ownership. Applications are usually managed by IT teams, and security teams lack the visibility and context to identify vulnerabilities in these ecosystems. This dynamic is made even more complicated by specialist SAP Basis and Oracle DBA teams. And across the board, application environments are increasingly complex due to interconnectivity between applications, customization, and more enterprises using both on-premises and SaaS applications.
There’s a better way to protect your business-critical applications. Onapsis Assess provides comprehensive vulnerability management for organizations’ most business-critical applications such as SAP and Oracle. Onapsis Assess provides deeper visibility, automated assessments, detailed solutions and descriptions of associated risk and business impact. Learn more about how Onapsis Assess can play an integral part of your vulnerability management program.
More Reasons Why
Reason 2: The Shift to the Cloud
Reason 3: The Increasing Risk from Bad Actors