What businesses miss when protecting their data [Q&A]

No business is immune from the threat of cyberattack, but when it comes to protecting their most critical and sensitive data, many find they are inadvertently helping attackers by leaking information.

We spoke to Paul Laudanski, director of security research at Onapsis, to learn about the most common errors and how to guard against them.

BN: What data is typically stored in business-critical applications like SAP? What major issues do organizations encounter when trying to protect this data?

PL: Not to sound cliché, SAP applications store an organization's most valuable data, from employee records and customer information to financials, essentially, all sensitive and confidential information. For some industries, it holds the critical business information used to conduct their main operations.

When talking with security leaders, the biggest issue is how addressing SAP security is often treated as checking a box for budgetary reasons. Many just meet the minimum standards and say they have compliance and security protection from a business risk perspective, and it works. However, it's not enough to actually protect against today's cybersecurity landscape and the requirements set by SAP to migrate to the cloud by 2027. We often see companies caught in breaches of SAP data because of either shortcuts they take in their security, or the breach occurs before security teams are matured. Additionally, with the deadline of RISE with SAP quickly approaching, there is the potential for many organizations to run into problems when migrating to the cloud securely and efficiently. This could lead to bigger issues down the line when it comes to compliance standards and go-live dates.

Security teams need to take a lot of factors into consideration when trying to protect this data; quick-fix solutions can lead to small mistakes with large implications and delays when trying to go-live due to compliance requirements. Executives need to understand the importance of budget, people, processes and technology for proper implementation. They also must recognize the continued maintenance and leveling up maturity of a holistic program to put their best foot forward in defending their SAP installations.

BN: What common security practices, if any, do organizations use to protect these applications? Is it enough?

PL: Bottom line up front: ensure logs are enabled and processed for critical events, understand what vulnerabilities your environment has and get those patched, and conduct subject-specific penetration testing to reveal the gaps.

I recommend organizations use at least a commonly accessible vulnerability scanner to start. They are typically great at finding at-risk data across the spectrum of tools and protocols, and it's certainly a step in the right direction. However, when security leaders need deep analysis and up-to-date understanding, go with solutions that offer a tailored fit to the environment.

Scanners can only go so far, and with today's threat landscape, security teams need to take their common security practice a step further and take the time to conduct penetration testing (pen testing). Scanners will cover the basic requirements needed by organizations but can only provide so much information. Pen testing evaluates the SAP environment and gives organizations the actionable insights they need to protect their most critical information accurately. To save time and money in the long run, organizations should expect to run security tests regularly (at the minimum once a year) to ensure their SAP ecosystem is secure.

Leaders must decide how seriously/proactively they want to take SAP security and determine how the business monitors, secures and responds to SAP vulnerabilities. Security leaders need to embrace the fact that it is no longer good enough to just check the box; instead, it's embedding security policy, practices and measures into the company's day-to-day operations to prevent exploitation of vulnerabilities in their SAP applications.

BN: Based on your experiences and interactions with customers, can you share the most common mistakes you see organizations making when protecting their data?

PL: There are a few frequent mistakes we see organizations make when trying to protect their data:

  • Keeping default credentials or storing these credentials on file systems
  • Misconfigurations of systems and protocols
  • Miscommunication between security teams, leaders and employees
  • Lack of understanding of what must be in the cloud versus what is needed
  • The perception that the organization did everything it could when it comes to security
  • Protocols or services left open or running that the organization does not really need
  • Not monitoring or responding to critical events in logs

In my opinion, the misconception of how secure they think their SAP ecosystem is, is the most dangerous mistake. Companies need to have a realistic understanding of what their security systems cover and what could be left vulnerable to threat actors. For example, an SAP system that is only accessible internally must not be considered 100 percent safe from outside attack.

BN: When/if security teams don't have the above applied, how do threat actors take advantage of obtaining this data?

PL: It all starts with patching; if organizations are not patching their systems, then there is no SAP internal mechanism to prevent its exploitation. Additionally, if security teams are not logging interactions with SAP, they're not going to be able to see critical incidents, such as when threat actors are in their systems and creating privileged accounts.

It's the ultimate game for cyber attackers and cyber defenders. Once threat actors gain access to a small part of the network, they can take down the whole organization. Over the years, we’ve seen power grids, water systems and governments being taken down because of threat actors sitting and waiting in the network. All threat actors need to do is compromise an SAP application, sit on that system, exfiltrate the data and sell access to other criminals that may want entry into that environment so that they can do with that data what they want. There are a myriad of things that can happen if security teams are not monitoring, alerting or patching.
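The logging point above, that teams who are not logging SAP interactions cannot see threat actors creating privileged accounts, can be made concrete with a small detector. The following is an added example, not code from the interview or from Onapsis: it parses constructed, SAP-style audit log lines in an invented layout and flags three conditions a defender would want alerts on. The log format, field names, rule names and all sample values are assumptions made for this example; SAP*, DDIC and the other default accounts, and the SAP_ALL/SAP_NEW profiles, are SAP's well-known defaults, but a practitioner would adapt the parser to the fields their own Security Audit Log actually emits.

```python
"""Minimal audit-log detector for privileged account creation and default-account use.

Added example with a constructed log format; not SAP's real Security Audit Log layout.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (layout invented for this example):
# <timestamp> <client> <actor> <terminal> <event> [<target>] [<extra>]
SAMPLE_LOG = """\
2024-05-01T08:02:11Z 100 JSMITH WS-0412 LOGON_OK -
2024-05-01T08:05:43Z 100 JSMITH WS-0412 USER_CREATED SVC_REPORT
2024-05-01T08:06:01Z 100 JSMITH WS-0412 PROFILE_ASSIGNED SVC_REPORT SAP_ALL
2024-05-01T09:15:22Z 000 SAP* 10.0.0.7 LOGON_OK -
2024-05-01T09:16:05Z 000 SAP* 10.0.0.7 USER_CREATED BACKUP_ADM
2024-05-01T10:00:00Z 100 DDIC WS-0101 LOGON_FAIL -
2024-05-01T11:20:00Z 100 JSMITH WS-0412 PROFILE_ASSIGNED MWILSON SAP_NEW
2024-05-01T14:30:00Z 100 AKHAN WS-0200 USER_CREATED TEMP_USER
2024-05-01T16:45:00Z 100 AKHAN WS-0200 PROFILE_ASSIGNED TEMP_USER SAP_ALL
"""

# Assumption: these are SAP's well-known default accounts and all-powerful profiles.
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}
PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{3}) (?P<user>\S+) (?P<terminal>\S+) "
    r"(?P<event>[A-Z_]+)(?: (?P<target>\S+))?(?: (?P<extra>\S+))?$"
)


@dataclass
class Alert:
    severity: str
    rule: str
    actor: str
    target: str
    line: str


def parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Run the three rules over the log and return alerts in log order.

    Rule 1: any activity by a default account (failed logons rated medium, else high).
    Rule 2: a user created and then given a privileged profile within `window` is
            a privileged account creation (high).
    Rule 3: a privileged profile assigned outside that pattern is still worth
            review (medium).
    """
    alerts = []
    created = {}  # target user -> (creator, creation timestamp)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Lines the parser cannot read must not be silently dropped.
            alerts.append(Alert("low", "unparsed_line", "-", "-", line))
            continue
        ts = parse_ts(m["ts"])
        user, event = m["user"], m["event"]
        target, extra = m["target"] or "-", m["extra"]

        if user in DEFAULT_ACCOUNTS:
            sev = "medium" if event == "LOGON_FAIL" else "high"
            alerts.append(Alert(sev, "default_account_activity", user, target, line))

        if event == "USER_CREATED":
            created[target] = (user, ts)
        elif event == "PROFILE_ASSIGNED" and extra in PRIVILEGED_PROFILES:
            origin = created.get(target)
            if origin and ts - origin[1] <= window:
                alerts.append(Alert("high", "privileged_account_created", user, target, line))
            else:
                alerts.append(Alert("medium", "privileged_profile_assigned", user, target, line))
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per severity, the figure a SOC dashboard would show first."""
    counts: dict = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity:6}] {a.rule:28} actor={a.actor:8} target={a.target}")
    print(summarize(found))
```

The correlation window is the design choice worth noting: the TEMP_USER creation and its SAP_ALL assignment are more than two hours apart, so they are reported as a medium-severity profile assignment rather than a high-severity privileged account creation, and an analyst tunes that window to how their own administrators actually work.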

BN: What can security leaders do to ensure they are comprehensively protecting their customers' most essential information?

PL: Start with the foundational aspects; the NIST Cybersecurity Framework lays out a good outline of what a basic cybersecurity program looks like and will provide security leaders with what they need to have a comprehensive security program. Then, there is the Cybersecurity Capability Maturity Model, which addresses the Cybersecurity Framework from different tiers. This is from the perspective of being a reactive security approach and switching to a proactive, adaptive maturity model. Tier 4 is the highest level of maturity defined by the NIST; it not only checks the box but also goes beyond it so to speak.

Company leaders need to invest in tools that are able to ingest logs and identify alerts. This will help prevent teams from getting burnt out by the amount of data they experience daily since I often see how this much data burns out security operations center (SOC) teams. SOC teams need an understanding of vulnerabilities and attacks as well as a way to assess those risks in their own environments.

In addition to understanding, security leaders need to embrace accountability. Accountability is a key element of progress. Management ensures progress and production to implement a cybersecurity framework, but many also need a third party to help stay accountable. This can be internal or external, through legislation or industry standards. This is the same case with tools; they help organizations stay accountable within the foundational framework.


© 1998-2025 BetaNews, Inc. All Rights Reserved.