Tuesday, 26 March 2019 08:18

You've been hacked!

You are the CISO of a global brand and your network has been compromised. Your most valuable assets are in SAP and you have no idea if your systems have been infiltrated. Now what?

Which SAP doors were opened and are the systems compromised?

This is a situation that no one wants to find themselves in, and it is of no comfort that you are in the company of the global corporate elite, with the likes of Nvidia, USIS, Sony, Boeing, Maersk, etc. The realization of being hacked is bad enough, but it is even worse not knowing the full extent of the attack. Which systems have been affected, and are the attackers in stealth mode, just waiting to exploit further systems while your SOC team is distracted with putting out fires?

Your SAP systems have been patched and hardened but, hand on heart, is that enough?

Highly unlikely. Furthermore, you have custom code with backchannels that no one can patch, except your internal team. Your executive team is looking at you to provide actionable intelligence on what has been infiltrated and how. Adding to the enjoyment, GDPR requires you to report the incident with a potential data breach to the public within some hours.

We experienced scenarios at major corporations that suffered both large- and small-scale attacks. While the actual attack was indisputable, the extent of infiltration of their SAP applications was not certain. Have SAP systems been compromised? With no real-time threat detection, they had no visibility to determine if the systems had been affected. Naturally, reporting that delicate fact to senior executives was something they would rather avoid, so they called us in to deploy our threat detection capabilities, which we installed within a couple of days.

Manually sifting through SAP logs is close to impossible. When we are called in, we immediately deploy SecurityBridge, our security monitoring suite. SecurityBridge is an SAP add-on which installs natively within SAP and has a very small footprint. Within a couple of hours we can start to process logs and correlations for the SAP applications. Since SecurityBridge comes fully configured, there is no need to manually define identification patterns, which would massively slow down the impact assessment. Since we are tasked with running forensic investigations for events which happened in the past, we instruct the intrusion detection platform to look back in time, crawling through all available log sources.

SecurityBridge scans and correlates data sources and searches for user anomalies and exploited vulnerabilities. An executive report will be produced which includes:

  • A comprehensive assessment as to whether or not SAP has been compromised, all fact based, using available log sources
  • An overview of the most significant vulnerabilities and exploits recorded during the audit period
  • Each vulnerability will be documented with a risk rating, its relation to the recent events and a recommendation for mitigation

The technology used to assess the impact of an attack on your SAP landscape remains in place as a guard, 24/7.

Contact us - in confidence of full discretion - for an SAP impact assessment.
