
Defending Connected SAP Systems Against Emerging Threats Using Deception Technology

By Moshe Ben Simon | December 16, 2021

Protecting business-critical data is becoming increasingly complex—and by extension, increasingly relevant for today's organizations. One critical element of this evolution is their increasing reliance on and hyperconnectivity across foundational technologies such as data centers, cloud platforms, SaaS applications, and broadly adopted software vendors like Microsoft and SAP.

SAP is among the world's largest software companies. Some 92% of the Forbes Global 2000 use at least some of their enterprise application solutions, and most of those companies deploy SAP S/4HANA in their cloud, whether public or private. And by 2027, even more SAP customers will need to migrate to SAP S/4HANA as they have announced the end-of-life of older versions of their integrated application solutions (the SAP Business Suite). In addition, with SAP FIORI being used as the new user interface, SAP Systems are also increasingly exposed to the internet to provide services to customers and employees.

While changes like these are designed to support today's increasingly hybrid networks and workforces, they also shift the threat landscape and potential attack vectors. And far too many organizations are learning the hard way that the legacy security systems they have deployed in their traditional data centers don't easily translate to cloud and remote network environments. So, as broadly implemented SAP Systems are increasingly deployed in the cloud and accessed through the internet, organizations need to ensure they have deployed an equally secure infrastructure in the cloud that also provides the flexibility that today's meshed architectures require as they expand to include branch locations, home offices, and mobile users.

This isn't just theoretical. SAP released a joint threat report with Onapsis in April 2021 that looked at active cyberattacks on mission-critical SAP applications. This report provides a great view into the threat landscape of SAP. And their concerns were well-founded. Within 72 hours of releasing a subsequent security update, SAP identified exploits actively targeting publicly exposed SAP Systems. And as any cybersecurity professional can tell you, it is not always possible to install necessary software updates within this time period, especially given the complexity and criticality of SAP Systems.

In addition, ransomware and insider threats have already begun expanding the number of threats targeting SAP Systems. Based on the trends we have seen, an attack against SAP Systems could possibly look like the following:

  • An attacker uses phishing or other means to compromise a victim's computer.
  • The attacker then searches through the victim's computer to find interesting files, credentials, configurations, software used, etc., that they can leverage for moving laterally across the network.
  • An attacker searching a local desktop who finds an SAP software installation directory will also likely find the SAP GUI configuration file (saplogon.ini). This points them to the victim's SAP Systems, which are often widely accessible from the client network.
  • At this stage, the attacker could then try to extract the victim credentials, sniff SAP traffic, attempt brute force attacks, or even run a "Man-in-the-Middle" attack to access the SAP system.

Addressing challenges like these that arise when SAP S/4HANA can be deployed either on a public or private cloud requires a security solution that can support both infrastructures to protect the SAP endpoint.

One of the most effective strategies for protecting SAP Systems running over hybrid clouds and mobile users involves obfuscating the underlying network, so attackers have no clear idea about what to target or how to proceed without triggering an alarm. Advanced deception technologies, like FortiDeceptor, add layers of enticing traffic and pseudo devices to the network, filling it with landmines and tripwires, so any unauthorized movement automatically triggers an overwhelming response.

FortiDeceptor has the bonus of using a single pane of glass interface to provide a unified view across the expanded and expanding network. This allows administrators to manage and orchestrate configurations and aggregate collected threat intelligence. It also automatically initiates a unified response to shut down intruders and malware before they can achieve their objectives, protecting their users, connected devices, and investments in critical SAP Systems.

A typical FortiDeceptor deployment for protecting SAP systems

  • Deploy SAP decoys (SAP S/4HANA, Dispatcher, SAPRouter) across your public and private cloud.
  • Deploy the SAP lure (saplogon.ini) across your endpoints to deceive the attacker into engaging with fake SAP servers and routers. (Keep in mind that the deception lure is an agentless technology.)
  • Use the fabric connector to connect FortiDeceptor with other Fortinet products, like FortiGate, FortiNAC, and FortiEDR, as well as other third-party tools used for threat mitigation. The idea is to automate threat isolation against infected machines based on a FortiDeceptor alert.

With this sort of deployment, an attacker will either be detected during the network reconnaissance phase by the SAP decoys or at the endpoint penetration level by the SAP lure.
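As an added example, not code from the original post or from FortiDeceptor, the detection logic that this deployment relies on: the decoy inventory is read from the same saplogon.ini lure handed to endpoints, and any connection from any host to a decoy host and port is a high-fidelity alert, because no legitimate user has a reason to reach a fake SAP system. The saplogon.ini layout, addresses, and log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed lure content in a classic saplogon.ini layout (assumed here):
# ItemN in each section describes one decoy system. Instance 99 is the SAPRouter decoy.
LURE_INI = """\
[Description]
Item1=PRD ERP
Item2=SAPRouter
[Server]
Item1=10.20.30.40
Item2=10.20.30.41
[System]
Item1=00
Item2=99
"""

# Constructed connection-log lines (src, dst, dport) for the example.
CONN_LOG = """\
2021-12-16T10:00:01 conn src=10.1.1.5 dst=10.20.30.40 dport=3200
2021-12-16T10:00:02 conn src=10.1.1.5 dst=10.20.30.41 dport=3299
2021-12-16T10:00:03 conn src=10.1.1.9 dst=10.20.31.10 dport=3200
"""

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_saplogon_ini(text):
    """Return {ItemN: {section: value}} from saplogon.ini-style text."""
    entries, section = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif section and (m := re.fullmatch(r"(Item\d+)=(.*)", line)):
            entries[m.group(1)][section] = m.group(2)
    return dict(entries)

def decoy_endpoints(ini_text):
    """Decoy (host, port) pairs: the SAP dispatcher listens on 32NN for instance NN,
    so the router decoy listed as instance 99 maps to the conventional SAPRouter port 3299."""
    return {(item["Server"], 3200 + int(item.get("System", "00")))
            for item in parse_saplogon_ini(ini_text).values() if "Server" in item}

def decoy_touches(log_text, decoys):
    """Map each source host that touched a decoy to the decoys it reached; one hit is
    enough to flag the source for isolation via the fabric connector."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if (m := LOG_RE.search(line)) and (m.group(2), int(m.group(3))) in decoys:
            alerts[m.group(1)].append((m.group(2), int(m.group(3))))
    return dict(alerts)
```

The host 10.1.1.9 only contacts a real SAP address and is never flagged; 10.1.1.5 touches both decoys and is reported once with both hits.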

The business benefits of using FortiDeceptor to protect SAP systems are very clear:

  • Ease of deployment with a minimal maintenance footprint.
  • A passive, agentless solution that does not require any network topology changes.
  • High-fidelity alerts combined with an automated mitigation response.
  • Attack detection early in the kill chain to reduce dwell time.

Securing SAP S/4HANA is just as critical as ensuring the availability of the SAP System and its data. FortiDeceptor provides a wide range of technical controls to help reduce the risk of deploying this business-critical asset to remote end users and across hybrid cloud environments.

To learn more about FortiDeceptor, visit FortiDeceptor: Deception-based Breach Protection Overview.