Why are SIEM tools blind to SAP? An interesting question, and not only for operators of critical infrastructure who are migrating to SAP S/4HANA.

Ralf Kempf (SAST SOLUTIONS)Cybersecurity is a hot topic right now: increasing numbers of external attacks on company networks during the pandemic and the further professionalization of the attackers have made it even more important. In recent months, we’ve been reading about attacks on companies almost every day, which have suffered consequences up to and including total shutdowns that lasted for days. What elements of SAP security have changed, for whom is Germany’s IT Security Act 2.0 relevant, how can you take this account during migration to SAP S/4HANA, and what can every company do to improve SAP security?


The following interview between Helge Sanden (Editor in Chief of IT-Onlinemagazin) and Ralf Kempf (CTO SAST SOLUTIONS) was published in IT-Onlinemagazin on January 7, 2022.

Mr. Kempf, have security requirements changed recently – and if so, how?

In SAP S/4HANA, the database, user interface, gateway, applications, and authorizations have become even more tightly interwoven. Access to important data has become even more complex and therefore more difficult to monitor, too. That’s why it’s essential for migration projects to include a comprehensive consideration of security and an end-to-end strategy that covers all these issues.

Do you believe it is necessary to take security aspects into account from an early stage of an SAP S/4HANA migration?

In our experience, it is unfortunately still the case that too few companies that are planning their migration to SAP S/4HANA give adequate consideration to security for the new systems.

During the changeover, it is crucial to incorporate a robust, consistent foundation of security in your migration strategy. This is how companies can avoid both the typical pitfalls when changing platforms – for example, forgetting about interfaces and legacy systems – and the transfer of SAP authorizations much too late in the process.

Whether greenfield, brownfield, or bluefield – all the approaches have one thing in common: that there is a number of basic decisions that must be made well before rolling out SAP S/4HANA. Often, we see that the responsible parties aren’t really aware of the challenges they face at the start of a project. This not only costs time later, but also frequently incurs significant additional costs.

In fact, a migration project really gives you the opportunity to take your SAP IT security to a new level, with a cleanly designed, holistically planned security and compliance strategy for safeguarding your IT systems. At the same time, these challenges can be approached as opportunities to improve the security of your SAP target system, streamline your role concepts, and enable use of the new system with all its benefits.

Is the IT Security Act useful for SAP customers?

For whom is Germany’s IT Security Act 2.0 relevant?

The IT Security Act (IT-SiG) requires detailed business continuity planning and disaster recovery scenarios for all operators of critical infrastructure (KRITIS). To date, nine sectors with critical importance to society have been defined as KRITIS operators, whose impairment would result in sustained supply shortages or significant disruptions of public safety – such as energy suppliers, healthcare, the banking system, and transportation and haulage.

In particular, all of these companies are immediately required to install systems for anomaly and intrusion detection (section 8a), which automate these tasks and send notifications of security failures in real time. And they must provide proof of compliance to the German Federal Office for Information Security (BSI) every two years.

Anomaly and intrusion detection systems identify and specify attacks based on log files and network flows. Pursuant to IT-SiG 2.0, however, this log data not only has to be recorded, but also evaluated. As a result, SIEM (security incident and event management) systems will become nearly indispensable for the rapid identification of cyberattacks in the future. This monitoring is often insufficient to ensure SAP security, however, because the specific SAP logs and analyses can rarely be interpreted and, consequently, attack patterns cannot be recognized. Doing so requires the expertise of SAP security professionals and special software. The SAST SUITE, with its Security Radar module, provides components for SAP SIEM monitoring.

…can you also derive recommendations for companies that are not required to comply with the IT-SiG, but still have high protection requirements?

Definitely. Involving a professional SAP security partner is advisable for all companies that run SAP systems – no matter whether it’s as a part of an SAP S/4HANA project or for optimizing and supplementing an existing SIEM system, whether it’s for a small business or a corporation with many SAP systems.

We repeatedly see in practice that even companies that run highly professional IT security, use SIEM, and have gained a mastery of all non-SAP areas tend to ignore SAP, either unwittingly or even intentionally. Maybe because they hope that their SAP employees will regulate it themselves somehow, or because they aren’t even aware that there are ways to close this gap. Some CISOs have to ask themselves: Am I certain that I am giving my SAP systems enough attention? If not, you should combine the two worlds, because it simply makes more sense to do so.

Our security software features practically out-of-the-box functionality to feed this information from SAP to existing SIEM systems of all types, where it can be analyzed further, and all security-relevant incidents – whether in SAP ERP or SAP S/4HANA – can be consolidated with other IT systems. This ensures that SAP is taken into account in SIEM and companies can generate a reliable dashboard-based display of their full security status at the touch of a button. To identify risks, the SAST SUITE not only analyzes SAP logs, but also integrates analyses of configurations and roles.

Think about SAP Security during SAP S/4HANA Migration

What will we be hearing from you at ITOK22 and who should read your experience report if they might not feel concerned yet?

We’ll be sharing our day-to-day practical experiences in our Expert Talk. What are the weaknesses of classic SIEM tools? Why is SAP missed by the detection algorithms dangerously often? How can operators of critical infrastructure guarantee proper interaction between design and management – as well as between monitoring, administration, and auditing – including during SAP S/4HANA migration?

In addition, our customer rku-it GmbH, an IT service provider for energy suppliers, will provide exclusive insights as to how they meet the requirements of the new IT Security Act 2.0 effectively, while simultaneously increasing the audit compliance of their SAP system landscape.

No matter what phase of the changeover to SAP S/4HANA a company is currently in – still in the information phase, developing the migration strategy, or even in specific preparations for the switch – our expert talk will surely give everyone food for thought for their own projects, as well as interesting lessons learned from other projects.

What do you expect the dominating topic to be in the SAP community in 2022?

The inclusion of an integrated security and authorization concept will remain a key task of the overall process of migrating to SAP S/4HANA, because not doing so is often a reason why a transformation fails as a whole. As such, technical system protection, as well as roles and authorizations, will remain among the greatest challenges for SAP system operators in 2022.

In addition, we’re also seeing that SAP security dashboards are becoming more and more important, both in the management view and the detailed worklist for risk mitigation measures. More and more companies need to get the specific, high-quality information they need for a given situation. And minor spoiler alert: that’s why we’ll be diving deeper into this very topic at the IT online conference in May 2022…

We’re looking forward to it. Thank you for the interview.

Helge Sanden, Editor in Chief of IT-Onlinemagazin, asked the questions.

Helge Sanden IT-Onlinemagazin
Helge Sanden (Editor In Chief of IT-Onlinemagazin) 


We recommend the recording of our SAST Expert Talks, on January 27, 2022 at the IT online conference. Request the access link right now: https://t1p.de/z4ti


This might also interest you:

SAP Cyber Security: Five questions and answers about effectively monitoring SAP systems

SAP security: Why SIEM doesn’t spot everything and how you can draw attention to SAP incidents nonetheless