The details of China’s latest five year plan covering the period between 2016-2020 are expected to be released next month but early indications suggest it will focus upon reducing China’s reliance on foreign technology. Intelligence agencies and security researchers contend there is a strong correlation between industries targeted for growth by China and industries that suffer data breaches as a result of targeted attacks. For example, China’s last five year plan covering 2010-2015 focused upon sectors such as energy, healthcare and manufacturing. Over the same period, companies within these sectors experienced large-scale breaches that bore the hallmark of state-sponsored attacks. This includes organizations such as Anthem, US Steel, Medtronic and Westinghouse.
Since the new five year plan will launch during a period of unprecedented low growth in China, it is expected to lead to even more aggressive economic espionage in the form of cyber attacks against sectors targeted by China. This is likely to accelerate the shift from cyber attacks performed by criminal gangs for financial motives to state-sponsored cyber espionage driven by the strategic objectives of nation states.
According to the recently released Global Threat Report from CrowdStrike, the industry most at risk from China’s attention is energy. The new five year plan is expected to include objectives for building more nuclear power facilities, clean energy technology, and reducing China’s dependence on foreign oil. Next in line is transportation as China seeks to expand its airline and high speed rail industries, and domestic car production, including support for electric and hybrid transportation. Third is the public sector. China is expected to increases efforts to target foreign governments and think tanks in order to further its national interests. Fourth is the defense industry, particularly weapon systems, military personnel information, logistics, and technology related to aircraft carriers and drones. Fifth is the technology sector including the semiconductor industry, software source code, and social media applications that China is looking to replace with domestic versions. Other industries that are expected to feature heavily in the plan are healthcare, telecommunications, finance, manufacturing, media and agriculture. The Global Threat Report is available at crowdstrike.com.
SAP Solution Manager is the second most widely deployed SAP product after ECC. In other words, there are more installations of SolMan in the world than there are for products such as BI, PI, CRM and SRM. This isn’t surprising when you take into account that SolMan is for IT what ECC is for business: it drives the entire system lifecycle including design, deployment and maintenance. It provides a centralized platform for monitoring system operations, managing changes, provisioning users, and a score of other core IT services. Yet, despite it’s versatility and widespread deployment, most organizations fall short of leveraging the full potential of SolMan. This is especially the case for system security.
Other than central user administration, earlywatch alerts, and system recommendations, most SAP customers are in the dark when it comes to other tools in SolMan that could be used to further security. This includes tools to manage and secure custom code (Clone Finder, Coverage Analyzer), identify security risks (SOS), and validate compliance using customer-specific security policies (Configuration Validation). The SAP paper Managing Security with SAP Solution Manager is intended to bridge this gap by informing customers how to realize the potential of SolMan for security. According to SAP, SolMan’s deep connectivity into systems, it’s central position in each landscape, and its link to the SAP extranet provides the ideal platform for defining, implementing and sustaining secure system landscapes. The paper can be downloaded directly from SAP using this link.
Released earlier this month, the third version of the SAP Cybersecurity Framework includes important changes in the areas of transport layer security, logging and monitoring, and vulnerability management. It also discusses the most significant hack against SAP systems to date: the devastating data breach suffered by U.S Investigation Services (USIS). USIS performed background checks on prospective federal employees for the Office of Personnel Management (OPM) and other government agencies before it’s contracts were severed after the announcement of the breach in 2015.
The breach is estimated to have impacted the personal information of up to 20 million individuals. According to the findings of an internal forensic investigation, attackers were able to breach systems at USIS by exploiting an undisclosed vulnerability in a connected SAP ERP system sometime in 2013. The attack went unnoticed by intrusion detection and other network-level monitoring devices. The specific vulnerability exploited by the attackers has been the subject of widespread speculation by security researchers. Some have argued that the breach was caused by a brute-force password attack. Others have pointed towards RFC exploits or unapplied security patches. The source of the breach could have been any one of these or a combination of other vulnerabilities. The wide attack surface presented by SAP systems makes it impossible to pinpoint the root cause without access to the log data. Regardless, the breach demonstrated the destruction that can be wrought by successful attacks against vulnerable SAP systems. The contracts lost by USIS as a direct result of the attack were valued at $3 billion. The organization laid off 2500 workers and filed for bankruptcy shortly after the public announcement of the breach.
For transport layer security, the framework has been updated in line with RFC 7568 issued by the Internet Engineering Task Force (IETF) for deprecating Secure Sockets Layer Version 3 (SSL v3). SSL was the standard protocol for securing Web-based communication between clients and servers. Support for SSL has been gradually waning as a result of the growing awareness of weaknesses in its encryption scheme and key exchange mechanism. The POODLE vulnerability proved to be the final straw since it could be exploited to break encrypted SSL sessions and access sensitive data passed within such sessions including cookies, passwords and tokens.
The new version of the Framework includes an improved section on Read Access Logging (RAL). RAL should be configured to log access and changes by unauthorized users for sensitive data fields in SAP systems. This includes fields for banking, credit card and salary data. Exclusion lists can be maintained to rule out logging for authorized users. Together with the updated framework, you can also refer to an earlier Layer Seven article on protecting sensitive data in SAP systems using RAL for more information.
Lastly, much of the technical jargon related to Configuration Validation (ConVal) in earlier versions has been removed to focus on the core use-case for ConVal. ConVal is a powerful vulnerability management framework included in SAP Solution Manager that is recommended by SAP for managing vulnerabilities in SAP systems.
Since licensing for Solution Manager is included in SAP support and maintenance agreements, ConVal provides the most cost-effective alternative to third party tools.
You can download version 3 of the SAP Cybersecurity Framework in the whitepaper Protecting SAP Systems from Cyber attack from the Resources section.
One of the most telling statistics revealed at BlackHat USA earlier this year was the fact that 84 percent of InfoSec professionals regard unmanaged privileged credentials as the biggest cyber security vulnerability within their organizations. For SAP environments, the dangers posed by abusing user accounts with privileged access are well-known and can include shutting down SAP servers to interrupt the availability of services, reading or modifying sensitive information, and performing unauthorized changes to system configurations, programs, users, and other areas. For this reason, privileged access is carefully granted and vigilantly monitored in most systems, especially productive systems. This includes privileges assigned through powerful authorization profiles such as SAP_ALL, SAP_NEW, S_ABAP_ALL and S_A.SYSTEM.
However, countermeasures to prevent abuses of privileged credentials in SAP systems are usually focused upon dialog users since interactive logon is not possible with most other user types. This includes system users that are used for background processing. Therefore, it’s common to find system users with privileged access in productive systems, especially when such users support several cross-system connections and integration scenarios.
The risks posed by system users with privileged credentials should not be overlooked and can be as grave as those posed by dialog users. Attackers are able to modify user types from system to dialog in several ways. The most common method is through the Function Builder used to build, test and manage function modules.
Attackers can access the Function Builder through transaction SE37 in a connecting system to execute the BAPI_USER_CHANGE remote-enabled function module (RFM). This RFM can be used to implement user changes in destination systems. The changes are applied using a privileged system user in the destination system. The credentials for such users are often stored in RFC destinations configured in connecting systems. The relevant RFC destination is entered in the field RFC target sys of the Function Builder (see below). The username of the system user configured for the RFC connection is entered in the USERNAME import parameter. Finally, the values of the LOGONDATA and LOGONDATAX are maintained to specify the dialog user type.
Once executed from the connecting system, BAPI_USER_CHANGE will change the system user to a dialog user type in the destination system through a remote function call. This will enable the attacker to logon to the destination system through methods such as the Remote Logon option in the RFC destination maintained in the connecting system (see below).
Since attackers can bypass the restrictions placed on system users by abusing the privileged credentials provided to such users, it stands to reason that super user privileges should be managed for all user types, not just dialog users. This should include minimizing privileges for technical system and communication users to the minimum required for each scenario. Trace tools such as STAUTHTRACE, STRFCTRACE and STUSOBTRACE can be used to identify the authorization objects required for each user. This should be supported by enabling switchable authorization checks for sensitive function modules such as BAPI_USER_CHANGE, BAPI_USER_CREATE1 and BAPI_USER_PROFILES_ASSIGN, and, in NetWeaver releases 7.4X, enabling Unified Connectivity (UCON) to restrict external access to remote-enabled function modules.
RFC destinations with stored logon credentials can be identified using the config store RFCDES_TYPE_3 in Configuration Validation (ConVal). RFC users with critical profiles such as SAP_ALL can be identified using the store RFCDES_TYPE_3_CHECK. See below.
Earlier this month, the New York Stock Exchange released a definitive guide to cybersecurity targeted at directors and officers of public companies. Developed with Palo Alto Networks, the guide includes contributions from over thirty-five industry experts and contends with a wide range of questions including legal and regulatory issues, cyber insurance, supplier risks, and incident detection and response. It also discusses investor perspectives towards cybersecurity and cites a recent survey of 130 global institutional investors with an estimated $3 trillion under management that reveals 4 out of 5 institutions would blacklist the stocks of hacked organizations. The full report can be downloaded here.
According to the guide, cybersecurity risk management plans should include several critical countermeasures. One of the most important is effective patch management. In fact, the report points out that “system compromise and data breach are rarely the result of some sophisticated attack that no one has ever been seen before. The bulk of effective attacks use vulnerabilities that have been known for years…..Lack of patching and other standard security issues are normally the culprits” (p95).
This suggests that more active and rapid patching can significantly lower the risk of successful cyber attack. For SAP customers, this calls for the regular application of SAP-delivered security patches to address programming and other flaws. Security fixes are generally released by SAP on Security Patch Day, scheduled for the second Tuesday of every month. Corrections are packaged in Hot News, Security and Support Package Notes that are available through the SAP Support Portal.
There are several options for discovering relevant Security Notes for SAP systems. The first is directly through the SAP Support Portal using preconfigured filters for registered systems and products. Automatic email notifications can be setup through the Portal for newly released Notes.
The third is a standard report available in Configuration Validation (ConVal). Although this approach draws upon SysRec, it consolidates missing SAP patches for all systems across landscapes. This is useful if you need to check the patch status of several systems at the same time. The instructions below provide a step-by-step guide for detecting unapplied SAP Security Notes using ConVal.
Step 1. Open Configuration Validation from the Root Cause Analysis or Change Management work center in SAP Solution Manager. Click on the image below to enlarge.
Step 2. Select the Reporting Templates option from the Report Execution tab.
Step 3. Select the report highlighted below and click ‘Start configuration reporting’.
Step 4. Maintain the filters for the report by selecting specific SAP System IDs (SIDs), system types, areas, and the date range. In the example below, we have selected Hot News and Security Notes released between Jan-Sep 2015 for all ABAP systems in the landscape. Click Execute when you are done.
Step 5. Analyze the results. In the report below, the table on the left provides a count of missing Notes by SID. The table on the right displays the unapplied Notes in each row against SIDs in each column.
The details of each unapplied Note are provided in the lower section of report. This includes version, description, priority level, and impacted application components. The results can be filtered by priority level to focus on Hot News and High Priority patches. Results can also be exported to .xls and other file formats for further analysis.
How to Implement Advanced Security Monitoring Without Third-Party Software
The fear and anxiety driven by the wave of cyber attacks in recent years has led many companies to bolster their security programs. It’s also led to a stream of software solutions from third-party developers offering to solve customers’ cyber security challenges. You may have heard the sales spin, watched the demos, and even considered the proposals. But before you launch the purchase order, ask yourself: Is there an alternative? What if the tools you need to secure your SAP systems were available to you at this very moment?
SAP has equipped customers with a variety of tools to protect against even the most advanced forms of cyber threats. The tools are available in SAP Solution Manager and include:
1. Configuration Validation: Implement automated vulnerability checks across your entire SAP landscape
2. System Recommendations: Detect security-relevant SAP patch day and support package notes
3. Change Analysis: Analyze the root cause of changes in your SAP systems
4. End-to-End (E2E) Alerting: Investigate email and SMS alerts for critical SAP security events
5. Security Dashboards: Monitor the health of your SAP systems in near real time
The need to monitor access to classified data in SAP systems has never been greater. End users are increasingly working with SAP data from outside the borders of corporate networks. Corporate information is also increasingly under threat from cyber criminals, hacktivists, cyber spies and terrorists that seek to exploit classified information for financial gain or to further ideological or national interests.
Read Access Logging (RAL) empowers organizations to combat these threats by providing the ability to detect and contain information leaks before they escalate into large-scale data breaches. This is performed by logging and monitoring access to sensitive data in SAP systems. RAL can also be used to identify malicious changes by tracking old and new values for classified data.
This article will explain how you can enable RAL in your SAP systems. The use-case illustrated in the article is sensitive employee data including social security numbers (SSN), salary and banking information. However, RAL can support any use case including health records, payment data, pricing information, etc. It can also be used to monitor access to custom data fields in your SAP systems.
RAL is accessed using the SRALMANAGER transaction. The screen below displays the options available in the Administration tab of the control panel. You will need the templates roles SAP_BC_RAL_ADMIN_BIZ, SAP_BC_RAL_ADMIN_TEC and/ or SAP_BC_RAL_CONFIGURATOR to administrator RAL.
The options in the Administration tab are organized in line with the sequence of activities performed to configure RAL. The first step is the definition of Logging Purposes. A log purpose is the specific use-case for the log groups you will create in later steps. In the example below, we have created a use-case to group sensitive employee-related data.
Next we must create Log Domains. These are assigned to data fields to support log analysis since many fields are unintelligible when relying on just system identifiers. The screen below captures the log domains we have created for employee data including banking information, salary and SSN.
Once we have defined our log domains, we must configure recordings to capture the data fields that we will assign to the domains. Recordings can be used for SAP GUI (Dynpro) and Web GUI (Web Dynpro) sessions. Below we have created a recording to capture specific types of employee information using SAP GUI. Click on the image to enlarge.
We can choose the data fields to log by selecting the Record Field option in the context menu. The screen below shows that we have selected to record the SSN field during a recording session in an IDES system with mock data using SAP GUI.
The fields captured in RAL during the recording sessions are assigned to log domains during the configuration step. In the example below, we have assigned the SSN field to the SSN log domain. You can choose to record field values in log entries during this step and to include/ exclude initial values. You can also specify whether the trigger for logging should be data entry performed by the end user or data displayed to the user or both. Specific users can be excluded from RAL using the User Exclusion List. Therefore, we can ensure HR and other users that require access to employee information for their role are not included in log results.
The final step is enabling RAL by maintaining the profile parameter sec/ral_enabled_for_rfc in each application server. RAL configuration settings can be transported within your SAP landscape using transaction SRAL_TRANS.
Log analysis is performed using the options in the Monitor tab. This can be performed using the role SAP_BC_RAL_ANALYZER.
The entries for all log domains are displayed below. The first entry in the log reveals that the user SAPADMIN successfully read the SSN of employee ID 109815 at 9.06AM on September 18, 2015.
Other log entries reveal that the user also accessed the bank details and salary information of the employee on the same day. See below.
Changes performed by SAPADMIN for data fields logged by RAL would be displayed as separate log entries if we had selected the option to record field inputs with values.
RAL is available in NetWeaver 7.40 but SAP intends to make it available for earlier releases. For further information including professional services to enable Read Access Logging in your SAP systems, contact Layer Seven Security.
For logging table-level access in SAP systems, we recommended using the Workload Monitor accessible through transaction ST03. You can configure table access logging for up to five transactions including well-known table maintenance transactions such as SE16, SM30 and SM31. The log below from the Workload Monitor displays the number of records viewed or modified using transaction SE16 for the user table USR02 during a specific date. Large record counts could indicate a potential data breach. Correlation with transaction starts performed by users logged in the Security Audit Log or STAD should be possible using conventional SIEM solutions or SAP Enterprise Threat Detection.
Can you trust SAP with your system security? The question is worth pondering, not least since it is one of the key arguments used by third party software vendors to support the use of their security tools over SAP-delivered solutions. Although the argument is usually made in the context of vulnerability management for cybersecurity, the logical extension of this point of view is that SAP shouldn’t be trusted for any security domain, including access control, identity management, program development, and security patching. In this article, we discuss whether SAP has earned the right to your trust and the implications of a low-trust and a high-trust relationship with SAP for your security needs. The discussion will be driven by the notions of trust taxes and trust dividends which can either constrain or multiply your organization’s performance.
But, firstly, what is trust? There are many definitions but they all boil down to a single concept: confidence. Trust is confidence in the integrity, strength or ability of someone or something. By this definition, most economies and societies are low-trust. According to one of the most widely-known studies of global perspectives on trust, confidence in governments, leaders, and organizations has never been lower. The Edelman Trust Barometer has charted the worldwide decline in trust levels over 14 years. In 2014, the study surveyed 33,000 people in 27 countries. Although it revealed a general level of mistrust in people and institutions, it’s important to note that trust is impacted by many factors including geography and industry. Interestingly, companies based in Germany or operating in the technology sector tend to command the highest levels of trust.
Security is driven by mistrust. Therefore, it’s not surprising that organizations are investing in resources, training and technologies to strengthen information security in environments with declining levels of trust. The reaction is understandable and necessary given the dramatic rise in cybercrime, commercial espionage and insider threats. Improved security measures can realize substantial, tangible benefits but there is a cost. This includes not only the direct costs associated with investing in further resources, training programs and security tools, but indirect costs arising from the organizational impact of security measures. Mistrust can be very expensive.
Performance is often measured as the outcome of an organization’s strategy and its ability to execute on the strategy. In other words, strategy + execution = results. However, there are hidden variables that can undermine this equation. The results of a great strategy combined with flawless execution can be undone by low levels of trust which push up costs and reduce the speed of execution. This is known as the so-called Trust Tax. On the other hand, results can be amplified in high trust scenarios since costs are held down and the pace of execution is higher. This is called the Trust Dividend.[1]
Based on this model, organizations that trust SAP-delivered solutions for vulnerability management should be able to realize a trust dividend by minimizing the cost side of the equation: vulnerability management can be performed using standard components in SAP Solution Manager over licensing third party solutions. However, the question remains: can SAP be trusted to provide sound and independent security guidance?
Trust requires creditability. Credibility is based on integrity, intent, capabilities and results. Therefore, to answer this question, we must ask another: is there any reason to doubt the integrity or intent of SAP or question its capabilities and results? I can think of none. SAP’s commitment to educate and empower customers with insight and tools to manage the security of its solutions is undeniable. Its difficult to imagine any benefit SAP could derive from anything other than an honest and transparent approach to security. SAP has demonstrated its commitment to improving software quality by strengthening development procedures to detect and remove program vulnerabilities before general availability. It has also established a robust security response process to deal with vulnerabilities identified by internal teams and external researchers. Finally, SAP continues to deliver innovative solutions to enable customers to deal with today’s threat landscape. This includes tools designed to:
Discover data leaks (Read Access Logging)
Detect system vulnerabilities (Configuration Validation)
Manage security patches (System Recommendations)
Control access to sensitive function modules (Unified Connectivity)
Analyze security-relevant changes (Change Analysis)
Remove redundant custom code (Coverage Analyzer)
Secure custom code (Code Vulnerability Analyzer)
Detect attacks in real-time (Enterprise Threat Detection)
So, can you trust SAP with your system security? The answer is, why not?
According to a recent study performed by the Center of Strategic and International Studies, the annual cost of cybercrime is more than $400 billion. This is equal to almost 1 percent of global income and higher than the national income of most countries. The report states that “The most important loss from cybercrime is in the theft of IP (intellectual property) and business confidential information, as this has the most significant economic implications”. In fact, some estimates place the cost of IP theft higher than the actual returns to IP creators: According to the World Intellectual Property Organization (WIPO), the world IP market generates $180 billion a year in fees and royalties, whereas IP theft costs the US economy alone more than $200 billion. This means that eliminating IP theft could more than double the returns on innovation for IP-generating firms.
Losses can vary significantly between sectors. The risk of IP theft and losses resulting from stolen data is higher in sectors where IP can be more readily monetized such as finance, chemicals, aerospace, energy, defense and IT. The impact of IP theft on individual firms can also fluctuate depending on how closely R&D and innovation-driven IP is tied to profitability. In extreme cases, it can lead to a complete collapse in profits. This is illustrated by the experience of Codan, an Australian technology company that manufactures mining and communications equipment. Codan’s net profit fell by 500 percent in a single year from $45M to $9M following the theft of technology blueprints during a targeted cyber attack. The stolen blueprints were used by counterfeiters to manufacture imitations that substantially undercut the price of genuine products manufactured by Codan. Despite slashing the price of its products, Codan was unable to stem the loss of market share that eventually eroded the company’s profits. The attack against Codan was profiled in a recent episode of Four Corners, a current affairs program aired by the Australian Broadcasting Corporation. The episode can be viewed below and underlines the destructive impact of financially-motivated economic espionage. According to research performed by Symantec and Kaspersky, such attacks are growing in volume and sophistication. They are frequently performed by organized criminal groups that target high-value corporate information that can be exploited for insider trading or other purposes.
Protection against such threats requires a layered security strategy including countermeasures at the network, OS, database and application level. For SAP application stacks, you can refer to Layer Seven’s white paper Protecting SAP Systems from Cyber Attack. The paper outlines a comprehensive approach for securing SAP systems against advanced threats and includes guidance for encrypting sensitive communications, securing access, implementing robust password policies, effectively patching SAP systems, and other areas.
The fallout from the record-breaking breach disclosed by the Office of Personnel Management (OPM) earlier this month reached a low point at a Capitol Hill hearing on June 16. During the hearing, members of the House Committee on Oversight and Government Reform scolded OPM officials and IT executives for their “complete and utter failure” to protect sensitive personal information stored in compromised systems. The breach is estimated to impact at least 3.2M federal employees and contractors. However, the number of breached records may be as high as 14M.
While the root cause of the breach is yet to be disclosed, there are several factors that are suspected to have contributed to the successful attack against the OPM. The first is OPM’s sluggish response to the recommendations of a systems audit performed by the Inspector General last year. The Inspector General Audit Report identified numerous material weaknesses in OPM’s security program and practices, including missing configuration baselines for operating platforms and ineffective security monitoring procedures. OPM has been widely criticized for failing to implement many of the key recommendations made by the Inspector General.
The second is weaknesses in cybersecurity tools put in place by the Department of Homeland Security to detect and contain the type of incident that led to the breach at OPM. The most widely criticized tool is Einstein, the multi-billion dollar intrusion detection system deployed by US-CERT to monitor government Internet gateways for malicious traffic. Einstein is at the cornerstone of the $4.5 billion U.S National Cybersecurity and Protection System (NCPS) program. Despite a recent $200M upgrade, it failed to expose the original attacks that led to the breach at OPM. Yet again, this serves to illustrate known limitations with signature-based intrusion detection systems that can be circumvented by scrambling or encrypting attack payloads. These and other drawbacks have led institutions such as SANS to conclude “It is far too easy to fool or shut down an IDS machine for them to be utilized as the primary line of defense against intruders”.
It also illustrates the broader concern over the effectiveness of cybersecurity solutions, not just network-based IDS or, for that matter, IPS systems. According to a joint study performed by Juniper Networks and RAND earlier this year, worldwide spending on cybersecurity is growing between 10 to 15 percent per year. However, despite investing increasing amounts on cybersecurity tools, most companies report a low level of confidence in the ability of such tools to improve the security of their infrastructure. This sentiment is understandable and is based on the questionable success of conventional tools to combat cyber threats. The irony of sky-rocketing costs for cybersecurity tools against the backdrop of the declining value of such tools is not lost on customers.
For this reason, organizations would be better served by redirecting budgets from dubious investments in redundant tools to tackling the most critical issue in cybersecurity today: the shortage of skilled resources capable of modelling and managing the wide array of risks in complex and evolving threat landscapes. The global cybersecurity skills shortage is borne out by the following startling facts:
83% percent of enterprises lack the skills to protect their IT assets (1)
1 out of 3 security professionals are not familiar with advanced persistent threats (2)
62% of organizations did not increase security training in 2014 (2)
There are 1M unfilled positions for security professionals worldwide (3)
One of the consequences of the skills shortage is that it often leads enterprises to rely on a patchwork of third parties for core security services. OPM, for example, is alleged to have granted privileged access to contractors in China, one of the nation states suspected of perpetrating the attack.
For SAP systems, the aim of fostering an effective security operations center or center of excellence is made easier by the availability of a wide array of powerful monitoring tools in Solution Manager. The most important of these tools is Configuration Validation (ConVal) which can be leveraged to implement automated, policy-based vulnerability management. The accessibility and convenience of tools such as ConVal eliminates the need for third party security software and enables customers to focus more resources on staffing, training and other needs.
ConVal performs system configuration monitoring. It also monitors critical authorizations, transactions and profiles. For security information and event monitoring (SIEM), most existing platforms can analyze event data in SAP log files including the Security Audit Log. Platforms such as HP Arcsight, RSA enVision, McAfee/ Intel, and Splunk can be tuned to review SAP logs using available connectors or modules. For more information on ConVal or integrating SAP systems with your SIEM platform, contact Layer Seven Security.
Sources:
1 ESG, March 2015
2 2014 APT Study, ISACA, April 2014
3 Annual Security Report, Cisco, January 2014