Taking a Proactive Approach to Mitigating Ransomware Part 1: You Can’t Neglect the Application Layer

Ransomware continues to dominate cybersecurity news. The proliferation of attacks – 66% of organizations were hit in the past year – and the ability for threat actors to more easily execute these attacks at scale, makes ransomware “arguably the biggest cyber risk facing organizations today.” Recovery costs for ransomware attacks have also continued to increase year-over-year, up 30% from 2022 to 2023. 

This growing threat has required organizations to shift from the reactive mindset of years past (think: backups, endpoint security) to a more proactive approach in hopes of avoiding costly business disruptions and recovery processes.  As we’ve discussed in the past, “in preparation for a ransomware attack, you need to close all the doors and windows of your house – not just the front door of endpoint protection.” 

 

How Do Your SAP Applications Fit into This? 

Vulnerability exploits are the most common root cause of ransomware attacks. And, from Onapsis Research Labs threat intelligence, we know that threat actors have the means and expertise to target SAP application vulnerabilities directly. This means ransomware groups can leverage unaddressed application vulnerabilities as an entry point – bypassing endpoint security measures – before moving laterally or down to the operating system level to wreak further havoc. 

This risk is even greater now that modernization and digital transformation initiatives have eroded the perimeter. Business-critical applications are increasingly moving off-premises (where perimeter security approaches previously offered some protection) into the cloud, or connecting to third-party services, or becoming publicly accessible. All of these increase exposure, interconnected risk, and the chances of exploitation. 

 

Theory vs Reality: The Challenges with Avoiding Vulnerabilities and Continuously Monitoring Your SAP Applications 

In theory, you know how to solve this problem. Two key strategies for doing so, as outlined in the NIST cybersecurity framework for Ransomware Risk Management and similarly in our joint white paper with SAP, Mitigating the Threat of Ransomware to Business-Critical SAP Applications, are:

• Avoiding vulnerabilities that ransomware could exploit, and
• Continuously monitoring for indicators of compromise.

The problem is putting those strategies into practice is easier said than done. Most of the tools security teams would traditionally use to accomplish this don’t sufficiently support SAP, leaving InfoSec without the visibility and context they need to manage their SAP attack surface and monitor for suspicious behavior therein. Additionally, SAP app environments are large, complex, and highly customized, resulting in a greater number and variety of vulnerabilities. Additionally, they’re generally managed by IT teams, so remediation efforts require additional back-and-forth and cross-team alignment. A backlog of vulnerabilities combined with longer remediation times leads to even larger windows of vulnerability, further driving the need for continuous threat monitoring both for visibility and as compensating security controls. 

 

Securing Your Complex SAP Application Ecosystems Doesn’t Have to Be Complicated

Over the course of this blog series, we’ll take a closer look at the challenges organizations are facing with attack surface management and continuous monitoring for their SAP applications and how they can be overcome. With the right partner, organizations can make their dreams of proactive ransomware mitigation a reality…without burdening already busy security and IT teams.