In this Help Net Security podcast recorded at RSA Conference 2019, Juan Pablo Perez-Etchegoyen, CTO at Onapsis talks about the challenges of securing and monitoring ERP applications for vulnerabilities and compliance gaps across cloud and on-premise deployments.
Juan Pablo leads the research & development team that keeps Onapsis on the cutting-edge of the business-critical application security market.
Here’s a transcript of the podcast for your convenience.
Hello everyone. Welcome to this Help Net Security podcast. In this one, we’re going to be talking about ERP cybersecurity and the state of the art of securing ERP applications which are supporting some of the most complex and critical business processes and data in the majority of organizations in the world.
I would like to start with the problem. What is it that is really keeping me up at night, keeping awake some CISOs in regards to ERP applications? What we have been looking at over time is that there’s been a big gap in terms of security for ERP applications. Don’t get me wrong, organizations were investing in ERP security ever since ERP was created, but organizations were investing in things that are very important and critical, but not in a real holistic way. And that means organizations are making sure that all their employees have the right access like identity management, roles and profiles, maintenance of authorizations, segregation of duties, those tasks that are even enforced by SOX and our regulations.
In the end, it’s making sure that all the users of ERP business applications can connect and perform their duties but do nothing more than that. By itself, it’s super complex because ERP applications have some of the most complex authorization mechanism of any application, because of the type of tasks that need to be done, the criticality, the diversity, the complexity of the business processes, how customized those business processes need to be. It ends up being a complex problem.
That was the understanding of ERP security for organizations. In this case, what we saw since we started it, is that all the technology layer, all the components and building blocks of ERP applications, all the interfaces, the gigantic landscapes of systems, services, processes, that are supporting the business process, are not properly secured because of a lack of knowledge, because of this complexity and these proprietary protocols of components. In the end that has been a gap for the IT security teams.
CISOs traditionally didn’t have any say or any visibility into the security of ERP applications. That’s what we realized and what we are changing in the market, in the organizations. Really driving this change to bring together ERP application people, IT security people and internal audit people, all those teams that are ultimately responsible in different ways to secure ERP applications, to have a unified pane of glass and really speak about the same level of risks, independently of which team we are talking about.
The way we are doing it is through a platform, being able to actually get everyone on board, have a unified visibility of the different risk levels, regardless of which area of risk we are talking about. We can be talking about authorizations, patches, configurations, transport, development like custom code, interfaces, many different areas.
We bring them visibility but also something else that we are doing is, we can provide also a solution to that, both in the way that we become preventive. We give you visibility on all the risks and we can prevent you and your teams to add additional risks to that, which has been very well received from customers on the market.
It’s one step into the solution, already being preventive. Also, organizations typically have a big backlog of security risks that they just were not banishing, they barely know that they have. But it’s there, so we are automating a lot of those mitigations and solutions for that backlog. That’s another step that we are actively working on and is really also very well received by customers because you have visibility into the risks, you understand what’s your risk posture, on one hand. On the other hand, you prevent from having all the different things that are operating on using the ERP to introduce additional risks. And on the other hand, you can automate and work towards actively reducing that level of risk, eventually going into a steady state with a better security posture.
Those three areas tackling different type of risks within the ERP applications, have been getting the majority of our priorities and work. The reason why we have been going down that path is because we really want organizations to be able to address those cybersecurity risks in ERP applications because we know that cyber threat actors are actively targeting those.
Last year we got together with Digital Shadows and we released a report on the state of the art of threats and cyber attacks to ERP applications, analyzing all the different campaigns over the last years, with data coming from open, deep and dark web. We’re talking about cybercriminal forums, underground forums, social media, pretty much everything.
Capturing that data, analyzing together, their analysts with our researchers, and we identified a number of different campaigns that in some shape or form are targeting ERP applications. We see evidence of that in cybercriminals through Trojans being modified and updated to target ERP applications, in hacktivists actively using vulnerabilities in ERP applications, but also nation states. That’s something that we are closely following.
How these nation states are building and weaponizing ERP vulnerabilities to be able to compromise the application that ultimately has the information that they are looking after. We have seen examples of exfiltration of financial records, modification of employee’s information, routing of payment checks and many other examples of real business outcomes and business impact on this. Building this toolkits of exploits targeting ERP applications, that’s something that we have been seeing as well. That’s why the US-CERT alert came out in 2016, another one in 2018, and we believe that more are going to be issued by the Department of Homeland Security just because the threat is getting bigger and bigger.
Having said that, I encourage you to take a look at the research, all the publications that we have, and we work with Help Net Security as well, to pick up on some of that research and really understand what’s your security posture on your ERP application, understand how many of those risks are really relevant for your organization. If you haven’t been doing anything on the area, on the topic, I’m pretty sure that you will be surprised on the outcome of that. Research vulnerabilities, threats, make sure that you are on top of that, as it pertains to ERP applications, because threat actors are actively targeting that. That’s something that you definitely need to take care of, because it has a business impact in the end. We are not just talking about vulnerabilities and threats, we are talking about the business and risks that directly affect the business.