Security Company Builds Intrusion Detection System for SAP

Security company Onapsis released on Wednesday a product that allows intrusion detection systems to recognize attacks against SAP applications holding critical financial and business data.

The product, called Onapsis IPS, is a collection of signatures, or tell-tale signs that a hacker may be trying to exploit an SAP system, said Mariano Nunez, CEO of Onapsis, headquartered in Boston. Onapsis conducts penetration testing and vulnerability assessment for SAP software.

Large enterprises use SAP's ERP (enterprise resource planning) and CRM (customer relationship management) software to manage payroll, invoices and supply chains, forming a central part of how a business is electronically managed. The applications handle very sensitive information.

In the last few years, SAP software has come under increasing scrutiny from security researchers and hackers, Nunez said. SAP has been releasing around 60 patches a month for its systems and has released more than 2,000 security patches since 2010.

The number of patches poses a problem for system administrators, who often must shut down the software and test it to make sure the patches work. It's complicated work that takes a long time.

"Many organizations don't apply SAP security patches promptly," Nunez said. "Some of them do not even apply them at all."

The time between when an attack becomes public and when the patch is applied is an open window in which hackers could successfully attack. Although many companies have intrusion protection or detection systems (IPS/IDS), those systems are not tuned to detect SAP attacks.

To solve that problem, Onapsis has developed Snort signatures, which can be imported into most IPS/IDS appliances on the market. Onapsis thought it was better to write signatures rather than build a separate appliance, Nunez said.

Once the signatures are imported, administrators can then decide whether they want to stop an attack or be sent an alert when one is under way, Nunez said. SAP attacks are rarely publicized widely, which has led to lower awareness among enterprises even though a breach could have a significant impact on their business if data were compromised.

"What we found is many organizations told us they have never been hacked but they don't have any security auditing feature enabled," Nunez said. "The only truth is they really don't know. The fact they have never seen any alerts really doesn't mean it is not happening."

Onapsis IPS will be sold as an annual subscription, with new signatures sent monthly, Nunez said. The price is based on the number of IP addresses connected to the SAP software, he said.

Among the company's other products is X1, a tool that allows companies to test their ERP (enterprise resource planning) software for vulnerabilities and shows how those problems could reveal critical business information and how to fix them.

Send news tips and comments to jeremy_kirk@idg.com
