With high-profile security breaches focusing attention on reducing risks for critical systems, business application security provider ERPScan is now opening a new office to serve the Australian and New Zealand markets.
ERPScan had its origins in 2007, when Alexander Polyakov, then a security consultant and now CTO of ERPScan, found he could gain access to an SAP system in just 15 minutes. He began partnering with SAP, providing information about vulnerabilities in its systems, and in 2010 co-founded ERPScan together with CEO Dr Ilya Medvedovsky. Initially, they consulted on SAP security, but soon realised that the sheer number of aspects they had to monitor – whether configuration issues or vulnerabilities – made doing so by hand almost impossible. They built a tool for their own use, but quickly realised it could be valuable to companies, managed service providers, consulting companies and their clients.
This tool became their flagship product, the ERPScan Security Monitoring Suite.
“This tool allows you to identify, analyse and react to different vulnerabilities, misconfigurations, custom code issues and access control violations, to name a few,” Polyakov says.
The Suite can identify almost 10,000 different vulnerabilities and misconfigurations in a variety of systems – from SAP’s standard ERP system to HANA, mobile platforms and industry solutions. Once issues have been identified, advanced analysis can be undertaken, showing criticality, risk and probability. This information is also correlated to the other modules of the system, which can also have an impact on criticality and risk.
“Sometimes if you have a vulnerability in the source code, but you have a secure configuration, the risk of this vulnerability will be much lower. So we correlate this information from different modules,” Polyakov says.
The final component of the scan is analysis, with threat path an area of increasing interest for system owners.
“We can draw a graphical representation of connections between SAP systems – either real connections or potential connections that can be used by penetration testers, for example, if in one system you have a user with the same password as in another system,” Polyakov says.
“They can have a virtual penetration testing map, and understand which part of the entire landscape is the most critical to patch first.”
System owners can then develop a strategy to address these vulnerabilities and issues via SAP Solution Manager, SAP’s Governance, Risk and Compliance (GRC) solutions or other risk management systems, or even fix some of the issues directly from the ERPScan console.
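As an added illustration of the threat-path map described above (a constructed example, not ERPScan’s code or algorithm): a small SAP landscape whose links are either configured RFC destinations or a user with the same password on two systems, and a hardening order chosen by how much criticality-weighted reachability each fix removes. All system names, links, entry points and weights are made up.

```python
"""Toy threat-path map over an SAP landscape (added example, not ERPScan code).

It models the idea in the text: draw the links between systems, real (an RFC
destination) or potential (the same user/password valid on both sides), and
ask which system to harden first. All systems, links, entry points and
criticality weights below are constructed sample data.
"""
from collections import deque

# Constructed landscape: system -> systems an attacker on it could move to.
LANDSCAPE = {
    "DEV": {"QAS"},          # RFC destination DEV -> QAS
    "QAS": {"PRD", "HR"},    # same admin password reused on PRD and HR
    "PRD": {"BI"},           # trusted RFC link to the BI system
    "HR":  {"PRD"},          # password reuse
    "BI":  set(),
}
# Constructed: systems with a known issue reachable from the network.
ENTRY_POINTS = {"DEV", "HR"}
# Constructed business criticality used to weight the exposure score.
CRITICALITY = {"DEV": 1, "QAS": 1, "PRD": 5, "HR": 4, "BI": 3}


def reachable(landscape, start, excluded=frozenset()):
    """Systems reachable from `start`, never entering an excluded system."""
    if start in excluded:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in landscape.get(queue.popleft(), ()):
            if nxt not in seen and nxt not in excluded:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(landscape, entry_points, excluded=frozenset()):
    """Criticality-weighted sum of everything reachable from any entry point."""
    hit = set()
    for entry in entry_points:
        hit |= reachable(landscape, entry, excluded)
    return sum(CRITICALITY[s] for s in hit)


def patch_priority(landscape, entry_points):
    """Rank systems by how much exposure hardening each one removes.

    Hardening S means its issue is fixed and its reused credentials are
    reset, so S can neither be entered nor used as a pivot.
    """
    baseline = exposure(landscape, entry_points)
    ranked = [(s, baseline - exposure(landscape, entry_points, {s}))
              for s in landscape]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))
```

Run as a script it ranks PRD first: fixing the production system removes more weighted reachability than fixing either entry point, which is the kind of prioritisation the map is meant to support.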
The ERPScan Security Monitoring Suite complements SAP GRC, and integrates with SAP GRC Process Control.
“You can, for example, identify misconfigurations, automatically send them to Process Control and monitor those misconfigurations. We provide this integration so that people from the security team can use ERPScan, and can send the information in a way that people from the SAP team will understand, and they will know what to do with the GRC system,” Polyakov says.
ERPScan maintains its relationship with SAP, continually monitoring SAP products for vulnerabilities and also working under contract on specific testing projects such as source code scanning and internal penetration testing.
Attack detection
While the ERPScan Security Monitoring Suite provides organisations with a picture of how secure their SAP system is and where it is vulnerable, the company is now releasing a new tool that will detect and respond to real attacks or attempts to breach the system.
Polyakov says the company is looking to address several problems in this area, with a combination of event management and intrusion detection designed specifically for SAP.
The new solution, which will also be available as a managed service, will create a connection between SAP and existing security tools such as SIEM and IDS, by collecting, normalising and filtering security information from SAP logs and sending it to security event management solutions.
But perhaps more importantly, ERPScan will also provide intelligence such as dashboarding and analytics of this information, to increase user understanding of what is occurring with their systems.
“Because the size of logs is really huge, we collect only the most necessary information in terms of security, correlate this data with information about vulnerabilities and provide visualisation of this information,” Polyakov says.
Customers also want to prevent attacks, so ERPScan has signatures for existing and 0-day vulnerabilities that can be implemented in the tool, Polyakov says.
“If something has happened, customers can identify those attacks in the log files by using our signatures. We can provide signatures for zero-day vulnerabilities that we are continuously finding in SAP systems, so we have threat intelligence information about business application risks.”
Global expansion
ERPScan now has around 60 employees, with headquarters in Palo Alto, California, European headquarters in Amsterdam, and a local office in Copenhagen. The company has also received more than 30 awards, including Rookie Company of the Year from SC Magazine, Innovative Vulnerability Management solution from CDM Magazine, and most promising SAP Solution Provider from CIO Review.
In the past, ERPScan has worked with Australian consulting companies to undertake one-off scans for clients. But now, with the right team in place to open the Australian office, ERPScan is well positioned to offer a full range of services to customers in Australia, New Zealand and in Asia, including India, Hong Kong, Singapore and Malaysia.
“We have a technical and sales team to give those customers who want to install the ERPScan Security Monitoring Suite in their system the opportunity to support it, but also to provide a managed service using a security operation centre, so that our team can automatically monitor the customer’s system in real time, daily, weekly, or quarterly, analyse reports, and provide support in addressing vulnerabilities,” Polyakov says.
ERPScan will also provide vulnerability assessments to partners to provide to their SAP clients.
Having already completed their first scans within Australian companies, ERPScan has a good sense of the maturity of the Australian market. Most systems in use here are relatively new, which means many fixes have already been implemented.
“They don’t have the old dinosaurs that we find in large enterprises in Europe or the US. If you look at large oil and gas organisations in Europe, for example, they have hundreds of SAP installations, sometimes they have SAP R/3 systems, and they have a lot of different issues,” Polyakov says.
However, Australian organisations should be wary of the false sense of security – pardon the pun – that comes with having a modern system.
“Every month, SAP releases new patches. Every month you create new custom programs, and you assign different roles to different users. Security is a continuous project, and every month your security configuration changes, and new threats appear – you can start with very good configuration, and then end with something even worse than in other companies.”
For more information about ERPScan’s ANZ offering, contact Bruce Allan at bruce.allan@erpscan.com.