In this Spotlight podcast* we’re joined by Jason Fruge, the VP of Business Application Cybersecurity at Onapsis to talk about the growing attacks against critical systems like ERP and General Ledger applications by SAP and Oracle. We also talk about why these critical systems often lag on key security measures.
Security experts have been banging the drum about “risk based security” for years. The idea is simple: identify the assets and data within your organization that are critical to your mission, then concentrate resources – including staff and technology spending – on securing them.
That sounds sensible, but are companies listening? By one measure, they are not. Specifically: security for critical business systems such as Enterprise Resource Planning (ERP) and General Ledger systems continues to lag. A recent survey of 430 IT decision makers by the firm IDC, for example, found that 64% of ERP deployments had been breached within the preceding 24 months. Those incidents exposed financial, sales and HR data as well as intellectual property and personally identifiable information on customers, IDC found.
With all the talk about protecting organizations’ “crown jewels,” how is it that platforms like SAP and Oracle – the IT equivalent of the Tower of London where those jewels are kept – are often left unlocked and unprotected?
To understand a bit more, we invited Jason Fruge into the Security Ledger studios. Jason is the Vice President of Business Application Cybersecurity at Onapsis and a former CISO at fashion design firm Fossil Group.
In this interview, Jason and I talk about both the technical and cultural challenges of securing applications like Oracle and SAP. Those applications are so complex and bespoke that they often frustrate analysis using traditional vulnerability scanners and other security tools. We discuss the increase in attacks targeting these systems and what organizations can do to fend off attacks.
We also talk about the recent Onapsis publication of a slew of vulnerabilities in Oracle E-Business Suite, which Onapsis dubbed BigDebIT. That publication accompanies patches issued by Oracle. If left unpatched, the BigDebIT vulnerabilities could allow an attacker to launch unauthenticated attacks on Oracle EBS platforms.
PAUL: This Spotlight episode of The Security Ledger Podcast is sponsored by Onapsis. Onapsis protects mission critical applications that run the global economy. The Onapsis platform uniquely delivers actionable insight, secure change, automated governance, and continuous monitoring for critical systems: ERP, CRM, PLM, HCM, SCM, and business intelligence applications from well-known vendors such as SAP, Oracle, and leading Cloud applications. Check them out at onapsis.com.
[MUSIC] PAUL: Hello, and welcome to a Spotlight edition of The Security Ledger Podcast. I’m Paul Roberts, Editor in Chief at The Security Ledger. In this edition of the podcast…
JASON: What they did was, they said to the systems, ‘hi, I’m another production SAP system.’ They said ‘oh, hi, welcome aboard,’ and they gave it a trust infection into the cluster. This is scary. ‘Cause my jaw immediately hit the floor. I said to the guy that was doing the work, I said could he — ‘can you create a vendor from here?’ He said, ‘sure.’ I said, ‘could you create an invoice?’ He said, ‘absolutely.’ I said ‘well, then, could you pay the invoice?’ He said, ‘yep.’ None of those things I described were security events.
PAUL: Security experts have been banging the drum about risk-based security for years. The idea is simple: identify the assets and data within your organization that are mission-critical and concentrate your resources, including staff and technology spending, on securing those. That sounds sensible, but are companies listening? By one measure, they are not. Specifically, security for critical business systems such as enterprise resource planning, or ERP systems, continues to lag. A recent survey of 430 IT decision-makers conducted by IDC, for example, found that 64% of ERP deployments had been breached within the preceding twenty-four months. With all the talk about protecting organizations’ crown jewels, how is it that platforms like SAP and Oracle, which are the IT equivalent of the Tower of London, are often left unlocked and unprotected?
To understand a bit more about this problem, we invited Jason Fruge into The Security Ledger studios. He’s the vice president of business application cyber-security at Onapsis, and the former Chief Information Security Officer at the fashion design firm Fossil Group. In this interview, Jason and I talk about both the technical and cultural challenges of securing applications like Oracle and SAP which are so complex and unique in their design and operation that they often frustrate traditional security and monitoring tools like vulnerability scanners. We also talk about the recent Onapsis publication of a slew of vulnerabilities in the Oracle E-Business Suite platform which Onapsis dubbed BigDebIT. To start off, I asked Jason to tell us a little bit about himself and also about Onapsis.
JASON: Jason Fruge, vice president, business application cyber-security for Onapsis.
PAUL: Jason, welcome to The Security Ledger Podcast.
JASON: Thank you. Glad to be here.
PAUL: Glad to have you. For listeners who don’t know of Onapsis, first of all, tell us a little bit about Onapsis and what your company does.
JASON: Well, Onapsis is a company that — its mission is really to protect business critical applications that run the global economy. We have a heavy focus on ERP systems today. We’re growing into supporting other systems such as SuccessFactors and others that we deem mission-critical for that purpose.
PAUL: You guys are particularly well-known for often finding vulnerabilities in platforms like Oracle and SAP and stuff like that. If you’ve heard about Onapsis in the cyber-security space, it’s probably something like that.
JASON: Absolutely. Yeah, usually in a given month when SAP or Oracle releases their patches, the majority — at least half of those vulnerabilities were identified by our research team. We place a tremendous amount of focus on finding these issues and then working very closely with the software developers to address them and then protect our customers rapidly after that.
PAUL: Before you came to — you’ve been at Onapsis about a year, but before that, you were the Chief Information Security Officer at Fossil, the watch-maker. Many people are probably familiar with their products. You noted that what brought you over was this realization that the priorities within large organizations are often kind of misplaced in terms of where they’re spending money to secure IT assets. Talk just a little bit about that revelation that you had and also what you learned as a Chief Security Officer at a big, public-facing company that sells into the consumer space.
JASON: Yeah, so one of my observations over many years has been we take this kind of peanut butter approach where a lot of times, security practitioners will take that kind of approach where they [00:05:00] say everything in the company needs to be patched at the same speed and rigor, so, the same security protocols and timing and everything else. I’ve found through my observation that so many IT constraints and resource issues cause that to just become an impossibility, especially as we get a better view of the critical application landscape and the complexities of patching those applications.
The philosophy that I’ve adopted in most recent years is that you really have to apply the most rigor where it matters most. The first step, obviously, is understanding what are those most critical applications and then associating it with that critical infrastructure that supports those applications, increasing that rigor and focus there. I’ll tell you a funny story; as I was starting to get my arms around SAP and building a security strategy for SAP, I was sitting in my office reflecting. I looked over at my printer, and it just occurred to me that I spend more money and effort patching office printers than I did patching SAP and securing SAP. I was badly failing at my own philosophy. I had to do something about it.
PAUL: Not that office printers aren’t a valuable IT asset to protect, right? But…
PAUL: …in the scheme of things, probably not a top priority, right?
PAUL: Why is that? I mean, you would think, obviously — especially these days ‘cause we talk ‘til our face is blue about taking a risk-based approach to security and figuring out where your sensitive data and IT assets are and focusing resources, energy, on those; not that everybody just nods when you start saying those things, so you assume that everyone got the message. But why is it then still the case that critical application, ERP, SAP, Oracle, might still be underfunded when it comes to security?
JASON: Well, I think there’s a lot of reasons. I think for many CISOs, what you don’t know, you don’t know, right? I heard the term recently SAPanese, just ‘cause the SAP, for example, ecosystem is so proprietary that it’s unlike any application you have in your environment, and the same is true for Oracle E-Business Suite as well. It goes to the point that most of us don’t know how to ask the right questions about those applications. When we do, I think the standard response many of us get when we go to our IT leaders and we say tell me about the SAP security strategy, for example. You might hear well, it’s audited once or twice a year for financial integrity. We have a team dedicated to performing security functions on it. You hear wow, that’s great. Okay, good enough. But it really isn’t ‘cause once you peel back the layers of what does that security team do, it’s a very antiquated approach.
They’ll have, for example, a team dedicated just to looking at toxic combinations with user IDs to make sure people can’t perform functions like create a vendor and then pay the vendor. They have to split those out using a forced-collusion in the organization if something bad were to — if someone were to want to do something bad with that. But that isn’t enough. That used to be enough, but as we’ve seen rises in people breaching these systems due to configuration issues in patching, code issues being inserted that do malicious things, we’re starting to see all these new threat vectors and no one is really addressing this. So, for me, I think it’s just become something of a blind spot. There’s a heavy focus on applying those fundamentals, you know, in those patching programs everywhere else, and then these mission-critical applications which perform the digital supply chain and your company relies on it and everything else are just often overlooked.
PAUL: That’s really interesting. Is part of it also just that there’s such a concern about loss of availability with these applications because they do such important work that people kind of — it’s the ‘if it ain’t broke, don’t fix it’-type mentality, right? People just don’t want to break anything.
JASON: That is absolutely true. I think many of us who run into those walls in the past where we’ve been told hey, we can’t scan that system because if you scan it, the system will go down. You’re left with that conundrum of well, that’s exactly why I should scan it, right? Because someone else will if I don’t. Yeah, right, so, we can’t allow those systems that are so fragile to get away with that excuse. We have to do something to shore up the security around them. I think that’s absolutely — in fact, in another company I was at where we had an SAP system, the system took three days to restart. Once it had an availability issue, and the system had to be brought up in pieces. It was a very distributed-type application and it had to be brought up in pieces, and that took three days. There is a lot of concern, and rightly so, with business leaders that we don’t want to do anything disruptive to these systems, but at the same time, it takes a strong security leader to say understood; we don’t want to do something disruptive, but hackers are a dynamic adversary. Today, they’re [00:10:00] shifting their focus to these applications and we have to do something very thoughtfully, very carefully, or we have to do something to prepare these systems to be more resilient.
PAUL: What are we seeing in terms of the attention that these platforms are getting from cyber-adversaries? ‘Cause my guess is that at a certain level, the sophistication and complexity of these platforms did provide a degree of security through obscurity. If you weren’t an SAP or Oracle ninja, maybe as an adversary, maybe you would be hard-put to attack these applications. But what are we seeing these days?
JASON: You’re seeing a lot of fraudulent-type activity. We get engaged and it’s hard to be very specific, obviously, due to — unable to talk about specific breaches, but we do get involved in a variety of different issues. It’s very easy for corporate espionage, for you to sabotage your competitor’s supply chain, for example. It’s a simple scenario, like, if you had a 30-day reorder of certain parts; if someone were to enter the system and change that 30 to 300, it would be very disruptive to your supply chain ‘cause now you’re on a ten-month rotation as opposed to a one-month. Finding that issue and then attributing it to a breach is very difficult ‘cause it just looks like a simple mistake that someone made, so we see things like that. I can tell you a story; we were once doing…
PAUL: You’re listening to a Spotlight edition of The Security Ledger Podcast, sponsored by Onapsis.
JASON: …an assessment where a company — we do this thing called business-risk illustration where we do this free of charge. We’ll come in and just do a black box assessment of your source code or your — and your patching and config and just a holistic view, and then we work with you to understand how you use the system and tell you what those impacts could be if you were breached in these certain ways. One time we were doing that, specifically looking at code, and we came across this exfiltration code. This is proprietary code, by the way. This is a — what’s called ABAP code, or advanced business application programming code, and it’s very — it’s proprietary to SAP and it’s — the capability to do something malicious is very high in there.
In this particular situation, we found this script that someone had written that at the end of every quarter, it would gather up the financial data and then it would e-mail it to someone’s Gmail address. In the middle of that — and this was a publicly-held company too, by the way, so it was a big deal to find that. The people we were talking to said hold on, we’ve gotta stop right now. We’re gonna go address this. We’ll be back. After a period of time, they came back and they said that developer who wrote that code had left the company six years prior. That had been going on for six years and that’s an example of an insider threat scenario, but that’s a big deal. Nobody had the tools or the capabilities to look at that ABAP code to find issues like that. We see those kind of issues quite a bit. That’s just an example. I can give others.
PAUL: First of all, these applications, many of them have been around for decades, right? Oracle, SAP, both of them have been serving the business community in this way for a long time, so there’s probably — there’s almost certainly a code base here that in some areas is probably old, and these are really at the heart of what sophisticated businesses do in their IT operations. You don’t want to mess around with your heart or your brain; you don’t want to mess around with these things, either. But on the other hand, we haven’t seen necessarily the same response on the security front from these vendors that we have from, let’s say, a vendor like Microsoft which in the early 2000s, famously with Trustworthy Computing, really did a pivot on security. I don’t know that I’ve — that I’m aware of SAP and Oracle doing the same type of ground-up rearchitecting for security. Are we kind of seeing — are we basically reaping the fruits of that, that this has just been a problem that has not been dealt with in a holistic fashion at these organizations?
JASON: Absolutely. I think that the reason Microsoft has responded the way you described is because it’s been required of them. The different companies have said we have an expectation that you take certain steps and give us our capabilities to ease patching and everything else. We haven’t seen that as prevalently in the ERP space with either Oracle or SAP, so we’re starting to. Certainly both Oracle and SAP have some built-in tools to assist with patching and identifying configuration issues. Similar to Microsoft’s own security tools, most enterprises aren’t leveraging them exclusively. They don’t have, for example, like we have at Onapsis, a dedicated team of security researchers and a focus on simply securing it, right? Their primary focus is on business enablement. Ours is on application security. We work well together. We take any of the security capabilities that they do have today, which, to your point, are not that advanced, but we do [00:15:00] take them and we make them very sophisticated and very advanced when we overlay it with our capabilities.
PAUL: Jason, Onapsis just released a report on a couple of vulnerabilities, quite serious ones that you guys are calling BigDebIT, and these affect the Oracle platform. Could you just tell us a little bit about those and kind of what folks out there using Oracle General Ledger, which these affect, need to know?
JASON: Absolutely. Last week, we published a report that the Onapsis research team had uncovered this, as you called, BigDebIT vulnerability. We’ve been working with Oracle to create patches because there’s really no other work-around for the vulnerability. It’s a big deal. It’s quite an exposure. It allows someone unauthenticated to break into the system and, using the General Ledger which is a powerhouse application inside the E-Business Suite, they can commit all kinds of fraud. They can redirect payments, they can modify your company’s financial ledger, all your data could be manipulated. It’s very difficult to detect and it can only be fixed with a patch. Our research is, there’s roughly 21,000 implementations of the E-Business Suite and roughly around half of them are vulnerable to those. It’s something we really want to get the word out about and make sure people are reacting quickly, because it is very serious.
PAUL: These BigDebIT vulnerabilities in Oracle, E-Business Suite, where do things stand today?
JASON: There’s not an active exploit on it, but it’s an example of something you need to address quickly. There’s just no way to fix it without the patch. A lot of times too, we see people who think they’ve applied a patch might believe they’re secure, but if they don’t have the ability to reassess that system with a tool like Onapsis provides, they can’t confirm that the patch was effective and that it was applied properly. Even in some cases where they think they’re secure, they’re still vulnerable.
PAUL: Is the problem with delayed patching on these platforms one of a lack of tools or is it more of the cultural stuff that we were talking about; fear of breaking stuff or just not a high priority to put on — applying patches for these systems?
JASON: Well, I think it’s a little of both. I think the — many people take for granted that the tools they have — and as CISOs, we’ve all invested quite heavily — our companies have invested quite heavily in equipping us with tools to scan a variety of different things, but these systems like Oracle and systems like SAP are so proprietary that the scanners you have don’t work. You can point Qualys or something like that at these systems; they literally don’t know what to do with the system, so they don’t turn back and tell you about the vulnerabilities. While you might assume that you’ve got this comprehensive view of your vulnerability and application landscape, you’re missing big pieces of information. You can’t properly report on it and provide the governance capabilities that would normally give you some data so you could go back to the IT organization or the executive team and dimension the severity of this problem. You just simply don’t have the information. Without it, it’s hard for the company to respond, right, and put focus on those patching activities and maintenance activities that they should be doing. It’s so important to assess that gap and figure out how to get that information into your governance process so you can start to react to it.
PAUL: You mentioned that these companies are starting to pivot, take security more seriously, build in more sophisticated features for monitoring security events and logs and so on. The other big change, of course, is a lot of these platforms are moving to the Cloud if they haven’t already. Does that change the story or the posture of these applications security-wise for companies?
JASON: Oh, 100%. A lot of times when I talk with CISOs, one of the things that I hear back, which I think is kind of unfortunate, people will say well, I know that application might have some vulnerabilities. We might have underinvested in securing it, but it’s still behind our firewall, so we know it’s still safe. There’s this kind of illusion, and I think that’s kind of yesterday’s thinking too, where we say the perimeter’s firewall is sufficient. Really, I think today we can generally agree that the data is where the perimeter needs to be. Putting security solutions on your critical applications is the only way to keep track of insider threats and all the other things that are on your network; third-party connections that aren’t accounted for, ‘cause we really don’t often know our full landscape.
But when people move to the Cloud, that breaks that paradigm because now they’re like well, it’s not behind my firewall anymore. It’s behind someone else’s. Those particular folks with that mentality that the firewall was sufficient now have to reconcile that with the fact that their data is now on someone else’s network. Then they’ll come and look at solutions like ours. My point of view is that we’re — we do secure it in the Cloud. We’re just as important on-prem, but certainly we’re equally important in both places. [00:20:00] The Cloud brings a lot of new capability but it also brings some new exposure as well, so we certainly can recognize that.
PAUL: How do attacks on these platforms start? My guess is they probably start like other attacks, with account takeovers and credential theft and those types of things, but are there any tell-tales that organizations can look to as evidence that something might be amiss?
JASON: The anatomy of an ERP breach is often similar to other breach anatomies that we look at, but sometimes they’re just far more basic. I’ll give an example from my own experience; when I was at Fossil, I had a risk illustration done from Onapsis and it was literally less than sixty seconds. The person had taken over what I would call a root-level permission on my system without any credential theft or anything. They didn’t even try a force attack. What they did was, they said to the systems, hi, I’m another production SAP system. They said oh, hi, welcome aboard, and they gave it a trust infection into the cluster. They kinda faked being an SAP system and suddenly, they were in. When they were in there — this is scary, ‘cause my jaw immediately hit the floor — I said to the guy that was doing the work, I said could he — can you create a vendor from here? He said, sure. I said, and could you create an invoice? He said, absolutely.
I said well, then, could you pay the invoice? He said, yep. I went to my CFO and I said, if something like that happened, could we detect it? We could, but it would be seven days out and it would have been a manual process. None of those things I described were security events. The actual joining of the system, the way that he did that to mimic himself being an SAP system, that wasn’t detected by any of my security surveillance systems. We didn’t see it happen at all. You’re seeing a scenario where a security event took place that I couldn’t see, and now we have this fraud take place that I also can’t see. We actually are uniquely positioned, I think, as a product to secure that scenario quite well, but also, we can promote those non-security events I described; creating a vendor, creating an invoice, and paying it.
This can all now be promoted to your SIEM, right? You put [inaudible] block or Exabeam or whatever, and now you can — because they’re still not security events, you can dimension the time. So, the normal course of business, you can say, if you see those three things happen in less than twenty-four hours, that’s probably a fraud activity. I’d send a note to finance so they can investigate. Now you’ve got this new — I call it next-level security capability where you’re looking at the normal course of business, not just traditional security things, and you’re providing a whole new level of value back to your CFO and other folks in the business that have — they’ve never been able to rely on security for that before.
PAUL: What typically is the lag time for, in your experience, for people applying critical patches? Do they tend to get applied pretty quickly or not?
JASON: It’s kind of mixed. I think some companies are very responsive, but on the whole, we have some vulnerabilities that are absolutely critical and we’ve been talking about them for, in some cases, ten years. We’ve even had the Department of Homeland Security issue bulletins on some of these issues and they’re still not getting the response. They’re still not getting taken care of. They’ve been out there for ten plus years, and they’re so easy to exploit. It’s very important to incorporate that ERP data into your understanding of the vulnerability landscape in your company so you can address those critical findings. As I mentioned earlier, it’s just one of those things that isn’t often done, isn’t always done. It’s a very worthy exercise to go through and make sure you’re gathering that data and you’ve got a scanner that does understand SAP and does understand Oracle so you can incorporate it. It’s really the only way to get it addressed.
PAUL: You mentioned when you were at Fossil kind of having a risk assessment done on your environment there. That’s one of the services that Onapsis performs. If listeners hear that and they’re interested in having that done within their own environment, what can they do to make that happen?
JASON: Great question. They can head over to onapsis.com. From there, they’ll see a link to request a business risk illustration. This is a very low time commitment for them. But what we’ll do is come in and perform a black box assessment, so nothing installed, no credentials needed. It looks at a portion of the vulnerabilities that we can assess from the black box perspective, and then we interview them about how they use the applications. From that, we do an impact assessment. We say okay, these are the vulnerabilities and this is how badly it could affect your organization if these were exploited. It’s a very worthwhile activity. If you haven’t done one before, I would strongly encourage it. Anytime that you’re taking on a new challenge like this in security, as all your listeners know, you have to build a business case. This is a great way to kickstart that process. We give you a ton of data. As I mentioned, it’s completely free, [00:25:00] very worthwhile.
PAUL: [MUSIC] Jason Fruge of Onapsis, thank you so much for coming on and speaking to us on Security Ledger Podcast.
JASON: My pleasure.
PAUL: Jason Fruge is the vice president of business application cyber security at Onapsis. You’ve been listening to a Spotlight edition of The Security Ledger Podcast, sponsored by Onapsis. Onapsis protects mission critical applications that run the global economy. The Onapsis platform uniquely delivers actionable insight, secure change, automated governance, and continuous monitoring for critical systems: ERP, CRM, PLM, HCM, SCM, and business intelligence applications from well-known vendors such as SAP, Oracle, and leading Cloud applications. Check them out at onapsis.com.
[END OF RECORDING]
Transcription by: www.leahtranscribes.com
(*) Disclosure: This podcast and blog post were sponsored by Onapsis. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.