CORRECTING and REPLACING SANS Maps SAP Cybersecurity to Top Twenty CIS Critical Security Controls for Effective Cyber Defense

Following on recent cyber attacks aimed at SAP systems, SANS maps SAP cybersecurity to the Critical Security Controls list for the first time

BOSTON -- Please replace the release with the following corrected version due to multiple revisions to the third and fourth paragraphs.

The corrected release reads:



Onapsis, the global experts in business-critical application security, today announced a SANS white paper that maps SAP cybersecurity to the CIS Critical Security Controls for Effective Cyber Defense for the first time. As cyber attacks targeting SAP continue to grow, it is highly recommended that organizations secure their SAP landscape as part of their overall security posture.

The CIS Critical Security Controls are a set of internationally recognized standards outlining the most important cyber hygiene actions that every organization should implement to protect its information technology (IT) networks. They are highly regarded by the global IT community because they are developed, refined, validated, and updated by cyber experts who pull data from a variety of public and private threat sources. They are transforming security in government agencies and other large enterprises by focusing spending on the key controls that block known attacks and find the ones that get through.

“Direct attacks on ERP systems such as SAP are being disclosed more frequently, validating the assumption that even complex applications housed in secure facilities need specific protection and that safeguarding them should be a top priority. Attacks aimed directly at complex, mission-critical applications result in extraordinary costs and impact to the business,” according to Barbara Filkins, a senior SANS analyst and author of a white paper that maps the CIS Critical Security Controls to key points in the SAP security framework. “To protect an SAP system, start by looking retroactively at current configurations to be sure they’re up to date with the latest patches and that they are continually monitoring unauthorized user behavior and advanced threats.”

The SANS paper mapping the CIS Critical Security Controls for Effective Cyber Defense to SAP's cybersecurity framework outlines a step-by-step approach organizations can take to secure SAP implementations. This approach is largely application-oriented, but also applies network restrictions to underlying network devices and firewalls, in addition to closing loopholes through operational procedures and training. The Four-Step Approach to Applying the CIS Critical Security Controls is:

  • Step 1: Tailor Enterprise Processes (CIS Controls: 1, 2, 3, 4, 5, 6, 10, 13, 14, 16)
  • Step 2: Secure the Landscape (CIS Controls: 3, 7, 9, 10, 11, 12, 18)
  • Step 3: Configure the Technical Controls (CIS Controls: 2, 3, 4, 5, 6, 8, 13, 14, 16)
  • Step 4: Create the Human Action Framework (CIS Controls: 17, 19, 20)

“Having SAP cybersecurity formally recognized as a standard control for organizations is a major achievement in building awareness for the business-critical application security market. This is still a blindspot for many organizations, as they often assume that their SAP data - or ‘crown jewels’ - are covered by traditional security methods or by the SAP administration team. However, the recent U.S. CERT Alert showed us the very real ways in which attackers are accessing these applications, and the vulnerabilities they are leveraging to do so. Having SAP cybersecurity mapped to the CIS Critical Security Controls will help organizations to better understand why SAP needs to be included in the overall security posture, and provides steps for how to best do so,” said Juan Pablo Perez-Etchegoyen, CTO, Onapsis.

To download the “Blueprint for CIS Control Application: Securing the SAP Landscape”, please visit:

On June 2nd, SANS and Onapsis will be hosting a webcast titled, “A Blueprint to Secure SAP Applications Using CIS Controls As a Guide” to further discuss this topic. For more information, or to register, please visit:

Onapsis will be hosting a lunch and learn at the SANS Security Operations Center Summit in Crystal City, VA, on May 26, 2016, at 12:30 P.M. EDT in the Wilson Ballroom. For additional details please visit:

About SANS

The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals, from auditors and network administrators to chief information security officers, are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.

SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center.

About Onapsis

Onapsis provides the most comprehensive solutions for securing SAP and Oracle enterprise applications. As the leading experts in SAP and Oracle cybersecurity, Onapsis’ patented solutions enable security and audit teams to have visibility, confidence and control of advanced threats, cyber risks and compliance gaps affecting their enterprise applications.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely used SAP-certified cybersecurity solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber attacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry-wide and has gained Onapsis recognition as a 2015 SINET 16 Innovator.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.


Kesselring Communications
Leslie Kesselring, 503-358-1012
Kesselring Communications
Tamarie Ellis, 503-746-8107

Release Summary

SANS maps SAP Cybersecurity to Top Twenty CIS Critical Security Controls for Effective Cyber Defense for the first time, following on recent cyber attacks aimed at SAP systems.

