BCAS: What is it and why do you need it?

By Tim Wallen, Regional Director UK&I at Logpoint

  • 2 years ago Posted in

Business critical applications are the backbone of departments, acting as digital hubs of business-critical assets, data, information and productivity. From enterprise resource planning (ERP), to supply chain management (SCM) and customer relationship management (CRM) software to human capital management (HCM), product lifecycle management (PLM), business critical applications (BCA) offer comprehensive support to almost every facet of the organisation. Such platforms reduce operational costs and administrative complexity, streamline data collection and management processes, and provide flexible scalability.

Their importance, however, is not reflected in the protection being afforded to them. A recent poll surveying IT and cybersecurity professionals across the US and UK revealed insecure and unmonitored business-critical systems, with four in ten noting that they do not include business-critical systems in their cybersecurity monitoring. Additionally, 27 per cent were unsure if it was included in their cybersecurity monitoring at all. Given the dependency upon BCA, this is a problem.

A major problem with BCAs is that they are often long established and cater to the needs of specific departments ie finance, HR, logistics so therefore become siloed and are not integrated into central security strategies. Consequently, BCAs are often not monitored by security teams, making it difficult to patch and maintain them, let alone spot emerging threats. But not including them in centralised security monitoring leaves the organisatios vulnerable and exposed to cyber threats. It’s a problem further exacerbated by BCA moving to the cloud, with almost three quarters of businesses admitting they lack visibility within the cloud environment leading to challenges over managing configuration.

The risks associated with BCAs

Perhaps unsurprisingly, malicious actors are now increasingly targeting these data-rich, critical applications. The same reason why BCAs have become indispensable to specific departments is why they represent highly lucrative targets for cyber attackers.

Should BCAs be subject to an attack, the consequences can be catastrophic, cascading across multiple risk areas. First, intellectual property – the lifeblood of an organisation upon which its success or failure is often defined – can become compromised. Trade secrets, financial data and customer data can in turn end up in the public domain, while firms may also face potential penalties stemming from the loss of customer and financial data. And that’s before we mention the impact of reputational damages or disrupted innovation cycles.

Companies which fail to handle data correctly can also face significant penalties. In the case of GDPR, organisations may be fined up to 4% of their annual turnover for a lack of compliance. Further, if third-party data (be it from business partners, suppliers or subcontractors) is compromised, the Copyright Act expressly provides cause for claims for imposed damages, which can be substantial.

With BCAs, there is also an operational risk to consider. Providers of such applications will often audit systems, requesting information on settings, data integrity and processes to determine if key regulations are being adhered to. A failed audit can lead to a shutdown in systems, requiring the use

of expensive resources to remediate. Equally, it may also result in personal liability against leadership teams and even heighten the potential for fraud.

Security is typically separated

Given these risks, effective operational and security practices are both vital. In terms of the latter, many firms opt to secure BCAs with separate security solutions, further adding complexity with more external solutions, software and applications. Yet this is far from an optimal approach.

SIEM and BCAs operate in separate worlds. SIEM grew out of IT network technology, designed to monitor events in the interconnected IT network layer, collecting logs and event data on everything from origin/destination IP addresses, user IDs and device IDs to normal/abnormal traffic patterns and other network-layer information. It employs IT rule sets and controls to analyse network activity and report back to security analysts. As such, SIEM focuses on the security of network infrastructure, not on specific applications.

Take SAP, for example – one of the most common BCAs (or more precisely, a suite of software applications). SAP systems comprise something of an independent network with its own unique rules. A single SAP application, such as NetWeaver, uses multiple logs to capture security-relevant events. However, these logs use varied formats and structures, not just between different SAP applications but within these single applications themselves. Further, the company has its own specific vocabulary to describe IT network equipment.

This lack of standardisation or conformity with the wider security market makes it very difficult for SAP to be part of the central security strategy. While SAP had developed its own SIEM, this only siloes the security approach, preventing the ability to monitor attack patterns enterprise wide.

The statistics speak volumes. As part of the Logpoint poll, respondents were asked how they currently review SAP logs for cybersecurity events or cyberthreat activity. Almost 30 per cent admitted to not reviewing SAP logs in any way, and again, nearly 30 per cent said they didn’t know if this was being monitored. Meanwhile, only 23 per cent said the process of reviewing SAP logs for cybersecurity events or cyberthreat activity was automated through SIEM, with almost 19 per cent still doing so manually.

Developing a BCAS strategy for transformed visibility

To unlock the benefits of BCAs while also mitigating the potential security risks, firms must adopt a comprehensive business critical application security (BCAS) strategy.

Effective BCAS will establish best practices that ensure these critical software applications are monitored thoroughly and centrally, aligning people, processes and technologies to increase visibility of activities. Only with complete transparency can the business monitor and secure its data irrespective of which systems it resides in, necessitating the integration of BCAs into the wider cybersecurity strategy.

When this divide is broken down, BCAs are empowered to benefit from an arsenal of security solutions including SIEM, SOAR and UEBA, helping to unlock transformative threat insights. These technologies provide automated threat detection, investigation and response capabilities as well as accurate, risk-based analytics, guiding security teams in combating advanced threats and empowering them to protect themselves properly.

So, just how easy is it to implement an effective BCAS strategy? Where can you begin?

Fortunately, there are solutions on the market that undertake much of the heavy lifting, effectively bridging the gap with limited effort. Some have been specifically designed to successfully solve the challenge of SIEM-SAP separation, for example, by efficiently and effectively integrating SAP data into any SIEM system.

Data from the SAP system(s) is first normalised, and then stored in the SIEM system, providing real-time analysis of internal SAP activity as well as allowing firms to correlate SAP data with the other events in the IT network.

Indeed, this benefits both parties, improving threat visibility and insights by monitoring all elements in the network. Through continuous, automatic and transparent auditing of BCAs, firms become empowered to yield greater value from the SIEM systems and enhance their security posture.

Given the growing threat, volume and complexity of cyberattacks globally, Business Critical Application Security (BCAS) should now be a priority for businesses seeking to bolster their cybersecurity. The merits of breaking down the technological siloes between operating departments and security setups are no less than transformative.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.