Onapsis Podcast

Transcript


00:00:11: And thanks for joining us today, and welcome to the Fireside Chat: Security & Compliance in the Shared Responsibility Model with OG&E and Onapsis.

00:00:21: I'm Heather Alima, a content producer here at ASUG.

00:00:24: Today's webcast will be recorded.

00:00:26: You'll receive a post-event email with a link to the on-demand recording.

00:00:30: Please feel free to pass that link along to any colleagues who would find the information useful.

00:00:36: And at the end of the webcast, a two-question survey is going to pop up on your screen.

00:00:41: Please take a moment to fill it out, because we like to know what you think here at ASUG.

00:00:45: If you have any questions, please enter them in the Q&A box over to your left. Any questions we don't get to on the webcast,

00:00:52: we will be sure to answer offline.

00:00:55: Now I'll hand it off to Paul Kleinschnitz, CRO of Onapsis.

00:01:03: Heather, thank you so much for the introduction.

00:01:05: Thank you, ASUG, for hosting us.

00:01:07: I'm very excited for our conversation here today with my friend Ian Anderson from OG&E.

00:01:16: We'd love to start with some introductions, so if I can get these slides to work...

00:01:32: All right, Ian, we're going to start with you!

00:01:33: I'd love for you to introduce yourself as well as your company.

00:01:38: Well, good morning.

00:01:39: Good afternoon, kind of wherever you are in the world.

00:01:42: My name is Ian Anderson.

00:01:43: I'm the Director of Enterprise Security, Network and Monitoring at Oklahoma Gas and Electric, OG&E.

00:01:49: We are a vertically integrated, investor-owned electric utility, and that's all just kind of fancy talk for: we're your electric company.

00:01:59: We transmit, we distribute electricity.

00:02:02: Ultimately, we rub things together and get them to your house.

00:02:04: That's the electricity you use to power your businesses or lives,

00:02:10: and everything in between.

00:02:12: So we're headquartered in Oklahoma City, Oklahoma, where we proudly serve a little over nine hundred thousand customers across the Oklahoma service area and even into parts of Arkansas.

00:02:24: So for me personally, as director,

00:02:28: I'm the executive responsible for all security: cyber, physical, IT, OT.

00:02:33: My teams also include our network and telecommunications team as well as our monitoring, or observability, team.

00:02:39: So I've been doing this SAP security thing for close to ten years now.

00:02:46: Quite a lot has changed over the past decade.

00:02:49: So it's a real treat to get to come, you know,

00:02:51: to this group and hang out with PK and talk about some of the things that are going on.

00:02:59: Thanks, Ian.

00:03:00: Yeah, you know, OG&E has been a great customer but, more importantly, a partner of ours.

00:03:05: We've had a longstanding relationship.

00:03:07: We appreciate the insights you provide us, both from industry as well as features we put into the product based on your background.

00:03:16: So as mentioned earlier, I am Paul Kleinschnitz.

00:03:18: I'm the Chief Revenue Officer here at Onapsis; essentially, I'm responsible for all of our customer-facing functions at Onapsis.

00:03:27: We've been around for a while.

00:03:29: You know, we have over three hundred Global 2000 customers.

00:03:35: One of the things that we're very proud of is that we've identified over one thousand zero-day vulnerabilities.

00:03:40: In fact, in any given month we've identified forty to sixty percent of the vulnerabilities that SAP has ultimately generated patches for.

00:03:49: We're also the only SAP-endorsed security product within the portfolio.

00:03:56: What this simply means is we go through an annual certification, both from a product perspective and with shared resources across SAP and Onapsis that are working together as we build solutions to help defend the likes of Ian and OG&E and others.

00:04:15: And then lastly, we're very proud that our customer CSAT is ninety-six percent plus.

00:04:20: So with that, let's jump into the content.

00:04:23: The format we're going to use today is a fireside chat.

00:04:25: You know, I just thought that going through a conversation rather than a bunch of slides would be of more value and be more interesting to everyone.

00:04:32: Yeah, and really, we want to start with this.

00:04:35: The topic of today, as mentioned, is shared responsibility.

00:04:40: It's a bit of a reality check for individuals, especially as it relates to thinking about moving to RISE.

00:04:45: You know, the industry joke is that shared responsibility often turns into shared blame when visibility gaps are ignored.

00:04:53: When individuals like Ian and his organization look at moving to RISE, the reality is SAP's done a phenomenal job in putting together the appropriate security controls and technologies to support the infrastructure in the cloud, but your data is still your own.

00:05:09: And you're ultimately accountable for it.

00:05:11: Yeah.

00:05:11: Then there's this intersection between security, networking and monitoring. Ian is not just a security guy; he sits right in the middle at OG&E between operations, compliance, security, networking and monitoring, where he's central to understanding problems, solving those problems and mitigating them.

00:05:36: So Ian, how about we jump in?

00:05:38: Yeah!

00:05:40: This first part is... We want to talk about who does what as it relates to the shared responsibility model.

00:05:46: Yeah, and the first question I have for you is: when you started this engagement and you looked at the RISE contract, what was the biggest aha when it related to your responsibilities versus SAP's responsibilities and, ultimately, accountability?

00:06:01: Yeah, I mean, you know, I think to properly answer that question,

00:06:05: you've got to go back, like, way before RISE, right?

00:06:09: So our journey around SAP security really started in earnest around twenty seventeen.

00:06:16: That's where we started to kind of see the wind shift, with things like ERPs, and SAP specifically, as a threat for the organization.

00:06:27: I think a lot of us sit there.

00:06:30: You worry about the email, you worry about Active Directory.

00:06:34: Like, you just have these systems that you worry about more because we see it in the news more, and you don't really think, like, an ERP, your core business application: what happens, truly, if an adversary gets a hold of that?

00:06:51: But as we've seen over the past decade, cybercriminals are really focusing more on monetization rather than other impacts and denials.

00:07:02: SAP is ripe for that type of activity, so that's kind of what started us down this journey ten years ago with ECC.

00:07:11: You know, like many companies, we had this very traditional SAP deployment that's all on-prem.

00:07:17: It's kind of tucked away, it's hidden.

00:07:20: By no means does that mean it was impervious, right, but there are different layers of abstraction.

00:07:27: The attacker has to do a whole lot more work.

00:07:31: But it was a real eye-opener because we recognized things like, hey, our patching and note processes aren't necessarily conducive to the way the modern world is shifting.

00:07:44: You see a zero-day go from report down into the concept of an exploitable package within days now rather than months.

00:07:53: And even for something as complicated as SAP, we're seeing time to action shrink.

00:08:01: So when we first kind of got a hold of this contract and SAP is pitching the idea of shared responsibility: great.

00:08:14: We liked that because there's a lot... When you hear shared responsibility, you really think partnership, right?

00:08:20: And so we went in with all these kinds of preconceptions, like, hey, here's the stuff.

00:08:23: Like, you're going to handle this and we're gonna handle that, but we're gonna share some visibility because that's what partners do.

00:08:29: We hold each other accountable.

00:08:30: We support each other. And it wasn't necessarily that, right?

00:08:34: It was... we handle the infrastructure.

00:08:38: You don't worry about any of it. Which is a major, it was a major change for us.

00:08:42: Like, when you own everything on-prem and you can really put your hands on the metal or devices, you could go look at all of the traffic that you want. Like, there's nothing

00:08:50: that kind of gets in your way of getting a holistic view of your environment.

00:08:56: And I think that has actually been probably the more challenging shift for most companies.

00:09:03: They've gone from a very IT-centric ability to monitor and are having to shift into this new paradigm, which is what shared responsibility calls for,

00:09:10: which is an application-centric monitoring and security program, like, you know.

00:09:17: So I'd liken SAP a lot to OT, operational technology.

00:09:23: I call it the OT of the business, right?

00:09:25: So we're an electric company.

00:09:27: We've got power plants, parts and things that are going on in our environment because we're producing this physical product and getting it out into the world.

00:09:41: When you look at the challenges we have on the OT side, right?

00:09:45: You know, these systems,

00:09:46: they get put in... and may live there for ten, twenty years!

00:09:51: Really, the only people who know how those work are maybe folks who've just hung around,

00:09:57: so they've got decades of experience taking care of some of these systems.

00:10:02: They don't handle change very well, but for the most part, they're pretty reliable.

00:10:08: And then from a talent perspective, it's kind of a niche area; like, finding someone that is really good with OT or OT security is really difficult.

00:10:17: Now, if I hadn't used the word OT at all in my little statement there, it would sound a lot like SAP as well.

00:10:24: We put in these SAP systems and they'll sit there for ten, twenty years.

00:10:27: And then we're, like, kind of forced to upgrade.

00:10:29: SAP is really built on the backbone of people that have just done it forever!

00:10:34: Then if you want to get some talent, you either grow it yourself or it's expensive because there's not a ton of people out here.

00:10:42: So that's still legacy.

00:10:43: But now SAP is shifting all of it through the shared responsibility model.

00:10:48: We kind of joke, we don't really view it as the shared responsibility model because what they're not sharing is accountability.

00:10:57: Because no matter what happens, like, oh, you know, their infrastructure gets popped, our infrastructure gets popped, there's going to be finger pointing and there's the blame game, all that stuff.

00:11:06: My customer is not going to care.

00:11:09: My regulators are not going to care.

00:11:11: They're gonna say, well, OG&E, that's on you.

00:11:13: And so regardless of shared responsibility, it is not shared accountability.

00:11:18: That's one of the things that we can't, as defenders and leaders, we cannot lose sight of.

00:11:27: We went in really excited, where we were like, oh well, look, it's all Azure,

00:11:32: so just set up log forwarding to see what's going on with the infrastructure?

00:11:37: No!

00:11:38: That's not what shared responsibility means, right?!

00:11:42: We were advocating for shared accountability and responsibility.

00:11:46: And so that was kind of the wake-up, and we realized, like, hey... So now we have to really manage:

00:11:52: what are our true exposures?

00:11:53: What other things do we need to focus on?

00:11:56: It's at the app level!

00:12:00: I've heard others in similar roles as yours describe SAP as more akin to OT, or even refer to it as shadow IT, especially thinking about this idea that it's not shared; no, it is going to change.

00:12:17: Was there anything internal to your organization you had to do to either educate or rally the appropriate stakeholders to drive awareness and acknowledge reality?

00:12:29: Yes, certainly. At first this was completely absent of RISE, but I literally had a security vendor

00:12:36: ask me, why so much about SAP security?

00:12:40: And this is actually when we were trying to acquire Onapsis for the first time.

00:12:43: A reseller told me that to my face, and it's like, well, then you clearly don't understand SAP, or you don't have some of these massive systems internally.

00:12:55: Again, speaking of the fragility, or the perceived fragility, of SAP, and I think some of our legacy systems were probably in this condition, there was real fear around SAP that it's going to harm performance.

00:13:09: It's going to impact customers, it's gonna impact financials and do all these things. Well,

00:13:14: luckily we had spent years kind of getting better in the OT security space, so we actually applied a lot of those same concepts, right?

00:13:22: So everything is passive.

00:13:23: You know, the security tool, like, kind of fails, for lack of a better phrase,

00:13:27: before the actual production tool; uptime is paramount.

00:13:33: I've got to tell you, the amount of stress testing that we put onto our Onapsis products prior to allowing anything into production... We ended up shaking out more performance and supportability errors in other third-party tools that were business critical, far more than anything Onapsis found.

00:13:59: So, like, we were stress testing the heck out of our environment and finding it's all the other stuff that was causing problems, but we're glad to know about it.

00:14:08: So that created an opportunity for us to tell that story.

00:14:11: Hey, this is not about... Like, security as a partner, and security as an integrated concept of this: we can help... and we are not here to bring you down.

00:14:23: That established a little bit of the rapport.

00:14:25: So going into RISE and that migration, it made a lot more sense.

00:14:29: And we could even say things like, hey... We're doing code analysis,

00:14:34: so let's not inject bad code,

00:14:36: because when I went back to look at all our old legacy code in ECC, some of those were... very good.

00:14:44: People attending here may be shocked: oh my god, there is bad ABAP out there?

00:14:50: Yeah!

00:14:53: So we were able to say, like, hey, let's try and get clean

00:14:58: and stay clean

00:15:00: throughout this deployment. We used it as a tool to kind of tell a positive story about how... we are very intentional around the supportability, the security and the maintainability of our SAP environment.

00:15:16: One thing that has helped out hugely is, you know, SAP vulnerabilities are starting to become more common.

00:15:23: And so, like, Onapsis threat intelligence actually will send something out, and we're able to go into the platform.

00:15:30: So let me just tell a story.

00:15:34: I think it was, like, The Wall Street Journal or MSN or something published a story about how SAP environments were getting hacked, and it caused almost, like, this little panic among the, you know, in the C-suite; they will read that and be like, oh, we also use SAP.

00:15:48: Like, how in trouble are we?

00:15:50: Are we the next Jaguar?

00:15:52: And then you can go into, you know, into the platform and you can see:

00:15:57: yep!

00:15:58: We see the vulnerability, here are the devices.

00:16:04: Either we validated that we're not susceptible or we have a direct path to know what is susceptible.

00:16:10: And just being able to speak at that level of intentionality and control over your own environment, on the side, it's incredibly powerful!

00:16:21: We've been sure to tell the right stories and build relationships, which has made the RISE transition easier from a security standpoint because we're not creating these relationships on the fly.

00:16:38: We've established this rigor and this rapport; now we are leveraging tools to drive projects forward.

00:16:45: It sounds like being able to respond to scenarios, whether that's responding to news articles or anything else, within board level, executive levels, even in your teams, drives another level of confidence within an organization?

00:17:00: At the end of the day, what we're trying to do is make the right tooling and process decisions; we're trying to develop the right people.

00:17:07: So one, when bad happens, because it's going to happen, we're ready today, we're ready to handle it, but also, like, you know what?

00:17:13: We are thinking strategically, like the next ask, the next need is coming, and so our belief is, if we're efficient, if we're effective, if we are doing things intelligently, it's a lot easier.

00:17:26: So let's transition to compliance for a second.

00:17:41: We all know that compliance is meant to be in place to help security and the mechanism of control.

00:17:47: Utilities are obviously under a microscope, whether it's NERC-CIP or other regulations.

00:17:52: How did the move to RISE either simplify or complicate them?

00:17:59: Wow!

00:18:00: That's a good question. From a federal regulatory perspective,

00:18:07: if you're an electric utility, you know, the big challenge is around NERC-CIP.

00:18:14: We've kind of, like, bifurcated or separated ourselves from that to reduce our compliance-related exposure.

00:18:20: But it's interesting.

00:18:22: SOX, Sarbanes-Oxley, is absolutely still in play.

00:18:25: So if you're publicly traded and have to align with that, honestly, we took it as an opportunity to actually get better.

00:18:37: We went and reviewed our processes, redefined them.

00:18:39: And then we built in the controls that were necessary from an Onapsis platform perspective... There is a little bit of feedback.

00:18:50: I don't know if it was me?

00:18:52: I hope not.

00:18:54: So anyway.

00:19:00: So we took it as an opportunity to kind of redefine some of our compliance processes,

00:19:09: having this concept of, like, the tools work for us rather than we work for the tools, because what we saw over the past, like, twenty years living with ECC was that a lot of our processes started to kind of take on a tint of, well, we're there to feed the beast that is ECC, rather than ECC working actively for us.

00:19:29: And so we kind of redefined, and then figured out what are the right integration points.

00:19:35: One of the real challenges we've had is around just being able to do investigative things when it comes to compliance-level activity.

00:19:42: So that's one thing that we've been really proud to get to work with you all on, the Investigate solution or module.

00:19:54: So we can say, hey, we still have this type of activity.

00:19:57: Where else can we find this?

00:19:59: And it's almost like we're able to now do threat hunting, but from a compliance perspective.

00:20:05: Now, compliance: you'll hear me readily argue compliance does not equal security, but they can work together.

00:20:11: And so if we're able to say, we've got the secure environment, obviously some sort of control needs to be tuned or adjusted, and how do we go do that

00:20:21: to ensure that we're meeting the compliance-related need?

00:20:27: That's been pretty successful.

00:20:29: So you've gotta take this, like, migration or whatever you're doing,

00:20:31: if you're moving into RISE, you have to take it as an opportunity rather than a punishment.

00:20:37: Go change things for the better, because you're not gonna get another chance; once that's in, it's in. None of us can go change our legacy ECC environments.

00:20:47: So why do we think that we're going to be able to put stuff in and then go clean up

00:20:50: and put security in after the fact?

00:20:52: It's not, it's just not gonna work very well.

00:20:55: You know what I mean.

00:20:55: That's so true.

00:20:57: I've heard you mention a couple of times, whether it's on this webcast or just conversations you and I have had, which is: you can't defend what you don't see.

00:21:06: That's right.

00:21:07: And so how do you gain the visibility into an environment that you're not physically managing?

00:21:12: Well, yeah. What a hassle, because we have traditionally relied upon network-level controls, like the ability to just see at a packet level who's coming and going.

00:21:29: We've had to really adjust and embrace some of the new world order.

00:21:34: So one other thing is, and I probably think about this too much, this concept called cyber persistence theory.

00:21:42: So just for everyone's awareness, my side hustle: I'm on the faculty at Arizona State University and I teach in the Master of Arts in Global Security program.

00:21:50: So if you're looking for a good master's, you should check that one out.

00:21:55: But one of the classes I teach is around cybersecurity strategy planning, and we're really starting to focus on this concept of cyber persistence theory, which basically says that, look, this idea that we are deterring negative cyber activity is crazy.

00:22:11: It's just not the reality, and what they're saying

00:22:14: is that, you know, this cyber domain itself,

00:22:16: it's like this domain of persistent contact, which is an interesting take when applied to RISE.

00:22:22: Because, look, RISE is now putting yourself out into some sort of hyperscaler.

00:22:28: You can either be directly exposed to the internet, partially exposed, fully encapsulated, but you are in a different kind of touch area, right?

00:22:39: You can't hide behind obscure IP addresses.

00:22:44: The friction is very, very different

00:22:46: for an adversary to come touch you, which is what cyber persistence theory calls forth; it says, like, in traditional battle spaces, like kinetic and all that... you actually have to cross an ocean or get somewhere.

00:23:00: Well, really, for something like an SAP RISE environment, anyone in the world could touch it.

00:23:05: It's as much a feature as it is a bug.

00:23:08: Now, so what we're trying to do... We are trying to reduce down the opportunities for exploitation in areas that we can't control, and so exploitation occurs through the traditional SAP approach of things, which is role-based access control.

00:23:28: You handle that.

00:23:29: So authentication, authorization, but beyond that, like, exploitation still occurs at a code level, and that's still where the vast majority of folks are weak.

00:23:40: And so that's where, like, Onapsis is coming in, saying, hey, we've got, you know, on the application layer, the layer that we can control, we have the appropriate vulnerability response, we're seeing things going in, or monitoring for, you know, types of activity that are indicative of exploitation,

00:24:00: because that's where we're kind of forced to go have that battle.

00:24:08: Our abstract mentions that early decisions, or making decisions early in the process as you're moving into any type of hyperscaler, is critical.

00:24:20: Yeah. If you could go back, based on lessons learned and the decisions you made that were key early,

00:24:28: what would be a couple, whether technical or procedural, guardrails to put in place?

00:24:33: Or that you'd recommend individuals who are looking at this put in place now or earlier?

00:24:38: Yeah, it's a weird deal because SAP is also moving so fast and things are changing continuously.

00:24:49: And so whatever you put in, you need to really understand and be flexible.

00:24:55: So as an example, there's a lot of ask around, like, clean core, right?

00:25:00: Oh, we want to go to the clean core, right.

00:25:02: What that is not saying, like,

00:25:05: I think that there's some confusion: there's clean core, then there's custom code, right.

00:25:10: Clean core is not calling for the elimination of custom code, right.

00:25:14: And so custom code is getting pushed into this thing called BTP, which frankly is a new paradigm for SAP.

00:25:22: It's kind of a new product, and we already, like, Paul, or PK, we ran into issues between OG&E and Onapsis, like, how are we even, you know, how does BTP license? We had to go work through that,

00:25:34: because, as I looked at it, the ground was shifting under both of us, and what we were realizing was we were micro-segmenting a lot of our BTP areas.

00:25:43: But that wasn't necessarily conducive to licensing, and it created identity and access management challenges, things like that.

00:25:49: So what I would recommend is, whatever you do, build in flexibility, because the thing will change around you... It's my personal opinion:

00:26:01: a lot of RISE has been designed like building an airplane as we fly, right, and we went live about a year ago.

00:26:09: And I can tell you, like, structurally a lot of things have already changed.

00:26:12: Now it's kind of smoothing out a little bit for us.

00:26:14: You know, these deployments are so big and complicated, but it is important that you have an organization that can pivot and make some adjustments, because the cloud is going to require that.

00:26:29: Now let's go make lemonade out of lemons, because that sounds terrible, but once you start getting better at, like, being able to move quickly,

00:26:38: there's other benefits that come with that. So going back to cyber persistence theory, let's just talk about vulnerabilities.

00:26:45: So the average time of a vulnerability, you know,

00:26:48: to go from, like, hey, zero-day announcement or patch notification, or so an n-day if you will, you know, was for SAP could have been, like, thirty days or something.

00:26:57: I mean, it's gonna get boiled down to literally a day.

00:27:00: It'll eventually maybe get boiled down to hours, thanks to artificial intelligence, right?

00:27:05: So now as organizations, we have to be able to patch faster.

00:27:11: We have to move quicker because our exposure to the adversary is different now, and we can't hide behind a lot of traditional controls that we've relied upon in the past.

00:27:23: So go remove opportunities for exploitation rather than create the wall, right?

00:27:30: Like, there is no big firewall that's coming to save you.

00:27:33: We have to go actually make institutional fixes at the code level or the process level or the system level in order to reduce opportunities for exploitation.

00:27:44: So, like... That's where I see the big challenge for us organizationally, not just at OG&E.

00:27:50: We're getting better, but I think across the entire landscape, as we're a collection of users used to patching maybe monthly.

00:28:01: I know, I've seen some shops that have patched twice a year.

00:28:04: You know, there's an HR patch and then the daylight savings patch or whatever.

00:28:07: Right.

00:28:08: So there's, like, two of these patches.

00:28:10: They throw all the notes in; it's just this big endeavor.

00:28:12: We're gonna get leaner, we're going to be faster, because that's what the adversary is going to force our hand into.

00:28:22: You know your insights on those subjects are always fascinating.

00:28:30: What I'd like to really transition into is: what's next for OG&E?

00:28:35: Maybe touch on... you mentioned earlier the new product that Onapsis has launched called Investigate.

00:28:42: Yeah, I'd love for the audience to learn: how has your relationship with us evolved?

00:28:47: What are you expecting from us in general?

00:28:50: And maybe, how are you planning on using this Investigate product?

00:28:53: Yeah, so we, like a lot of companies out there,

00:28:58: I think that we really value being able to control our own destiny at some level, right?

00:29:03: So I don't like to play victim... I'd like to call the shots, and so, you know, what we're trying to do is kind of gain initiative over our environment.

00:29:16: What does this mean?

00:29:18: For most of us, it's just a fancy way.

00:29:20: The problem is we don't really know how to hunt in some of these environments.

00:29:25: And even with the hunt, what do we do about it?

00:29:29: So, you know, what we're going to be looking to do is, like, how are we intaking threat intelligence, and not just indicators of compromise, right? We're moving so far beyond

00:29:38: just, like, oh, you know, IPs, hashes. Like, that's table stakes.

00:29:42: If you're not doing that today, like, you're really going to have some significant challenges. What we're looking at is TTPs,

00:29:50: because what we see is the advanced adversaries are living off the land, they're taking identities,

00:29:54: they're pivoting, they're exploiting internally, they're doing all sorts of interesting stuff.

00:29:59: We don't necessarily know what that looks like in our own environment.

00:30:03: And so things like adversary emulation mixed with high-end investigative capabilities, that will help us hunt forward, with a byproduct being:

00:30:13: now we go tune our security controls.

00:30:16: So, you know, what we do at OG&E is we take in threat intel.

00:30:20: We emulate the activity and then we say, all right, did my tools see it?

00:30:25: Did they alert on it?

00:30:26: Did they block it? In that order, because you can't block, you can't alert when you don't see, and you certainly can't block what you don't see.

00:30:34: So we do have that cascade.

00:30:36: We also don't necessarily want to block everything just offhand.

00:30:39: Right, you want to maybe say, like, is this worth blocking?

00:30:43: What are some of the downstream impacts?

00:30:45: And by the way, you learn this the hard way when you start messing around with OT systems.

00:30:50: It's not always the best idea to just kill a process.

00:30:53: This is not IT, right, and that's why I would argue, like, ERPs aren't IT; they're very different.

00:30:59: I don't know if I can call them OT, but they're very different than your traditional IT services.

00:31:05: So what we will be working on is:

00:31:07: how do we want to ensure we're getting value out of our investments?

00:31:13: So, like, we're challenging them; we are seeing how they operate based upon actual threat intelligence and how the adversary is actually working.

00:31:21: Then we're tuning our controls and... and we're seeking to move faster. Like, that's...

00:31:27: That's the goal. And I think the RISE environment actually lends itself to some of those capabilities.

00:31:35: You know, Ian,

00:31:36: I want to turn this over to Q&A here in a second, but I love this quote from you, and you've touched on it actually several times in the discussion: security isn't a project phase.

00:31:48: It's a foundation.

00:31:49: Yeah. If you wait for security to, if you wait for that phase of your RISE migration, you have already lost.

00:31:54: Yeah. Is there any additional parting kind of wisdom or recommendations,

00:31:58: or even coaching for those who are on the line, are listening?

00:32:06: There's so many opportunities out there now.

00:32:09: So look, we just deployed RISE; we're already working on a big upgrade.

00:32:13: These things are coming back again.

00:32:15: It is never too late to get started and start building the relationships.

00:32:21: Our initial entry into the SAP security space was hard because we were introducing new concepts.

00:32:28: But, like an ERP, nothing will be done in repetition; it takes focus.

00:32:37: It takes intentionality.

00:32:38: Showing up every single day. We kind of joke about it,

00:32:42: like, a lot of the time my security team feels like, you know, we're tourists, right?

00:32:47: We show up looking around.

00:32:49: This is kind of neat.

00:32:50: You're just learning, and you're there to let the tour guide tell you all the cool stuff that it can do.

00:32:58: That's where it begins.

00:33:00: So don't be afraid of being a tourist. Probably with a lot of us, and I know I've kind of fought this at times,

00:33:08: it's like you go in and people look to you for answers, or they look,

00:33:11: and it's like, oh, you're the smart guy in the room.

00:33:13: Go be the dumb guy in there.

00:33:15: Just go listen, just go learn, and then you come back and always be offering something.

00:33:22: One other thing, and PK can attest, one thing that I'm always pushing our vendors on is: the days of having these really expensive security-specific tools are coming to an end, because we're now approaching a point where leaders, so executive teams, you know, shareholders, right, like, everyone is looking and saying, okay, I've got this tool like Onapsis.

00:33:48: And it sits in this wonderfully privileged part of a very important system.

00:33:54: What other value can I go derive out of it?

00:33:58: And so one of the things I've liked about working with PK and his team is, this is how I think.

00:34:05: When I throw out ideas like, hey, what if it could do this?

00:34:09: The answer is, huh!

00:34:11: It's not really what we do.

00:34:13: You know, it's always, okay,

00:34:15: help us understand the value, because ultimately security has to continue being a value add and not just a cost center.

00:34:22: We're already expensive enough, right?

00:34:25: Once we add value, because we sit in unique places and have unique perspectives on the things that are, the interactions that are going on in these systems,

00:34:32: it becomes way more valuable to the organization, and that's how you become sticky.

00:34:37: How do you get other teams using your security tools,

00:34:39: not just the security team themselves?

00:34:42: You know, Ian, it's one of the reasons why our organizations have had such a strong and positive relationship:

00:34:49: we value very similar things. In fact, one of our core values is hacking, and really what that means is celebrating and encouraging individuals within our organization to experiment, try new things.

00:35:01: There's not a negative consequence for doing so, and having feedback from customers like yourselves,

00:35:09: either we collectively hack it and then maybe generate some feature or whatnot.

00:35:15: It's actually a testament to the product we launched as well.

00:35:19: We appreciate the relationship.

00:35:23: At this point, I'm going to turn this back to Heather.

00:35:25: To open up for Q&A

00:35:32: All right. So if you have any questions, please go ahead and enter them in that Q&A box over to the left, and we will get started.

00:35:40: Guys, it looks like you have a friend in here.

00:35:43: He says, Ian Varela, forgive me if I mispronounce your name, says hi Ian and Paul.

00:35:48: This is Ian Varela from Cypher BSC.

00:35:52: How did OG&E balance SAP's portion of the shared responsibility model with your own accountability for the application layer?

00:36:05: Spam call.

00:36:06: Sorry, okay.

00:36:08: Hey Ivan, great question.

00:36:10: So how do you balance SAP's portion of this shared responsibility with our own accountability?

00:36:18: You know.

00:36:19: So we try to do some things around...

00:36:24: How are we creating opportunities for visibility in places that we do control, right?

00:36:30: So this idea of an ERP is one hundred percent isolated in its own environment.

00:36:43: ...pretty much anything.

00:36:44: So what we did is, we set up opportunities and detection points at those kinds of gateways so we can at least see some things that are going on.

00:36:55: Then, you know?

00:36:55: We attempted to derive logs out of SAP.

00:37:01: That maybe indicate, like, hey!

00:37:03: We've got a long-running batch job, or these challenges, these things going on.

00:37:09: What you won't necessarily get from SAP is that clear check-mark guidance of, like, yeah, you do this.

00:37:16: This and this. They basically just say,

00:37:18: anything beyond the infrastructure is your responsibility.

00:37:21: And so we had to kind of figure out how to go get clever and hack it, in a way.

00:37:27: All right, given these connections, given these data points, what are some assumptions that we could make about not only the security of the environment, but also the performance?

00:37:39: Because performance matters.

00:37:41: That's what your customers are going to be looking at.

00:37:43: The security is expected.

00:37:45: You know, performance is expected.

00:37:48: So how are you tracking risk mitigation efforts and performance, cybersecurity KPIs?

00:37:55: Across all of OG&E.

00:37:57: We've got some things with SAP, specifically Onapsis as our partner, and so that does have some robust reports.

00:38:06: One of the things that has been great is some organizations will outsource elements in their SAP support stacks, like Basis, for example.

00:38:19: We always wonder, how do we keep Basis accountable?

00:38:22: Because really it's their job to do this stuff, right? And so we actually build KPIs and things like that into these agreements, saying, hey, we're expecting this level of vulnerability management.

00:38:38: This time to act, you know?

00:38:40: This amount of time to kind of get these notes in, these fixes, and then reduce risk.

00:38:46: So the platform has been a great tool. Good question.

00:38:51: Thank you.

00:38:53: Thanks for your answer.

00:38:55: So the next question is: we have some systems on RISE, not ERP.

00:39:00: RISE has lots of security holes inherent in the build, for example enforcement of encrypted RFC, which violates SAP's own recommendations.

00:39:09: So how are you dealing with that?

00:39:11: Probably the same way you are, Darrell. I mean... We're doing our best, because it is like...

00:39:16: I mean, it's a real interesting, interesting thing, right?

00:39:20: Because they've got some stuff that's, like, in RISE.

00:39:23: But then they've got a whole suite of other applications that are not, so like SuccessFactors, Fieldglass.

00:39:30: I mean, don't even get me started on IAG and IAS and some of the others.

00:39:35: You know, three-letter acronyms that are really four-letter words, if you catch my drift. We, we, you know...

00:39:44: One of the things that's maddening to me is the lack of Firefighter continuity across their, their services, right?

00:39:50: So Firefighter is a critical control for many of us to go and manage admin rights.

00:39:58: It's almost like SAP pioneered it in some ways with the GRC module. Man, the Microsoft Entra deployment of Privileged Identity Management, which is effectively just like the Firefighter process,

00:40:16: is so much better than what SAP has, and it's so much more consistent. Which is crazy to talk about, like Microsoft having a consistent security strategy against their cloud properties.

00:40:27: So, like, that's more the struggle that I've been experiencing, not only in just, like, the gaps in coverage, I'm saying, oh yeah, you can't encrypt this or that, but other tooling and services we do rely on that are SAP owned and developed.

00:40:47: We're not seeing consistently deployed across their apps.

00:40:51: Now, part of it is they buy these products, quickly integrating them because they've got to get to market, but it's, like, behind.

00:40:59: It doesn't follow some of the same access control mechanisms... I'll go back to my earlier statement.

00:41:09: There's a lot of building the airplane while we fly, and so this is where I say being nimble, being agile, you know, having an organization that's resilient is going to pay off big time as we continue to smooth these things out.

00:41:24: We all know SAP doesn't turn on a dime, so I would expect these conditions to persist for a bit.

00:41:33: Thank

00:41:34: you. With the answer Darrell was looking for, but it is what...

00:41:39: It does not have to be.

00:41:40: It just has been, really,

00:41:43: right?

00:41:43: Yeah. So look, I'm not shy to

00:41:46: kind of bag on SAP where they deserve it.

00:41:51: Now, I will say, going back to this shared responsibility model,

00:41:55: there's so much potential value in SAP controlling the infrastructure.

00:42:00: There is so much financial value in just some of the microsegmentation, and just leveraging the cloud for how it has truly been designed. Like, I think we initially even looked at, what if we host our own SAP environment?

00:42:13: And all we were going to do was really replicate what we're doing in the physical data center up into the cloud, which is using the cloud for all the wrong reasons.

00:42:24: The immense amount of value in allowing SAP to manage the infrastructure and do things along those lines.

00:42:32: It does hurt my soul a little bit to not be able to see, because I'm a trust-but-verify guy.

00:42:38: See what's going

00:42:39: on?

00:42:39: But I do believe that the RISE implementation is the right direction.

00:42:43: We will get where we need to, as us frontiersmen,

00:42:49: you know, customers.

00:42:51: It's going to be interesting for a bit.

00:42:56: Well, thank you.

00:42:58: SAP pushes the clean core methodology heavily for RISE customers.

00:43:04: We all know this.

00:43:06: Clean core is a hot topic.

00:43:07: So Ian, how does having a specialized security partner like Onapsis help

00:43:12: you maintain a clean core while ensuring your custom utility extensions don't introduce new vulnerabilities?

00:43:19: Yeah, I... So I don't think it actually helps us.

00:43:22: Like, I don't look at... Fundamentally, I don't view it as clean core versus unclean core.

00:43:28: I view this as clean code versus unclean code.

00:43:32: The location of the code matters.

00:43:36: If you say clean core, it really does absolve SAP, like, of other structural issues and things that they may have to deal with.

00:43:44: It's in their best interest for you not to go mess with the core code set and to leverage BTP, for many, many reasons.

00:43:54: But, you know.

00:43:55: So for us, where does Onapsis fit in?

00:43:58: Well, I mean, it is literally just the code scanning piece.

00:44:02: But we underwent this challenge years ago where we started really looking at the quality of our Java and ABAP code, because, like a lot of organizations, you know, we probably outsourced pieces of that development and we brought it in.

00:44:16: And yeah, we did the code review on everything.

00:44:17: But did the code reviewers know all the nuance of all the different RFC calls?

00:44:27: Right?

00:44:28: And so what SAP has allowed us to do, or excuse me,

00:44:30: what Onapsis has allowed is to go and take that code and say, all right, are we aligning with kind of basic standards?

00:44:36: And where we're at now is we're not introducing critical vulnerabilities, because it gets stopped before that happens.

00:44:45: Onapsis has done a great job, like, getting into the DevSecOps pipeline and saying, like, hey, we're gonna prevent the build.

00:44:51: We're going to prevent that migration until we get some clean

00:44:54: code.

00:44:55: And it will tick your developers off at first, but ultimately it ends up saving you a lot of headache from your parent pulling things back or your security team spending the weekend looking at a problem.

00:45:06: Let's just develop cleaner code, and also set an expectation where we're not just here to bang out some crummy code and just get it into production so I can cash my check and go home for the day.

00:45:17: These are real implications.

00:45:19: So I don't want us as an industry to focus on clean core versus not or whatever. I think what we really need to do is focus on clean code.

00:45:28: What I also don't like, though, is that I can't necessarily scan the code that SAP puts in.

00:45:35: Because I'm sure that has its problems too.

00:45:38: You know, I'll jump in real quick, especially since we're talking about clean code.

00:45:42: You know, one thing, and then all mentioned.

00:45:44: So it's obvious our platform doesn't distinguish whether it's human-generated or AI-generated code.

00:45:53: It provides the same level of value and a different level of identification of vulnerabilities, so as all of us are trying to figure out what AI means in our worlds, how we manage agents and likely code generated from those agents, I just wanted to make sure everyone is aware that our product does not distinguish.

00:46:13: It'll provide the same value and, you know, go through it

00:46:16: and identify the same vulnerabilities.

00:46:20: Absolutely. Thank you. Okay.

00:46:24: So the next question is: for utilities, the audit cycle never really ends.

00:46:30: In a move to RISE and this shared responsibility model, have you found that your internal or external auditors have changed their approach?

00:46:38: How did you prove to them that the shared components were actually secure?

00:46:45: Yeah,

00:46:46: I mean, they...

00:46:49: Oh my god.

00:46:49: We, you

00:46:50: know, we got beat up on that, like the shared model, because these are stock systems.

00:46:56: They want to know, well, what changes are happening?

00:46:58: What's going on?

00:46:59: And it's like, yeah, well, we don't really...

00:47:01: No, we're kind of blinded to it!

00:47:03: They don't want to call it a SaaS.

00:47:04: They don't wanna call it a PaaS. It's SAP RISE, its own unique animal.

00:47:10: Where, where we benefited is just...

00:47:14: We try not to be adversarial with our auditors, because, one, as this question rightfully calls out, the cycle never ends.

00:47:21: And so these people are coming right back around. Seeing a lot of organizations kind of go more,

00:47:26: I'm going to be antagonistic toward my auditor, and it never ends up well.

00:47:31: So what we really focus on is, like, all right, how do we get to a shared okay?

00:47:35: Right? Like, I know I'm not gonna get everything right.

00:47:39: And so we try to have these relationships.

00:47:41: Because then we can leverage those relationships and say, like, hey, here's the reality that we're dealing with.

00:47:46: This isn't OG&E making this decision; this is SAP.

00:47:50: Um... and look, you know, our auditors are, uh... you know, they're trying to figure all this stuff out too!

00:47:57: So maybe this is an opportunity as a customer that we can help grow our auditors.

00:48:02: We can say, hey, here's how we view this problem, and then they can take it back to their partners and stuff like that... And, and we can start building a more reasonable kind of compliance stack.

00:48:13: Um, the paradigms are shifting, things are different, and so what they're going to be, letting you know, relying on?

00:48:18: Here's how I've traditionally done it.

00:48:20: Well, that's no longer available.

00:48:21: So how do I go

00:48:22: answer something similar?

00:48:24: This is where Onapsis comes in for us.

00:48:26: So one of the questions we get: well, who's got dialog access?

00:48:30: What are these Firefighter accounts up to?

00:48:32: Well, we actually have custom alerts that are all set up to notify when certain types of events happen, and it triggers an incident.

00:48:39: You do all sorts of stuff, but then at the end of the day we hand that report over to our auditors.

00:48:44: They're like, okay, this gives me the warm and fuzzy.

00:48:48: We can test with them.

00:48:53: Look, tools, at the end of the day...

00:48:55: And PK, this is not to dump on Onapsis, but, like, every tool out there is going to fail you at some point.

00:49:03: That's why we at OG&E don't really look at it

00:49:06: like... Tools are opportunities to communicate.

00:49:11: They are relationship-building opportunities.

00:49:13: We take Onapsis and we say, this is how I'm measuring the performance of my groups.

00:49:18: This is helping keep customer stuff secure, but also telling a story about effective management across more of the organization.

00:49:26: Working with our auditors to help make sure that we're compliant with our SOX controls and getting a favorable judgment shared by the board or stock shareholders.

00:49:36: You know, the people.

00:49:40: The relationships are what's actually going to pull you out of the fire.

00:49:43: That tool itself is just a mechanism to build those relationships and help streamline it, make you a little bit more operationally efficient

00:49:50: when trying to accomplish... Couldn't agree more.

00:49:56: Great.

00:49:57: Um, yeah, sorry PK, most of these are for Ian.

00:50:05: He likes it, like, oh great.

00:50:08: Man, so we almost didn't hear me talk.

00:50:11: Ian's a star!

00:50:14: Well, since most utility companies have a security operations center that monitors the network, can you explain why a traditional Security Operations Center might be blind to an SAP-level breach?

00:50:28: And how has OG&E bridged that gap?

00:50:32: Yeah.

00:50:35: I mean, with RISE they're looking at the wrong stuff. The way we have traditionally gone, and I think maybe this electric utility industry, it's like... We are a cyber-physical company.

00:50:48: Like, we have very physical assets that we deliver, a physical good.

00:50:51: We had a service territory.

00:50:53: Everything is kind of geospatial, it's physical in nature.

00:50:56: So for us, you can't necessarily touch the packet, but you can conceive one.

00:51:01: But what we're really talking about with RISE is monitoring this amorphous SAP thing.

00:51:09: And if you are an SAP outsider, like a lot of us... You don't know all these SKUs or everything's weird three-letter acronym for stuff, and there's different landscapes.

00:51:24: It's this weird language, and we've never really... I think the vast majority of security teams have never understood how to speak that language.

00:51:32: The Onapsis platform for us has been like, almost, a translator, right?

00:51:37: And so when, you know, as we were implementing RISE, we were lucky enough to have an Onapsis resident engineer kind of helping us build out a lot of these things.

00:51:48: So what she actually went and did was she would walk through, like, hey, we saw this event in Onapsis.

00:51:56: And then work with our SOC team and say, when you see this, this is what it actually means, because we don't speak SAP.

00:52:05: So we needed almost a Sherpa to help us understand some of the basics.

00:52:12: Your SOC teams are smart.

00:52:14: All they really need, you know, give me a little bit of a push.

00:52:18: I need a little guidance and then... I'm a smart person, so I can go figure some of these things out.

00:52:23: The way SAP operates is just inherently different than the other stuff that our defenders are asked to secure.

00:52:29: So that's why we've been blind.

00:52:33: And especially traditionally, it's... We've been able to hide SAP behind things that do fit our traditional, like, paradigms for securing an environment.

00:52:43: So it's been behind a firewall and network. You know, we had access to the UNIX, Linux logs or whatever, right, infrastructure logs?

00:52:51: Uh... we never really have focused on the application side itself.

00:52:58: Nice.

00:53:02: I love the idea of having

00:53:03: a Sherpa. Thanks.

00:53:05: A marketing team might steal that from you,

00:53:07: yeah?

00:53:09: So in the RISE environment, SAP handles some patching but the customer handles others.

00:53:15: How do you manage timing and testing of security patches so they don't disrupt the critical utility operations or billing cycles?

00:53:23: You know, I don't know, like, what we're trying to do on the security side.

00:53:26: Like, I'm not dictating that.

00:53:28: What I'm dictating is the reality that the adversary's moving faster, and thus our processes must be more efficient.

00:53:35: But at the end of the day, like, security only gets to wield that hammer every so often, where it's like, thou shalt patch this within twenty-four hours.

00:53:42: And we have to be very careful with how you wield that, right?

00:53:45: Because if you wield it too often, you'll lose, and then you will lose your group.

00:53:51: So what we're more trying to do is really better understand criticality, vulnerability enrichment.

00:54:00: So things like, you know, the Onapsis intel, CISA KEV.

00:54:04: You just, other... Like, how critical is this SKU?

00:54:07: How critical is the business application?

00:54:09: What is its network exposure?

00:54:12: Is this accessible via the internet, or do you have to be internal?

00:54:15: Or what does the makeup of this thing...?

00:54:18: Well, we have to start getting out of that, oh, it's a CVSS ten.

00:54:22: So I've got to drop everything and go fix it.

00:54:24: Well, no, that's not necessarily the case.

00:54:28: Not all vulnerabilities are created equal across all organizations.

00:54:31: In fact, a concept we're working on here at OG&E is actually something that's pushed by CISA and Carnegie Mellon out of Pittsburgh, and it's called the SSVC, or Stakeholder-Specific Vulnerability Categorization.

00:54:44: And in fact I may even hit up my friends at Onapsis to say, what if we were able to incorporate elements into our Onapsis vulnerability findings, because what this will do is it says already in...

00:54:58: This is a drop-everything-and-do-it thing, like,

00:55:00: and here's why. Actually give reasons.

00:55:03: People are very reasonable, in my...

00:55:04: Well, let me roll that back.

00:55:07: People can sometimes be very reasonable if you give them the right information to help them make an intelligent decision.

00:55:12: So if you say, I've got this problem, from this problem, like, here's why we are calling this a stop-the-presses, go fix it right now.

00:55:20: I think if people understand the why, they're more likely to help you.

00:55:24: But if you just come and say, patch this because I'm scared and I said so, 'cause I'm security, like, I think that's where you start to

00:55:31: really run into problems.

00:55:32: No, I agree with you on that.

00:55:40: Thank you.

00:55:41: Such a good point.

00:55:41: Cool!

00:55:41: Well, we have time for one more question.

00:55:46: Yeah, so I'm going to do this one.

00:55:48: If someone in the audience is currently negotiating their RISE contract,

00:55:53: what is one security requirement or visibility clause they should insist on including

00:55:58: to ensure they aren't left in the dark after go-live?

00:56:04: With something that they need to push for, like, you know, before that paper is signed.

00:56:10: That's when you have all the power, and SAP has all sorts of security kind... And I would get whatever you can possibly get out of that.

00:56:20: I would say, show me your list of add-ons, and then give me everything that you've possibly got.

00:56:25: Try and get all that built

00:56:26: in.

00:56:27: You know... I remember when we first started talking, they tried to upsell a next-generation firewall, which is wild, because I was doing next-generation firewall stuff as, like, a city municipal worker in twenty fifteen.

00:56:42: The fact that SAP said this isn't an extra SKU.

00:56:46: So, so take their list of stuff and say, like, why is this just not included?

00:56:50: Like, we're spending millions and millions and billions of dollars.

00:56:54: Why is some of this stuff not included?

00:56:56: You don't get that power after you've signed.

00:56:59: You only have that power before you sign, and they are trying to get people to sign that paperwork.

00:57:06: If anyone really wants to get wild, go push for getting read-only access to logs from their Azure infrastructure, whatever their hypervisor is.

00:57:17: If you are successful, let me know.

00:57:20: I will buy you a coffee or beer or soda, and I'll pick your brain, because that's my holy grail of giving information to help defend the organization.

00:57:30: Awesome!

00:57:33: You heard Ian.

00:57:36: He just offered you a drink or wine?

00:57:41: Yes, so we're gonna wrap up now.

00:57:43: Please go ahead and check out what we've put in the resource box over to your right.

00:57:48: There are a bunch of different white papers and things that can help you out, and we're going to wrap up this webcast.

00:57:57: Thank you so much for joining us.

00:57:59: Thank you, Ian and PK, for such great insights.

00:58:05: We really appreciate your expertise.

00:58:08: We'll put Ian in the expertise category. I appreciate that, and I appreciate anyone who's spent their last hour with us.

00:58:13: So, you know, they're all busy.

00:58:15: Thank you.

00:58:16: Thanks, everyone.

00:58:17: Thank you!

00:58:19: In a moment, two questions are going to

00:58:21: pop up on your screen.

00:58:23: Please take that, and stay tuned for the post-event email tomorrow with the link to the on-demand presentation, and please go ahead and share it with your colleagues.

00:58:33: Sharing is caring. Thank you so much.

00:58:35: Have a great rest

00:58:38: of...

About this podcast

Welcome to our Onapsis Podcast, a podcast brought to you by Onapsis, the global leader in SAP cybersecurity.

Join us as we delve into the fascinating world of safeguarding SAP systems from cyber threats and uncover the secrets to protecting your organization's most critical assets.
In each episode, our expert hosts and special guests will explore a variety of captivating topics surrounding SAP cybersecurity, shedding light on the challenges, best practices, and cutting-edge solutions that help businesses maintain the integrity and resilience of their SAP landscapes.
From the latest emerging threats to innovative techniques for vulnerability management and threat detection, our podcast provides invaluable insights for professionals working with SAP systems or those interested in learning more about the importance of securing the digital core.

by Onapsis
