Anytime an executive moves to a new company the first question they get is, “Why did you pick that company?” In the case of Onapsis, I leapt at the opportunity because we have a massive role to play in protecting everything that matters to the Global 2000. Onapsis is attacking a business-critical problem, but from a cybersecurity perspective. Global 2000 enterprises leverage ERP – it’s where the crown jewels reside; Financials, Customer Data, any corporate sensitive data, etc. But these complex applications were not designed with security in mind. So guess what? They’re not secure. I’m reminded of the answer Slick Willie Sutton gave when asked why he robbed banks. He said, “Because that’s where the money is!” It’s no different when it comes to ERP.
So, when I hear about a major breach, the spotlight is typically shined on the assets that were stolen and the ways in which the adversary got in (e.g., spear phishing, email, firewall, end-point). Yet there’s very little attention paid to the security of ERP systems. I find it ironic that there seems to be a lack of focus on the fact that in most cases the adversary was targeting the crown jewels, which are largely in ERP. It demonstrates to me that hardening the inner core is the last bastion of defense for the assets which reside in ERP.
The challenge is exacerbated due to the ways companies are structured. CISOs, who know it’s open season on ERP and want to do something about it, often do not have jurisdiction over ERP. And on the operations side, CIOs are often unaware how susceptible ERP is to being compromised at will; even that they are not in compliance in many cases. During my interviews with Onapsis, which were extensive indeed, I asked how often they could prove (being verified by SAP, Oracle) that they were vulnerable to a major attack. Their answer made my jaw drop. They said, “One hundred percent of the time.” Knowing the truth stretching that happens in cybersecurity, I probed further. “Give me an example of something you typically see that is significant.” They explained that they can get onto the network and, without credentials and passwords, get into ERP systems. Once there, they can demonstrate how they could seize the passwords of executives, create an invoice for whatever amount they want, and get paid. Clearly this is not demonstrated in a production SID, but is typically shown in functional copies. That is a big deal.
When you think about what the attackers are after in organizations, it’s usually the financial, customer data or any corporate sensitive data that is considered valuable to the organization. In a company that has a large ERP implementation, all of this data resides in these systems. Once an attacker, internal or external, is past perimeter defenses, this trove of content at the inner core is exposed to any number of attacks that could be detrimental to the organization, and the hackers know it. Years ago, hacktivists started attacks on SAP, which was interesting but not critical. Then you saw more professional cyber criminal organizations come forward with more sophisticated attacks–you see some of these activities coming with state sponsorship. And now DHS has issued its 2nd critical alert for business-critical applications.
Onapsis is bringing together CPOs, CIOs, and CISOs the combination of which will allow for better secured business-critical applications and better cross-functional awareness. At the same time we have proven use cases of reducing operational costs and cutting in half the time it takes an enterprise to move to the cloud. Our partnerships with SAP and Oracle are a testament to the importance Onapsis delivers.
And we have friends. Our strategic partnerships with the leading system integrators and MSSPs are natural because they have domain expertise on the operational side (ERP) and the security side. So the Onapsis solution falls perfectly into their sweet spot of service offerings, having a service specific to ERP business implementations and a separate service for information security practices.
When I learned about what the Onapsis Security Platform does for the enterprise and what the Onapsis Research Labs does for the market, I jumped at the opportunity to play a leading role in bringing it to the world. I’m looking forward to applying my expertise in serving customers to an already well-known organization.