
What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
Securing Business-Critical Apps in the Cloud Era
Interested in being a guest? Email us at admin@evankirstel.com
Cybersecurity for business-critical applications represents one of the most significant blind spots in enterprise security today. As Mariano Nunez, CEO and co-founder of Onapsis reveals, sophisticated attackers are now targeting the crown jewels of organizations – their SAP, Oracle, and other mission-critical systems – with unprecedented success.
What makes these attacks particularly alarming is how they bypass traditional security controls. While most organizations focus on user access controls and segregation of duties, today's threat actors exploit vulnerabilities at the application layer without requiring any user credentials. As Mariano explains, "Attackers are exploiting and attacking the systems even without a user to begin with. It's a different paradigm." This fundamental shift coincides with the migration of formerly protected internal systems to cloud environments where they're increasingly exposed to external interfaces, AI integrations, and new business models.
The most sobering revelation comes from Mariano's disclosure of an unprecedented cyber campaign that began in January 2023. Chinese threat actors developed zero-day exploits for SAP systems, silently compromising hundreds of organizations worldwide, including critical infrastructure and government entities. Even after patches were released, many organizations found themselves in a troubling position: "It's almost as if you would unlock your front door and change the front door lock, but the thief is already in the basement." This represents the worst attack campaign against business applications in 15 years, highlighting the urgent need for specialized security approaches.
Onapsis differentiates itself by providing purpose-built protection for these critical systems, working in close partnership with vendors like SAP and Oracle while helping security teams manage risk even when immediate patching isn't possible due to downtime constraints. For organizations navigating digital transformation, the message is clear: generic security tools provide a dangerous false sense of security when it comes to your most valuable business applications.
Want to learn how your organization can protect its business-critical applications from sophisticated attacks? Listen to the full conversation and discover why traditional security approaches are failing to address these emerging threats.
More at https://linktr.ee/EvanKirstel
Hey everybody, fascinating chat today, important topic as we talk about securing business-critical applications in the enterprise, with Onapsis Mariano. How are you?
Speaker 2:Very good, Evan. Good to be here. Thanks for having me.
Speaker 1:Well, thanks for being here. Really timely chat. Cybersecurity is top of everyone's mind, but before that, maybe introduce yourself and your journey and mission at Onapsis.
Speaker 2:Yeah, yeah, happy to. So.
Speaker 2:Mariano Nunez, CEO and co-founder here at Onapsis. My background is in cybersecurity.
Speaker 2:I've been in cyber since I was 18.
Speaker 2:I started working at a consulting firm out of Argentina, Buenos Aires, that's where I'm originally from.
Speaker 2:So I was doing ethical hacking, penetration testing, vulnerability assessments for our customers and as part of that, basically I ran into an ERP application back then and I really realized that there was this major gap in the industry where, at that point in time, everyone was protecting the endpoints, the networks, the infrastructure, but for a strange reason, no one was really protecting the business-critical applications that they were running to support the most sensitive data and processes. So that really led to us founding Onapsis in 2009. And it's been really quite a journey, I would say, since then to really scale the business, now living in Boston, Massachusetts in the US, and continue really to execute against this mission, which is protecting the business-critical applications that power the global economy. So very excited about the mission we're still executing against after so many years, because a lot has changed in the world during that time. So happy to be here to chat more about this or any other topics.
Speaker 1:Yeah, well, let's talk about that. What are the kinds of cyber threats that are most common for those business-critical applications? Do you think ERP, for example, companies like SAP, Oracle, where I used to work, other places? What do they have in common?
Speaker 2:Yeah, look.
Speaker 2:I think the first thing they have in common is this misconception that when you think about ERP security, whether it's SAP, Oracle, as you named, or any others, traditionally what that security meant was really segregation of duties and access controls, meaning if Evan has access to create an invoice, he shouldn't be able to create an event or a purchase order, and really make sure that those segregation of duties controls are in place.
Speaker 2:Unfortunately, those controls are very important, but where we're coming from really, what we see is attackers exploiting and attacking the systems even without a user to begin with. It's a different paradigm when you're protecting against, and that, I say, is common across all these applications. I would say probably the second thing that is very common is how these applications used to be behind the firewalls, in the internal networks, behind the walled gardens, and now they're all pushed to the cloud. They're pushed to the edge, like being accessible for B2B purposes, for providers, customers and other interfaces, exposed to AI, exposed to RPA, exposed to new, basically, business models. That is significantly increasing the attack surface and the risk of these business-critical applications.
Speaker 1:Now, with the new cloud transformations and AI initiatives, they're under... yes, scary times for sure, and you know I talked to CIOs at banks. They might have 60, 70 different cybersecurity tools under their roof. What makes you guys different from those other security solutions or tools that are out there already?
Speaker 2:Yeah, absolutely. It's a lot that CISOs have to deal with and, of course, we're shrinking budgets and more pressure on resources given the macro. But I think what sets us apart is all our customers. If you think about what we do, all our customers have generic security capabilities, whether it's cloud security, vulnerability management, threat detection, and the reason they still really partner with us and Onapsis and the use of the Onapsis platform is because, again, those solutions are very important and they're having really important controls against different parts of their stack.
Speaker 2:Right, it could be at the operating system layer, the infrastructure, the cloud, the hyperscaler layer, the custom code layer, but they don't have the intelligence and the capabilities to really look at ERP and business-critical applications at the application layer, right?
Speaker 2:So if you use any of those generic tools today to protect your ERP systems, you're going to be able to stop some basic attacks and common attacks, but you would be getting a false sense of security, because you scan your ERP applications, take SAP, with one of those solutions and it may tell you, hey, there are some issues in the operating system and the network and the firewall in front of it, but everything else is fine. When you go and run a scan with Onapsis, it will tell you that you may be missing hundreds of SAP security patches or you may have misconfigurations that are actively being exploited by attackers. Right, so we're not talking about a theoretical kind of risk here. We're talking about active cyber attackers that are compromising applications or business applications at this layer, and that's why what you really need for this type of asset, you need purpose-built capabilities like the ones that we pioneered at Onapsis.
Speaker 1:Interesting. Do you have any stories or anecdotes where your team had to step in and help, what happened, and obviously anonymized customers? You don't really tell about those stories by name.
Speaker 2:Of course. Confidentiality is, of course, paramount, as you know, in cybersecurity, especially for us, given the profile of the customers we work with. We work with very, very large organizations across the US and Europe, all the way from public Fortune 10, Fortune 100, to government organizations, military government agencies, because, if you think about it, everyone runs solutions like SAP and Oracle for the most critical data and processes, right. So we have to be very careful about how we design our products to make sure they're not introducing any operational risk to those environments ourselves, so we have a lot of high-quality kind of design and capabilities there, but also make sure that when there is something bad that could happen in the systems, we're alerting our customers as soon as possible and providing them the capabilities they need to protect themselves. So I'll tell you a very recent example. Actually over the last, I'll say, three months, really, it's really recent. I would say it's the first time we see what I would describe as an unprecedented cybersecurity threat campaign against SAP applications.
Speaker 2:Again, we've been doing this for 15 years, so we've seen many attacks and incidents in the past. Many of those never got to the public domain and you will not see that in the headlines, but over the last few months, literally started between January to some extent, but especially during March and April and May of this year, we've seen for the first time a group of cyber threat actors that are connecting now to Chinese kind of nexus groups that basically developed what's called zero-days for SAP, meaning vulnerabilities that did not have a patch, so there was basically no way for you as an SAP customer to be protected against this, and they actually used these capabilities, these exploits, to break into hundreds of SAP customers worldwide. So that really was discovered around mid-April based on some symptoms. A security firm was looking at their customers and then, when we started analyzing this, we realized that they actually started this exploitation all the way back in January and they've been silently compromising. Again, if you look at the victim list, it's a lot of the largest and most well-known organizations on the planet, a lot of critical infrastructure organizations, government organizations that have these Chinese threat actors and then other actors fully compromising the systems silently.
Speaker 2:Fortunately, SAP responded very quickly after this news. They released a patch and a lot of customers started to apply the patch. The problem was many of them already had the systems compromised when they applied the patch. So it's almost as if you would go in and unlock your front door and change the kind of front door lock, but the thief is already in the basement, right. So, unfortunately, there were a lot of misconceptions and misunderstandings and there are still, as of today, many exposed SAP systems online and compromised systems. So we're doing our best to really notify and raise awareness about this topic, together with the US and international government agencies, with SAP, with other cybersecurity firms. But, yeah, this is a very, very recent example that I would say in the last 15 years is the worst we've seen, and it's a clear indication that this is again what we were talking about before. People move SAP and these applications to the cloud. Attackers know this, so they're going after them more aggressively, investing more capabilities, and we see a pretty significant uptick in terms of threats against these systems.
Speaker 1:Wow, that's unbelievable. A lot of companies are also running very old ERP versions and systems, a lot of technical debt, and I guess the philosophy used to be well, if it's not broke, don't fix it. Not sure that works anymore. So how do you help keep those older systems secure as well?
Speaker 2:That's a huge problem. But unfortunately, I think we're in this, I would say, cycle right now where a lot of modernizations are happening. So a lot of companies are actually moving to the cloud, moving to newer capabilities like S/4HANA or Fusion Cloud Apps. So we're going through a bit of a modernization phase right now, which helps. But at the same time, even if you're on the latest S/4HANA solution, these systems are so mission-critical that even in many cases, like customers know they have a latent risk, a new patch they need to apply, but they don't get the downtime, because if you take the system offline, maybe you need to reboot the system to apply the patch, it may cost millions of dollars per hour to have those systems offline.
Speaker 2:So the mission-critical nature of the systems makes it really, really hard to fix some of the critical issues.
Speaker 2:So one of the ways we help really in that scenario is maybe you cannot apply the patch, but one of the capabilities with Onapsis is you deploy threat monitoring. So if we know you have the critical vulnerability in, let's say, your ERP or supply chain system and we know you cannot apply the patch because you don't get the downtime, we can monitor as a compensating control, and if we see an active exploitation against that vulnerability, we can trigger response activities like inform your security operations center, block that access. So at least you can manage the risk. If you're going to fully mitigate it, you can manage the risk and buy you some time until maybe you can apply the patch at the next downtime cycle that you have. But yeah, definitely the mission-critical nature adds a lot of complexity to fixing these issues. Even in other systems it's even worse, absolutely.
Speaker 1:I bet. And what changes are you seeing from the ERP vendors themselves right now? I mean, I imagine they're trying to up their game, but these are big companies as well. Do they see you as a partner, enabler or otherwise?
Speaker 2:Yeah, yeah, absolutely. Like, to give you an example, we work very closely both with Oracle and SAP, for example, but I'll say SAP specifically, where most of our core business is. We're today the only cybersecurity solution that is officially endorsed by SAP for applications and compliance. So we work very closely with them. So, basically, there's SAP. To give you a practical example, SAP's sales team and account executives are recommending Onapsis to their customers so that they use Onapsis as they go to the cloud, because they realize that they can go to the cloud faster and more securely by using Onapsis as part of the project versus trying to fix these things kind of later on. So that's one good example that we're kind of working.
Speaker 2:On the commercial side, we also have a very deep, I would say, research and technical partnership, where a good example is today, July 8th, SAP just released their monthly security patches. Almost, I think, over 80% of the critical patches that SAP released today were thanks to the contribution from our research labs working with SAP to find these vulnerabilities, help them develop the patch, test the patches. So we're really working really well with these vendors, and we do the same thing with Oracle and others, to make sure that our customers, of course, would always get the most advanced threat capabilities, intelligence and protection, but we also want to make sure that every customer has the ability to protect themselves from these attacks, so that's why we do this, and then the vendor can release a patch so they'd be protected. So, yeah, we have a great partnership, very strategic in nature, with many of these ERP and business application providers.
Speaker 1:Well done. And what about customers? How do you partner with, work with, internal security teams? Are you replacing tools? Are you helping them do more, obviously? But are there different, new workflows they have to learn? What does that process look like from the inside?
Speaker 2:Yeah, absolutely. I guess it really depends on the maturity of the customer. We have customers where they have mature security programs and they've been trying to tackle this themselves with either native tools or manual, trying to kind of couple together different technologies. And that's where we can provide not only really significant risk reduction but also cost reduction, because we can actually, instead of using 14 different tools and having people that have to know the domain really well, we capture all that intelligence in the platform and we automate a lot of these activities for them so we can reduce their cost and operational tasks significantly by using the platform versus manual or native tools.
Speaker 2:And then you have customers who maybe are earlier in that maturity, that may not have yet tackled ERP cybersecurity.
Speaker 2:So with them it's more about the risk reduction and acceleration of the transformation.
Speaker 2:Maybe they're going to the cloud, maybe they're infusing AI, using business AIs, for example, from SAP, or going to cloud solutions like BTP.
Speaker 2:So in that case we help them. Basically they use our platform to secure their legacy environments, but especially the new environments. So they have the peace of mind that every time they provision a new system in the cloud, they run Onapsis against that in a continuous way and they create the right alerts and scan the custom code that is going into the systems, and they can be sure that that system is secure by design and by default and then stays secure as they go to operations. So it really gives them that acceleration and peace of mind that, again, we have customers investing hundreds of millions and billions of dollars in 10-year ERP transformations. So it gives you a sense that there's a significant amount of budget and initiative and criticality at the board level. I'm talking about Fortune 10, Fortune 100 companies where the board is aware about the level of investment and the need to secure the system. So we basically make it easy for them in a comprehensive and automated way.
Speaker 1:Fantastic. So you're doing an amazing job serving those SAP and Oracle customers. But there is a sea change happening in ERP, lots of new vendors, new entrants, reinvention of the space with AI. In many ways, where do you think ERP security is headed over the next five years? What needs to happen to secure all these new, you know, business-critical applications out there?
Speaker 2:Yeah, it's a good question. It's funny because when we started the business, there were a lot of questions, especially from the venture capital community or private equity, where they felt that SAP and Oracle were legacy providers, that they were going to be replaced by a lot of the new players like the Workdays and the NetSuites of the world. If you kind of fast forward, today both SAP and Oracle are like two of the fastest growing cloud companies, right, forget about ERP specifically, they're two of the fastest growing cloud applications companies on the planet. And AI, I just saw a huge news, I think it was last week, from Oracle, they closed a $30 billion a year AI contract. SAP is also landing a huge amount of their new customers and existing customers are like accelerating investment with AI. So it's honestly been impressive to see how they transform themselves, not only executing against a cloud pivot but also an AI pivot.
Speaker 2:At the same time, both SAP and Oracle are now growing at a faster rate at scale than even many of the new entrants. But if you think about applications like Salesforce, like Workday, like ServiceNow, like others, they have the same critical data, critical processes. They are highly regulated, so there is a significant need to protect them. And at Onapsis we're actually expanding beyond SAP and Oracle to go and really protect other applications like that as well, because customers, as you said at the beginning, they don't want yet another tool, they don't want yet another dashboard, they don't want yet another product, they have 70 plus. So we are actually becoming that convergence point where you can make sure that for those applications, for example, an incident in those applications, you can respond and validate this very quickly and really do that with an integrated platform.
Speaker 1:Yeah, fantastic proposition. So exciting times, lots of interesting events coming up, including in the summer. You've got Black Hat and DEF CON, of course, and many, many more in the fall. What are you excited about? Where are you headed next? What's coming up?
Speaker 2:Yeah, definitely going to Black Hat. I was fortunate to be a speaker at Black Hat for many, many years. Back in 2007 is when I did the first presentation on SAP cyber attacks and ERP cyber attacks. And yeah, this year I was also very honored, I was invited to be a guest reviewer at the Black Hat Review Board. Congratulations. Thank you. Yeah, it's definitely something very, kind of a big honor to me, just having lived through the conference for now almost 20 years. And, yeah, I was privileged to see a lot of the submissions, and the level of talks that are going to be at Black Hat is simply outstanding, as always. So really excited to see a lot of those submissions now become talks, and I know there's going to be a lot of excitement about many of them.
Speaker 2:So, yeah, going to be at Black Hat for sure. Not sure if we're going to be able to stay for DEF CON. Like, usually a few days in Las Vegas is more than enough for me. So I'm not as young as before. I could do Black Hat and DEF CON much more than now, but, yeah, definitely looking forward to the events for sure.
Speaker 1:Well, stay cool in Vegas. I used to not have to worry about saying stay cool in Boston, but yes, it's a hotter year than in Vegas right now. Enjoy the summer. Thanks so much for joining and sharing the vision and the mission.
Speaker 2:It was my pleasure to be here. Thank you very much for the great questions. I look forward to seeing you again.
Speaker 1:Thank you, and thanks everyone for listening, watching, sharing the episode, and also check out our new TV show, TechImpact TV, now on Bloomberg and Fox Business.