July 11, 2025 19 mins

Interested in being a guest? Email us at admin@evankirstel.com

Cybersecurity for business-critical applications represents one of the most significant blind spots in enterprise security today. As Mariano Nunez, CEO and co-founder of Onapsis, reveals, sophisticated attackers are now targeting the crown jewels of organizations – their SAP, Oracle, and other mission-critical systems – with unprecedented success.

What makes these attacks particularly alarming is how they bypass traditional security controls. While most organizations focus on user access controls and segregation of duties, today's threat actors exploit vulnerabilities at the application layer without requiring any user credentials. As Mariano explains, "Attackers are exploiting and attacking the systems even without a user to begin with. It's a different paradigm." This fundamental shift coincides with the migration of formerly protected internal systems to cloud environments where they're increasingly exposed to external interfaces, AI integrations, and new business models.

The most sobering revelation comes from Mariano's disclosure of an unprecedented cyber campaign that began in January 2023. Chinese threat actors developed zero-day exploits for SAP systems, silently compromising hundreds of organizations worldwide, including critical infrastructure and government entities. Even after patches were released, many organizations found themselves in a troubling position: "It's almost as if you would unlock your front door and change the front door lock, but the thief is already in the basement." This represents the worst attack campaign against business applications in 15 years, highlighting the urgent need for specialized security approaches.

Onapsis differentiates itself by providing purpose-built protection for these critical systems, working in close partnership with vendors like SAP and Oracle while helping security teams manage risk even when immediate patching isn't possible due to downtime constraints. For organizations navigating digital transformation, the message is clear: generic security tools provide a dangerous false sense of security when it comes to your most valuable business applications.

Want to learn how your organization can protect its business-critical applications from sophisticated attacks? Listen to the full conversation and discover why traditional security approaches are failing to address these emerging threats.

More at https://linktr.ee/EvanKirstel


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
Hey everybody, fascinating chat today, important topic as we talk about securing business-critical applications in the enterprise, with Onapsis. Mariano, how are you?

Speaker 2 (00:13):
Very good, Evan. Good to be here. Thanks for having me.

Speaker 1 (00:16):
Well, thanks for being here. Really timely chat. Cybersecurity is top of everyone's mind, but before that, maybe introduce yourself and your journey and mission at Onapsis. Yeah, yeah, happy to. So.

Speaker 2 (00:29):
Mariano Nunez, CEO and co-founder here at Onapsis. My background is in cybersecurity. I've been in cyber since I was 18. I started working at a consulting firm out of Argentina, Buenos Aires, that's where I'm originally from. So I was doing ethical hacking, penetration testing, vulnerability assessments for our customers and as part of

(00:57):
that, basically I ran into an ERP application back then and I really realized that there was this major gap in the industry where, at that point in time, everyone was protecting the endpoints, the networks, the infrastructure, but for a strange reason, no one was really protecting the business critical applications that they were running to support the most sensitive data and processes. So that really led to us founding Onapsis in 2009.

(01:21):
And it's been really quite a journey, I would say, since then to really scale the business, now living in Boston, Massachusetts in the US, and continue really to execute against this mission, which is protecting the business-critical applications that power the global economy. So very excited about the mission we're still executing against after so many years, because a lot has changed in the

(01:43):
world during that time. So happy to be here to chat more about this or any other topics.

Speaker 1 (01:49):
Yeah, well, let's talk about that. What are the kinds of cyber threats that are most common for those business critical applications? Do you think ERP, for example, companies like SAP, Oracle, where I used to work, other places? What do they have in common? Yeah, look.

Speaker 2 (02:04):
I think the first thing they have in common is this misconception that when you think about ERP security, whether it's SAP, Oracle, as you named, or any others, traditionally what that security meant was really segregation of duties and access controls, meaning if Evan has access to create an invoice, he shouldn't be able to create

(02:25):
an event or a purchase order and really make sure that those segregation of duties controls are in place. Unfortunately, those controls are very important, but where we're coming from really, what we see is attackers exploiting and attacking the systems even without a user to begin with. It's a different paradigm when you're protecting against, and that, I say, is common across all these applications. I would

(02:49):
say probably the second thing that is very common is how these applications used to be behind the firewalls, in the internal networks, behind the walled gardens, and now they're all pushed to the cloud. They're pushed to the edge, like being accessible for B2B purposes, for providers, customers and other interfaces, exposed to AI, exposed to RPA, exposed to new, basically,

(03:14):
business models. That is significantly increasing the attack surface and the risk of these business critical applications.

Speaker 1 (03:20):
Now, with the new cloud transformations and AI initiatives, they're under yes, gary Times times for sure, and you know I talked to CIOs at banks. They might have 60, 70 different cybersecurity tools under their roof. What makes you guys different from those other security

(03:41):
solutions or tools that are out there already?

Speaker 2 (03:44):
Yeah, absolutely. It's a lot that CISOs have to deal with and, of course, we're shrinking budgets and more pressure on resources given the macro. But I think what sets us apart is all our customers. If you think about what we do, all our customers have generic security capabilities, whether it's cloud security, vulnerability management, threat detection, and the reason they

(04:07):
still really partner with us and Onapsis and the use of the Onapsis platform is because, again, those solutions are very important and they're having really important controls against different parts of their stack. Right, it could be at the operating system layer, the infrastructure, the cloud, the hyperscaler layer, the custom code layer, but they don't have the intelligence and the

(04:28):
capabilities to really look at ERP and business-critical applications at the application layer, right? So if you use any of those generic tools today to protect your ERP systems, you're going to be able to stop some basic attacks and common attacks, but you would be getting a false sense of security because you scan your ERP applications that. Take SAP with one of those solutions and it may tell you

(04:50):
hey, there are some issues in the operating system and the network and the firewall in front of it, but everything else is fine. When you go and run a scan with Onapsis, it will tell you that you may be missing hundreds of SAP security patches or you may have misconfigurations that are actively being exploited by attackers. Right, so we're not talking about a theoretical kind of risk

(05:11):
here. We're talking about active cyber attackers that are compromising applications or business applications at this layer, and that's why what you really need for this type of asset, you need purpose-built capabilities like the ones that we pioneered at Onapsis.

Speaker 1 (05:28):
Interesting. Do you have any stories or anecdotes where your team had to step in and help what happened and obviously anonymized customers? Don't really tell about those stories by name.

Speaker 2 (05:39):
Of course. Confidentiality is, of course, paramount, as you know, in cybersecurity, especially for us, given the profile of the customers we work with. We work with very, very large organizations across the US and Europe, all the way from public Fortune 10, Fortune 100, to government organizations, military government agencies, because, if you think about it, everyone runs solutions like SAP

(06:02):
and Oracle for the most critical data and processes, right. So we have to be very careful about how we design our products to make sure they're not introducing any operational risk to those environments ourselves, so we have a lot of high-quality kind of design and capabilities there, but also make sure that when there is something bad that could happen in the systems, we're alerting our customers as soon as

(06:24):
possible and providing them the capabilities they need to protect themselves. So I'll tell you a very recent example. Actually over the last, I'll say, three months, really, it's really recent. I would say it's the first time we see what I would describe as an unprecedented cybersecurity threat campaign against SAP applications.

(06:45):
Again, we've been doing this for 15 years, so we've seen many attacks and incidents in the past. Many of those never got to the public domain and you will not see that in the headlines, but over the last few months, literally started between January to some extent, but especially during March and

(07:05):
April and May of this year, we've seen for the first time a group of cyber threat actors that are connecting now to Chinese kind of nexus groups that basically developed what's called zero days for SAP, meaning vulnerabilities that did not have a patch, so there was basically no way for you as an SAP customer to be protected against this, and they actually

(07:25):
use these capabilities, these exploits, to break into hundreds of SAP customers worldwide. So that really was discovered around mid-April based on some symptoms. A security firm was looking at their customers and then, when we started analyzing this, we realized that they actually started this exploitation all the way back in January and

(07:47):
they've been silently compromising. Again, if you look at the victim list, it's a lot of the largest and most well-known organizations in the planet, a lot of critical infrastructure organizations, government organizations that have these Chinese threat actors, actors and then other actors fully compromising the systems silently.

(08:08):
Fortunately, SAP responded very quickly after this news. They released a patch and a lot of customers started to apply the patch. The problem was many of them already had the systems compromised when they applied the patch. So it's almost as if you would go in and unlock your front door and change the kind of front door lock, but the thief is already in the basement, right. So, unfortunately, there was a lot of misconceptions and

(08:31):
misunderstandings and there's still, as of today, many exposed SAP systems online and compromised systems. So we're doing our best to really notify and raise awareness about this topic, together with the US and international government agencies, with SAP, with other cybersecurity firms. But, yeah, this is a very, very recent example that I would say in the last 15 years is the worst we've seen, and it's a

(08:55):
clear indication that this is again what we were talking about before. People move SAP and these applications to the cloud. Attackers know this, so they're going after them more aggressively, investing more capabilities, and we see a pretty significant uptick in terms of threats against these systems.

Speaker 1 (09:12):
Wow, that's unbelievable. A lot of companies are also running very old ERP versions and systems, a lot of technical debt, and I guess the philosophy used to be, well, if it's not broke, don't fix it. Not sure that works anymore. So how do you help keep those older systems secure as well?

Speaker 2 (09:31):
That's a huge problem. But unfortunately, I think we're in this, I would say, cycle right now where a lot of modernizations are happening. So a lot of companies are actually moving to the cloud, moving to newer capabilities like S/4HANA or Fusion Cloud Apps. So we're going through a bit of a modernization phase right now, which helps. But at the same time, even if you're in the latest S/4HANA

(09:52):
solution, these systems are so mission critical that even in many cases, like customers know they have a latent risk, a new patch they need to apply, but they don't get the downtime. Because if you take the system offline, maybe you need to reboot the system to apply the patch. It may cost millions of dollars per hour to have those systems

(10:14):
offline. So the mission critical nature of the systems make it really really hard to fix some of the critical issues. So one of the ways we help really in that scenario is maybe you cannot apply the patch, but one of the capabilities with Onapsis is you deploy threat monitoring. So if we know you have the critical vulnerability in, let's say, your ERP or supply chain system and we know you cannot

(10:35):
apply the patch because you don't get the downtime, we can monitor as a compensated control and if we see an active exploitation against that vulnerability, we can trigger response activities like inform your security operations center, block that access. So at least you can manage the risk. If you're going to fully mitigate it, you can manage the risk and buy you some time until maybe you can apply the patch

(10:58):
at the next downtime cycle that you have. But yeah, definitely the mission-critical nature adds a lot of complexity to fixing these issues. Even in other systems it's even worse, absolutely.

Speaker 1 (11:11):
I bet. And what changes are you seeing from the ERP vendors themselves right now? I mean, I imagine they're trying to up their game, but these are big companies as well. They see you as a partner, enabler or otherwise.

Speaker 2 (11:27):
Yeah, yeah, absolutely. Like to give you an example. But we work very closely both with Oracle and SAP, for example, but I'll say SAP specifically. We're most of our core businesses. We're today the only cybersecurity solution that were officially endorsed by SAP for applications and compliance. So we work very closely with them.

(11:48):
So, basically, they're SAP. To give you a practical example, SAP's sales team and account executives are recommending Onapsis to their customers so that they use Onapsis as they go to the cloud, because they realize that they can go to the cloud faster and more securely by using Onapsis as part of the project versus trying to fix of
(12:09):
fix these things kind of lateron.
So that's one good example thatwe're kind of working.
On the commercial side, we alsohave a very deep, I would say,
research and technicalpartnership, where a good
example is today, july 8th, sapjust released their monthly
security patches.
Sap just released their monthlysecurity patches.

(12:30):
Almost I think over 80% of thecritical patches that SAP
released today were thanks tothe contribution from our
research labs working with SAPto find these vulnerabilities,
help them develop the patch,test the patches.
So we're really working reallywell with these vendors and we
do the same thing with Oracleand others, to make sure that
our customers, of course, wouldalways get the most advanced

(12:52):
threat capabilities,intelligence and protection, but
we also want to make sure thatevery customer has the ability
to protect themselves from theseattacks, so that's why we do
this, and then the vendor canrelease a patch so they'd be
protected.
So, yeah, we have a greatpartnership, very strategic in
nature, with many of these ERPand business application
providers.

Speaker 1 (13:11):
Well done.
And what about customers?
How do you partner with workwith internal security teams?
Are you replacing tools?
Are you helping them do moreobviously?
But are there different, newworkflows?
They have to learn what's thatprocess look like from the
inside?

Speaker 2 (13:28):
Yeah, absolutely.
I guess it really depends onthe maturity of the customer.
We have customers where theyhave mature security programs
and they've been trying totackle this themselves with
either native tools or manual,trying to kind of couple
together different technologies.
And that's where we can providenot only really significant

(13:48):
risk reduction but also cost reduction, because we can actually, instead of using 14 different tools and having people that have to know the domain really well, we capture all that intelligence in the platform and we automate a lot of these activities for them so we can reduce their cost and operational tasks significantly by using the platform versus
(14:08):
manual or native tools.
And then you have customers whomaybe are earlier in that
maturity, that may not have yettackled ERP cybersecurity.
So with them it's more about therisk reduction and acceleration
of the transformation.
Maybe they're going to the cloud, maybe they're infusing AI,
using business AIs, for example,from SAP, or going to cloud

(14:30):
solutions like BTP.
So in that case we help them.
Basically they use our platformto secure their legacy
environments, but especially thenew environments.
So they have the peace of mindthat every time they provision a
new system in the cloud, theyrun on apps against that in a
continuous way and they createthe right alerts and scan the

(14:50):
custom code that is going intothe systems and they can be sure
that that system is secure bydesign and by default and then
stay secure as they go tooperations.
So it really gives them thatacceleration and peace of mind
that again we have customersinvesting hundreds of millions
and billions of dollars in10-year ERP transformations.

(15:12):
So it gives you a sense thatthere's a significant amount of
budget and initiative andcriticality at the board level.
I'm talking about Fortune 10,fortune 100 companies where the
board is aware about the levelof investment and the need to
secure the system.
So we basically make it easyfor them in a comprehensive and
automated way.

Speaker 1 (15:34):
Fantastic.
So you're doing an amazing jobserving those SAP and Oracle
customers.
But there is a sea changehappening in ERP lots of new
vendors, new entrants,reinvention of the space with AI
.
In many ways, where do youthink ERP security is headed
over the next five years?
What needs to happen to secureall these new you know

(15:58):
business-critical applicationsout there?

Speaker 2 (16:01):
Yeah, it's a good question.
It's funny because when westarted the business, there was
a lot of questions, especiallyfrom the venture capital
community or private equity,where they felt that SAP and
Oracle were legacy providers,that they were going to be
replaced by a lot of the newplayers like the Workdays and
the NetSuite of the world.
If you look at kind of fastforward, that today both SAP and

(16:25):
Oracle are like two of thefastest growing cloud companies
right, forget about ERPspecifically, they're two of the
fastest cloud applicationscompanies in the planet.
And AI I just saw a huge news Ithink it was last week from
Oracle they closed a $30 billiona year AI contract.
Sap is also lending a hugeamount of their new customers

(16:49):
and existing customers are likeaccelerating investment with AI.
So it's honestly beenimpressive to see how they
transform themselves, not onlyexecuting against a cloud pivot
but also an AI pivot.
At the same time, both SAP andOracle are now growing at a
faster rate at scale than evenmany of the new entrants.

(17:11):
But if you think aboutapplications like Salesforce,
like Workday, like ServiceNow,like others, they have the same
critical data, criticalprocesses.
They are highly regulated, sothere is a significant need to
protect them.
And at Anapsis we're actuallyexpanding beyond SAP and Oracle

(17:32):
to go and really protect otherapplications like that as well,
because customers, as you saidat the beginning, they don't
want yet another tool, theydon't want yet another dashboard
, they don't want yet anotherproduct, they have 70 plus.
So we are actually becomingthat convergence point where you
can make sure that thoseapplications for example, an
incident in those applicationsyou can respond and validate

(17:54):
this very quickly and really dothat with an integrated platform
.

Speaker 1 (17:59):
Yeah, fantastic proposition.
So exciting times, lots ofinteresting events coming up,
including in the summer.
You got Black Hat and DEF CON.
Of course, many, many more inthe fall.
What are you excited about?
Where are you headed next?
What's coming up?

Speaker 2 (18:13):
Yeah, definitely going to Black Hat.
I was fortunate to be a speakerat Black Hat for many, many
years.
Back in 2007 is when I did thefirst presentation on SAP cyber
attacks and ERP cyber attacks.
And yeah, this year I was alsovery honored I was invited to be
a guest reviewer at the BlackHat Review Board.
Congratulations, thank you.

(18:34):
Yeah, it's definitely somethingvery kind of a big honor to me,
just having lived through theconference for now almost 20
years.
And, yeah, I was privileged tosee a lot of the submissions,
and the level of talks that aregoing to be at Black Hat is
simply outstanding, as always.
So really excited to see a lotof those submissions now become

(18:57):
talks and I know there's goingto be a lot of excitement about
many of them.
So, yeah, going to be at BlackHat for sure.
Not sure if we're going to beable to stay for DEF CON.
Like, usually a few days in LasVegas is more than enough for
me.
I'm going to be at Black Hat,for sure.
I'm not sure if I'm going to beable to stay for DEF CON.
Usually a few days in Las Vegasis more than enough for me.
So I'm not as young as before.

Speaker 1 (19:18):
I could do Black Hat and DEF CON much more than now, but, yeah, definitely looking forward to the events for sure. Well, stay cool in Vegas. I used to not have to worry about saying stay cool in Boston, but yes, it's a hotter year than in Vegas right now. Enjoy the summer. Thanks so much for joining and sharing the vision and the mission.
Speaker 2 (19:34):
It was my pleasure to be here. Thank you very much for the great questions. I look forward to seeing you again.

Speaker 1 (19:39):
Thank you and thanks everyone for listening, watching, sharing the episode and also check out our new TV show, techimpact TV, now on Bloomberg and Fox Business.