The new release of the Cybersecurity Extension for SAP (CES) brings enhanced threat detection and configuration checks to SAP environments, including CVE/CVSS integration for security notes, directory traversal protection, and expanded Indicators of Compromise (IOC) patterns for Microsoft Server platforms, all designed to improve SAP security posture and compliance.
Executive Summary
The latest release of the Cybersecurity Extension for SAP (CES) introduces critical updates to help organizations secure their SAP landscapes against advanced cyber threats. Key improvements include enhanced integration with System Recommendations (SysRec) by incorporating CVE, CVSS, and vector data for security notes. The update also adds robust configuration checks for directory traversal in ABAP systems, SAP Virus Scan Interface (VSI) profiles, and Unified Connectivity (UCON) settings. Beyond configuration hardening, the release expands threat detection capabilities with new Indicators of Compromise (IOC) patterns for Microsoft Server environments and SAP system parameters. A new security framework specifically for S/4HANA enables automated compliance checking against SAP requirements. Additionally, the release enhances operational efficiency by deprecating legacy infocubes, allowing for faster data processing, and introducing improved alert mapping and filtering. This update provides a comprehensive toolkit for monitoring critical access and segregation of duties, bridging gaps in existing security frameworks as SAP GRC reaches end of maintenance.
Key Takeaways
- Enhanced System Recommendations (SysRec) now include CVE, CVSS, and vector information for security notes.
- New configuration checks protect ABAP systems against directory traversal and malware via SAP VSI.
- Expanded IOC detection patterns now cover Microsoft Server platforms and critical SAP system parameters.
- A new security framework automates compliance checking for S/4HANA systems.
- Performance improvements include the deprecation of custom infocubes for faster data set processing.
How does the update improve System Recommendations (SysRec)?
The release extends SysRec capabilities by including CVE, CVSS, and vector information for calculated security notes. This builds upon the previous capability to automatically discover and remove false positive security notes, further reducing the manual effort required by SAP administrators to analyze security patches.
What new security checks are included?
The update introduces a wide range of configuration and vulnerability checks to harden SAP environments:
| Feature Area | Description of Checks |
|---|---|
| ABAP Systems | Path validation for files and physical path definitions. |
| SAP VSI | Settings in Virus Scan Interface profiles and supported MIME types. |
| UCON | HTTP whitelists for clickjacking protection and background jobs. |
| Read Access Logging | Log domains, groups, and fields. |
| Payment Data | Masking and encryption of payment card data. |
How does CES support S/4HANA compliance?
A new security framework has been added to CES specifically for S/4HANA. This framework enables customers to automatically check the compliance of their S/4HANA systems against the requirements defined in the official SAP Security Guide for S/4HANA. Additionally, over 210 checks for critical S/4HANA transactions are included, with future releases planned to cover authorization checks for ECC, BW/4HANA, and CRM.
What new threat detection capabilities are available?
New patterns for detecting Indicators of Compromise (IOCs) have been added to help identify potential ransomware and system tampering. These include:
- Microsoft Server Platforms: Detection of program installations, uninstallations, and changes.
- Linux Platforms: Continued support for ransomware detection patterns.
- SAP System Parameters: Detection of changes to security-relevant parameters in SAP ABAP and HANA.


What performance and operational improvements were made?
The release deprecates custom infocubes and process chains used in earlier versions, which dramatically improves stability and performance. The system can now process large data sets with minimal resources. Other improvements include:
- Alert Mapping: Security alerts for multiple hosts can now be mapped to specific SAP System IDs.
- Alert Filtering: A new field supports searching alerts by time range (HH:MM:SS).
- Vulnerability Details: Reports now include tables with complete fields and values from source CCDB stores, supporting easier data filtering and export.
Frequently Asked Questions
When was this release available?
The new release of the Cybersecurity Extension for SAP was scheduled for general availability on April 24, 2023.
What is the status of SAP GRC integration?
Future releases will roll out authorization checks for solutions like S/4HANA, ECC, and BW/4HANA to enable customers to monitor critical access and segregation of duties in lieu of SAP GRC, given its scheduled end of maintenance.
What is coming in future releases?
The next release, scheduled for June 2023, is planned to include support for detecting IOCs in logs for SAP ASE databases, vulnerability and event correlation, and trend analysis for tracking changes in vulnerabilities, patches, and alerts for up to two years.