The boilerplate has it that German software powerhouse SAP supports mission-critical workloads for thousands of customers all over the world, and as one of the biggest customers of the big three hyperscalers – Amazon Web Services (AWS), Google Cloud and Microsoft Azure – probably runs the largest private cloud in the world.
Whatever the scale of its business, the complexity SAP faces beneath the surface in securing the confidential enterprise data of thousands of clients, against an ever more dangerous threat landscape and constantly shifting data security, compliance and sovereignty requirements, is undeniable.
This surely makes former chess champion and candidate master Roland Costea, now SAP chief information security officer (CISO) for enterprise cloud services, one of the world’s busiest cyber professionals.
“The main challenge for us when it comes to security is we need to have the right visibility end-to-end [and] we need to act with speed into all the layers of identity, detect, protect, respond and recovery,” Costea tells Computer Weekly.
If it sounds like a tall order, it is. The price of analysing such vast datasets, which regularly exceed 150TB per month, via Splunk was becoming too much to bear, says Costea, not just in terms of time, but in terms of network capacity and financial cost as well. To make matters worse, less than half of SAP's security data was being analysed at all.
The problem this created for SAP and its customers is obvious: it simply wasn’t possible to find all the relevant security signals. Important things were probably being missed, and that’s far from ideal. Take vulnerability management, which Costea says has been a problem “since forever”. Traditionally, he would scan the environment for a new vulnerability, research whether an exploit was available, and patch it if possible.
“But every exploit has preconditions,” he says, “and SAP is so complex that the preconditions for an exploit may be a list of 10 or 12 things that I want to know in real time. I want to know … am I vulnerable to this, and why, and to be able to inject and search for what kind of preconditions I have there and how they are configured, and to know, based on the state the application has today, that I am or am not vulnerable.
“I can’t do that with the vulnerability management tool, I can’t do that with an XDR [extended detection and response], I can’t do that with any tool on the market,” adds Costea.
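The precondition-based reasoning Costea describes can be made concrete as an evaluator that asks not "is the build in the affected range?" but "do all the conditions the exploit needs hold on this asset right now?". The following is an added example and not SAP's or Uptycs' code: the rule, its five preconditions, the placeholder hotfix name and both asset records are constructed for illustration (there is no real product, CVE or parameter behind them, and the field names are assumptions). It also reports what a version-only scanner would have said, to show where the two verdicts diverge.

```python
"""Decide exploitability from exploit preconditions, not from a version match alone.

Added example, not SAP's or Uptycs' code. The rule, preconditions and assets
below are constructed placeholders: no real product, CVE or parameter.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Asset = Dict[str, object]


@dataclass(frozen=True)
class Precondition:
    name: str
    holds: Callable[[Asset], bool]  # true when the asset satisfies this condition
    why: str                        # shown in the verdict so a human can verify it


def _v(s: str):
    """Turn a dotted version string into a comparable tuple, e.g. "7.42" -> (7, 42)."""
    return tuple(int(p) for p in s.split("."))


# Constructed rule for a hypothetical flaw: every precondition must hold for the
# exploit to work. The first one is all a version-only scanner would check.
RULE: List[Precondition] = [
    Precondition("affected_version", lambda a: _v("7.40") <= _v(a["version"]) < _v("7.54"),
                 "only builds 7.40 <= version < 7.54 contain the flaw"),
    Precondition("hotfix_missing", lambda a: "HOTFIX-PLACEHOLDER" not in a["applied_fixes"],
                 "the vendor fix removes the flaw even on an affected build"),
    Precondition("service_running", lambda a: a["services"].get("admin_http") == "running",
                 "the flaw lives in the admin HTTP service"),
    Precondition("reachable", lambda a: a["exposure"] in {"internet", "partner"},
                 "the attacker needs a network path to the service"),
    Precondition("anonymous_access", lambda a: a["config"].get("admin_http.require_auth") is False,
                 "the exploit path is pre-authentication only when auth is disabled"),
]


def evaluate(asset: Asset, rule: List[Precondition] = RULE) -> Dict[str, object]:
    """Return the verdict plus the reason for every unmet precondition."""
    met = [p for p in rule if p.holds(asset)]
    unmet = [p for p in rule if not p.holds(asset)]
    return {
        "asset": asset["id"],
        "vulnerable": not unmet,                  # exploitable only if nothing is unmet
        "scanner_verdict": rule[0].holds(asset),  # what a version-only check would say
        "met": [p.name for p in met],
        "unmet": {p.name: p.why for p in unmet},
    }


# Constructed assets: the same affected build, but different live state.
ASSETS: List[Asset] = [
    {"id": "app-prod-01", "version": "7.42", "applied_fixes": [], "exposure": "internet",
     "services": {"admin_http": "running"}, "config": {"admin_http.require_auth": False}},
    {"id": "app-prod-02", "version": "7.42", "applied_fixes": ["HOTFIX-PLACEHOLDER"],
     "exposure": "internal", "services": {"admin_http": "stopped"},
     "config": {"admin_http.require_auth": True}},
]

if __name__ == "__main__":
    for a in ASSETS:
        print(evaluate(a))
```

Run as-is, the version-only verdict flags both assets, while the precondition evaluator flags only app-prod-01 and lists, for app-prod-02, exactly which conditions fail and why. In practice the `holds` predicates would read from the live configuration and inventory data rather than from inline dictionaries.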
New, advanced approaches to security data analytics were clearly needed. In a bid to ease some of its burdens, SAP has now teamed up with Uptycs, a Boston-based innovator in AI-powered hybrid cloud security, to implement its Juno AI analyst platform.
“Uptycs is in the business of cloud infrastructure security,” says company founder and CEO Ganesh Pai. “What that means is, when large enterprises and operators such as SAP deploy massive infrastructure in one of the large hyperscalers, we provide the technology which gets integrated with their hyperscale providers and the workloads they run.
“We provide security observability, which manifests as a series of security controls or a cloud-native application protection platform [CNAPP], a suite of tooling which empowers organisations to do both proactive and reactive security controls, most of which fall in the bucket of governance, regulation and compliance, or that of threat operations, detection and response, incident response, and the like.”
D’you know Juno?
Juno itself joins AI agents and human cyber analysts together in a team where the humans are left free to concentrate on advanced threat hunting and deeper attack path analysis while the AI handles the grunt work.
According to Pai, Juno was originally built as a threat-hunting tool for both cloud-native and on-premise environments, but, working alongside the likes of SAP, it is now delivering more value as a strategic agentic consultant that goes beyond standard threat detection.
“Why this is important is that, as you can imagine, there is a lot of AI which is available out there today, but we harness telemetry and we make it available in a way such that in addition to what we collect, we’re able to integrate with the [customer] data lake to provide an interface which inspires user confidence,” he says.
“This is key because when they start asking ad hoc questions across the spectrum of security controls that are needed, the answers which come back inspire confidence by showing the elements of trust but verify.”
In essence, while many threat-hunting agents will happily yell “fire”, they won’t say why (and like a too-sensitive fire alarm, they will often be responding to burnt toast). Juno differs, says Pai, because its outputs are verifiable – a human can check its output against the same signals, and it cites its sources and produces its receipts.
“That’s where the value proposition of what we built comes into play,” he tells Computer Weekly. “We built an agent tech framework which marries the rest of the components to create workflows. And hence it’s not a typical agent; it has got autonomous abilities to go and do a series of steps which would otherwise have taken a human hours, or, in some cases, weeks, and it’s able to collapse that into order.”
Pai, who coined the term “the Wikipedia of cyber” with help from his public relations team, claims Juno is already capable of producing “McKinsey-level” strategic risk reports in minutes.
“The industry is tired of security slop and AI that guesses,” he says. “This partnership demonstrates how we can safely combine human and AI capabilities, moving from reactive security to strategic transformation.”
Juno in practice
So, how is SAP using Juno? Costea explains: “We have smaller lakes in every subscription based on hyperscalers, but we also have what we call a big data lake based in Databricks today that represents the core for us.
“What we are building with Uptycs is, practically, more like an in-house in private cloud mechanism to have real-time activity and real-time searches and real-time insights based on all the possible data sets and telemetry we have stored in Databricks, because it’s much cheaper than sending it to Splunk, and we can get to a level of granularity that we could never go to with Splunk,” he says.
“What we are looking for all the time is what I like to call the low and slow operational activities that could become a suspicious attempt.”
For example, a user with a valid cloud identity session has accessed an AWS instance and assumed what appears to be a normal deployment role in a standard continuous integration and continuous delivery (CI/CD) pipeline, but is then using AWS Systems Manager to reach a small set of other instances and take further actions, say in a storage bucket: perhaps enhancing their permissions in some way, or exfiltrating a small snapshot to another account. It could be nothing.
“It’s literally normal – nothing fancy or extensive,” says Costea. “What you will see with normal toolsets, say you have an XDR on the endpoint, you will maybe see a shell, but for an admin, if it’s nothing malicious, it’s normal.
“If you are not granularly looking and correlating the right context, the right action, the right timing, and all that, it’s hard to get to the point where you can say it’s actually suspicious.
“What you can do with Uptycs and Juno by searching in the big pool of data is you can say, show me some evidence of, let’s say, an identity session provenance, or a role assumption, or a permission change, and then show me some specific commands that were made,” he says. “Then you can search all the datasets and find the trails and everything that happened that, in the end, could say that from an operational perspective, that’s not normal activity for us – there’s something weird happening.”
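The search Costea describes, from identity session provenance through role assumption, Systems Manager access and permission change to a snapshot leaving the account, is essentially a correlation over a single assumed-role session. The following is an added example and not SAP's or Uptycs' code: it groups CloudTrail-style events by assumed-role session, keeps the originating principal as provenance, and flags a session only when several distinct stages occur within a time window, returning the first event per stage as evidence a human can check. The events are constructed; the field layout (`userIdentity.arn`, `eventSource`, `eventName`, `requestParameters`, `responseElements`, `recipientAccountId`) follows CloudTrail's general shape but is an assumption trimmed to what the logic needs, and the account and instance identifiers are placeholders.

```python
"""Correlate low-and-slow AWS activity into per-session chains with evidence.

Added example, not SAP's or Uptycs' code. Events are constructed CloudTrail-
style records; the field layout is an assumption, trimmed to what is needed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

OWN_ACCOUNT = "111111111111"  # constructed account id
CI_USER = "arn:aws:iam::111111111111:user/ci-runner"
DEPLOY_A = "arn:aws:sts::111111111111:assumed-role/DeployRole/ci-build-4471"
DEPLOY_B = "arn:aws:sts::111111111111:assumed-role/DeployRole/ci-build-4472"


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ev(time, source, name, actor, **extra):
    """Build one constructed CloudTrail-style event."""
    e = {"eventTime": time, "eventSource": source, "eventName": name,
         "userIdentity": {"arn": actor}, "recipientAccountId": OWN_ACCOUNT}
    e.update(extra)
    return e


# Constructed sample: ci-build-4471 looks like a normal deploy, then touches
# several instances via SSM, attaches a policy and shares a snapshot with a
# foreign account. ci-build-4472 is a benign deploy (snapshot shared in-account).
SAMPLE_EVENTS = [
    ev("2024-05-02T09:02:11Z", "sts.amazonaws.com", "AssumeRole", CI_USER,
       responseElements={"assumedRoleUser": {"arn": DEPLOY_A}}),
    ev("2024-05-02T09:40:02Z", "ssm.amazonaws.com", "SendCommand", DEPLOY_A,
       requestParameters={"instanceIds": ["i-0a1b2c3d4e5f60001"]}),
    ev("2024-05-02T10:15:49Z", "ssm.amazonaws.com", "SendCommand", DEPLOY_A,
       requestParameters={"instanceIds": ["i-0a1b2c3d4e5f60002", "i-0a1b2c3d4e5f60003"]}),
    ev("2024-05-02T11:03:30Z", "iam.amazonaws.com", "AttachRolePolicy", DEPLOY_A,
       requestParameters={"roleName": "DeployRole",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    ev("2024-05-02T11:20:07Z", "ec2.amazonaws.com", "ModifySnapshotAttribute", DEPLOY_A,
       requestParameters={"snapshotId": "snap-0f1e2d3c4b5a69876",
                          "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}),
    ev("2024-05-02T12:00:00Z", "sts.amazonaws.com", "AssumeRole", CI_USER,
       responseElements={"assumedRoleUser": {"arn": DEPLOY_B}}),
    ev("2024-05-02T12:05:00Z", "ssm.amazonaws.com", "SendCommand", DEPLOY_B,
       requestParameters={"instanceIds": ["i-0a1b2c3d4e5f60001"]}),
    ev("2024-05-02T12:09:00Z", "ec2.amazonaws.com", "ModifySnapshotAttribute", DEPLOY_B,
       requestParameters={"snapshotId": "snap-0f1e2d3c4b5a69877",
                          "createVolumePermission": {"add": {"items": [{"userId": OWN_ACCOUNT}]}}}),
]


def is_role_assumption(e):
    return e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "AssumeRole"


def is_ssm_access(e):
    return e["eventSource"] == "ssm.amazonaws.com" and e["eventName"] in {"SendCommand", "StartSession"}


def is_permission_change(e):
    return e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in {
        "AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"}


def is_external_snapshot_share(e):
    """True only when a snapshot is shared outside the logging account (or made public)."""
    if e["eventSource"] != "ec2.amazonaws.com" or e["eventName"] != "ModifySnapshotAttribute":
        return False
    items = e.get("requestParameters", {}).get("createVolumePermission", {}).get("add", {}).get("items", [])
    return any(i.get("group") == "all" or i.get("userId") not in (None, e["recipientAccountId"]) for i in items)


STAGES = [("role_assumption", is_role_assumption), ("ssm_access", is_ssm_access),
          ("permission_change", is_permission_change), ("snapshot_exfil", is_external_snapshot_share)]


def session_key(e):
    """Key everything by the assumed-role session; the AssumeRole call itself names it in the response."""
    return e["responseElements"]["assumedRoleUser"]["arn"] if is_role_assumption(e) else e["userIdentity"]["arn"]


def correlate(events, window=timedelta(hours=6), min_stages=3):
    """Flag sessions whose distinct stages within `window` reach min_stages, with evidence per stage."""
    by_session = defaultdict(list)
    for e in events:
        for stage, pred in STAGES:
            if pred(e):
                by_session[session_key(e)].append((_t(e["eventTime"]), stage, e))
                break
    findings = []
    for session, hits in by_session.items():
        hits.sort(key=lambda h: h[0])
        evidence = {}
        for _, stage, e in hits:
            evidence.setdefault(stage, e)  # first event per stage is the receipt
        if len(evidence) < min_stages or hits[-1][0] - hits[0][0] > window:
            continue
        origin = evidence.get("role_assumption", {}).get("userIdentity", {}).get("arn")
        touched = sorted({i for _, s, e in hits if s == "ssm_access"
                          for i in e["requestParameters"].get("instanceIds", [])})
        findings.append({"session": session, "provenance": origin,
                         "stages": [s for s, _ in STAGES if s in evidence], "instances": touched,
                         "evidence": {s: (e["eventTime"], e["eventName"]) for s, e in evidence.items()}})
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
```

Only ci-build-4471 is flagged: four stages inside the window, traced back to `ci-runner`, with three instances touched and the exact events as evidence. The benign session assumes the same role and uses SSM in the same way, but its snapshot share stays inside the account, so it never reaches the threshold. Against a real data lake the `SAMPLE_EVENTS` list would be replaced by a query over the stored CloudTrail records, and the thresholds tuned to what is normal for the pipeline in question.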
It’s these details, says Costea, that matter the most for SAP, because ultimately they enable his defenders to spot discrepancies and oddities before they blow up into something much noisier – in the worst-case scenario, ransomware.
New toys
For Costea, the value SAP is realising from Juno is apparent when he thinks about how his team is responding to it. He compares them – not unkindly – to kids showing off a new toy to their parent.
“It’s that kind of feeling like they got a new toy, and they are so excited about it, and they are trying to exploit it to the level that they can do more things,” he says.
“They’re discovering things that they were not able to see before or they thought did not exist.”
Again, much of what Juno is surfacing is not, in the moment, malicious or necessarily even suspicious, says Costea, but rather an indication that people are doing things that they shouldn’t be doing or shouldn’t be able to.
This kind of data, previously inaccessible, is incredibly valuable to the security team, because if a random administrator at SAP was able to perform a dangerous action, an attacker already inside the organisation’s network certainly could. This knowledge enables them to work through potential attack scenarios that may not have been obvious before.
“Security in today’s cloud-centric world demands tools that not only detect threats, but elevate strategic decision-making,” he says.
“Our partnership with Uptycs reflects a shared commitment to verifiable, intelligent cyber security solutions that empower teams to stay ahead of risk while transforming how enterprise security operates.”
