Transcript
In fact, one could say that this year may not serve as a huge wake-up call for CISOs and CIOs worldwide. We have two critical SAP zero-day scenarios that, while patched quickly, will lead to multiple waves of attacks on vulnerable SAP systems at critical infrastructure and large SAP enterprises worldwide. We saw Shiny Hunters not only breach multiple large global organizations, but also release a public SAP exploit in August. And then just one month later, Shiny Hunters used that same exploit to attack and unfortunately cripple operations at one of the world's largest manufacturers, which ended up publicly disclosing $260 million of direct one-time costs related to that cyber incident. In 2025, we're on pace for the largest number of reported SAP vulnerabilities on record. And unfortunately, many of our SAP defenders have faced challenges obtaining, disseminating, and operationalizing good SAP threat insights and exploit detection that would have helped them defend what matters most to their organizations. And that changes today.

The new integration between Microsoft's Sentinel for SAP solution and Onapsis Defend gives security teams exactly what they need to combat and ultimately keep ahead of these targeted and sophisticated attacks, by delivering focused SAP security events, threat insights, and powerful SAP exploit detection directly to the security operations center in the platform that you use every day. Together, Microsoft and Onapsis are eliminating these SAP security gaps and enabling faster, smarter incident response. This partnership unites Microsoft Sentinel's best-in-class correlation engine and powerful Security Copilot AI with Onapsis's unmatched threat coverage, which includes the world's largest dedicated knowledge base of SAP threat rules, SAP-focused insights from the world-renowned Onapsis Research Labs, and exclusive access to zero-day rules that can protect your critical systems before SAP patches are even made available.
Together, we're empowering our customers to accelerate SAP threat detection and response, vastly reduce the risk from SAP security incidents, and defend the critical systems from the threat actors and ransomware groups that are attacking enterprises worldwide. You'll see now in the demo next a sample of an adversary-in-the-middle attack, where we actually run a multi-factor authentication bypass, which then reflects on the Sentinel side. We correlate what Onapsis Defend provides them as evidence from the SAP backend, and everything that Microsoft can do through our Sentinel for SAP offering is then enriched from there. So let's roll from there so that we can see this in action.

So on the left, we have the victim screen, and on the right, the hacker in parallel. So imagine they are on different machines, and phishing email campaigns are still a thing. So you see there a weaponized email link where the user tries to log in, provides all their credentials, gets the typical MFA pop-up, fills in the numbers, and the hacker is already there sitting, waiting, because non-phishing-resistant MFA can be bypassed through this. And we see here the hacker is seeing the session cookie from the multi-factor authentication bypass attack, and is now able to use the recorded cookie that the victim provided in a different country, different place, and use it either through an already compromised network where you have access to internal resources, and you see the session cookie here giving you access to the Fiori launchpad. For the purpose of this demo, we also added here the capability to run the transaction that gives you voice access.

So now we switch over to the SOC team. Let's see this consolidated view of the attack timeline, everything that Sentinel already has, which ranges from the phishing link click in Outlook, and the user reporting that they found this a bit funky, how the screen worked, adding another signal there, and Entra ID giving us the MFA risky user state also.
And there on the right, we see Security Copilot reasoning over this. We have Onapsis Defend being mentioned as one of the signals, so that the summary already on this attack incident shows you all the steps that were taken, where the signals came from, and of course the ability to contain from here the device, the user, run SAP user blocks, password reset, et cetera. And this is then presented back, for instance, in Teams to the SAP security team or the SOC team, providing the evidence on what's happening and if you want to take action. Block the SAP user from here with the human in the middle so that you can make conscious actions on this rather than fully automatic. Then everything you put in here as a comment is then fed back into Sentinel so that you have a complete trail on reasoning why and who did execute this action.

And it's very simple to install. Just go to Sentinel Content Hub, find your Onapsis Defend entry there, go browse for it, check the installation prerequisites, and hit the deploy button, which gives you all the things needed as the receiver on the end on the Sentinel side, and the information down below to feed back to your Onapsis Defend installation to actually finalize the integration. It's a push-based mechanism, so you just bring in the information back to Defend, configure there, click submit, and it starts sending to Sentinel.