SANS Maps Oracle E-Business Suite to Top 20 CIS Critical Security Controls for Effective Cyber Defense


Step-by-step roadmap helps organizations secure EBS implementations against cyberattacks targeting ERP applications.


Our mapping to the CIS Critical Controls helps narrow down the hundreds of potential security controls and prioritize the most critical ones to protect these systems.

Onapsis, the global experts in business-critical application security and compliance, today announced a SANS white paper that, for the first time, maps Oracle E-Business Suite (EBS) to the CIS Critical Security Controls for Effective Cyber Defense. As cyberattacks targeting ERP applications continue to grow, it is highly recommended that organizations secure their EBS landscape as part of their overall security posture.

The CIS Critical Security Controls are a set of internationally recognized standards outlining the most important cyber hygiene actions that every organization should implement to protect their information technology (IT) networks. These standards are highly regarded by the global IT community as they are developed, refined, validated and updated by cyber experts who pull data from a variety of public and private threat sources. The CIS Critical Security Controls are transforming security in government agencies and other large enterprises by focusing spending on the key controls that block known attacks and find the ones that get through.

“Exploits of ERP systems are being disclosed more frequently. And the number of vulnerabilities found in Oracle EBS systems, specifically, has increased dramatically over the past year. Given the importance of an ERP to a business, attacks aimed directly at these complex, business-critical applications can result in extraordinary costs and impacts that can be devastating to that business. Assuming that these applications don’t need the protection of effective security controls is a myth. Safeguarding ERP information assets should be a top priority. The challenge organizations struggle with is, given the complexity of these systems, where to start,” said Barbara Filkins, a senior SANS analyst.

Filkins recommends, “Our mapping to the CIS Critical Controls helps narrow down the hundreds of potential security controls and prioritize the most critical ones to protect these systems. Based on this research, we recommend that organizations start by looking retroactively at current configurations to be sure they’re up to date with the latest patches and that there is a consistent and frequent method to apply security patches as quickly as possible once they are released from Oracle.”

The SANS paper mapping the CIS Controls for Effective Cyber Defense to Oracle EBS’s cybersecurity framework outlines a step-by-step roadmap for organizations to secure EBS implementations. This approach is largely application-oriented, but it also applies network restrictions to the underlying network devices and firewalls, and closes loopholes through operational procedures and training. The four-step approach to applying the CIS Critical Security Controls is:

● Step 1: Tailor Enterprise Processes (CIS Controls 1, 2, 3, 4, 5, 6, 10, 13, 14, 16)
● Step 2: Secure the Landscape (CIS Controls 3, 7, 9, 10, 11, 12, 18)
● Step 3: Configure the Technical Controls (CIS Controls 2, 3, 4, 5, 6, 8, 13, 14, 16)
● Step 4: Create the Human Action Framework (CIS Controls 17, 19, 20)

“Having Oracle cybersecurity formally recognized as a standard control for organizations is a major achievement in building awareness for the Business-Critical Application Security market. Oracle EBS applications are still a blind spot for many organizations, as they often assume that their ERP data, or ‘crown jewels’, are covered by traditional security methods or by the Oracle administration team. We worked with SANS to understand the framework for securing Oracle EBS so that they could produce this mapping, helping organizations better understand why Oracle needs to be included in the overall security posture and providing steps for how best to do so,” said Juan Pablo Perez-Etchegoyen, CTO, Onapsis.

Download “Blueprint for CIS Control Application: Securing the EBS Landscape.”

About SANS
The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators, to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.

SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center.

About Onapsis
Onapsis cybersecurity solutions automate the monitoring and protection of your SAP and Oracle applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers, including many of the Global 2000. Onapsis’s solutions are also the de facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform™, which is the most widely-used SAP-certified cybersecurity solution on the market. Unlike generic security products, Onapsis's context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts at the Onapsis Research Labs were the first to lecture on SAP cyberattacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms. Onapsis has been issued U.S. Patent No. 9,009,837, entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™. This patented technology is well known industry-wide and has gained Onapsis recognition on the Deloitte Technology Top 500, as a Red Herring North America Top 100 company and as a SINET 16 Innovator.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.


Media Contact

Leslie Kesselring
Kesselring Communications
+1 5033581012