SAP Security Monitoring with agilesi. agilesi tm Solution Brief Product Specification July 2012 Version 1.1

Transcription

1 SAP Security Monitoring with agilesi Solution Brief agilesi Rel. 1.1

2 Product Overview agilesi turns SAP Security Data into Insight, Action and Competitive Advantage. The new agilesi solution is a game-changer in the space of monitoring SAP systems for critical security events, through its combination of unprecedented depth of visibility and the deep, built-in knowledge of how to best utilize that visibility. agilesi goes far beyond regular SoD checks performed on a few selected systems. With its ABAP-based extractor framework it integrates seamlessly with SAP landscapes. Centrally managed and precisely configured extractors offer unlimited access to the various sources within an SAP R/3 system and all its modules. All relevant event and configuration information is pulled in customizable intervals from all systems of interest. Of course it s officially certified by SAP to integrate with SAP applications. Leveraging on its extensive built-in content base a vast array of suspicious events, fraudulent activities and weak settings will become visible, and thus identifying vulnerabilities, threats and other important issues at the earliest possible stage. By improving SAP Security & Risk Management agilesi generates intelligent, actionable insights, lowers the number and criticality of auditors' findings, enables compliance and transforms risk into remediation.» A paradigm shift in the purpose of 360 SAP Security Monitoring out-of-the-box solution which not only alerts on issues, but pre-emptively monitors for early warning signs, and proactively secures your most critical business application «Product Description System Architecture Figure 1: agilesi system architecture agilesi is based on a three layer architectural model with a collection, an Administration and an Analytics Layer (Figure 1). The main task to be performed at the Collection Layer is the extraction of data performed by the agilesi agents running on SAP systems that will be monitored. The agents are developed in ABAP and integrate closely with the SAP systems. They will be delivered as Add-Ons or SAP transports, i.e. having their own namespace registered with SAP. The Agents and the central component called Core form a powerful versatile extractor framework the backend of agilesi. The main component of the Administration Layer is the agilesi Core - the central instance for setting up the solution, configuring and monitoring it, which also receives and preprocesses all security monitoring data extracted by the Agents. The agilesi Core also is an Add-On, and can be installed on one of the Agent systems along with an Agent, or separately on a dedicated SAP Netweaver Application Server ABAP. The central pillar of the Analysis Layer is the agilesi frontend which can be either a SIEM solution which may already exist in the customers IT infrastructure or as Standalone Version utilizing an embedded front-end based on Splunk. Security Intelligence for the SAP landscape System Features agilesi eliminates the blind spot in SAP Security Monitoring. It is a real Security Intelligence solution that covers auditor guidelines, security recommendations for SAP systems and the results of numerous SAP penetration tests out of the box. It can be easily adapted to cover customer specific monitoring requirements without any programming efforts. agilesi also interworks with SAP code scanning solutions for a more holistic approach. Common point-solutions only solve a few aspects of SAP security lacking variety of flexible formats and causing a significant overhead in manual efforts. agilesi extracts and interprets continiously all of the necessary data in SAP landscapes that regular tools cannot provide. The agilesi agents have several data extractors to access data stored in log files, tables, change documents, etc. Table 1 lists all extractors and the data available through agilesi. Extractor Events/Data Example Use Cases!» Over 95% of SAP systems are exposed to espionage, sabotage and fraud attacks.«do you really think auditing SoD controls is sufficient? Deep, High Resolution Visibility agilesi continuously scans the whole SAP landscape (ABAP-based system) and detects weak system configurations, excessive user access rights (and SoD violations), potential threats through attacks, and can be used to monitor critical transactions or privileged user activity. The preprocessed data is analyzed in SIEM (Security Information and Event Management) solutions of different vendors, and cross-device correlated with events from the surrounding ITinfrastructure, e.g. databases, operating systems, user identity management systems, etc. at the same time. Security Audit Log System Log Subset of security events in SAP systems, such as (failed) logins, transaction starts, etc. SAP basis log for availability, error tracking, security,... Brute force login User created / deleted /l ocked / unlocked Password changes Execution of reports Debugging Execution of OS commands System Parameters SAP system configuration Password policy checks SAP Gateway check Encryption of communication (SNC status)

3 Tables Data stored in tables System and client change settings Single Sign-On / Logon Tickets RFC configuration Any data stored in any table Ping Monitor availability Check availability of SAP systems Gateway Config. & Log Communication with external programs Monitor 'denied' external calls Access Controls Authorization data SoD checks Table Logging Changes to data stored in tables Monitor critical tables (master data, conditions of purchase) Table 1: agilesi TM Extractors and Example Use Cases Figure 3: agilesi Standalone Dashboard (example) Figure 4: agilesi for ArcSight ESM Dashboard (example) The Core is the agilesi central component at the Administration Layer which provides a native web interface based on SAP s Web Dynpro ABAP (WP) technology to centrally configure and monitor the backend part of the solution (figure 2). The predefined reports based on generally accepted audit guidelines and SAP security recommendations help customers to get the findings into a remediation cycle and take action to improve system security or react on security incidents. The solution delivers results out of the box but is highly customizable to allow adoption to special requirements and customers security policies. agilesi currently provides reports for the TOP20 SAP Security Use Cases for all supported SIEM systems and for the standalone solution. The report collection for agilesi for ArcSight ESM additionally contains all reports covering the DSAG (Germanspeaking SAP User Group ) audit guidelines (see figure 5). Figure 2: Core s administration Web frontend Depending on the SIEM system, the Core and it s Consumer Connector create output data in either file-based format, which can be accessed by the SIEM system at the file system level or as a syslog stream. The data format can be different to support the various frontends, e.g. ArcSight s Common Event Format (CEF). The messages are fed into SIEM systems, get categorized, often utilizing extended schemes, e.g. Domain Field Sets to handle the more than SAP-specific key value pairs. The agilesi Security Analytics Pack provides a comprehensive set of predefined correlation rules, meaningful dashboards, and adoptable reports for security relevant key indicators. The rule sets are applied to check for compliance, and identify violations, suspicious patterns, anomalies and security-related events. Presenting a view of the information, agilesi provides real-time dashboards with a highly intuitive and customizable layout for each of the SIEM systems to be integrated (figure 3 & 4). Figure 5: Report collection provided with agilesi for ArcSight

4 Supported Platforms agilesi is supported for all ABAP-based applications that are in SAP Mainstream Maintenance, installed on SAP Netweaver Application Server ABAP 7.0 EHP 1 or later (see figure 6), for example: SAP NetWeaver 7.0 EHP 1 SAP NetWeaver 7.3 SAP ERP 6.0 SAP CRM 6.0, 7.0 SAP SCM 5.1, 7.0 SAP SRM 6.0, Key Values and Benefits agilesi - A CISO s Weapon for Passing Audits and Minimizing Risks Integrating application security events into SIEM systems can quickly become a parody of its promise: inefficient, expensive and time-intensive. agilesi helps security teams and business process owners to take direct, timely action to operate proactively and effciently in handling security incidents. Automation, continuous data extraction and smart correlation are the three key factors to save money, protect transaction integrity and reduce staff workload. Eliminate the blind spot in SAP Security Monitoring Regain control with Security Intelligence for SAP Continously monitors critical system conditions and events Automates collection, correlation, visualization & reporting Reduces audit costs & efforts Provides standard checks and SAP-specific threat vector detection Enables SOC teams to interpret SAP security events Improves SAP Security & Risk Management Lowers number and criticality of auditors' findings Transforms risk into remediation Supports fulfillment of compliance requirements Consolidates the SAP tool zoo into one holistic approach Major vendors evaluated agilesi and signed in technology partnerships and joint-development programs to enhance the detection capabilities of their SIEM products by bridging the 'SAP-SIEM-Gap'. Global corporations and government agencies have tested agilesi to drive smarter, faster decisions in security risk management that contribute directly to the bottom line of IT operations. Figure 6: Supported SAP products (as of March 2012): agilesi TM is supported on Mainstream Maintenance products (yellow). Source: SAP AG! agilesi supports CEF for HP/ArcSight ESM, and other formats e.g. for splunk, IBM Q1Labs QRadar, and LogRhythm. Other consumers will be supported in the future

5 About Headquartered at Munich, Germany, it-cube is a leading full-service provider for IT-Security with a proven track record of projects delivering a measurable reduction in business risk and lowering the long term investment in information security. it-cube is committed to providing excellence and innovation through highly specialized developments, products and services, including Consulting, Customization, System Integration, Training, and Operational Services. With over 10 years of experience and an extremely motivated, qualified and certified team it-cube serving national and international major blue chip organizations. With agilesi it-cube SYSTEMS provides a continuous analysis platform for 360 SAP Security Monitoring that generates actionable insights and competitive advantage without requiring that SOC teams become SAP experts. Our packaged security analytics convert risk into remediation making critical events and settings interpretable by meaningful visualizations showing what happened, by whom, why and how to solve it. While it-cube SYSTEMS is an endorsed SAP business partner, agilesi is officially certified to be integrated with SAP applications. it-cube SYSTEMS is active throughout Germany / Austria / Switzerland and around the globe. Our customers include renowned large corporations as well as medium-sized enterprises of various sectors, such as the aerospace, automotive, financial, insurance, telecommunication, and chemical industries. Founded in 2006, it-cube SYSTEMS is privately held and headquartered in Munich, Germany. For more information about agilesi, please visit our Web site at /sap, us at [email protected] or call us at Copyrights and Trademarks Copyright 2012 All Rights Reserved. All information to be changed without further notice. it-cube will accept no liability for the information provided here and will not guarantee that it is up to date, correct, complete or sound. Liability claims against the author, based on material or ideal damages caused by the use or ignorance of information provided here, will be generally excluded except in proven cases of gross negligence or conscious wrong-doing on the part of the author. The author explicitly reserves the right to modify, complete, delete certain sections of web-pages or the entire offer without further notice, or to cease to publish this content temporarily or definitively. agilesi as well as the respective logo is a trademark or registered trademark of it-cube Systems GmbH in Germany and other countries. SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. ArcSight ESM is a trademark of ArcSight, an HP company. All other product and service names mentioned are the trademarks of their respective companies. legal notice: photo page 8: blind date / photographer: birdy`s. / source: photocase.com; front: fotolia.com; page 2: istockphoto.com, Published by Paul Gerhardt-Allee München Handelsregister: HRB USt-ID-Nummer nach 27 a UStG: DE Geschäftsführer: Dipl.-Ing. Andreas Mertz T: F: E: info(at)it-cube.net