Andreas Mertz (Founder/Man. Dir. it-cube SYSTEMS, CISSP) 360 SAP Security



Agenda
- Motivation
- SAP threat vectors / SAP hack
- Solution approach: the 360 of agilesi
- Threat detection scenarios / SIEM use cases
- Key benefits
- Questions & answers

Motivation

ESPIONAGE. SABOTAGE. FRAUD.
Why are business applications critical?
- Essential business processes
- Sensitive/critical data: FI, HR, CO, PP, CRM, SRM
- Intellectual property (e.g. product data)
How and where would you attack your company? Where is money earned, made or lost?
Any information an attacker wants is stored in the company's ERP system!

SAP SECURITY - A DANGEROUS STATUS QUO
Application security has been neglected: there is an imbalance between the spending allocated to it and the security risk it is perceived to carry.
Source: "The State of Risk-Based Security Management", Ponemon Institute LLC, 2012

SAP SERVERS ON THE INTERNET
The MYTH: SAP systems are inaccessible from the Internet, so vulnerabilities can only be exploited by insiders.
TRUTH: Business processes are changing and call for remote and mobile access via web portals.
PROOF: Increasing numbers of SAP systems are exposed to the Internet: Dispatcher, Message Server, HostControl, Web Services, Solution Manager, etc.
STATS: Searches with well-known Google queries or on shodanhq return hundreds of SAP servers reachable from the Internet (counts as of the presentation):

  Application server type                  Search string       Hits (Shodan)
  SAP NetWeaver J2EE (Enterprise Portal)   inurl:/irj/portal   834
  SAP Business Objects (SAP ITS)           inurl:infoviewap    20
  SAP NetWeaver ABAP                       inurl:/sap/bc/bsp   113

MOTIVATION: SAP ABAP risk / attack vectors
Layers of the stack: business logic, business runtime, database, operating system.
Attack vectors across these layers:
- Insecure ABAP coding
- Configuration errors (system settings)
- Uncontrolled remote access via RFC, SOAP, etc.
- Transports / software deployment
- Data manipulation
- OS commands
Over 95% of SAP systems are exposed to espionage, sabotage and fraud attacks. Do you really think auditing SoD controls is sufficient?

SAP Live Hacking

LIVE HACKING
Hack example: SA38 as a backdoor via EDITOR-CALL
- Starting point: a minimal authorization set that allows starting reports (SA38) but grants no table access rights.
- Exploit: execute a report that contains an EDITOR-CALL statement.
- Result: read and write access to table content, without the authorization checks that SE16/SM30 would enforce.

LIVE HACKING: SAP hack detection & alerting with agilesi (example)
- agilesi CODE Scanner checks code when it is imported into agent systems: EDITOR_CALL, AUTHORITY_CHECK, hidden ABAP
- agilesi Transport Extractor: transport released by, containing objects created by, transport imported by
- SoD conflict detection
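The scan that slide 10 describes can be shown in code: a static pass over the ABAP objects in a transport that flags EDITOR-CALL and similar statements and reports a program that reads or writes table data without any AUTHORITY-CHECK. This is an added example, not agilesi's scanner or its rule set; the rules, the severity wording and both ABAP snippets (including the table name ZSENSITIVE) are constructed for illustration.

```python
"""Static scan of ABAP objects in a transport for the SA38/EDITOR-CALL backdoor pattern.

Added example, not agilesi code. Rules and the ABAP snippets are constructed
for illustration; nothing here is the product's actual rule set.
"""
import re
from dataclasses import dataclass

# Statements that hand a report direct data access outside the paths that the
# standard authorization objects guard (S_TABU_DIS/S_TABU_NAM for SE16/SM30).
DANGEROUS = {
    "EDITOR-CALL": "opens an internal table in an editor: interactive read/write of table content",
    "CALL 'SYSTEM'": "kernel call that runs operating-system commands",
    "INSERT REPORT": "writes generated ABAP into the repository at runtime",
}
# Database write statements; over-approximates because MODIFY on an internal table matches too.
DB_WRITE = re.compile(r"^(UPDATE|DELETE FROM|INSERT INTO|MODIFY)\s+[A-Z0-9_/]+\b")


@dataclass
class Finding:
    obj: str
    line: int
    rule: str
    detail: str


def _code(line: str) -> str:
    """Drop full-line (*) and trailing (") comments and normalise case."""
    if line.lstrip().startswith("*"):
        return ""
    return line.split('"', 1)[0].strip().upper()


def scan_program(name: str, source: str) -> list[Finding]:
    findings, auth_check, db_write = [], False, False
    for no, raw in enumerate(source.splitlines(), 1):
        code = _code(raw)
        if not code:
            continue
        if code.startswith("AUTHORITY-CHECK"):
            auth_check = True
        if DB_WRITE.match(code):
            db_write = True
        for stmt, why in DANGEROUS.items():
            if code.startswith(stmt):
                findings.append(Finding(name, no, stmt, why))
    editor = any(f.rule == "EDITOR-CALL" for f in findings)
    if (editor or db_write) and not auth_check:
        findings.append(Finding(name, 0, "NO-AUTHORITY-CHECK",
                                "data read/write path with no AUTHORITY-CHECK in the program"))
    return findings


def scan_transport(objects: dict[str, str]) -> dict[str, list[Finding]]:
    """objects maps program name -> source text, as a transport extractor would deliver them."""
    hits = {name: scan_program(name, src) for name, src in objects.items()}
    return {name: f for name, f in hits.items() if f}


# Constructed sources: the backdoor report from the slide and a clean report.
BACKDOOR = """REPORT zsa38_door.
* Needs only the right to start reports via SA38; no table authorization.
DATA lt_rows TYPE TABLE OF zsensitive.
SELECT * FROM zsensitive INTO TABLE lt_rows.
EDITOR-CALL FOR lt_rows.            " rows are now editable on screen
MODIFY zsensitive FROM TABLE lt_rows.
"""
CLEAN = """REPORT zreport_ok.
AUTHORITY-CHECK OBJECT 'S_TABU_NAM' ID 'TABLE' FIELD 'ZSENSITIVE' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'no authorization'.
ENDIF.
SELECT * FROM zsensitive INTO TABLE @DATA(lt_rows).
"""

if __name__ == "__main__":
    for obj, fs in scan_transport({"ZSA38_DOOR": BACKDOOR, "ZREPORT_OK": CLEAN}).items():
        for f in fs:
            print(f"{obj} line {f.line}: {f.rule} - {f.detail}")
```

The scan is deliberately coarse: it keys on statements, not data flow, so it will also flag legitimate uses of EDITOR-CALL and internal-table MODIFY. That is the right trade-off for a transport gate, where a false positive costs a review and a miss costs a backdoor in production.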

360 SAP Security

360 SAP SECURITY MONITORING: 360 = SAP goes SIEM
Event sources feeding the SIEM: identity management systems, physical access, email/web gateways, endpoints, servers, network devices, security devices, databases, and the runtime of business applications.

360 SAP SECURITY MONITORING: 360 = continuous! automated! complete! in one spot!
SAP security sources: Security Audit Log, System Log, system parameters, tables, transport log, gateway configuration & log, change documents, table change logging, access control, security notes.
agilesi SAP-SIEM integration: automated, continuous, complete, in one spot.
SIEM SAP security analytics:
- Content & use cases derived from DSAG audit guidelines, SAP security recommendations and SAP pentesting practice
- Dashboards, reports, notifications
- SAP-specific categorization for the SIEM
- Data monitors, active lists, rules
- Cross-event & device correlation

HOLISTIC APPROACH FOR CONTINUOUS SAP SECURITY MONITORING
Four pillars across the enterprise IT environment:
- Secure Code: source code weaknesses
- Secure Apps: change management, software deployment (SAP transports)
- Secure Systems: patch status, system settings, SoD & critical authorizations
- Detect Attacks: critical transactions and commands; workflow anomalies, fraud and the human factor
Point tools named on the slide for these areas: Virtual Forge, Code Scanner, SOS, GRC, CSI AA, manual/custom ACL/oversight tools, business transaction monitoring.

THE EFFECT: the agilesi effect (e.g. critical authorizations)

                 check assignment of        check usage of          audit of
                 critical auth.             critical auth.          critical auth.
  agilesi        continuous, landscape      continuous, landscape   continuous, landscape
  SAP GRC        snapshot, landscape        on demand, landscape    on demand, Firefighter only
  manual audit   snapshot, single systems   not available           not available

SECURITY MONITORING WITH SAP SOLUTIONS

  Manual SAP security        With agilesi
  snapshot                   continuous monitoring
  single systems             complete landscape control
  manual work                full automation
  single event source        cross-event/device correlation
  many point solutions       holistic, complete functionality
  on-demand alerting only    continuous, automated, complete 360 SAP security monitoring/alerting

Use Cases

USE CASES / DETECTION SCENARIOS
Predefined detection use cases = fast time to value. Content & use cases are derived from SAP pentesting & security experience, DSAG audit guidelines and SAP security recommendations.
- SoD conflicts & access control: all DSAG checks implemented and covered by agilesi; checks are maintainable, customizable and extendable
- System & client change option: check settings and changes
- Administrator/Firefighter activity
- SAP standard accounts: lock status and activity monitoring; changes to SAP standard accounts
- Changed or switched-off authorization checks: transactions SU24, SU25, SU26, SM01, AUTH_SWITCH_OBJECTS; profile parameter auth/object_disabling_active
- Security Audit Log settings: activation status, configuration check, filter configuration settings and changes
- STMS/transport monitoring: transport imports of critical objects; imports at unusual times; critical STMS parameters like RECCLIENT and VERS_AT_IMPORT
- Table change logging: activation status (profile parameter rec/client and DB table settings); table logs to control critical data
- OS commands
- Changes to user master records
- Debugging
- Data loss detection, the added value of agilesi cross-device event correlation: check SAP events against network events (client/PC activity)
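Several of the use cases above are configuration checks rather than event rules: auth/object_disabling_active, rec/client, the Security Audit Log activation status and the STMS parameters RECCLIENT and VERS_AT_IMPORT are compared against an expected value, and a change between two extractions is itself an event. The block below is an added example of such a baseline check, not agilesi code: the parameters the slide names are included, the remaining parameters and all threshold values are common hardening recommendations chosen here as assumptions, and the two snapshots are constructed.

```python
"""Check an extracted set of SAP profile and transport parameters against a baseline.

Added example, not agilesi code. Baseline values are common hardening
recommendations; the snapshots are constructed and the thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Rule:
    param: str
    check: Callable[[Optional[str]], bool]
    expected: str
    impact: str


def _int(v):
    try:
        return int(v)
    except (TypeError, ValueError):
        return None


RULES = [
    Rule("auth/object_disabling_active", lambda v: v == "N", "N",
         "Y lets an administrator globally switch off an authorization object"),
    Rule("rec/client", lambda v: v not in (None, "OFF", ""), "ALL or list of clients",
         "table change logging is off: changes to customizing tables leave no trace"),
    Rule("rsau/enable", lambda v: v == "1", "1",
         "Security Audit Log disabled: no logon, transaction or user events"),
    Rule("login/no_automatic_user_sapstar", lambda v: v == "1", "1",
         "SAP* with its default password becomes usable when its user record is deleted"),
    Rule("login/min_password_lng", lambda v: (_int(v) or 0) >= 8, ">= 8", "short passwords"),
    Rule("login/fails_to_user_lock", lambda v: 1 <= (_int(v) or 99) <= 5, "1..5",
         "brute force attempts do not lock the account"),
    Rule("login/password_expiration_time", lambda v: 1 <= (_int(v) or 0) <= 90, "1..90",
         "0 means passwords never expire"),
    Rule("gw/acl_mode", lambda v: v == "1", "1",
         "without ACL mode a missing reginfo/secinfo leaves gateway registration open"),
    Rule("snc/enable", lambda v: v == "1", "1", "GUI/RFC traffic is not encrypted"),
    # STMS/tp parameters live in the transport profile, not the instance profile
    Rule("RECCLIENT", lambda v: v == "ALL", "ALL", "client-specific imports are not recorded"),
    Rule("VERS_AT_IMPORT", lambda v: v == "ALWAYS", "ALWAYS",
         "no version at import: overwritten objects cannot be compared or restored"),
]


def check_snapshot(system, snapshot):
    """One finding per violated rule; a missing parameter counts as a violation."""
    findings = []
    for r in RULES:
        v = snapshot.get(r.param)
        if not r.check(v):
            findings.append({"system": system, "param": r.param, "actual": v,
                             "expected": r.expected, "impact": r.impact})
    return findings


def diff_snapshots(system, before, after):
    """Parameter changes between two extractor runs, the input for a 'setting changed' event."""
    keys = set(before) | set(after)
    return [{"system": system, "param": k, "old": before.get(k), "new": after.get(k)}
            for k in sorted(keys) if before.get(k) != after.get(k)]


# Constructed snapshots of a hypothetical PRD system on two consecutive days.
PRD_DAY1 = {"auth/object_disabling_active": "Y", "rec/client": "OFF", "rsau/enable": "1",
            "login/no_automatic_user_sapstar": "1", "login/min_password_lng": "6",
            "login/fails_to_user_lock": "5", "login/password_expiration_time": "90",
            "gw/acl_mode": "1", "snc/enable": "0", "RECCLIENT": "ALL", "VERS_AT_IMPORT": "ALWAYS"}
PRD_DAY2 = dict(PRD_DAY1, **{"rsau/enable": "0", "login/min_password_lng": "8"})

if __name__ == "__main__":
    for f in check_snapshot("PRD", PRD_DAY2):
        print(f"{f['system']} {f['param']}={f['actual']} (expected {f['expected']}): {f['impact']}")
    for c in diff_snapshots("PRD", PRD_DAY1, PRD_DAY2):
        print(f"CHANGED {c['param']}: {c['old']} -> {c['new']}")
```

Treating a missing parameter as a violation matters: an extractor that cannot read a value (wrong authorization, instance down) should surface as a finding, not silently pass.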

BUSINESS TRANSACTION MONITORING: more use cases
- Major invoices issued without purchase orders
- Deviation between purchase order value and invoice value at equal quantity of goods
- Invoice receipt and payment before the date of goods receipt
- Control of critical application data within the customer namespace (e.g. applications in the production process)
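The first three use cases are three-way-match anomalies between purchase order, goods receipt and invoice. The following added example (not agilesi code) implements them over a simplified record layout: purchase orders, goods receipts and invoices are plain dicts, the sample documents are constructed, and the tolerance and "major invoice" threshold are assumptions.

```python
"""Three-way-match checks for the business transaction monitoring use cases.

Added example, not agilesi code. Record layout, sample documents, tolerance
and the major-invoice threshold are constructed/assumed for illustration.
"""
from datetime import date

PRICE_TOLERANCE = 0.05    # invoice may exceed the PO value by 5% at equal quantity (assumption)
MAJOR_INVOICE = 10_000.0  # invoices at or above this amount without a PO are escalated (assumption)


def check_transactions(pos, grs, invoices):
    """Return (invoice document, finding, detail) tuples for the three slide use cases."""
    po_by_no = {p["po"]: p for p in pos}
    gr_by_po = {}
    for g in grs:
        gr_by_po.setdefault(g["po"], []).append(g)
    findings = []
    for inv in invoices:
        po = po_by_no.get(inv.get("po"))
        if po is None:
            # Use case 1: invoice without purchase order, escalate only major amounts
            if inv["amount"] >= MAJOR_INVOICE:
                findings.append((inv["doc"], "major_invoice_without_po", inv["amount"]))
            continue
        # Use case 2: same quantity, but invoice value exceeds PO value beyond tolerance
        if inv["qty"] == po["qty"] and inv["amount"] > po["amount"] * (1 + PRICE_TOLERANCE):
            findings.append((inv["doc"], "invoice_exceeds_po_value",
                             round(inv["amount"] - po["amount"], 2)))
        # Use case 3: invoice receipt or payment dated before the first goods receipt
        first_gr = min((g["date"] for g in gr_by_po.get(po["po"], [])), default=None)
        if first_gr is None or inv["date"] < first_gr:
            findings.append((inv["doc"], "invoice_before_goods_receipt", str(first_gr)))
        if inv.get("paid") and (first_gr is None or inv["paid"] < first_gr):
            findings.append((inv["doc"], "payment_before_goods_receipt", str(first_gr)))
    return findings


# Constructed documents (hypothetical numbers and vendors).
POS = [{"po": "4500001", "vendor": "V100", "qty": 100, "amount": 5000.0},
       {"po": "4500002", "vendor": "V200", "qty": 10, "amount": 12000.0}]
GRS = [{"po": "4500001", "date": date(2015, 5, 4)},
       {"po": "4500002", "date": date(2015, 5, 20)}]
INVOICES = [
    # 12% above the PO value at equal quantity
    {"doc": "5100001", "po": "4500001", "vendor": "V100", "qty": 100, "amount": 5600.0,
     "date": date(2015, 5, 6)},
    # invoiced and paid before the goods arrived
    {"doc": "5100002", "po": "4500002", "vendor": "V200", "qty": 10, "amount": 12000.0,
     "date": date(2015, 5, 10), "paid": date(2015, 5, 12)},
    # large invoice with no purchase order at all
    {"doc": "5100003", "po": None, "vendor": "V300", "qty": 1, "amount": 25000.0,
     "date": date(2015, 5, 7)},
    # clean: matches PO, after goods receipt
    {"doc": "5100004", "po": "4500001", "vendor": "V100", "qty": 100, "amount": 5000.0,
     "date": date(2015, 5, 8)},
]

if __name__ == "__main__":
    for doc, kind, detail in check_transactions(POS, GRS, INVOICES):
        print(f"invoice {doc}: {kind} ({detail})")
```

In a real landscape the records come from the purchasing and invoice verification tables through an extractor and the thresholds are tuned per vendor and material group; the logic of the three checks does not change.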

VISIBILITY IS KEY: ArcSight with agilesi 1.0 extractors (visibility & coverage)
Extractor / events or data / example use cases:
- Security Audit Log: subset of security events in SAP systems, such as (failed) logins, transaction starts, etc. / brute-force login; user created, deleted, locked, unlocked; password changes; execution of reports
- System Log: SAP Basis log for availability, error tracking, security, ... / debugging; execution of OS commands; table logging in program disabled by user
- System Parameters: SAP system configuration / password policy checks; SNC encryption status; SAP Gateway check
- Tables: data stored in tables / system and client change settings; RFC configuration; Single Sign-On / logon tickets; any data stored in any table
- Ping: monitor availability / check availability of SAP systems
- Transport Log: change management through transports with code and customizing / updates to roles; transports of critical objects, at unusual times
- Gateway Config & Log: communication with external programs / monitor denied external calls
- Change Documents: changes to business objects / roles, profiles and user master data
- Table Change Logging: changes to data stored in tables / monitor critical tables (master data, conditions of purchase)
- Access Control: checks against critical combinations of authorization objects / SoD conflicts; backdoor implementation via transports
- Security Notes: SAP RSECNOTE implementation status / security notes missing in the system landscape
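The Security Audit Log row above ("brute-force login", "execution of reports") and the SAP-SIEM integration described on slide 13 both come down to categorising SAL events and correlating them in the SIEM. As an added example, not agilesi's extractor or content, the block below parses a constructed, simplified SAL record format (timestamp, message ID, client, user, terminal, first argument; real entries carry more fields), raises the brute-force and critical-transaction use cases, and emits ArcSight CEF lines. The standard message IDs AU1, AU2, AU3, AU7, AU9 and AUA are SAP's; the thresholds, the critical transaction set and the CEF vendor/product names are assumptions.

```python
"""Correlate Security Audit Log events into SIEM alerts (brute force, critical tcodes).

Added example, not agilesi code. Records are a constructed, simplified SAL
format; thresholds, the critical transaction set and the CEF names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SAP standard SAL message IDs used here, mapped to a SIEM category.
CATEGORY = {"AU1": "logon/success", "AU2": "logon/failure", "AU3": "transaction/start",
            "AU7": "user/create", "AU9": "user/lock", "AUA": "user/unlock"}
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=5)   # assumptions
# Transactions from the slides plus SE16; the set is an assumption, tune it per landscape.
CRITICAL_TCODES = {"SA38", "SE16", "SM01", "SU24", "SU25", "SU26"}


def parse(lines):
    """'2015-05-04T08:00:01|AU2|100|JDOE|PC-0815|' -> dict with a datetime, sorted by time."""
    out = []
    for ln in lines:
        ts, mid, client, user, term, arg = ln.split("|", 5)
        out.append({"ts": datetime.fromisoformat(ts), "mid": mid, "client": client,
                    "user": user, "terminal": term, "arg": arg,
                    "category": CATEGORY.get(mid, "other")})
    return sorted(out, key=lambda e: e["ts"])


def correlate(events):
    """Return (name, terminal, user, severity) alerts in event order."""
    alerts = []
    fails = defaultdict(list)  # terminal -> timestamps of failed logons inside WINDOW
    for e in events:
        t = e["terminal"]
        if e["mid"] == "AU2":
            fails[t] = [x for x in fails[t] if e["ts"] - x <= WINDOW] + [e["ts"]]
            if len(fails[t]) == FAIL_THRESHOLD:          # fire once per burst
                alerts.append(("brute_force", t, e["user"], "medium"))
        elif e["mid"] == "AU1":
            # success right after a burst of failures is the interesting case
            if len(fails[t]) >= FAIL_THRESHOLD and e["ts"] - fails[t][-1] <= WINDOW:
                alerts.append(("logon_after_failures", t, e["user"], "high"))
            fails[t] = []
        elif e["mid"] == "AU3" and e["arg"] in CRITICAL_TCODES:
            alerts.append(("critical_tcode", t, f"{e['user']}:{e['arg']}", "medium"))
    return alerts


def to_cef(alert, vendor="example", product="sap-sal-correlator"):
    """ArcSight CEF line (suser/shost are standard CEF extension keys); names are placeholders."""
    name, terminal, user, sev = alert
    sev_num = {"low": 3, "medium": 6, "high": 9}[sev]
    return f"CEF:0|{vendor}|{product}|1.0|{name}|{name}|{sev_num}|suser={user} shost={terminal}"


# Constructed sample: five failures, a success, then SA38 from the same terminal.
SAMPLE = """2015-05-04T08:00:01|AU2|100|JDOE|PC-0815|
2015-05-04T08:00:05|AU2|100|JDOE|PC-0815|
2015-05-04T08:00:09|AU2|100|JDOE|PC-0815|
2015-05-04T08:00:14|AU2|100|JDOE|PC-0815|
2015-05-04T08:00:20|AU2|100|JDOE|PC-0815|
2015-05-04T08:00:31|AU1|100|JDOE|PC-0815|
2015-05-04T08:01:10|AU3|100|JDOE|PC-0815|SA38
2015-05-04T08:30:00|AU1|100|MMUSTER|PC-0042|
2015-05-04T08:31:00|AU3|100|MMUSTER|PC-0042|VA01""".splitlines()

if __name__ == "__main__":
    for a in correlate(parse(SAMPLE)):
        print(to_cef(a))
```

Keying the failure window on the terminal rather than the user is deliberate: password spraying rotates users and would never trip a per-user counter. Note also that SAL only records what its filters are configured to record, which is why the "Security Audit Log settings" use case on slide 18 belongs next to this one.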

Solution Architecture

agilesi ARCHITECTURE MODEL
- Monitored systems: FI, CO, MM, SD, PP, AA, ...
- Data collection: the agilesi AGENT extracts data according to the CORE configuration via extractor job programs/reports; SM log
- Administration: the agilesi CORE provides extractor service management, event transformation into the SIEM format and a Web Dynpro interface (configuration frontend)
- Analysis: the SIEM performs event correlation and security analytics with SAP-specific categorization; the agilesi Analytics frontend provides dashboards, reports and notifications

SETUP: extractor management/deployment/scheduling

SIEM FRONT END: agilesi 4 ArcSight management dashboards, e.g. missing security patches per system across the overall PROD system landscape

MEANINGFUL DASHBOARDS: agilesi 4 ArcSight SOC-focused control dashboards; compliance/security dashboard overview; event graph from top-level charting down to event drilldown

Offerings

OFFERINGS: agilesi is available for:

LICENSE MODEL (# SID): licensing counts system IDs, not hosts or instances

  SID   Application   Host             Instance
  ECP   ECC 6.0       sap-lnx-01       00 (central instance)
  ECP   ECC 6.0       sap-lnx-02       01 (dialog instance)
  ECP   ECC 6.0       sap-lnx-03       02 (dialog instance)
  PLP   PLM           sap-windows-01   00 (central instance)
  PLP   PLM           sap-windows-02   01 (dialog instance)
  CRP   CRM           sap-windows-03   00

LICENSE: # SID = 3 (ECP, PLP, CRP)

Summary

How can you protect your most critical application while reducing costs?
- Eliminate the blind spot in SAP security monitoring
- Continuously monitor your critical system conditions and events
- Automate collection, correlation, visualization, reporting & alerting
- Reduce your audit costs & efforts and save on costly SAP consultants
- Utilize predefined checks and SAP-specific threat vector detection
- Enable your SOC team to interpret SAP security events and act

Key uses & benefits
- Regain control with security intelligence for SAP
- Improve your SAP security & risk management
- Lower the number and criticality of auditors' findings
- Transform your risks into remediation
- Fulfill compliance requirements for your SAP landscapes
- Consolidate the SAP tool zoo into one holistic approach

Let's discuss it!

IT'S ABOUT THE I IN IT, NOT JUST THE T! Thank you for your attention!
For more information visit www.agilesi.net
it-cube SYSTEMS GmbH, Paul-Gerhardt-Allee 24, 81245 München, Germany
P: +49 (89) 2000 148 00
F: +49 (89) 2000 148 29
M: info@it-cube.net
W: www.it-cube.net

Company Overview

COMPANY OVERVIEW: our expertise
- Full-service provider for IT/SAP security with 10+ years of experience
- Vendor-neutral consulting, system integration, product development
- Founded in 2001, privately held
- Partnerships with 20+ A-brand vendors
- 28 consultants, 8 developers
- Approved for classified information (Ü2) by BMWi

SOLUTION OVERVIEW: portfolio of it-cube SYSTEMS GmbH
SIEM & Security Intelligence, Security Log Management, SAP Security Monitoring, APT & Malware Defense, Application Firewalling, Database Security, Software Security & Code Analysis, Data Leakage Prevention (DLP), Secure Data Exchange and Managed Security Services (MSS), Threat Intelligence, Digital Forensics, Endpoint Security, Business Analytics, IT Networks

SOLUTION PORTFOLIO: it-cube SYSTEMS, defending your success. it-cube Solutions:
- Security Intelligence: Security Information & Event Management (SIEM), log management & IT search, threat intelligence, digital forensics, industrial/SCADA security, governance, risk & compliance (GRC)
- Managed Services: Managed Security Services (MSS), security outsourcing, operational outtasking, service & support helpdesk
- People & Processes: IT/business application monitoring, transaction monitoring, SOC/NOC process design, identity and access management (IAM), security awareness building, security training
- Data Analytics: operational intelligence, big data analysis, business analytics, IT search, business application monitoring
- Professional Services: security consulting, security training, security assessments, system integration, product development, customizing & engineering
- Applications and Network & Infrastructure: SAP security, data loss prevention (DLP), malware protection, software code analysis, secure data exchange, database, virtualization, IT monitoring, firewalling, intrusion prevention, web/e-mail security, remote access, network access control, vulnerability management, virtualization security