AGENDA
Case for SAP Cybersecurity Framework
Respond to SAP Security Incidents
Demo Time
CRITICAL ASSETS
Source: Industry-Focused Data Breach Report 2018
TYPICAL INCIDENTS
Source: Industry-Focused Data Breach Report 2018
AS IS
Security Team / SAP Users / BASIS Administrators / Management
• "May I download the BP000 table?"
• "SM20 lets us track every action!"
• "Our SOC monitors all network flows!"
• "SAP_ALL for ALL!"
TO BE
CISO, CIO, CRO
• ENTERPRISE SECURITY: Vulnerability Management, Asset Management, Risk Management, Secure Development
• SAP BASIS: Patching SAP systems, Incident Response, Mitigation, Improvements
• SAP SECURITY: Segregation of Duties, Data Security, Secure Architecture, Awareness and Training
• IT OPERATIONS: Monitoring SAP systems, Threat Detection, User Behavior, Data Leakage
IMPLEMENTATION TIERS
• Tier 1: 50%, 3-6 months
• Tier 2: 80%, 6-12 months
• Tier 3: 99%, 12 months
RESPOND: Investigate, take action, and improve
RESPOND
SAP SECURITY INCIDENTS (use case, example, action)
Configurations:
• Weak Configuration. Example: the system has configuration issues (the security audit log is disabled, encryption of RFC isn't configured). Action: create a remediation plan for SAP administrators.
• Vulnerabilities. Example: unpatched SAP SSO component (SAP Note 2389042: a denial of service vulnerability in the SAP SSO component). Action: install the security patch, implement the security note.
• Authorizations. Example: weak passwords, SoD conflicts, critical profiles assigned. Action: analyze the need for the provided access.
Events:
• Threat Events. Example: successful critical actions (OS command, system configuration, RFC, DB, user management, program, report). Action: investigate the activity, revoke authorizations, adjust correlation rules.
• Attack Events. Example: potential attacks (SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal, Missing Authorization, Verb Tampering) and real attacks against specific SAP services. Action: block access and investigate network activity.
• Anomaly. Example: all actions with transactions and tables (Business Partners, Customers, Documents, Purchase, HR data, Users, Invoices, ...). Action: review the anomalous activity and adjust notification rules.
PROCESS / PURPOSE
• Incident Response: to systematically respond to a violation or threat of violation of SAP security policies and practices
• Clear Communications: to structure SAP security responsibilities in a business and provide means for clear communications between its members
• Continuous Analysis: to continuously monitor the effectiveness of SAP security processes and provide insights into the state of SAP security
• Mitigation: to design and model changes to the security of SAP systems
• Improvements: to learn from external events and internal assessments of SAP security controls
INCIDENT RESPONSE
Outcomes:
• Incident Definitions
• Incident Cases
• Incident Response Plans
Implementation:
1. Develop SAP security event correlation rules and incident alert thresholds
2. Develop SAP incident response and recovery plans
3. Automate SAP incident response procedures
Purpose: To systematically respond to a violation or threat of violation of SAP security policies and practices
INCIDENT TEMPLATE
Name: ADMINISTRATIVE LOGON OUTSIDE OF SPECIFIC SEGMENT OF LAN
Description: Productive SAP systems must be administered from the specific segment of the LAN only. All connections from outside that segment are prohibited and shall be investigated in order to prevent future violations of the requirement.
Data Sources: Security Audit Logs
Threshold: IP address is not like 172.16.3.% AND SAP user is in [SAP*, TMSADM, EARLYWATCH]
Response:
• Notify the Network Team to block network access.
• Locate the hosts involved in the action. Check them for virus infections and configuration issues.
• Identify the responsible individuals. Conduct interviews to avoid a recurrence of the incident.
Reporting: Notify the CISO; include the incident in the "non-compliances" section of the weekly security report
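The template's threshold expressed as a correlation rule over Security Audit Log records, as an added example that is not part of the ERPScan deck. The sample records are constructed; "172.16.3.%" is read as the 172.16.3.0/24 network, and evaluating only the logon messages AU1/AU2 is an assumption beyond what the template states.

```python
import ipaddress

# Constructed sample Security Audit Log (SM20) style records; not real log data.
# Fields are reduced to what the rule needs: audit message ID, SAP user, terminal IP.
SAMPLE_EVENTS = [
    {"msg_id": "AU1", "user": "SAP*",       "terminal": "172.16.3.10"},   # admin user, inside segment
    {"msg_id": "AU1", "user": "TMSADM",     "terminal": "10.20.30.40"},   # admin user, outside -> incident
    {"msg_id": "AU1", "user": "JSMITH",     "terminal": "192.168.5.7"},   # ordinary user, ignored
    {"msg_id": "AU2", "user": "EARLYWATCH", "terminal": "172.16.3.250"},  # failed logon, inside segment
    {"msg_id": "AU1", "user": "earlywatch", "terminal": "203.0.113.9"},   # case differs -> still incident
    {"msg_id": "AU3", "user": "TMSADM",     "terminal": "10.0.0.5"},      # transaction start, not a logon
    {"msg_id": "AU1", "user": "SAP*",       "terminal": "wsadm01"},       # hostname, not an IP -> incident
]

# Threshold from the template: IP not like 172.16.3.% AND user in [SAP*, TMSADM, EARLYWATCH].
# Assumption: the LIKE pattern "172.16.3.%" is interpreted as the 172.16.3.0/24 network.
ADMIN_SEGMENT = ipaddress.ip_network("172.16.3.0/24")
ADMIN_USERS = {"SAP*", "TMSADM", "EARLYWATCH"}
# Assumption: only logon messages are evaluated (AU1 = logon successful, AU2 = logon failed).
LOGON_MSG_IDS = {"AU1", "AU2"}


def inside_admin_segment(terminal: str) -> bool:
    """True only if the terminal field parses as an IP address inside the admin segment.
    A hostname or garbled value cannot be shown to be inside, so it is treated as outside."""
    try:
        return ipaddress.ip_address(terminal) in ADMIN_SEGMENT
    except ValueError:
        return False


def matches_rule(event: dict) -> bool:
    """Apply the incident threshold to one audit record."""
    if event["msg_id"] not in LOGON_MSG_IDS:
        return False
    user = event["user"].upper()  # SAP user IDs are stored upper-case; normalise before comparing
    return user in ADMIN_USERS and not inside_admin_segment(event["terminal"])


def find_incidents(events: list) -> list:
    """Return (user, terminal) pairs that should open an incident under the template."""
    return [(e["user"].upper(), e["terminal"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for user, terminal in find_incidents(SAMPLE_EVENTS):
        print(f"INCIDENT: administrative logon by {user} from {terminal} outside the admin LAN segment")
```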
ENABLE LOGGING
• Network level: SAProuter, ICM and Web Dispatcher, Message Server, HTTP logs
• SAP system level: System Log, Security Audit Log, Authorization Traces
• Object level: Transport System Changes, Table Changes, Document Changes
• Interface level: Read Access Logging, UI Masking, UI Logging
INCIDENT RESPONSE. WORKFLOW
Collect -> Correlate -> Analyze -> Act
CLEAR COMMUNICATIONS
Outcomes:
• Security Responsibilities
• Security Roles Delineation
• Cyber Threat Information
Implementation:
1. Assign responsibilities for ensuring SAP security
2. Establish communications between the security team and other parties
3. Establish communications with third-party companies and threat intelligence providers
Purpose: To structure SAP security responsibilities in a business and provide means for clear communications between its members
CLEAR COMMUNICATIONS. CONTACTS
• Research Centers
• Peer organizations
• CERTs
• Vendors
CONTINUOUS ANALYSIS
Outcomes:
• SAP Security Metrics
• SAP Security Dashboards
• Forensic Procedures
Implementation:
1. Develop SAP security metrics
2. Automate tracking of SAP security metrics and analyze trends
3. Develop SAP forensic investigation procedures
Purpose: To provide insights into the state of SAP security
CONTINUOUS ANALYSIS. METRICS
• Percentage (%) of SAP systems that have security plans in place
• Percentage (%) of SAP systems and service acquisition contracts that include SAP security requirements
• Percentage (%) of developers who introduced vulnerabilities in code
• Percentage (%) of systems with unimplemented SAP Notes that have public exploits
• Percentage (%) of users with simple passwords
• Percentage (%) of SAP systems covered by risk assessment
MITIGATION
Outcomes:
• Knowledge Base
• Security CMDB
• Security Workarounds
Implementation:
1. Develop an SAP security controls knowledge base
2. Implement task and change management practices for SAP systems
3. Deploy virtual patching and automatic correction tools for SAP security issues
Purpose: To design, model and make changes to the security of SAP systems
MITIGATION. VIRTUAL PATCHING
IMPROVEMENTS
Outcomes:
• Improvement Suggestions
• Controls Assessments
Implementation:
1. Continuously analyze SAP security updates and threats
2. Attend SAP security events and trainings
3. Assess the effectiveness of SAP security controls
Purpose: To learn from external events and improve SAP security
IMPROVEMENTS. SAP SECURITY CONFERENCES 2018
Demo Time: ERPScan Smart Cybersecurity Platform
THANK YOU
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletter: eepurl.com/bef7h1
Michael Rakutko, Head of Professional [email protected]