IBM SolCon 2013, Andreas Metz, iT-CUBE SYSTEMS: SAP, der blinde Fleck (SAP, the blind spot), 14.06.2013
Manual Handling: Audits are snapshots and expensive, as they are done manually.
Monitoring After-The-Fact: Only real-time monitoring and alerting allows counter-actions.
(Diagram: attack vectors against Business Logic, Business Runtime and Database)
TRUTH: Business processes are changing and anticipate the need for remote and mobile access via web portals.
PROOF: Increasing numbers of SAP systems are exposed to the Internet, including Dispatcher, Message Server, HostControl, Web Services, Solution Manager, etc.
STATS: Searches performed using well-known Google search requests or Shodanhq result in hundreds of SAP servers accessible from the Internet.
Over 95% of SAP® systems are exposed to espionage, sabotage and fraud attacks.
Do you really think auditing SoD controls is sufficient?
(Diagram: status quo of SAP security. Identity Mgmt., Application Run-time Systems, QRadar SIEM, FI/AA/CO, Physical Access, Databases, Endpoints, Servers)
Point solutions:
• Many point solutions
• Different report formats
• For single systems only
• Not fully customizable
• Several people involved
• Manual tasks
SAP-SIEM Integration:
• Automated
• Continuous
• Complete
• In one spot
(Diagram: transaction security lifecycle)
Secure Code: Scan source code for vulnerabilities (tools: Virtual Forge CodeScanner, Fortify)
Secure Apps: Check patch status, changes (transports) (tools: Change Mgmt)
Secure Systems: Check configs, settings, SoD & critical authoriz. (tools: SOS, CSI, GRC)
Detect Attacks: Detect critical command exec., suspicious activity
Monitoring: Detect fraud, anomalies in workflows, trace priv. users
Tools for detection and monitoring: AA, ACL/Oversight, manual/custom tools
(Diagram: Enterprise IT Environment and SIEM Integration. Continuous data collection & preprocessing; without agileSI™: Security Audit Log only, no SAP-specific content)
SAP Security Sources
• Security Audit Log
• System Log
• CCMS and Solution Manager Diagn.
• Other logs (Transport, Gateway, …)
• Report for System Parameters
• Tables
• Table logging
• Reports for Change Documents
• User Information System (suim)
• Audit Information System (AIS)
• EarlyWatch & Sec. Optimiz. Servc.
• RSECNOTE
• Trust Manager and SSO, SNC
SAP Security Analytics Pack
Content & Use Cases derived from:
• DSAG Audit Guidelines
• SAP Security Recommendations
• SAP Pentesting Practises
• Dashboards, Reports, Notifications
• SAP specific categorization for SIEM
• Data Monitors, Active Lists, Rules
agileSI Extractors
Source | Description | Use cases
Security Audit Log | … such as (failed) logins, transaction starts, etc. | User created / deleted / locked / unlocked; Execution of reports
System Log | SAP basis log, for availability, error tracking, security, ... | Debugging; Table logging in program disabled by user; Execution of OS commands
System Parameters | SAP system configuration | Password policy checks; SAP Gateway check
Tables | Data stored in tables | System and client change settings; Single Sign-On / Logon Tickets; Any data stored in any table; RFC configuration
Gateway Config & Log | Communication with external programs | Monitor “denied” external calls
Change Documents | Changes to Business Objects | Roles, profiles and User master data
Table Change Logging | Changes to data stored in tables | Monitor critical tables (master data, conditions of purchase)
Security Notes | SAP RSECNOTE implementation status | Security notes missing in system landscape
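The Security Audit Log row above and the "SAP specific categorization for SIEM" and "Event Format Transformation" items describe the same pipeline: pull raw SAP events, attach a SIEM category and severity, render them in the SIEM's event format and let correlation rules fire on them. The following is an added example of that pipeline and is not agileSI™ code or any iT-CUBE or SAP product code. It assumes a constructed ';'-separated export of Security Audit Log records (the column layout is invented for the example) and an assumed message-ID-to-category table; a real extractor would take both the record layout and the message IDs from the SAP release's own Security Audit Log documentation. The LEEF output line follows the QRadar Log Event Extended Format, with placeholder vendor and product names.

```python
"""Normalize constructed SAP Security Audit Log records for a SIEM and run one correlation rule."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export. ASSUMPTION: the column layout is invented for this
# example and is not the real Security Audit Log file format.
SAMPLE_SAL = """\
time;sid;client;user;terminal;msgid;text
2013-06-14T08:00:01;PRD;100;JDOE;WS-017;AU2;Logon failed
2013-06-14T08:00:07;PRD;100;JDOE;WS-017;AU2;Logon failed
2013-06-14T08:00:12;PRD;100;JDOE;WS-017;AU2;Logon failed
2013-06-14T08:00:20;PRD;100;JDOE;WS-017;AU2;Logon failed
2013-06-14T08:00:25;PRD;100;JDOE;WS-017;AU2;Logon failed
2013-06-14T08:00:31;PRD;100;JDOE;WS-017;AU9;User JDOE locked
2013-06-14T08:05:00;PRD;100;ADMIN1;WS-002;AU1;Logon successful
2013-06-14T08:05:40;PRD;100;ADMIN1;WS-002;AU3;Transaction SU01 started
2013-06-14T08:06:10;PRD;100;ADMIN1;WS-002;AU7;User TEMP99 created
2013-06-14T08:07:00;PRD;100;ADMIN1;WS-002;AUW;Report RSUSR002 started
2013-06-14T08:08:00;PRD;100;ADMIN1;WS-002;ZZ9;Unknown event
"""

# ASSUMPTION: message IDs, categories and severities are chosen for illustration.
# A real extractor takes the ID list from the SAL message documentation.
CATEGORIES = {
    "AU1": ("authentication", "logon_success", "low"),
    "AU2": ("authentication", "logon_failed", "medium"),
    "AU3": ("activity", "transaction_started", "low"),
    "AU7": ("user_admin", "user_created", "medium"),
    "AU8": ("user_admin", "user_deleted", "medium"),
    "AU9": ("user_admin", "user_locked", "medium"),
    "AUA": ("user_admin", "user_unlocked", "medium"),
    "AUW": ("activity", "report_started", "low"),
}
UNMAPPED = ("uncategorized", "unknown", "info")  # never drop unmapped events


@dataclass
class Event:
    time: datetime
    sid: str
    client: str
    user: str
    terminal: str
    msgid: str
    text: str
    category: str
    subcategory: str
    severity: str


def normalize(raw: str) -> list:
    """Parse the export and attach a SIEM category to every record."""
    events = []
    for row in csv.DictReader(io.StringIO(raw), delimiter=";"):
        cat, sub, sev = CATEGORIES.get(row["msgid"], UNMAPPED)
        events.append(Event(datetime.fromisoformat(row["time"]), row["sid"], row["client"],
                            row["user"], row["terminal"], row["msgid"], row["text"], cat, sub, sev))
    return events


def to_leef(ev: Event) -> str:
    """Render one event as a LEEF 1.0 line (QRadar's Log Event Extended Format).
    Vendor, product and version fields are placeholders."""
    attrs = {
        "devTime": ev.time.strftime("%Y-%m-%dT%H:%M:%S"), "usrName": ev.user, "src": ev.terminal,
        "sapSystem": ev.sid, "sapClient": ev.client, "cat": ev.category,
        "subCat": ev.subcategory, "sev": ev.severity, "msg": ev.text,
    }
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:1.0|ExampleVendor|SAP-SAL-Normalizer|0.1|{ev.msgid}|{body}"


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)) -> list:
    """Correlation rule: `threshold` or more failed logons for the same
    system/client/user inside a sliding `window`. Returns one alert per user."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.subcategory == "logon_failed":
            per_user[(ev.sid, ev.client, ev.user)].append(ev.time)
    alerts = []
    for (sid, client, user), times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"sid": sid, "client": client, "user": user,
                               "count": end - start + 1, "first": times[start], "last": times[end]})
                break
    return alerts


if __name__ == "__main__":
    evs = normalize(SAMPLE_SAL)
    for ev in evs:
        print(to_leef(ev))
    print(failed_logon_bursts(evs))
```

Unmapped message IDs are forwarded as "uncategorized" rather than dropped, so gaps in the mapping show up in the SIEM instead of silently hiding events; the user-lock event (AU9) that follows the burst is what the dashboard would correlate with the alert.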
Product Overview
Industry’s first automated & SAP-certified solution. Monitored systems: SAP ERP, SCM, PLM, CRM, … (collection). The agileSI™ Agent is an ABAP application that runs on SAP NW AS ABAP.
3 Tier Architecture
• Collection layer: SAP NW AS ABAP with the agileSI™ Agent (monitored systems)
• Admin layer: central configuration and control (administration)
• Analysis layer: agileSI™ Core with QRadar® Integration (SAP Parser, SAP specific Categorization), Q1Labs QRadar (Correlation Rules, Dashboards, Reports, Alerting), agileSI™ Frontend
Collection: Extractor Infrastructure
• Extractor Agents
• Configuration Handling
• Extractor Scheduling
Monitored modules: FI, AA, PP, SD, CO, MM
Administration: Service Factory
• Extractor Management
• Event Format Transformation
• WebDynPro Interface
Analysis
• Dashboards, Reports, Notifications
• SAP specific Categorization for SIEM
• Event Correlation, Security Analytics
• ABAP Systems in Mainstream Maint. (Basis 7.x)
• Own SAP name space & approved quality of code
• Use security functions built into NetWeaver (RFC/SNC, authoriz., …)
• agileSI™ authorization objects
• Data integrity: Store log data in SIEM system
• Application logging to enable agileSI™ audit
• agileSI/custom use cases
Offenses Integration (diagram): Custom Rules firing
Our Expertise
Full-service provider for IT-/SAP-Security with 10+ years of experience
Vendor-neutral consulting, system integration, product development
Founded in 2001, privately held
Partnerships with 20+ A-brand vendors
28 consultants, 8 developers
Approved for classified information (Ü2) by BMWi
iT-CUBE Solutions