
360° SAP Security

Protecting your SAP Systems against Hackers and industrial Espionage

Andreas Mertz, CISSP, iT-CUBE SYSTEMS GmbH


Motivation
SECURITY MONITORING / TACTICAL VIEW

The forgotten world: Corporate Business Application Systems

Security Silos: Applications have versatile security models, interfaces, formats …
Network Exposure: Applications and threats pass network barriers
Manual Handling: Audits are snapshots and expensive as they are done manually
Monitoring After-The-Fact: Only real-time monitoring and alerting allows counter-actions
Multiple IDs: Administrators, technical users, account sharing, …
Incomplete, undetected: SAP / transactional data is the blind spot of IT security

17.06.2013 IBM SolutionsConnect 2013 © iT-CUBE SYSTEMS GmbH 3


MOTIVATION

How to bridge the SAP–SIEM gap?

Security Professionals are not Application Experts.
Application Experts don't know about IT-Security.


ESPIONAGE. SABOTAGE. FRAUD.

Why are business applications in the focus of attacks? Why SAP?

1. All business processes are generally contained in ERP systems.
2. Any information an attacker wants is stored in a company's ERP.
3. The most critical data to be targeted in SAP are:
• Financial Data, Financial Planning (FI)
• HR data, personal, contact details (HR)
• Corporate Secrets (PLM)
• Supplier tenders (SRM)
• Customer Lists (CRM)
4. SCADA and ERP systems are often connected, and prone to sabotage.
5. Software has vulnerabilities. ERP has more issues, being different:
• Customization – No two SAP systems are the same.
• Complexity kills security – ERP systems are huge, complex landscapes that contain different DBs, app servers, middleware, frontend SW and OSs, and use many technologies.
• Risky – ERP systems store and process business-critical data. Any downtime incurs significant costs. Patching is risky. Vulnerable SW lives for years.
• Unknown – ERP systems are less researched, much less scrutinized and less targeted, but often contain simple and easy-to-discover vulnerabilities, and now get connected to the Internet.


THINKING AHEAD: SAP SECURITY MONITORING FOR PREEMPTING BUSINESS RISK

SAP stores the most critical business info.

… and you are losing control.
 Program Vulnerabilities
 The number of SAP Security Notes has increased drastically over the last 3 years.
 Most of these issues affect the Business Runtime.
 Architecture Flaws
 Configuration Errors

[Diagram: an attack vector at each layer of the stack: Business Logic, Business Runtime, Database, Operating System]


SAP SERVERS ON THE INTERNET

MYTH: SAP systems are inaccessible from the Internet, so SAP vulnerabilities can only be exploited by insiders.

 TRUTH: Business processes are changing and anticipate the need for remote and mobile access via web portals.
 PROOF: Increasing numbers of SAP systems are exposed to the Internet, including Dispatcher, Message Server, HostControl, Web Services, Solution Manager, etc.
 STATS: Searches performed using well-known Google search requests or Shodanhq result in hundreds of SAP servers accessible from the Internet.

Application Server Type                 Search String       Number based on Shodan Search
SAP NetWeaver J2EE (Enterprise Portal)  inurl:/irj/portal   834
SAP BusinessObjects (SAP ITS)           inurl:infoviewap    20
SAP NetWeaver ABAP                      inurl:/sap/bc/bsp   113


SAP SECURITY BREACHES – WHO IS RESPONSIBLE?

SAP ABAP Attack Vectors (each with the corresponding check and, in brackets, the data source that answers it)

• SAP Web Server leaks information in HTTP headers and error messages
   Config. approved? (Table Data)
• SAP Web Server runs services (RFC, SSO) without authentication
   Services deactivated? (Table Data)
• Backdoor implementation (program/role changes through transports)
   Suspicious transports detected? (Transport Log)
• SOAP RFC Service allows calling ABAP Function Modules
   Execution deactivated? (Table Data)
• Debugging Mode allows data manipulation without authentication
   Debugging enabled? (System Log)
• Brute Force Attacks
   Config. checked? (SAL + Table Data)
• Privilege escalations from low-risk to high-risk SAP systems
   Intrinsic relationships hardened? (Table Data + Cross Device Correlation)
   Standard users secured? (Table Data, Profile Parameters)
• SAP Gateway Weaknesses (unlimited access for external programs)
   Weak configs detected? (Gateway Cfg. + Log)
• OS Command execution
   Execution discovered? (System Log + Cross Device Correlation)
• Password Sniffing in unencrypted Srv-Srv / Client-Srv Communication
   Config. checked? (Profile Parameters)
• Program Code Vulnerabilities in AddOns
   Code scanned for vulns? (Code Profiler + Table Data)
• Changes of critical data
   Changes discovered? (Table Log)

Over 95% of SAP® systems are exposed to espionage, sabotage and fraud attacks.
Do you really think auditing SoD controls is sufficient?


SAP SECURITY REALTIME MONITORING

Continuous Auditing / Continuous Monitoring

Simplify it! Automate it! Secure it!

[Diagram: QRadar SIEM at the centre, fed by Security Devices, Network Devices, Email/Web Gateways, Identity Mgmt. Systems, Physical Access, Endpoints, Databases, SAP Security Servers and the Application Run-time (FI, CO, AA)]

Status Quo:
• Many point solutions
• Different report formats
• For single systems only
• Not fully customizable
• Several people involved
• Manual tasks

SAP-SIEM Integration:
• Automated
• Continuous
• Complete
• In one spot


360° SAP Security
A HOLISTIC APPROACH TO AUTOMATE SAP SECURITY ASSESSMENTS.

Secure Code (CodeScanner, Virtual Forge, Fortify): Scan source code for vulnerabilities
Secure Apps (Change Mgmt): Check patch status, changes (transports)
Secure Systems (SOS, CSI, GRC): Check configs, settings, SoD & critical authoriz.
Detect Attacks (AA, manual/custom tools): Detect critical command exec., suspicious activity
Transaction Monitoring (ACL/Oversight): Detect fraud, anomalies in workflows, trace priv. users

[Diagram: the five areas span the Enterprise IT Environment]


HOW TO AUTOMATE SAP SECURITY ASSESSMENTS.

Collect & Process what's relevant.

SIEM Integration without agileSI™: Security Audit Log only, no SAP-specific content.

Contin. Data Collection & Preprocessing

SAP Security Sources
• Security Audit Log
• System Log
• CCMS and Solution Manager Diagn.
• Other logs (Transport, Gateway, …)
• Report for System Parameters
• Tables
• Table logging
• Reports for Change Documents
• User Information System (suim)
• Audit Information System (AIS)
• EarlyWatch & Sec. Optimiz. Servc.
• RSECNOTE
• Trust Manager and SSO, SNC

SAP Security Analytics Pack
 Content & Use Cases derived from:
   DSAG Audit Guidelines
   SAP Security Recommendations
   SAP Pentesting Practices
 Dashboards, Reports, Notifications
 SAP specific categorization for SIEM
 Data Monitors, Active Lists, Rules


VISIBILITY IS KEY.

agileSI Extractors: Visibility & Coverage

(The Security Audit Log was already covered by ArcSight w/ agileSI 1.0; the remaining sources are agileSI Extractors.)

Event Source: Security Audit Log
  Event type: Subset of security events in SAP systems, such as (failed) logins, transaction starts, etc.
  Use cases: Brute force login; Password changes; User created / deleted / locked / unlocked; Execution of reports

Event Source: System Log
  Event type: SAP basis log, for availability, error tracking, security, ...
  Use cases: Debugging; Execution of OS commands; Table logging in program disabled by user

Event Source: System Parameters
  Event type: SAP system configuration
  Use cases: Password policy checks; SAP Gateway check; SNC encryption status

Event Source: Tables
  Event type: Data stored in tables
  Use cases: System and client change settings; RFC configuration; Single Sign-On / Logon Tickets; Any data stored in any table

Event Source: Ping
  Event type: Monitor availability
  Use cases: Check availability of SAP systems

Event Source: Transport Log
  Event type: Change management through transports with code, customizing
  Use cases: Updates to roles; Transports of critical objects, at unusual times

Event Source: Gateway Config & Log
  Event type: Communication with external programs
  Use cases: Monitor "denied" external calls

Event Source: Change Documents
  Event type: Changes to Business Objects
  Use cases: Roles, profiles and user master data

Event Source: Table Change Logging
  Event type: Changes to data stored in tables
  Use cases: Monitor critical tables (master data, conditions of purchase)

Event Source: Access Control
  Event type: Checks against critical combinations of authorization objects
  Use cases: SoD Conflicts; Backdoor implementation via transports

Event Source: Security Notes
  Event type: SAP RSECNOTE implementation status
  Use cases: Security notes missing in system landscape
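The "System Parameters" row above (password policy checks, SAP Gateway check, SNC encryption status) and the "Config. checked? (Profile Parameters)" items on the attack-vector slide describe the same kind of check: compare a system's profile parameters against a hardening baseline. The following is an added illustration of such a check, not agileSI code and not part of the slides. The parameter names are real SAP profile parameters; the expected values, the "name = value" dump format and the sample dump are assumptions made for the example (the slides state no baseline values).

```python
"""Profile parameter baseline check (constructed example, not agileSI code).
Evaluates a 'name = value' dump of SAP profile parameters against ASSUMED
hardening expectations for password policy, SAP* handling, SNC and gateway ACLs."""

# Parameter names are real SAP profile parameters; the predicates encode
# assumed baseline values chosen for illustration only.
CHECKS = [
    # (parameter, predicate on the string value, description of the expectation)
    ("login/min_password_lng",          lambda v: int(v) >= 8,      "minimum password length >= 8"),
    ("login/fails_to_user_lock",        lambda v: 1 <= int(v) <= 5, "lock user after at most 5 failed logons"),
    ("login/password_expiration_time",  lambda v: 0 < int(v) <= 90, "passwords expire within 90 days (0 = never)"),
    ("login/no_automatic_user_sapstar", lambda v: int(v) == 1,      "automatic SAP* logon disabled"),
    ("snc/enable",                      lambda v: int(v) == 1,      "SNC (encrypted communication) enabled"),
    ("gw/sec_info",                     lambda v: v != "",          "gateway secinfo ACL file configured"),
    ("gw/reg_info",                     lambda v: v != "",          "gateway reginfo ACL file configured"),
]

# Constructed dump of a weakly configured system; "SID" is a placeholder path element.
SAMPLE_PROFILE = """\
# constructed profile parameter dump
login/min_password_lng = 6
login/fails_to_user_lock = 99
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
snc/enable = 0
gw/sec_info = /usr/sap/SID/SYS/global/secinfo
"""


def parse_profile(text):
    """Parse 'name = value' lines into a dict, skipping blank and comment lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # no assignment on this line
        params[name.strip()] = value.strip()
    return params


def check_profile(params):
    """Return one (parameter, observed value or 'MISSING', expectation) per failed check."""
    findings = []
    for name, expectation_holds, description in CHECKS:
        value = params.get(name)
        if value is None:
            findings.append((name, "MISSING", description))
            continue
        try:
            ok = expectation_holds(value)
        except ValueError:  # non-numeric value where a number is expected
            ok = False
        if not ok:
            findings.append((name, value, description))
    return findings


if __name__ == "__main__":
    for name, value, description in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"FAIL {name} = {value}: expected {description}")
```

A missing parameter is reported as a finding rather than silently treated as compliant, because an absent gateway ACL file is exactly the "unlimited access for external programs" weakness named on the attack-vector slide.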



Use Cases
STARTOVER WITH PREDEFINED USE CASES

Technical Use Case & Detection Scenarios



BUSINESS TRANSACTION MONITORING

Business Transaction Monitoring Use Cases

 Major invoices being made without purchase orders
 Deviation between the value of the purchase order and the invoice value at an equal quantity of goods
 Invoice receipt and payment before the date of goods receipt
 Control of critical data of applications within the customer namespace (e.g. applications in the production process)
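The first three use cases above are checks over purchasing documents rather than over security logs. The following is an added illustration of how such checks can be expressed, not agileSI code and not part of the slides: the purchase orders, goods receipts and invoices are constructed, and the "major invoice" threshold and price tolerance are assumptions.

```python
"""Business transaction monitoring checks (constructed example, not agileSI code):
major invoices without a purchase order, invoice value deviating from the PO value
at equal quantity, and invoice receipt or payment before the goods receipt."""
from datetime import date

# Constructed purchase orders: quantity ordered and agreed unit price.
PURCHASE_ORDERS = {
    "PO-1001": {"qty": 100, "unit_price": 50.0},
    "PO-1002": {"qty": 20, "unit_price": 300.0},
}
# Constructed goods receipts keyed by PO; PO-1002 has no goods receipt yet.
GOODS_RECEIPTS = {"PO-1001": date(2013, 5, 10)}
# Constructed invoices; po=None means the invoice references no purchase order.
INVOICES = [
    {"id": "INV-1", "po": "PO-1001", "qty": 100, "amount": 5000.0,
     "received": date(2013, 5, 12), "paid": date(2013, 5, 20)},
    {"id": "INV-2", "po": "PO-1002", "qty": 20, "amount": 7200.0,
     "received": date(2013, 5, 1), "paid": date(2013, 5, 3)},
    {"id": "INV-3", "po": None, "qty": 1, "amount": 25000.0,
     "received": date(2013, 5, 15), "paid": None},
]

MAJOR_INVOICE_AMOUNT = 10000.0  # assumed threshold for a "major" invoice
PRICE_TOLERANCE = 0.05          # assumed tolerated deviation from the PO value


def check_invoices(invoices, purchase_orders, goods_receipts,
                   major=MAJOR_INVOICE_AMOUNT, tolerance=PRICE_TOLERANCE):
    """Return (invoice id, finding) pairs for the three detection scenarios."""
    findings = []
    for inv in invoices:
        po_id = inv["po"]
        # Scenario 1: a major invoice with no purchase order behind it.
        if po_id is None:
            if inv["amount"] >= major:
                findings.append((inv["id"], "major invoice without purchase order"))
            continue
        po = purchase_orders[po_id]
        # Scenario 2: same quantity as ordered, but the invoiced value deviates from the PO value.
        if inv["qty"] == po["qty"]:
            expected = po["qty"] * po["unit_price"]
            if abs(inv["amount"] - expected) > tolerance * expected:
                findings.append((inv["id"], "invoice value deviates from PO value at equal quantity"))
        # Scenario 3: invoice received or paid before the goods receipt (or with none at all).
        gr_date = goods_receipts.get(po_id)
        for step in ("received", "paid"):
            when = inv[step]
            if when is not None and (gr_date is None or when < gr_date):
                findings.append((inv["id"], f"invoice {step} before goods receipt"))
    return findings


if __name__ == "__main__":
    for invoice_id, finding in check_invoices(INVOICES, PURCHASE_ORDERS, GOODS_RECEIPTS):
        print(invoice_id, finding)
```

An invoice whose PO has no goods receipt at all is treated as "before goods receipt" on purpose: payment without any delivery is the stronger fraud indicator, and a missing document must not make the check pass.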

Solution Architecture
SOLUTION ARCHITECTURE

Product Overview
 Industry's first automated & SAP-certified solution
 Runs on SAP NW AS
 3 Tier Architecture
   Collection layer
   Admin layer
   Analysis layer

Collection: agileSI™ Agent, an ABAP application running on the monitored systems (SAP ERP, SCM, PLM, CRM, … on SAP NW AS ABAP)
Administration: agileSI™ Core on SAP NW AS ABAP, central configuration and control
Analysis: QRadar® Integration (Q1Labs QRadar) with SAP Parser, SAP specific Categorization, Correlation Rules, Dashboards, Reports, Alerting; agileSI™ Frontend for Dashboards, Reports, Alerting


agileSI™ ARCHITECTURE MODEL

Collection: Extractor Infrastructure (on the monitored modules, e.g. FI, CO, AA, PP, MM, SD)
• Extractor Agents
• Configuration Handling
• Extractor Scheduling

Administration: Service Factory
• Extractor Management
• Event Format Transformation
• WebDynPro Interface

Analysis: SIEM-based Analytics Frontend (SIEM)
• Dashboards, Reports, Notifications
• SAP specific Categorization for SIEM
• Event Correlation, Security Analytics


SUPPORTED PRODUCTS & CERTIFICATION

Supported SAP Products
 ABAP Systems in Mainstream Maint. (Basis 7.x)

Certification & Built-in Security
 Own SAP name space & approved quality of code
 Use security functions built into NetWeaver (RFC/SNC, authoriz., …)
 agileSI™ authorization objects
 Data integrity: Store log data in SIEM system
 Application logging to enable agileSI™ audit


agileSI in Action
DASHBOARDING

[Screenshot: agileSI custom dashboard showing agileSI/custom use cases, Offenses Integration and Custom Rules firing]
CUSTOM USE CASES

Example use cases

 Changes to user master records on productive systems…
   … are unusual,
   … are severe auditor findings,
   … need to be monitored,
   … must only be done by a small set of administrators.

 The Security Audit Log is not enough. Change documents give transparency and need to be correlated.
CUSTOM USE CASES

Example use cases: SAP Standard Account logon activity

 SAP standard user accounts are highly privileged accounts
 Logins and actions via freely accessible terminals or terminal servers are anonymous
 SAP* = root
 SAP* must be locked in the system landscape
 SAP* activity is highly critical and needs to be checked
 Top severe auditor finding

[Screenshot: event drilldown showing SAP* ("root") activity]
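The extractor use cases (brute force login from the Security Audit Log), the user-master-record use case (change documents correlated with an allowed administrator set) and the SAP* logon use case above are all correlation rules over a few record types. The following is an added illustration of those three rules in one place, not agileSI or QRadar code and not part of the slides. AU1 and AU2 are the real Security Audit Log message IDs for successful and failed logon and the standard user names are real SAP accounts; the record layouts, the sample events, the productive client number, the administrator set and the brute-force threshold are constructed assumptions.

```python
"""Correlation of Security Audit Log events and user-master change documents
(constructed example, not agileSI code): brute-force logons, logons of SAP
standard accounts, and user master changes on productive clients by non-admins."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real SAP standard user names; the slides single out SAP*.
STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}
# Assumed: client 100 is productive, and only these two accounts administer users.
PRODUCTIVE_CLIENTS = {"100"}
ALLOWED_USER_ADMINS = {"UADMIN1", "UADMIN2"}

# Constructed SAL records: (timestamp, client, message id, user, terminal).
# AU1 / AU2 are the real SAL message ids for successful / failed logon.
SAL_EVENTS = [
    ("2013-06-17 08:00:01", "100", "AU2", "JDOE", "WS-0815"),
    ("2013-06-17 08:00:20", "100", "AU2", "JDOE", "WS-0815"),
    ("2013-06-17 08:00:45", "100", "AU2", "JDOE", "WS-0815"),
    ("2013-06-17 08:01:10", "100", "AU2", "JDOE", "WS-0815"),
    ("2013-06-17 08:01:30", "100", "AU2", "JDOE", "WS-0815"),
    ("2013-06-17 08:02:00", "100", "AU1", "JDOE", "WS-0815"),
    ("2013-06-17 09:10:00", "100", "AU1", "SAP*", "TS-01"),
    ("2013-06-17 09:30:00", "100", "AU2", "MMUSTER", "WS-4711"),
]
# Constructed change documents: (timestamp, client, user record changed, changed by).
CHANGE_DOCS = [
    ("2013-06-17 09:00:00", "100", "JDOE", "UADMIN1"),
    ("2013-06-17 10:00:00", "100", "SAP*", "XHELP"),
    ("2013-06-17 10:05:00", "200", "TEST1", "XHELP"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (user, terminal) when `threshold` failed logons fall within `window`."""
    failures = defaultdict(list)
    alerts = []
    for ts, _client, msg_id, user, terminal in sorted(events):
        if msg_id != "AU2":
            continue
        now = parse_ts(ts)
        key = (user, terminal)
        # keep only failures still inside the sliding window, then add this one
        recent = [t for t in failures[key] if now - t <= window] + [now]
        failures[key] = recent
        if len(recent) == threshold:  # fires exactly when the threshold is reached
            alerts.append((user, terminal, ts))
    return alerts


def detect_standard_user_logons(events):
    """Successful logons of SAP standard accounts, which should be locked."""
    return [(ts, user, terminal) for ts, _c, msg_id, user, terminal in events
            if msg_id == "AU1" and user in STANDARD_USERS]


def detect_unexpected_user_master_changes(change_docs, allowed=ALLOWED_USER_ADMINS,
                                         productive=PRODUCTIVE_CLIENTS):
    """User master changes on productive clients made by anyone outside the admin set."""
    return [doc for doc in change_docs
            if doc[1] in productive and doc[3] not in allowed]


if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAL_EVENTS))
    print("standard user logons:", detect_standard_user_logons(SAL_EVENTS))
    print("unexpected user master changes:", detect_unexpected_user_master_changes(CHANGE_DOCS))
```

The brute-force rule keys on user and terminal together, so a single terminal that cycles through many accounts is not merged with legitimate typos from other workstations; the change-document rule is the correlation the slide asks for, since the Security Audit Log alone does not say who changed which user master record.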

LOG ACTIVITY

Log activity: dashboard drilldown

[Screenshot: event drilldown]

LOG ACTIVITY - DRILLDOWN

Log activity: dashboard drilldown

[Screenshot: logon and user account changes]

LOG ACTIVITY

agileSI log integration: log activity

[Screenshot: log activity view]
Summary
How can you protect your most critical application while reducing costs?
Eliminate the blind spot in SAP® Security Monitoring
Continuously monitor your critical system conditions and events
Automate collection, correlation, visualization & reporting
Reduce your audit costs & efforts and save on costly SAP consultants
Utilize standard checks and SAP®-specific threat vector detection
Enable your SOC team to interpret SAP® security events and act


Key use & benefits
Regain control with Security Intelligence for SAP®
Improve your SAP® Security & Risk Management
Lower the number and criticality of auditor’s findings
Transform your risks into remediation
Fulfill compliance requirements for your SAP® landscapes
Consolidate the SAP® tool zoo into one holistic approach



Let‘s discuss it!
IT’S ABOUT THE I IN IT, NOT JUST THE T !

Thank you for attending this session!


iT-CUBE SYSTEMS GmbH P: +49 (89) 2000 148 00
Paul-Gerhardt-Allee 24 F: +49 (89) 2000 148 29
81245 München M: info@it-cube.net
Germany W: www.it-cube.net
Company Overview
COMPANY OVERVIEW

Our Expertise
 Full-service provider for IT-/SAP-Security with 10+ years of experience
 Vendor-neutral consulting, system integration, product development
 Founded in 2001, privately held
 Partnerships with 20+ A-brand vendors
 28 consultants, 8 developers
 Approved for classified information (Ü2) by BMWi


SOLUTION PORTFOLIO

iT-CUBE SYSTEMS – We keep IT trusted.

iT-CUBE Solutions

Security Intelligence
 Security Information & Event Management (SIEM)
 Log-Management & IT-Search
 Threat Intelligence
 Digital Forensics
 Industrial/SCADA Security
 Governance Risk Compliance (GRC)

Managed Services
 Managed Security Services (MSS)
 Security Outsourcing
 Operational Outtasking
 Service & Support Helpdesk

Professional Services
 Security Consulting
 Security Training
 Security Assessments
 System Integration
 Product Development
 Customizing & Engineering

People & Processes
 IT-/Business Application Monitoring
 Transaction Monitoring
 SOC / NOC Process Design
 Identity and Access Management (IAM)
 Security Awareness Building
 Security Training

Data Analytics
 Operational Intelligence
 Big Data Analysis
 Business Analytics
 IT-Search
 Business Application Monitoring

Applications
 SAP-Security
 Data Loss Prevention (DLP)
 Malware Protection
 Software Code Analysis
 Secure Data Exchange
 Database Virtualization
 Vulnerability Management
 Virtualization Security

(Fourth column, heading not recoverable from the extraction)
 IT-Monitoring
 Firewalling
 Intrusion Prevention
 Web/E-Mail Security
 Remote Access
 Network Access Control