Motivation
The Business Case for SAP Cybersecurity Framework

Current state
CISO, CIO
• SAP BASIS: patching SAP systems
• SAP SECURITY: segregation of duties
• IT OPERATIONS: monitoring SAP systems
• ENTERPRISE SECURITY: vulnerability management
• Lack of effective oversight
• Lack of visibility
• Complexity
• Poor integration
• Slipped through the cracks

Future state
CISO, CIO
• ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development
• SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements
• SAP SECURITY: Segregation Of Duties + Data Security + Secure Architecture + Secure
• IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage
CRO

History
Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks
https://www.gartner.com/doc/2665515/
EAS-SEC

SAP Cybersecurity Framework
Category: PREDICT
Process: Secure Development
Purpose: To ensure security during SAP systems development and acquisition.
Outcomes:
• Security Requirements
• Development Standards and Processes
• Security Plans
Implementation steps:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes

Implementation Tiers
• Tier 1: 50%, 3-6 months
• Tier 2: 80%, 6-12 months
• Tier 3: 99%, 12 months

Benefits
SAP Cybersecurity Framework
• Security Program
• Security Policies
• Security Plans
• Process Descriptions
• Technical Solutions

PREDICT
Understand SAP environment

PREDICT

| Process | Purpose |
|---|---|
| Asset Management | To communicate information about SAP assets, security category of the assets, rules of acceptable use and protection requirements |
| Business Environment | To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships |
| Governance | To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes |
| Vulnerability Management | To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors |
| Risk Management | To make decisions on addressing possible adverse impacts from the operation and use of SAP systems |
| Secure Development | To ensure security during SAP systems development and acquisition |

Asset Management
Purpose: To communicate information about SAP assets, security category of the assets, rules of acceptable use and protection requirements
Implementation:
1. Create an Inventory of Assets
2. Assess criticality of the assets
3. Develop complete specification of the SAP systems
Outcomes:
• Inventory of Assets
• Criticality Assessments
• Acceptable Use Requirements

Asset Management. Inventory of assets

| System ID | Purpose | Interconnected Systems | System Criticality | Responsibility | System Type | Application Servers | Clients | Platform |
|---|---|---|---|---|---|---|---|---|
| DM0 | Supply chain management | Internal: ERP,; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no | High | John F. K. | PROD | 10.0.0.1, 10.0.0.2 | 100:PRD | SAP SCM 5.0 (NetWeaver AS 7.1 ABAP) |
| ERP | Enterprise Resource Planning | Internal: HR1, HR2; Internet: no; ICS: MES System; Partners: no; Mobile: no | Low | Mike. | PROD | 10.0.16.6 | 200:PRD | SAP ECC 6.0 NetWeaver AS 7.3 ABAP |
| CRM | Customer Relationship management | Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no | Very High | | PROD | 10.0.34.5 | 210:PRD | SAP CRM 6.0 NetWeaver AS ABAP 7.0 |

Business Environment
Purpose: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships
Implementation:
1. Identify business context
2. Prepare SAP Continuity Plans
3. Maintain supplier catalogue
Outcomes:
• Business Context
• SAP Continuity Plans
• Supplier Catalogue

Business Environment. Business Impact Analysis

| Process | Stakeholder | SAP System | Outage Impacts | Estimated Downtime: MTD | Estimated Downtime: RTO | Estimated Downtime: RPO |
|---|---|---|---|---|---|---|
| Pay vendor invoice | Joseph R. | ERP | Costs: 5.000 $ / day; Operations: moderate; Image: moderate | 72 hours | 48 hours | 12 hours (last backup) |
| Hire to retire | Dorothy F. | HR | Image: High | 72 hours | 48 hours | 12 hours (last backup) |

Governance
Purpose: To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes
Implementation:
1. Establish SAP Cybersecurity Policy
2. Develop SAP security processes
3. Implement control procedures
Outcomes:
• SAP Cybersecurity Policy
• SAP Security Processes
• Control Procedures

Governance Structure

Vulnerability Management
Purpose: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
Implementation:
1. Regularly perform SAP security audits and penetration tests
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds
Outcomes:
• Scan Plans
• Scan Profiles
• Remediation Plans

Vulnerability Management. Analysis
Constraints and requirements (example):
• Duration: not more than 60 days
• Vulnerability risk level: medium and higher
• Allowed remediation types: No kernel patch
Tasks:
1. Prioritizing vulnerabilities:
   - ease of exploitation: availability of public exploit, need for preparation, need for credentials with special rights, etc.;
   - impact of a successful exploitation: full disclosure and OS-level access or just revealing of technical data;
   - prevalence of the vulnerability in SAP systems;
   - criticality of the SAP systems with the vulnerability.
2. Filtering vulnerabilities:
Outcome:
• Remediation Plan
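
The analysis step above, sketched as an added example that is not part of the original slides: findings are filtered by the stated constraints, scored on the four prioritization criteria, and packed into the 60-day window. The numeric scales, the score weights, the reading of "Duration" as a total effort budget, and every finding attribute other than the IDs, risk levels and efforts shown in the deck are assumptions.

```python
from dataclasses import dataclass

# Numeric scales are assumptions for this example; the slides only name the levels.
RISK = {"low": 1, "medium": 2, "high": 3}
CRITICALITY = {"Low": 1, "High": 2, "Very High": 3}

# Constraints taken from the slide.
MAX_DAYS = 60                        # Duration: not more than 60 days
MIN_RISK = "medium"                  # Vulnerability risk level: medium and higher
FORBIDDEN_TYPES = {"Kernel patch"}   # Allowed remediation types: no kernel patch


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    system: str               # System ID from the asset inventory
    risk: str                 # "low" | "medium" | "high"
    remediation_type: str
    effort_days: float
    public_exploit: bool      # ease of exploitation
    needs_credentials: bool   # ease of exploitation
    os_level_impact: bool     # True: OS-level access, False: technical data only
    affected_systems: int     # prevalence in the landscape


def passes_filter(f):
    """Task 2: drop findings that violate the risk or remediation-type constraint."""
    return RISK[f.risk] >= RISK[MIN_RISK] and f.remediation_type not in FORBIDDEN_TYPES


def score(f, system_criticality):
    """Task 1: fold the four criteria into one number (weights are assumed)."""
    ease = (2 if f.public_exploit else 0) + (0 if f.needs_credentials else 1)
    impact = 3 if f.os_level_impact else 1
    prevalence = min(f.affected_systems, 3)
    criticality = CRITICALITY[system_criticality[f.system]]
    return ease + impact + prevalence + criticality


def build_plan(findings, system_criticality, max_days=MAX_DAYS):
    """Return (plan, deferred, rejected) as lists of vulnerability IDs."""
    rejected = [f.vuln_id for f in findings if not passes_filter(f)]
    candidates = sorted(
        (f for f in findings if passes_filter(f)),
        key=lambda f: (-score(f, system_criticality), f.effort_days, f.vuln_id),
    )
    plan, deferred, used = [], [], 0.0
    for f in candidates:
        # Highest score first; anything that no longer fits the window is deferred.
        if used + f.effort_days <= max_days:
            used += f.effort_days
            plan.append(f.vuln_id)
        else:
            deferred.append(f.vuln_id)
    return plan, deferred, rejected


# Criticality values as listed on the asset inventory slide.
SYSTEM_CRITICALITY = {"DM0": "High", "ERP": "Low", "CRM": "Very High"}

# Constructed sample input. The SSEA_/SSCA_ IDs, their risk levels and efforts
# come from the deck; the EXAMPLE-* entries and all other attributes are made up.
SAMPLE_FINDINGS = [
    Finding("SSCA_00223", "ERP", "medium", "Update configuration", 0.5, False, True, False, 1),
    Finding("EXAMPLE-KERNEL", "CRM", "high", "Kernel patch", 5.0, True, False, True, 3),
    Finding("SSEA_1000003", "CRM", "high", "Update configuration", 2.0, True, False, True, 3),
    Finding("EXAMPLE-LOW", "DM0", "low", "Update configuration", 0.5, False, True, False, 1),
    Finding("EXAMPLE-REDESIGN", "ERP", "medium", "Update configuration", 70.0, False, False, True, 1),
    Finding("SSCA_00130", "DM0", "medium", "Update configuration", 0.5, True, False, False, 2),
]

if __name__ == "__main__":
    plan, deferred, rejected = build_plan(SAMPLE_FINDINGS, SYSTEM_CRITICALITY)
    for priority, vuln_id in enumerate(plan, start=1):
        print(priority, vuln_id)
    print("deferred:", deferred)
    print("rejected:", rejected)
```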

Vulnerability Management. Remediation Plan

| Remediation Priority | Vulnerability | Vulnerability Risk | Remediation Type | Remediation |
|---|---|---|---|---|
| 1 | SSEA_1000003: External RFC server registration. An attacker can use an insecure RFC configuration to register his own RFC server. As a result, he will be able to control and intercept client requests as well as copy and change information. | High | Update configuration | Effort level: medium (~2d, downtime 4h). To resolve this issue, it is recommended to configure the RFC server correctly. Links: RFC/ICF Security Guide |
| 2 | SSCA_00130: SSL encryption for ICM connections. Lack of encryption on a network connection may lead to interception of transmitted data and thus to unauthorized access. The HTTP protocol transmits all authentication data as plain text, which makes it easy to intercept with a spoofing attack. | Medium | Update configuration | Effort level: easy (~4h, downtime 2h). Set the icm/server_port_NN parameter to PROT=HTTPS instead of PROT=HTTP to decrease the possibility of unauthorized access. |
| 3 | SSCA_00223: Central application server that maintains the system log. Incorrect permissions on this file in the operating system can allow an attacker to modify the contents of the file in such a way as to hide his tracks. | Medium | Update configuration | Effort level: easy (~4h, downtime 2h). The administrator of the operating system must correctly set the access rights to the file according to the principle of least privilege. Links: BOOK "Security, Audit and Control Features (SAP ERP 3rd edition)" p. 413 check.4.10.2; DOC rslg/collect_daemon/host - Central Log Host |
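
A check for remediation item 2 above, as an added example that is not part of the original slides: it parses instance profile text and reports every icm/server_port_NN entry still set to PROT=HTTP, together with the value the plan asks for. The profile content is constructed, and the script does not verify the TLS prerequisites on the server.

```python
import re

PORT_PARAM = re.compile(r"^icm/server_port_(\d+)$")


def parse_profile(text):
    """Return {parameter: value}; comments are skipped, later lines override earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")   # split on the first '=' only
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_port_options(value):
    """Split 'PROT=HTTP,PORT=8000,...' into an options dict with upper-cased keys."""
    options = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            options[key.strip().upper()] = val.strip()
    return options


def audit_icm_ports(profile_text):
    """List icm/server_port_NN entries that still use PROT=HTTP."""
    findings = []
    for name, value in parse_profile(profile_text).items():
        match = PORT_PARAM.match(name)
        if not match:
            continue
        options = parse_port_options(value)
        if options.get("PROT", "").upper() != "HTTP":
            continue
        findings.append({
            "index": int(match.group(1)),
            "parameter": name,
            "port": options.get("PORT"),
            "current": value,
            # Only the protocol is swapped; port numbers and TLS setup are left to the admin.
            "suggested": re.sub(r"(?i)\bPROT\s*=\s*HTTP\b", "PROT=HTTPS", value),
        })
    return sorted(findings, key=lambda f: f["index"])


# Constructed sample profile for a system with SID PRD.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = PRD
icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=443$$,TIMEOUT=60
icm/server_port_2 = PROT=SMTP,PORT=25000
# icm/server_port_4 = PROT=HTTP,PORT=8004
icm/server_port_3 = PROT=HTTP,PORT=8080
"""

if __name__ == "__main__":
    for finding in audit_icm_ports(SAMPLE_PROFILE):
        print(f"{finding['parameter']}: {finding['current']}")
        print(f"  -> {finding['suggested']}")
```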

Risk Management
Purpose: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems
Implementation:
1. Create threat model for SAP systems
2. Assess likelihoods and estimate business impacts of cybersecurity risks
3. Automate risk management and develop risk response plans
Outcomes:
• Threat Model
• Risk Register
• Risk Responses

Risk Management. Oil & Gas ERP Risks

| SAP Module | Asset | Threat | Consequences |
|---|---|---|---|
| SCM | Supply chain schema | Rerouting supply chain | Theft of crude oil and refined products |
| HRM | HR data | Stealing employee data (personal, salary, experience, etc.) | Identity theft, headhunting |
| PM | Oil and gas gaining systems control data | Disrupting SCADA logic and processes | Service outage, equipment damage, worker injuries |
| MII | Field data | Stealing coordinates and volumes of exploratory and production wells | Losing competitive advantage |
| SCM | Midstream and downstream assets | Stealing information about equipment and transportation | Facilitating theft and sabotage |
| PP | Production line control data | Disrupting SCADA logic and processes | Production suspension |
| SD | Prices | Stealing price formation schemas | Losing partners |
| FICO | Finance transactions | Creating fraudulent transactions | Monetary losses |

Secure Development
Purpose: To ensure security during SAP systems development and acquisition
Implementation:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and endpoints
2. Create secure development standards and processes
3. Automate secure development processes
Outcomes:
• SAP Security Requirements
• Development Standards and Processes
• Security Plans

Secure Development. Code Vulnerability Usage

| Type | Cause | Exploiter |
|---|---|---|
| Code Injections | Security ignorance | Hackers |
| Backdoors | Desire to simplify development; Intent to control a system | Developers |
| Missing authorization checks | Negligence | Insiders |
| Obsolete statements | Natural obsolescence of code | Administrators (unintentionally) |

PREVENT
Reduce the surface area of attack

PREVENT

| Process | Purpose |
|---|---|
| Access Control | To limit rights of authorized users and prevent unauthorized use of an SAP system |
| Awareness and Training | To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities |
| Data Security | To enforce requirements for confidentiality, integrity and availability of information in SAP systems on the data layer |
| Secure Architecture | To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls |

Access Control
Purpose: To limit rights of authorized users and prevent unauthorized use of an SAP system
Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce Segregation of Duties controls according to business process rules
Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports

Access Control. How to Create a User?
Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using InvokerServlet feature and CTC servlet
Number of objects:
1. More than 300 000 transactions
2. More than 500 000 tables
3. More than 40 000 RFC functions
4. 500 known web exploits

Awareness and Training
Purpose: To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities
Implementation:
1. Enlist commitment of Board and C-level executives
2. Provide SAP security training for BASIS and security teams
3. Provide awareness training to SAP users
Outcomes:
• Training Materials
• Training Records
• Knowledge Assessment Reports

Awareness and Training. Commitment
Dissatisfaction + Vision + First Steps > Resistance to Change
• SAP security project news
• SAP security articles
• Board interviews

• Establish security team activities
• Hire staff
• Purchase tools
• Provide trainings
• Conduct audits and assessments

Data Security
Purpose: To enforce requirements for confidentiality, integrity and availability of information in SAP systems on the data layer
Implementation:
1. Classify data assets according to their value to the organization
2. Protect data-in-transit using SNC and SSL/TLS
3. Protect data-at-rest by encryption, secure storage location and tokenization
Outcomes:
• Data Inventory
• Data Flows
• Data Security Reports

Data Security. Data Inventory

| Data Asset | Information Asset | Type | Location | Protection Requirements | Current Level of Protection: At Rest (description) | Current Level of Protection: In Transit (description) |
|---|---|---|---|---|---|---|
| Payments Table | Payment Cards Details | Oracle DB Table | DataSource=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))); | GDPR, PCI DSS | - | |
| Payments Transaction | Payment Cards Details | SAP Transaction | TR12 | GDPR, PCI DSS | SAP Authorizations | Could be exported to NAS |
| Reports .XLSX | Payment Reports | Electronic sheets, files on NAS | nas:\\finance\reports | PCI DSS | Stored on NAS, protected by AD policies. | - |

Secure Architecture
Purpose: To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls
Implementation:
1. Protect SAP perimeter
2. Secure SAP communications
3. Integrate SAP security and enterprise security
Outcomes:
• SAP Security Architecture
• SAP Security Controls
• SAP Technical Solutions

Secure Architecture. System Schema

DETECT
Monitor threats

DETECT

| Process | Purpose |
|---|---|
| Event Management | To collect information on SAP security related events |
| Threat Detection | To detect attacks and possible threats to SAP systems |
| User Behavior | To detect deviations of user behavior from typical behavior in SAP systems |
| Data Leakage | To detect data leakages in SAP systems |

Event Management
Purpose: To collect information on SAP security related events
Implementation:
1. Configure SAP security audit log
2. Collect SAP security-related events
3. Monitor SAP related network, systems, personnel and external service provider activities
Outcomes:
• Audit Events
• Event Databases
• Event Collecting Procedures

Event Management. Event Sources
o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log
More than 30 logs
Log Management Solutions

Threat Detection
Purpose: To detect attacks and possible threats to SAP systems
Implementation:
1. Configure IDS/IPS systems to detect SAP attack signatures
2. Manually review SAP security events
3. Monitor potential attacks, security event combinations and anomalies
Outcomes:
• Threat Catalogue
• Threat Data Sources
• Threat Detection Rules

Threat Detection. Examples
• Password brute forcing attempts
• Unauthorized access to RFC-services
• Attacks on WEB-resources (XSS, SQL Injection, Buffer overflow, etc.)
• Attacks via source code vulnerabilities
• Authentication bypass (Verb Tampering, Invoker servlet)
• Critical actions (transactions, programs, URLs)
• SOD conflicts

User Behavior
Purpose: To detect deviations of user behavior from typical behavior in SAP systems
Implementation:
1. Review privileged account activities
2. Establish profiles for SAP user behavior and detect anomalies
3. Monitor SAP business activities and SOD conflicts in real time
Outcomes:
• Critical Actions Reports
• Baseline Behavior Profiles
• Anomaly Detection Rules

User Behavior. Examples
1. Atypical behavior of users from the audit department in the Sweden branch in comparison to their USA colleagues.
2. Running of an administrative transaction (e.g. SE16) by a non-privileged user.
3. Use of an account after a long (e.g. six months) period of inactivity.
4. First change of user location from USA to Egypt.
5. Access to risky resources (e.g. financial reports).
6. Change of frequency for downloading reports.
7. User generates an unusual amount of traffic, possibly trying to download the whole content of the client database.
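
Three of the examples above (2, 3 and 4) expressed as stateful detection rules, as an added example that is not part of the original slides. The event tuples are a constructed, simplified record format rather than a real SAP audit log layout, and the user names, the 180-day threshold and the rule names are assumptions.

```python
from datetime import datetime, timedelta

ADMIN_TCODES = {"SE16"}                    # administrative transaction named on the slide
INACTIVITY_LIMIT = timedelta(days=180)     # "six months", approximated for this example


def detect_anomalies(events, privileged_users,
                     admin_tcodes=ADMIN_TCODES,
                     inactivity_limit=INACTIVITY_LIMIT):
    """Return (timestamp, user, rule) alerts for events given as
    (iso_timestamp, user, country, transaction_code) tuples in any order."""
    last_seen = {}    # user -> time of the previous event
    countries = {}    # user -> set of countries already observed
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, user, country, tcode in ordered:
        when = datetime.fromisoformat(ts)

        # Example 2: administrative transaction run by a non-privileged user.
        if tcode in admin_tcodes and user not in privileged_users:
            alerts.append((ts, user, "admin_transaction"))

        # Example 3: account used again after a long period of inactivity.
        previous = last_seen.get(user)
        if previous is not None and when - previous > inactivity_limit:
            alerts.append((ts, user, "dormant_account"))

        # Example 4: first time this user appears from a new country.
        # The very first event of a user only seeds the baseline.
        known = countries.setdefault(user, set())
        if known and country not in known:
            alerts.append((ts, user, "new_location"))
        known.add(country)
        last_seen[user] = when
    return alerts


# Constructed sample data (deliberately not in time order).
PRIVILEGED_USERS = {"BASIS01"}
SAMPLE_EVENTS = [
    ("2023-01-10T09:00:00", "ASMITH", "US", "VA03"),
    ("2023-01-11T09:05:00", "ASMITH", "US", "SE16"),
    ("2023-01-12T08:00:00", "BASIS01", "US", "SE16"),
    ("2023-01-13T10:00:00", "ASMITH", "EG", "VA03"),
    ("2023-01-14T10:00:00", "ASMITH", "EG", "VA03"),
    ("2022-06-01T10:00:00", "JDOE", "US", "ME23N"),
    ("2023-01-15T10:00:00", "JDOE", "US", "ME23N"),
]

if __name__ == "__main__":
    for ts, user, rule in detect_anomalies(SAMPLE_EVENTS, PRIVILEGED_USERS):
        print(ts, user, rule)
```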

Data Leakage
Purpose: To detect data leakages in SAP systems
Implementation:
1. Identify data leakage conditions in custom code and configuration
2. Analyze security events to detect possible data leakage
3. Monitor data flows and devices to detect data leakage in real time
Outcomes:
• Data Marking Practice
• Leakage Conditions
• Leakage Detection Rules

Data Leakage. Leak Points
• Reports
• RFC / database / network connections
• Source code:
   • Hardcoded e-mails
   • Hardcoded hostnames/SIDs
• Log files:
   • Session_id in java log traces

RESPOND
Investigate, take actions and improve

RESPOND

| Process | Purpose |
|---|---|
| Incident Response | To systematically respond to violation or threat of violation of SAP security policies and practices |
| Clear Communications | To establish structure for SAP security responsibility in a business and provide means for clear communications between its members |
| Continuous Analysis | To continuously monitor effectiveness of SAP security processes and provide insights into state of SAP security |
| Mitigation | To design and model changes to security of SAP systems |
| Improvements | To learn from external events and internal assessments of SAP security controls |

Incident Response
Purpose: To systematically respond to violation or threat of violation of SAP security policies and practices
Implementation:
1. Develop SAP security event correlation rules and incident alert thresholds
2. Develop SAP incident response and recovery plans
3. Automate SAP incident response procedures
Outcomes:
• Incident Definitions
• Incident Cases
• Incident Response Plans
Incident Response. Workflow
Collect → Correlate → Analyze → Act
Clear Communication
Purpose: To establish structure for SAP security responsibility in a business and provide means for clear communications between its members
Implementation:
1. Assign responsibilities for ensuring SAP Security
2. Establish communications between security team and other parties
3. Establish communications with 3rd party companies and threat intelligence providers
Outcomes:
• Security Responsibilities
• Security Roles Delineation
• Cyber Threat Information
Clear Communication. Contacts
• Research Centers
• Peer organizations
• CERTs
• Vendors
Continuous Analysis
Purpose: To provide insights into state of SAP security
Implementation:
1. Develop SAP security metrics
2. Automate tracking of SAP security metrics and analyze trends
3. Develop SAP forensic investigation procedures
Outcomes:
• SAP Security Metrics
• SAP Security Dashboards
• Forensic Procedures
Continuous Analysis. Metrics
• Percentage (%) of SAP systems that have security plans in place
• Percentage (%) of SAP systems and service acquisition contracts that include SAP security requirements
• Percentage (%) of developers who introduced vulnerabilities in code
• Percentage (%) of systems with unimplemented SAP Notes with public exploits
• Percentage (%) of users with simple passwords
• Percentage (%) of SAP systems covered by risk assessment
Mitigation
Purpose: To design, model and make changes to security of SAP systems
Implementation:
1. Develop SAP security controls knowledge base
2. Implement task and change management practices for SAP systems
3. Deploy virtual patching and automatic correction tools for SAP security issues
Outcomes:
• Knowledge Base
• Security CMDB
• Security Workarounds
Mitigation. Virtual Patching
Improvements
Purpose: To learn from external events and improve SAP security
Implementation:
1. Continuously analyze SAP security updates and threats
2. Attend SAP security events and trainings
3. Assess effectiveness of SAP security controls
Outcomes:
• Improvements Suggestions
• Controls Assessments
Improvements. SAP Security Conferences 2017
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
HQ Netherlands: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam
Thank you
Michael Rakutko
Head of Professional [email protected]