How to predict SAP data breaches? - erpscan.com
TRANSCRIPT
AGENDA
• Case for SAP Cybersecurity Framework
• Detect SAP Security Incidents
• Demo Time
THE CHALLENGES WE FACE
Cyber attack kill chain

HOW DO DIFFERENT PEOPLE UNDERSTAND SAP SECURITY?
Roles: Security Team, SAP Users, BASIS Administrators, Asset Owners
Typical statements:
• "I chose the abcd1234 password and saved it on the desktop"
• "SAP Security? Is it about antivirus?"
• "We are in complete compliance with GDPR requirements"
• "rsau/enable = 0? OK, that's fine!"
FUTURE STATE
Executive roles: CISO, CIO, CRO
• ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development
• SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements
• SAP SECURITY: Segregation of Duties + Data Security + Secure Architecture + Awareness and Training
• IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage
KEY IDEAS
Why do companies need a framework for SAP security?
• To ensure compliance and reliability of SAP systems
What is the SAP Cybersecurity Framework?
• A description of activities to secure SAP systems
How to use the framework?
• Map compliance requirements to SAP security controls and choose security solutions and services
Why now?
• The world has changed, SAP has changed, attacks have changed
• So the approach to SAP security has to change too
IMPLEMENTATION TIERS
(chart: tiers 1, 2 and 3; values shown: 50%, 80%, 99%; 3-6 months, 6-12 months, 12 months)
DETECT: Monitor threats
SAP SECURITY DETECTION USE CASES (use case / example / action)

CONFIGURATIONS:
• Misconfigurations
  Example: the system has configuration issues: the security audit log is disabled, encryption of RFC isn't configured
  Action: create a remediation plan for SAP administrators
• Vulnerabilities
  Example: unpatched SAP SSO component (SAP Note 2389042: a denial of service vulnerability in the SAP SSO component)
  Action: install the security patch, implement the security note
• Critical Authorizations
  Example: weak passwords, SoD conflicts, critical profiles assigned
  Action: analyse the need for the provided access

EVENTS:
• Threat Events
  Example: successful critical actions (OS command, system configuration, RFC, DB, user management, program, report)
  Action: investigate the activity, revoke authorizations, adjust correlation rules
• Attack Events
  Example: potential attacks (SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal, Missing Authorization, Verb Tampering); real attacks against specific SAP services
  Action: block access and investigate network activity
• Anomalies
  Example: all actions with transactions and tables (Business Partners, Customers, Documents, Purchase, HR data, Users, Invoices, ...)
  Action: review the anomalous activity and adjust notification rules
DETECT: processes and their purpose
• Event Management: to collect information on SAP security-related events
• Threat Detection: to detect attacks and possible threats to SAP systems
• User Behavior: to detect deviations of user behavior in SAP systems
• Data Leakage: to detect data leakages in SAP systems
EVENT MANAGEMENT
Purpose: to collect information on SAP security-related events
Implementation:
1. Configure the SAP security audit log
2. Collect SAP security-related events
3. Monitor SAP-related network, system, personnel and external service provider activities
Outcomes:
• Audit Events
• Event Databases
• Event Collecting Procedures

ENABLE LOGGING
• Network level: SAProuter, ICM and WebDispatcher, Message Server, HTTP logs
• SAP system level: System Log, Security Audit Log, Authorization Traces
• Object level: Transport System Changes, Table Changes, Document Changes
• Interface level: Read Access Logging, UI Masking, UI Logging
LOGGING
• SAP ABAP Security Audit Log: user actions (logons, access to reports and tables, executions of transactions). Enabled in 57% of systems.
• SAP ABAP HTTP logs (ICM/MS/WebDispatcher): attacks (SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal, ...). ICM: enabled in 38% of systems; MS: enabled in 27% of systems; WD: enabled in 23% of systems.
• Gateway: network actions, RFC actions, dynamic parameter changes. Enabled in 15% of systems.
• Maximum audit log file size is less than 200M.
Recommendation: enable all logs, set a big enough file size (2 GB), archive and rotate logs.
THREAT AND ATTACK DETECTION
Purpose: to detect attacks and possible threats to SAP systems
Implementation:
1. Configure IDS/IPS systems to detect SAP attack signatures
2. Manually review SAP security events
3. Monitor potential attacks, security event combinations and anomalies
Outcomes:
• Threat Catalogue
• Threat Data Sources
• Threat Detection Rules
WHAT DOES AN SAP DATA BREACH LOOK LIKE?
• Scan for vulnerable services, default SAP pages
• Brute force against default users
• Attempts to exploit SAP vulnerabilities
• Maintenance actions (SE16, SU02) from non-administrative users
• Spike of downloads (RFC_READ_TABLE, report downloads, etc.)
• User anomalies: new IP address, never-seen TCODE and execution outside working hours (or at lunch time)
THREAT DETECTION RULES (method / example / reliability)
• Regular expressions. Example: records in HTTP log / network traffic; XSS: script, on, alert, import, exception, ...; SQL injection: exec, union, like, between, ...; RCE: cmd, bash, arp, cacls, del, ... Reliability: LOW
• Specific SAP signatures. Example: RCE in SAP NetWeaver CTC, rule «ctc/`+`servlet/`+`ConfigServlet»; XSS in PeopleSoft PSOL FullTextSearch, rule «PSOL/`+`servlet/`+`FullTextSearch». Reliability: MEDIUM
• Assessment. Example: get confirmation that the server responded (HTTP 200 OK), that the related vulnerability exists on the attacked server, and retest by exploit. Reliability: HIGH
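The three reliability tiers as a small rule engine over HTTP log lines, added here as an illustration and not ERPScan's code or signatures: generic keyword regexes give LOW-confidence hits, the SAP-specific path signatures give MEDIUM, and a 200 OK response on a signature hit is taken as the first assessment step towards HIGH. The log lines are constructed, and the regex rendering of the two signatures (".*" between the path parts) is an assumption.

```python
import re

# Constructed sample lines in a common web-server log layout (client, time, request, status);
# they are made up for this example and only the request path and status code matter.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2018:10:01:02 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2018:10:02:11 +0000] "GET /ctc/servlet/ConfigServlet HTTP/1.1" 200 231',
    '10.0.0.9 - - [01/Jun/2018:10:02:12 +0000] "GET /ctc/servlet/ConfigServlet HTTP/1.1" 404 98',
    '10.0.0.7 - - [01/Jun/2018:10:03:40 +0000] "GET /sap/bc/bsp/sap/it00/default.htm?q=<script>alert(1)</script> HTTP/1.1" 200 700',
    '10.0.0.8 - - [01/Jun/2018:10:04:00 +0000] "GET /sap/bc/webdynpro/sap/cmd_overview HTTP/1.1" 200 300',
]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Tier 1 (LOW): generic keyword lists from the slide; word boundaries keep "cmd_overview" quiet.
GENERIC_RULES = {
    "XSS": re.compile(r"script|\bon\w+=|alert", re.I),
    "SQL injection": re.compile(r"\b(exec|union|like|between)\b", re.I),
    "RCE": re.compile(r"\b(cmd|bash|arp|cacls|del)\b", re.I),
}
# Tier 2 (MEDIUM): SAP-specific path signatures; the regex form is this example's rendering
# of the slide's rules, not a vendor signature.
SAP_SIGNATURES = {
    "RCE in SAP NetWeaver CTC": re.compile(r"/ctc/.*servlet/.*ConfigServlet", re.I),
    "XSS in PeopleSoft PSOL FullTextSearch": re.compile(r"/PSOL/.*servlet/.*FullTextSearch", re.I),
}

def assess(line):
    """Return (reliability, rule, client, status) for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, path, status = m["client"], m["path"], int(m["status"])
    for name, sig in SAP_SIGNATURES.items():
        if sig.search(path):
            # Tier 3 (HIGH) first check: the server answered 200 OK, so a live servlet handled
            # the request. Confirming the vulnerability and retesting stay manual follow-ups.
            return ("HIGH" if status == 200 else "MEDIUM", name, client, status)
    for name, rule in GENERIC_RULES.items():
        if rule.search(path):
            return ("LOW", name, client, status)
    return None

def scan(lines):
    """Run every line through assess() and keep the hits, in log order."""
    return [hit for hit in map(assess, lines) if hit]
```

Calling `scan(SAMPLE_LOG)` yields one HIGH, one MEDIUM and one LOW hit; the first and last sample lines raise nothing.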
USER BEHAVIOR
Purpose: to detect deviations of user behavior in SAP systems
Implementation:
1. Review privileged account activities
2. Establish profiles for SAP user behavior and detect anomalies
3. Monitor SAP business activities and SoD conflicts in real time
Outcomes:
• Critical Actions Reports
• Baseline Behavior Profiles
• Anomaly Detection Rules
USER BEHAVIOR: EXAMPLES
1. Unusual behavior of users from the audit department in the Sweden branch in comparison to their USA colleagues.
2. Running an administrative transaction (e.g. SE16) by a non-privileged user.
3. Use of an account after a long (e.g. six months) period of inactivity.
4. First change of user location from the USA to Egypt.
5. Access to risky resources (e.g. financial reports).
6. Change of frequency for downloading reports.
7. A user generates an unusual amount of traffic, possibly trying to download the content of the client database.
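A baseline-and-anomaly check covering examples 2 and 3 above and the new IP / never-seen TCODE / off-hours anomalies from the breach slide, added here as an illustration rather than ERPScan platform code: it learns each user's IPs, transactions and last activity from audit-style records, then scores new events in order and only lets quiet events extend the baseline. The records, the privileged-user set and the 08:00-18:59 working-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log style records (user, timestamp, TCODE, client IP), not from a real system.
HISTORY = [
    ("JSMITH", "2018-03-01 09:12", "VA01", "10.1.1.20"),
    ("JSMITH", "2018-03-05 14:05", "VA03", "10.1.1.21"),
    ("AKHAN", "2017-11-10 11:00", "FB03", "10.1.2.7"),
]
NEW_EVENTS = [
    ("JSMITH", "2018-06-01 10:15", "VA01", "10.1.1.20"),    # matches the baseline
    ("JSMITH", "2018-06-01 23:30", "SE16", "203.0.113.9"),  # new IP, new TCODE, late, admin
    ("AKHAN", "2018-06-02 09:00", "FB03", "10.1.2.7"),      # first use in about 200 days
]
FMT = "%Y-%m-%d %H:%M"
ADMIN_TCODES = {"SE16", "SU02"}          # administrative transactions named on the slides
PRIVILEGED_USERS = {"BASISADM"}          # assumed set of accounts allowed to run them
WORK_HOURS = range(8, 19)                # 08:00-18:59, an assumed working-hours window
DORMANT_AFTER = timedelta(days=180)      # "long period of inactivity" (six months)

def build_profiles(history):
    """Baseline per user: IPs and TCODEs seen so far plus the last time the account was active."""
    profiles = defaultdict(lambda: {"ips": set(), "tcodes": set(), "last_seen": datetime.min})
    for user, ts, tcode, ip in history:
        p = profiles[user]; p["ips"].add(ip); p["tcodes"].add(tcode)
        p["last_seen"] = max(p["last_seen"], datetime.strptime(ts, FMT))
    return profiles

def detect(profiles, event):
    """Return the names of the anomaly rules one event triggers against the user's baseline."""
    user, ts, tcode, ip = event
    if user not in profiles:
        return ["unknown user"]
    p, when = profiles[user], datetime.strptime(ts, FMT)
    checks = [
        (ip not in p["ips"], "new IP address"),
        (tcode not in p["tcodes"], "never seen TCODE"),
        (when.hour not in WORK_HOURS, "non-working hours"),
        (tcode in ADMIN_TCODES and user not in PRIVILEGED_USERS, "admin transaction by non-privileged user"),
        (when - p["last_seen"] > DORMANT_AFTER, "account used after long inactivity"),
    ]
    findings = [name for hit, name in checks if hit]
    if not findings:  # only quiet events extend the baseline, so an intruder's IP is not learned
        p["ips"].add(ip); p["tcodes"].add(tcode); p["last_seen"] = max(p["last_seen"], when)
    return findings

def run(history, events):
    profiles = build_profiles(history)  # built once, then updated in order by quiet events
    return [detect(profiles, e) for e in events]
```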
DATA LEAKAGE
Purpose: to detect data leakages in SAP systems
Implementation:
1. Identify data leakage conditions in custom code and configuration
2. Analyze security events to detect possible data leakage
3. Monitor data flows and devices to detect data leakage in real time
Outcomes:
• Data Marking Practice
• Leakage Conditions
• Leakage Detection Rules
DATA LEAKAGE: LEAK POINTS
• From GUI: transactions, reports
• From network: RFC, database connections, network connections
• From source code: hardcoded e-mails, hardcoded hostnames/SIDs
• From log files: session_id in Java log traces, plaintext passwords in logs
DEMO TIME: ERPScan Smart Cybersecurity Platform
THANK YOU
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletters: eepurl.com/bef7h1
Michael Rakutko, Head of Professional [email protected]