How to Predict SAP Data Breaches? - erpscan.com


Upload: duongkien

Post on 29-May-2018


TRANSCRIPT

Page 1: How to Predict SAP Data Breaches? - erpscan.com · • SAProuter • ICM and WebDispatcher • Message Server • HTTP logs
Page 3:

AGENDA

Case for SAP Cybersecurity Framework

Detect SAP Security Incidents

Demo Time

Page 4:

THE CHALLENGES WE FACE

Cyber attack kill chain

Page 5:

How do different people understand SAP security?

Security Team: "SAP Security? Is it about antivirus?"

SAP Users: "I chose the password abcd1234 and saved it on the desktop."

BASIS Administrators: "rsau/enable = 0? OK, that's fine!"

Asset Owners: "We are in complete compliance with GDPR requirements."

Page 6:

FUTURE STATE (stakeholders: CISO, CIO, CRO)

ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development

SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements

SAP SECURITY: Segregation of Duties + Data Security + Secure Architecture + Awareness and Training

IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage

Page 7:

Page 8:

KEY IDEAS

Why do companies need a framework for SAP security?

• To ensure compliance and reliability of SAP systems

What is the SAP Cybersecurity Framework?

• A description of the activities needed to secure SAP systems

How to use the framework?

• Map compliance requirements to SAP security controls and choose security solutions and services

Why now?

• The world has changed, SAP has changed, attacks have changed

• So the approach to SAP security has to change too

Page 9:

IMPLEMENTATION TIERS

Figure: three tiers, each with a percentage and a timeframe.

Tier 1: 50%, 3-6 months

Tier 2: 80%, 6-12 months

Tier 3: 99%, 12 months

Page 10:

DETECT

Monitor threats

Page 11:

SAP SECURITY DETECTION USE CASES

Use case | Example | Action

CONFIGURATIONS:

Misconfigurations | System has configuration issues: security audit log is disabled, encryption of RFC isn't configured | Create a remediation plan for SAP administrators

Vulnerabilities | Unpatched SAP SSO component (SAP Note 2389042: a denial of service vulnerability in the SAP SSO component) | Install the security patch, implement the security note

Critical Authorizations | Weak passwords, SoD conflicts, critical profiles assigned | Analyse the need for the provided access

EVENTS:

Threat Events | Successful critical actions (OS command, system configuration, RFC, DB, user management, program, report) | Investigate the activity, revoke authorizations, adjust correlation rules

Attack Events | Potential attacks: SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal, Missing Authorization, Verb Tampering; real attacks (specific SAP services) | Block access and investigate network activity

Anomalies | All actions with transactions and tables (Business Partners, Customers, Documents, Purchase, HR data, Users, Invoices, …) | Review the anomalous activity and adjust notification rules

Page 12:

DETECT

Process | Purpose

Event Management | To collect information on SAP security-related events

Threat Detection | To detect attacks and possible threats to SAP systems

User Behavior | To detect deviations of user behavior in SAP systems

Data Leakage | To detect data leakages in SAP systems

Page 13:

EVENT MANAGEMENT

To collect information on SAP security-related events

Implementation:

1. Configure the SAP security audit log

2. Collect SAP security-related events

3. Monitor SAP-related network, system, personnel and external service provider activities

Outcomes:

• Audit Events

• Event Databases

• Event Collecting Procedures

Page 14:

ENABLE LOGGING

• Network level: SAProuter, ICM and WebDispatcher, Message Server, HTTP logs

• SAP system level: System Log, Security Audit Log, Authorization Traces

• Object level: Transport System Changes, Table Changes, Document Changes

• Interface level: Read Access Logging, UI Masking, UI Logging

Page 15:

LOGGING

SAP ABAP Security Audit Log: user actions (logons, access to reports and tables, executions of transactions). Enabled in 57% of systems. Maximum audit log file size is less than 200M.

SAP ABAP HTTP logs (ICM/MS/WebDispatcher): attacks (SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal, …). ICM: enabled in 38% of systems; MS: enabled in 27% of systems; WD: enabled in 23% of systems.

Gateway: network actions, RFC actions, dynamic parameter changes. Enabled in 15% of systems.

Recommendation: enable all logs, set a big enough file size (2 GB), archive and rotate logs.
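The logs this slide counts are switched on through instance profile parameters, so the quickest way to find the gaps is to parse the profile. The block below is an added example, not ERPScan's code and not part of the original deck: it reads two constructed profile fragments, a weak one matching the findings above and a hardened one, and reports which logs are off or undersized. The parameter names are SAP's standard ones (rsau/enable, rsau/max_diskspace/local, snc/enable, icm/HTTP/logging_0, ms/http_logging, ms/HTTP/logging_0, gw/logging); the 2000M floor is taken from the slide's 2 GB advice, and the system name, instance and log paths are made up.

```python
"""Check an SAP instance profile for the logging gaps named on this slide.

Added example, not ERPScan's code. Profile contents are constructed; the
2000M floor is an assumption taken from the slide's 2 GB advice.
"""
import re

# Constructed profile fragments in SAP's "name = value" profile syntax.
# System name, instance and log paths are made up.
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
rsau/enable = 0
rsau/max_diskspace/local = 200M
snc/enable = 0
ms/http_logging = 0
"""

HARDENED_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
rsau/enable = 1
rsau/selection_slots = 10
rsau/max_diskspace/local = 2000M
snc/enable = 1
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/icmhttp.log,LOGFORMAT=SAPSMD
ms/http_logging = 1
ms/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/mshttp.log,LOGFORMAT=SAPSMD
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d
"""

_UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MIN_AUDIT_DISK = 2000 * _UNIT["M"]   # assumption: the slide's "2 Gb"


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment, a later line wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def size_bytes(value):
    """Convert a profile size such as '200M', '2G' or '1048576' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([KMG])?", value.strip().upper())
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * _UNIT.get(m.group(2), 1)


def check_logging(params):
    """Return [(parameter, finding)] for every logging gap in the profile."""
    findings = []
    if params.get("rsau/enable", "0") != "1":
        findings.append(("rsau/enable", "security audit log disabled"))
    else:
        disk = params.get("rsau/max_diskspace/local")
        if disk is None or size_bytes(disk) < MIN_AUDIT_DISK:
            findings.append(("rsau/max_diskspace/local",
                             f"audit log limit {disk or 'default'} is below 2000M"))
    if params.get("snc/enable", "0") != "1":
        findings.append(("snc/enable", "SNC off: RFC and DIAG traffic is unencrypted"))
    if "icm/HTTP/logging_0" not in params:
        findings.append(("icm/HTTP/logging_0", "ICM HTTP access log not configured"))
    if params.get("ms/http_logging", "0") != "1" or "ms/HTTP/logging_0" not in params:
        findings.append(("ms/http_logging", "message server HTTP log not configured"))
    if "gw/logging" not in params:
        findings.append(("gw/logging", "gateway logging not configured"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"[{label} profile]")
        for param, msg in check_logging(parse_profile(text)) or [("-", "no findings")]:
            print(f"  {param}: {msg}")
```

Run it against the profile exported from RZ10 or read from the profile directory. Newer kernels move part of the audit log configuration into transaction RSAU_CONFIG, so treat the parameter list as a starting point for the misconfiguration check on page 11 rather than a complete one.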

Page 16:

THREAT AND ATTACK DETECTION

To detect attacks and possible threats to SAP systems

Implementation:

1. Configure IDS/IPS systems to detect SAP attack signatures

2. Manually review SAP security events

3. Monitor potential attacks, security event combinations and anomalies

Outcomes:

• Threat Catalogue

• Threat Data Sources

• Threat Detection Rules

Page 17:

WHAT DOES AN SAP DATA BREACH LOOK LIKE?

• Scanning for vulnerable services and default SAP pages

• Brute force against default users

• Attempts to exploit SAP vulnerabilities

• Maintenance actions (SE16, SU02) from non-administrative users

• Spike of downloads (RFC_READ_TABLE, report downloads, etc.)

• User anomalies: new IP address, never-seen transaction code, execution outside working hours (or at lunch time)

Page 18:

THREAT DETECTION RULES

Method | Example | Reliability

Regular expressions | Records in HTTP log / network traffic. XSS: script, on, alert, import, exception, …; SQL injection: exec, union, like, between, …; RCE: cmd, bash, arp, cacls, del, … | LOW

Specific SAP signatures | RCE in SAP NetWeaver CTC, rule: «ctc/`+`servlet/`+`ConfigServlet»; XSS in PeopleSoft PSOL FullTextSearch, rule: "PSOL/`+`servlet/`+`FullTextSearch" | MEDIUM

Assessment | Get confirmation: the server responded (HTTP 200 OK); the related vulnerability exists on the attacked server; retest by exploit | HIGH
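The three rule classes in this table work best as one pipeline in which a hit is promoted from LOW to MEDIUM to HIGH as evidence accumulates. The block below is an added example, not ERPScan's detection code: it parses constructed Common Log Format lines (real ICM, Web Dispatcher and message server logs use whatever LOGFORMAT the profile sets, so the line regex must be adapted), applies the slide's keyword lists as low-reliability regexes and its CTC rule as a medium-reliability signature, and promotes a signature hit to HIGH only when the server answered 200 and the target host appears in an assumed inventory of hosts known to carry that weakness. The final confirmation step on the slide, retesting with the exploit, is left to a human.

```python
"""Tiered threat-detection rules over SAP HTTP access logs.

Added example, not ERPScan's code. Log lines are constructed in Common Log
Format; ICM, Web Dispatcher and message server write whatever LOGFORMAT the
profile configures, so the parsing regex must be adapted to it.
"""
import re
from collections import namedtuple
from urllib.parse import unquote

# Constructed sample: addresses, paths and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2018:10:01:02 +0200] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 1823
10.0.0.9 - - [29/May/2018:10:02:15 +0200] "GET /irj/portal?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.9 - - [29/May/2018:10:03:41 +0200] "GET /ctc/servlet/ConfigServlet?param=test HTTP/1.1" 200 2048
10.0.0.9 - - [29/May/2018:10:04:01 +0200] "GET /ctc/servlet/ConfigServlet HTTP/1.1" 404 0
10.0.0.7 - - [29/May/2018:10:05:30 +0200] "GET /sap/bc/webdynpro/sap/page?id=1%20union%20select%201 HTTP/1.1" 500 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# LOW reliability: the slide's generic keyword lists as regexes.
GENERIC = {
    "XSS": re.compile(r"<script|\bon\w+=|alert\(|import|exception", re.I),
    "SQL injection": re.compile(r"\b(exec|union|like|between)\b", re.I),
    "RCE": re.compile(r"\b(cmd|bash|arp|cacls|del)\b", re.I),
}

# MEDIUM reliability: SAP-specific signatures. The CTC rule is the slide's,
# written as a regex over the request path.
SIGNATURES = {
    "RCE in SAP NetWeaver CTC": re.compile(r"ctc/.*servlet/.*ConfigServlet", re.I),
}

# Assumed inventory (from a vulnerability scan) of hosts that still carry the
# weakness each signature targets; constructed for the demo.
KNOWN_VULNERABLE = {"RCE in SAP NetWeaver CTC": {"sap-portal.example.com"}}

Alert = namedtuple("Alert", "src ts rule reliability status")


def parse_line(line):
    """Split one CLF record into fields; the URL is percent-decoded for matching."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(rec["url"])
    return rec


def classify(rec, target_host):
    """Return the single highest-reliability alert for a record, or None."""
    for name, sig in SIGNATURES.items():
        if sig.search(rec["decoded"]):
            # HIGH needs both confirmations from the slide: the server answered
            # 200 and the target is known to be vulnerable. Retest is manual.
            confirmed = rec["status"] == 200 and target_host in KNOWN_VULNERABLE.get(name, ())
            return Alert(rec["src"], rec["ts"], name, "HIGH" if confirmed else "MEDIUM", rec["status"])
    for name, pat in GENERIC.items():
        if pat.search(rec["decoded"]):
            return Alert(rec["src"], rec["ts"], name, "LOW", rec["status"])
    return None


def scan(log_text, target_host):
    """Run every parseable line through classify() and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        alert = classify(rec, target_host) if rec else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, "sap-portal.example.com"):
        print(f"{a.reliability:<6} {a.rule:<28} {a.src:<10} status={a.status} at {a.ts}")
```

Percent-decoding before matching matters: the keyword regexes use word boundaries, and an encoded request such as id=1%20union%20select%201 never hits them otherwise. The slide writes the CTC rule with `+` placeholders between its fragments; the example joins them with `.*`, which is an assumption about the intended wildcard.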

Page 19:

USER BEHAVIOR

To detect deviations of user behavior in SAP systems

Implementation:

1. Review privileged account activities

2. Establish profiles for SAP user behavior and detect anomalies

3. Monitor SAP business activities and SoD conflicts in real time

Outcomes:

• Critical Actions Reports

• Baseline Behavior Profiles

• Anomaly Detection Rules

Page 20:

USER BEHAVIOR: EXAMPLES

1. Unusual behavior of users from the audit department in the Sweden branch compared with their USA colleagues.

2. Running an administrative transaction (e.g. SE16) by a non-privileged user.

3. Use of an account after a long (e.g. six months) period of inactivity.

4. First change of user location from the USA to Egypt.

5. Access to risky resources (e.g. financial reports).

6. Change in the frequency of report downloads.

7. A user generates an unusual amount of traffic, possibly trying to download the content of the client database.
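The breach indicators on page 17 (brute force against default users, SE16 from non-administrators, RFC_READ_TABLE spikes, new IP addresses, off-hours activity) and examples 2, 3, 6 and 7 above are all comparisons of a review window against a per-user baseline. The block below is an added example, not ERPScan's code: it builds profiles from a constructed 30-day history of Security Audit Log style events and flags deviations in a constructed one-day window. The admin transaction list, the working-hours window, the 180-day inactivity threshold, the brute-force count, the baseline length and the spike multiplier are assumptions; the users, addresses and timestamps are made up.

```python
"""User-behaviour rules over Security Audit Log style events.

Added example, not ERPScan's code. Events are constructed tuples standing in
for SAL records as read with SM20 / RSAU_READ_LOG; the admin transaction
list, working hours, inactivity threshold, brute-force count, baseline length
and spike multiplier are assumptions chosen to mirror the slide's examples.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ADMIN_TCODES = {"SE16", "SU02", "SE38", "SM49", "SM59", "SU01"}   # assumption
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM", "SAPCPIC"}
ADMINS = {"BASIS01"}                       # who may run ADMIN_TCODES (constructed)
WORK_HOURS = range(8, 18)                  # 08:00-17:59 is working time
INACTIVITY = timedelta(days=180)           # the slide's "e.g. six months"
BRUTE_FORCE_MIN = 5                        # failed logons per (user, ip)
BASELINE_DAYS = 30                         # length of the history window
SPIKE_FACTOR = 3                           # times the baseline daily RFC_READ_TABLE rate
SPIKE_MIN = 5                              # never alert below this many calls


def ev(ts, user, ip, kind, detail=""):
    """kind: LOGON_OK, LOGON_FAIL, TCODE (detail = transaction), RFC (detail = function)."""
    return (datetime.fromisoformat(ts), user, ip, kind, detail)


BASELINE = [  # constructed "normal" history
    ev("2018-04-02T09:05:00", "JSMITH", "10.1.1.20", "LOGON_OK"),
    ev("2018-04-02T09:10:00", "JSMITH", "10.1.1.20", "TCODE", "VA03"),
    ev("2018-04-03T10:00:00", "JSMITH", "10.1.1.20", "RFC", "RFC_READ_TABLE"),
    ev("2018-04-10T11:00:00", "JSMITH", "10.1.1.20", "RFC", "RFC_READ_TABLE"),
    ev("2017-10-15T09:00:00", "OLDUSER", "10.1.1.30", "LOGON_OK"),
    ev("2018-04-05T14:00:00", "BASIS01", "10.1.1.5", "TCODE", "SE16"),
]

RECENT = [  # constructed one-day window under review
    ev("2018-05-29T03:12:00", "JSMITH", "203.0.113.8", "LOGON_OK"),
    ev("2018-05-29T03:15:00", "JSMITH", "203.0.113.8", "TCODE", "SE16"),
    *[ev(f"2018-05-29T03:{20 + i:02d}:00", "JSMITH", "203.0.113.8", "RFC", "RFC_READ_TABLE")
      for i in range(12)],
    ev("2018-05-29T09:00:00", "OLDUSER", "10.1.1.30", "LOGON_OK"),
    ev("2018-05-29T10:00:00", "BASIS01", "10.1.1.5", "TCODE", "SE16"),
    *[ev(f"2018-05-29T12:00:{i:02d}", "SAP*", "198.51.100.4", "LOGON_FAIL") for i in range(6)],
]


def build_profiles(events):
    """Per-user baseline: known IPs, known transactions, last activity, RFC_READ_TABLE count."""
    prof = defaultdict(lambda: {"ips": set(), "tcodes": set(), "last": None, "rfc_reads": 0})
    for ts, user, ip, kind, detail in events:
        p = prof[user]
        p["ips"].add(ip)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
        if kind == "TCODE":
            p["tcodes"].add(detail)
        elif kind == "RFC" and detail == "RFC_READ_TABLE":
            p["rfc_reads"] += 1
    return dict(prof)


def detect(profiles, recent):
    """Return {(user, rule): detail}, one alert per user and rule."""
    alerts, reads, fails = {}, Counter(), Counter()

    def flag(user, rule, detail):
        alerts.setdefault((user, rule), detail)

    for ts, user, ip, kind, detail in recent:
        if kind == "LOGON_FAIL":
            fails[(user, ip)] += 1
            if user in DEFAULT_USERS and fails[(user, ip)] >= BRUTE_FORCE_MIN:
                flag(user, "brute force against default user", ip)
            continue
        p = profiles.get(user)
        if p is None:
            flag(user, "activity from user without baseline", ip)
            continue
        if ip not in p["ips"]:
            flag(user, "new source IP", ip)
        if ts - p["last"] > INACTIVITY:
            flag(user, "account used after long inactivity", f"last seen {p['last'].date()}")
        if ts.hour not in WORK_HOURS:
            flag(user, "activity outside working hours", ts.strftime("%H:%M"))
        if kind == "TCODE":
            if detail in ADMIN_TCODES and user not in ADMINS:
                flag(user, "admin transaction by non-admin", detail)
            if detail not in p["tcodes"]:
                flag(user, "never-seen transaction", detail)
        elif kind == "RFC" and detail == "RFC_READ_TABLE":
            reads[user] += 1
            daily = p["rfc_reads"] / BASELINE_DAYS
            if reads[user] > max(SPIKE_FACTOR * daily, SPIKE_MIN):
                flag(user, "download spike via RFC_READ_TABLE", f"{reads[user]} calls in window")
    return alerts


if __name__ == "__main__":
    for (user, rule), detail in sorted(detect(build_profiles(BASELINE), RECENT).items()):
        print(f"{user:<8} {rule:<40} {detail}")
```

The profile is deliberately small (IPs, transactions, last activity, one RFC rate); a production baseline would add location from the address, the user's department for the peer comparison in example 1, and the report names behind example 5, but the comparison logic stays the same.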

Page 21:

DATA LEAKAGE

To detect data leakages in SAP systems

Implementation:

1. Identify data leakage conditions in custom code and configuration

2. Analyze security events to detect possible data leakage

3. Monitor data flows and devices to detect data leakage in real time

Outcomes:

• Data Marking Practice

• Leakage Conditions

• Leakage Detection Rules

Page 22:

DATA LEAKAGE: LEAK POINTS

From GUI:

• Transactions

• Reports

From network:

• RFC

• Database connections

• Network connections

From source code:

• Hardcoded e-mails

• Hardcoded hostnames/SIDs

From log files:

• Session IDs in Java log traces

• Plaintext passwords in logs
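The source-code and log-file leak points above are the ones a scanner can find before an attacker does. The block below is an added example, not ERPScan's code: it runs a small rule set over a constructed ABAP report and constructed Java trace lines and reports the file, line and rule for each hit, shortening the matched value so the report does not re-leak the secret. The hostname rule is restricted to a few top-level domains so that Java package names are not reported; the sample names, addresses and password are invented.

```python
"""Scan custom code and log files for the leak points on this slide.

Added example, not ERPScan's code. The ABAP report and the Java trace lines
are constructed; names, addresses and the password are invented.
"""
import re

ABAP_SOURCE = """\
REPORT zcust_export.
DATA: lv_host TYPE string VALUE 'sapprd01.corp.example.com',
      lv_sid  TYPE string,
      lv_mail TYPE string VALUE 'finance.team@example.com'.
lv_sid = 'PRD'.
CALL FUNCTION 'RFC_READ_TABLE' DESTINATION 'PRD_CLNT100'
  EXPORTING query_table = 'KNA1'.
"""

JAVA_TRACE = """\
[Info] LoginHandler: user JSMITH authenticated, JSESSIONID=4F0C2A1B9D3E7C0A5B6F1E2D; path=/
[Debug] JCoDestination props: ashost=sapprd01.corp.example.com sysnr=00 client=100 user=RFCUSER passwd=Summer2018!
[Info] notification mail sent to ops.alerts@example.com
"""

RULES = {
    "hardcoded e-mail": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # two or more labels ending in a short TLD allowlist, so Java package
    # names such as com.sap.security.core are not reported
    "hardcoded hostname": re.compile(r"\b(?:[a-z0-9-]+\.){2,}(?:com|net|org|local|corp)\b", re.I),
    # assignment of a three-character system ID
    "hardcoded SID": re.compile(r"(?:sysid|sid)\s*=\s*'?([A-Z][A-Z0-9]{2})\b"),
    "session id in trace": re.compile(r"\b(?:JSESSIONID|MYSAPSSO2)=[^\s;]+"),
    "plaintext password": re.compile(r"\b(?:passw(?:or)?d|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)", re.I),
}


def redact(value):
    """Keep enough of a match to locate it without re-leaking the secret."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-2:]


def scan(name, text):
    """Return [(file, line number, rule, redacted match)] for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append((name, lineno, rule, redact(m.group(0))))
    return findings


if __name__ == "__main__":
    for src, text in (("zcust_export.abap", ABAP_SOURCE), ("server.log", JAVA_TRACE)):
        for name, lineno, rule, shown in scan(src, text):
            print(f"{name}:{lineno}: {rule}: {shown}")
```

Point it at exported custom code (the Z* and Y* namespaces) and at the Java server trace directory; the rules are starting points to tune, and anything they flag in a trace file is also a sign that the trace level is too verbose for a productive system.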

Page 23:

Demo Time

ERPScan Smart Cybersecurity Platform

Page 24:

THANK YOU

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255

EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892

EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic

Read our blog: erpscan.com/category/press-center/blog/

Join our webinars: erpscan.com/category/press-center/events/

Subscribe to our newsletters: eepurl.com/bef7h1

[email protected]

Michael Rakutko, Head of Professional [email protected]