motivation - sap cyber security solutions · 1. develop basic security requirements to...

Post on 20-Aug-2020

Page 1: Motivation - SAP Cyber Security Solutions · 1. Develop basic security requirements to configuration of servers, networks, SAP applications and client stations 2. Create secure development

Motivation: The Business Case for SAP Cybersecurity Framework

Current state

CISO, CIO

• SAP BASIS: PATCHING SAP SYSTEMS
• SAP SECURITY: SEGREGATION OF DUTIES
• IT OPERATIONS: MONITORING SAP SYSTEMS
• ENTERPRISE SECURITY: VULNERABILITY MANAGEMENT

LACK OF EFFECTIVE OVERSIGHT
LACK OF VISIBILITY
COMPLEXITY
POOR INTEGRATION
SLIPPED THROUGH THE CRACKS

Future state

CISO, CIO, CRO

• ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development
• SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements
• SAP SECURITY: Segregation Of Duties + Data Security + Secure Architecture + Secure
• IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage

History

Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks

https://www.gartner.com/doc/2665515/

EAS-SEC

SAP Cybersecurity Framework

Category: PREDICT

Process: Secure Development

Purpose: To ensure security during SAP systems development and acquisition.

Outcomes:
• Security Requirements
• Development Standards and Processes
• Security Plans

Implementation steps:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes

Implementation Tiers

[Figure: implementation tiers 1, 2 and 3, labelled 50%, 80% and 99%, with durations 3-6 months, 6-12 months and 12 months]

Benefits

SAP Cybersecurity Framework

Security Program

Security Policies

Security Plans

Process Descriptions

Technical Solutions

PREDICT: Understand SAP environment

PREDICT

| Process | Purpose |
|---|---|
| Asset Management | To communicate information about SAP assets, security category of the assets, rules of acceptable use and protection requirements |
| Business Environment | To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships |
| Governance | To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes |
| Vulnerability Management | To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors |
| Risk Management | To make decisions on addressing possible adverse impacts from the operation and use of SAP systems |
| Secure Development | To ensure security during SAP systems development and acquisition |

Asset Management

Purpose: To communicate information about SAP assets, security category of the assets, rules of acceptable use and protection requirements

Implementation:
1. Create an Inventory of Assets
2. Assess criticality of the assets
3. Develop complete specification of the SAP systems

Outcomes:
• Inventory of Assets
• Criticality Assessments
• Acceptable Use Requirements

Asset Management. Inventory of assets

| System ID | Purpose | Interconnected Systems | System Criticality | Responsibility | System Type | Application Servers | Clients | Platform |
|---|---|---|---|---|---|---|---|---|
| DM0 | Supply chain management | Internal: ERP; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no | High | John F. K. | PROD | 10.0.0.1, 10.0.0.2 | 100:PRD | SAP SCM 5.0 (NetWeaver AS 7.1 ABAP) |
| ERP | Enterprise Resource Planning | Internal: HR1, HR2; Internet: no; ICS: MES System; Partners: no; Mobile: no | Low | Mike. | PROD | 10.0.16.6 | 200:PRD | SAP ECC 6.0, NetWeaver AS 7.3 ABAP |
| CRM | Customer Relationship management | Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no | Very High | | PROD | 10.0.34.5 | 210:PRD | SAP CRM 6.0, NetWeaver AS ABAP 7.0 |

Business Environment

Purpose: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships

Implementation:
1. Identify business context
2. Prepare SAP Continuity Plans
3. Maintain supplier catalogue

Outcomes:
• Business Context
• SAP Continuity Plans
• Supplier Catalogue

Business Environment. Business Impact Analysis

| Process | Stakeholder | SAP System | Outage Impacts | Estimated Downtime: MTD | Estimated Downtime: RTO | Estimated Downtime: RPO |
|---|---|---|---|---|---|---|
| Pay vendor invoice | Joseph R. | ERP | Costs: 5.000 $ / day; Operations: moderate; Image: moderate | 72 hours | 48 hours | 12 hours (last backup) |
| Hire to retire | Dorothy F. | HR | Image: High | 72 hours | 48 hours | 12 hours (last backup) |

Governance

Purpose: To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes

Implementation:
1. Establish SAP Cybersecurity Policy
2. Develop SAP security processes
3. Implement control procedures

Outcomes:
• SAP Cybersecurity Policy
• SAP Security Processes
• Control Procedures

Governance Structure

Vulnerability Management

Purpose: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors

Implementation:
1. Regularly perform SAP security audits and penetration tests
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds

Outcomes:
• Scan Plans
• Scan Profiles
• Remediation Plans

Vulnerability Management. Analysis

Constraints and requirements (example):
• Duration: not more than 60 days
• Vulnerability risk level: medium and higher
• Allowed remediation types: No kernel patch

Tasks:
1. Prioritizing vulnerabilities:
   - ease of exploitation: availability of public exploit, need for preparation, need for credentials with special rights, etc.;
   - impact of a successful exploitation: full disclosure and OS-level access or just revealing of technical data;
   - prevalence of the vulnerability in SAP systems;
   - criticality of the SAP systems with the vulnerability.
2. Filtering vulnerabilities:

Outcome:
• Remediation Plan
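
The two analysis tasks above as a worked sketch, added here as an illustration and not taken from the deck: findings are filtered against the example constraints (60 days, medium and higher, no kernel patch) and ordered by the four prioritization factors. The scoring weights, field names, the `EXAMPLE-*` findings and the assignment of findings to systems are assumptions; the three `SS*` check IDs and the system IDs are the ones the deck uses.

```python
from dataclasses import dataclass

RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass(frozen=True)
class Finding:
    check_id: str
    system: str
    risk: str                   # scanner risk level: low / medium / high
    remediation_type: str       # "configuration", "sap_note", "kernel_patch"
    effort_days: float          # estimated remediation effort
    public_exploit: bool        # ease of exploitation: a public exploit exists
    needs_special_rights: bool  # ease of exploitation: privileged credentials needed
    impact: int                 # 1 = technical data revealed .. 3 = OS-level access
    affected_systems: int       # prevalence across the SAP landscape
    system_criticality: str     # from the asset inventory


def priority_score(f: Finding) -> int:
    """Fold the four prioritization factors into one sortable number.

    The weighting (product of ease, impact and criticality, with prevalence
    as a tie-breaker) is an assumption of this example.
    """
    ease = 1 + int(f.public_exploit) + int(not f.needs_special_rights)  # 1..3
    return ease * f.impact * CRITICALITY[f.system_criticality] * 100 + f.affected_systems


def build_remediation_plan(findings, max_days=60.0, min_risk="medium",
                           forbidden_types=("kernel_patch",)):
    """Return (plan, excluded, days_used) for the given constraints."""
    eligible, excluded = [], {}
    # Task 2, filtering: drop what the constraints rule out.
    for f in findings:
        if RISK_LEVELS[f.risk] < RISK_LEVELS[min_risk]:
            excluded[f.check_id] = "risk below threshold"
        elif f.remediation_type in forbidden_types:
            excluded[f.check_id] = "remediation type not allowed"
        else:
            eligible.append(f)

    # Task 1, prioritizing: highest score first, then fill the time budget.
    plan, used = [], 0.0
    for f in sorted(eligible, key=priority_score, reverse=True):
        if used + f.effort_days > max_days:
            excluded[f.check_id] = "does not fit the time budget"
            continue
        used += f.effort_days
        plan.append((len(plan) + 1, f.check_id, f.system, f.effort_days))
    return plan, excluded, used


# Constructed sample data: effort, exploitability and impact values are invented.
SAMPLE_FINDINGS = [
    Finding("SSCA_00223", "DM0", "medium", "configuration", 0.5, False, True, 1, 1, "high"),
    Finding("EXAMPLE-LOW", "ERP", "low", "configuration", 1.0, False, False, 1, 1, "low"),
    Finding("SSCA_00130", "ERP", "medium", "configuration", 0.5, False, False, 2, 3, "low"),
    Finding("EXAMPLE-KERNEL", "CRM", "high", "kernel_patch", 5.0, True, False, 3, 1, "very high"),
    Finding("SSEA_1000003", "CRM", "high", "configuration", 2.0, True, False, 3, 2, "very high"),
    Finding("EXAMPLE-BIG", "DM0", "medium", "sap_note", 59.0, True, False, 2, 1, "high"),
]

if __name__ == "__main__":
    plan, excluded, used = build_remediation_plan(SAMPLE_FINDINGS)
    for priority, check_id, system, days in plan:
        print(priority, check_id, system, f"{days}d")
    print("excluded:", excluded, "days used:", used)
```
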

Vulnerability Management. Remediation Plan

Remediation priority 1. SSEA_1000003: External RFC server registration
• Vulnerability: An attacker can use an insecure RFC configuration to register his own RFC server. As a result, he will be able to control and intercept client requests as well as copy and change information.
• Vulnerability risk: High
• Remediation type: Update configuration. Effort level: medium (~2d, downtime 4h)
• Remediation: To resolve this issue, it is recommended to configure the RFC server correctly.
• Links: RFC/ICF Security Guide

Remediation priority 2. SSCA_00130: SSL encryption for ICM connections
• Vulnerability: An unencrypted network connection may lead to interception of transmitted data and thus to unauthorized access. The HTTP protocol transmits all authentication data in plain text, which makes it easy to intercept with a spoofing attack.
• Vulnerability risk: Medium
• Remediation type: Update configuration. Effort level: easy (~4h, downtime 2h)
• Remediation: Set the icm/server_port_NN parameter to PROT=HTTPS instead of PROT=HTTP to decrease the possibility of unauthorized access.

Remediation priority 3. SSCA_00223: Central application server that maintains the system log
• Vulnerability: Incorrect permissions on this file in the operating system can allow an attacker to modify the contents of the file in such a way as to hide his tracks.
• Vulnerability risk: Medium
• Remediation type: Update configuration. Effort level: easy (~4h, downtime 2h)
• Remediation: The administrator of the operating system must correctly set the access rights to the file according to the principle of least privilege.
• Links: BOOK "Security, Audit and Control Features (SAP ERP 3rd edition)" p. 413 check.4.10.2; DOC rslg/collect_daemon/host - Central Log Host
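
A configuration check for the second item of the plan, added here as an example and not part of the deck: it reads the `icm/server_port_NN` lines of an instance profile and reports every active port that still uses `PROT=HTTP`. The profile fragments are constructed, and treating `PORT=0` as a deactivated port is an assumption of this example.

```python
import re

PORT_PARAM = re.compile(r"^icm/server_port_(\d+)\s*=\s*(.*)$")


def parse_icm_ports(profile_text):
    """Map port index -> {OPTION: value} for every icm/server_port_NN line.

    A later definition of the same parameter replaces an earlier one, so the
    result reflects the value that is effective at the end of the profile.
    """
    ports = {}
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PORT_PARAM.match(line)
        if not match:
            continue
        options = {}
        for part in match.group(2).split(","):
            key, sep, value = part.partition("=")
            if sep:
                options[key.strip().upper()] = value.strip()
        ports[int(match.group(1))] = options
    return ports


def audit_icm_ports(profile_text):
    """Return (parameter, port, message) for each active plain-HTTP port."""
    findings = []
    ports = parse_icm_ports(profile_text)
    for index in sorted(ports):
        options = ports[index]
        port = options.get("PORT", "")
        if port == "0":          # assumption: PORT=0 means the port is switched off
            continue
        if options.get("PROT", "").upper() == "HTTP":
            findings.append((
                f"icm/server_port_{index}",
                port,
                "PROT=HTTP: authentication data crosses the network in plain text",
            ))
    return findings


# Constructed profile fragments (ports and timeouts are sample values).
WEAK_PROFILE = """\
# instance profile fragment before remediation
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60
icm/server_port_2 = PROT=SMTP,PORT=0
icm/server_port_3 = prot=http, PORT=0
"""

HARDENED_PROFILE = """\
# instance profile fragment after remediation
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60
icm/server_port_2 = PROT=SMTP,PORT=0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_icm_ports(text))
```
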

Risk Management

Purpose: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems

Implementation:
1. Create threat model for SAP systems
2. Assess likelihoods and estimate business impacts of cybersecurity risks
3. Automate risk management and develop risk response plans

Outcomes:
• Threat Model
• Risk Register
• Risk Responses

Risk Management. Oil & Gas ERP Risks

| SAP Module | Asset | Threat | Consequences |
|---|---|---|---|
| SCM | Supply chain schema | Rerouting supply chain | Theft of crude oil and refined products |
| HRM | HR data | Stealing employee data (personal, salary, experience, etc.) | Identity theft, headhunting |
| PM | Oil and gas gaining systems control data | Disrupting SCADA logic and processes | Service outage, equipment damage, worker injuries |
| MII | Field data | Stealing coordinates and volumes of exploratory and production wells | Losing competitive advantage |
| SCM | Midstream and downstream assets | Stealing information about equipment and transportation | Facilitating theft and sabotage |
| PP | Production line control data | Disrupting SCADA logic and processes | Production suspension |
| SD | Prices | Stealing price formation schemas | Losing partners |
| FICO | Finance transactions | Creating fraud transactions | Monetary losses |

Secure Development

Purpose: To ensure security during SAP systems development and acquisition

Implementation:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and endpoints
2. Create secure development standards and processes
3. Automate secure development processes

Outcomes:
• SAP Security Requirements
• Development Standards and Processes
• Security Plans

Secure Development. Code Vulnerability Usage

| Type | Cause | Exploiter |
|---|---|---|
| Code Injections | Security ignorance | Hackers |
| Backdoors | Desire to simplify development; Intent to control a system | Developers |
| Missing authorization checks | Negligence | Insiders |
| Obsolete statements | Natural obsolescence of code | Administrators (unintentionally) |

PREVENT: Reduce the surface area of attack

PREVENT

| Process | Purpose |
|---|---|
| Access Control | To limit rights of authorized users and prevent unauthorized use of an SAP system |
| Awareness and Training | To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities |
| Data Security | To enforce requirements for confidentiality, integrity and availability of information in SAP systems on the data layer |
| Secure Architecture | To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls |

Access Control

Purpose: To limit rights of authorized users and prevent unauthorized use of an SAP system

Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce Segregation of Duties controls according to business process rules

Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports

Access Control. How to Create a User?

Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using InvokerServlet feature and CTC servlet

Number of objects:
1. More than 300 000 transactions
2. More than 500 000 tables
3. More than 40 000 RFC functions
4. 500 known web exploits

Awareness and Training

Purpose: To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities

Implementation:
1. Enlist commitment of Board and C-level executives
2. Provide SAP security training for BASIS and security teams
3. Provide awareness training to SAP users

Outcomes:
• Training Materials
• Training Records
• Knowledge Assessment Reports

Awareness and Training. Commitment

Dissatisfaction + Vision + First Steps > Resistance to Change

• SAP security project news
• SAP security articles
• Board interviews

• Establish security team activities
• Hire staff
• Purchase tools
• Provide trainings
• Conduct audits and assessments

Data Security

Purpose: To enforce requirements for confidentiality, integrity and availability of information in SAP systems on the data layer

Implementation:
1. Classify data assets according to their value to the organization
2. Protect data-in-transit using SNC and SSL/TLS
3. Protect data-at-rest by encryption, secure storage location and tokenization

Outcomes:
• Data Inventory
• Data Flows
• Data Security Reports

Data Security. Data Inventory

| Data Asset | Information | Asset Type | Location | Protection Requirements | Current Level of Protection: At Rest (description) | Current Level of Protection: In Transit (description) |
|---|---|---|---|---|---|---|
| Payments Table | Payment Cards Details | Oracle DB Table | DataSource=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))); | GDPR, PCI DSS | - | |
| Payments Transaction | Payment Cards Details | SAP Transaction | TR12 | GDPR, PCI DSS | SAP Authorizations | Could be exported to NAS |
| Reports .XLSX | Payment Reports | Electronic sheets, files on NAS | nas:\\finance\reports | PCI DSS | Stored on NAS, protected by AD policies. | - |

Secure Architecture

Purpose: To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls

Implementation:
1. Protect SAP perimeter
2. Secure SAP communications
3. Integrate SAP security and enterprise security

Outcomes:
• SAP Security Architecture
• SAP Security Controls
• SAP Technical Solutions

Secure Architecture. System Schema

DETECT: Monitor threats

DETECT

| Process | Purpose |
|---|---|
| Event Management | To collect information on SAP security related events |
| Threat Detection | To detect attacks and possible threats to SAP systems |
| User Behavior | To detect deviations of user behavior from the typical in SAP systems |
| Data Leakage | To detect data leakages in SAP systems |

Event Management

Purpose: To collect information on SAP security related events

Implementation:
1. Configure SAP security audit log
2. Collect SAP security-related events
3. Monitor SAP related network, systems, personnel and external service provider activities

Outcomes:
• Audit Events
• Event Databases
• Event Collecting Procedures

Event Management. Event Sources

• SAP ABAP Security log
• SAP ABAP Audit log
• SAP ABAP HTTP log
• SAP ABAP ICM Security log
• SAP ABAP RFC log
• SAP J2EE HTTP log
• SAP HANA Security log
• SAP HANA log

More than 30 logs

Log Management Solutions

Threat Detection

Purpose: To detect attacks and possible threats to SAP systems

Implementation:
1. Configure IDS/IPS systems to detect SAP attack signatures
2. Manually review SAP security events
3. Monitor potential attacks, security event combinations and anomalies

Outcomes:
• Threat Catalogue
• Threat Data Sources
• Threat Detection Rules

Threat Detection. Examples

• Password brute forcing attempts
• Unauthorized access to RFC-services
• Attacks on WEB-resources (XSS, SQL Injection, Buffer overflow, etc.)
• Attacks via source code vulnerabilities
• Authentication bypass (Verb Tampering, Invoker servlet)
• Critical actions (transactions, programs, URLs)
• SOD conflicts

User Behavior

Purpose: To detect deviations of user behavior from the typical in SAP systems

Implementation:
1. Review privileged account activities
2. Establish profiles for SAP user behavior and detect anomalies
3. Monitor SAP business activities and SOD conflicts in real time

Outcomes:
• Critical Actions Reports
• Baseline Behavior Profiles
• Anomaly Detection Rules

User Behavior. Examples

1. Atypical behavior of users from the audit department in the Sweden branch in comparison to their USA colleagues.
2. Running an administrative transaction (e.g. SE16) by a non-privileged user.
3. Use of an account after a long (e.g. six months) period of inactivity.
4. First change of user location from USA to Egypt.
5. Access to risky resources (e.g. financial reports).
6. Change of frequency for downloading reports.
7. User generates an unusual amount of traffic, possibly trying to download the whole content of the client database.
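
Examples 2, 3 and 4 from the list above written as detection rules over a stream of user events. This is an added illustration, not code from the deck: the event fields, user names and the 180-day dormancy threshold are assumptions, and the events are constructed rather than taken from a real SAP audit log.

```python
from datetime import datetime, timedelta


def detect_anomalies(events, privileged_users,
                     admin_tcodes=frozenset({"SE16"}),
                     dormancy=timedelta(days=180)):
    """Return alerts as (user, rule, detail) tuples in chronological order.

    Each event is a dict with the keys time (datetime), user, tcode, country.
    """
    alerts = []
    last_seen = {}        # user -> time of the previous event
    seen_countries = {}   # user -> countries the user has logged in from
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]

        # Example 2: administrative transaction run by a non-privileged user.
        if ev["tcode"] in admin_tcodes and user not in privileged_users:
            alerts.append((user, "admin_tcode_by_non_privileged_user", ev["tcode"]))

        # Example 3: account used again after a long period of inactivity.
        previous = last_seen.get(user)
        if previous is not None and ev["time"] - previous >= dormancy:
            idle = (ev["time"] - previous).days
            alerts.append((user, "dormant_account_reused", f"{idle} days idle"))

        # Example 4: first time the user appears from a new country.
        known = seen_countries.setdefault(user, set())
        if known and ev["country"] not in known:
            detail = f"{','.join(sorted(known))} -> {ev['country']}"
            alerts.append((user, "first_location_change", detail))

        known.add(ev["country"])
        last_seen[user] = ev["time"]
    return alerts


# Constructed events, deliberately out of order to show that the rules
# depend on event time and not on arrival order.
PRIVILEGED_USERS = {"BASIS_ADM"}
SAMPLE_EVENTS = [
    {"time": datetime(2017, 8, 1, 8, 0), "user": "BOB", "tcode": "FB03", "country": "US"},
    {"time": datetime(2017, 1, 10, 9, 0), "user": "ALICE", "tcode": "VA01", "country": "US"},
    {"time": datetime(2017, 1, 11, 9, 5), "user": "ALICE", "tcode": "SE16", "country": "US"},
    {"time": datetime(2017, 1, 11, 10, 0), "user": "BASIS_ADM", "tcode": "SE16", "country": "US"},
    {"time": datetime(2017, 1, 12, 8, 0), "user": "BOB", "tcode": "FB03", "country": "US"},
    {"time": datetime(2017, 1, 13, 12, 0), "user": "ALICE", "tcode": "VA01", "country": "EG"},
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS, PRIVILEGED_USERS):
        print(alert)
```

The per-user state here is the simplest form of the baseline behavior profile listed among the outcomes; the first event of each user only seeds the profile and never raises an alert.
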

Data Leakage

Purpose: To detect data leakages in SAP systems

Implementation:
1. Identify data leakage conditions in custom code and configuration
2. Analyze security events to detect possible data leakage
3. Monitor data flows and devices to detect data leakage in real time

Outcomes:
• Data Marking Practice
• Leakage Conditions
• Leakage Detection Rules

Data Leakage. Leak Points

• Reports
• RFC / database / network connections
• Source code:
   - Hardcoded e-mails
   - Hardcoded hostnames/SIDs
• Log files:
   - Session_id in java log traces

RESPOND: Investigate, take actions and improve

RESPOND

| Process | Purpose |
|---|---|
| Incident Response | To systematically respond to violation or threat of violation of SAP security policies and practices |
| Clear Communications | To establish structure for SAP security responsibility in a business and provide means for clear communications between its members |
| Continuous Analysis | To continuously monitor effectiveness of SAP security processes and provide insights into state of SAP security |
| Mitigation | To design and model changes to security of SAP systems |
| Improvements | To learn from external events and internal assessments of SAP security controls |

Incident Response

Purpose: To systematically respond to violation or threat of violation of SAP security policies and practices

Implementation:
1. Develop SAP security event correlation rules and incident alert threshold
2. Develop SAP incidents response and recovery plans
3. Automate SAP incident response procedures

Outcomes:
• Incident Definitions
• Incident Cases
• Incident Response Plans

Incident Response. Workflow

Collect → Correlate → Analyze → Act

Clear Communication

Purpose: To establish structure for SAP security responsibility in a business and provide means for clear communications between its members

Implementation:
1. Assign responsibilities for ensuring SAP Security
2. Establish communications between security team and other parties
3. Establish communications with 3rd party companies and threat intelligence providers

Outcomes:
• Security Responsibilities
• Security Roles Delineation
• Cyber Threat Information

Clear Communication. Contacts

• Research Centers
• Peer organizations
• CERTs
• Vendors

Continuous Analysis

Purpose: To provide insights into state of SAP security

Implementation:
1. Develop SAP security metrics
2. Automate tracking of SAP security metrics and analyze trends
3. Develop SAP forensic investigation procedures

Outcomes:
• SAP Security Metrics
• SAP Security Dashboards
• Forensic Procedures

Continuous Analysis. Metrics

• Percentage (%) of SAP systems that have security plans in place
• Percentage (%) of SAP systems and service acquisition contracts that include SAP security requirements
• Percentage (%) of developers who introduced vulnerabilities in code
• Percentage (%) of systems with unimplemented SAP Notes with public exploits
• Percentage (%) of users with simple passwords
• Percentage (%) of SAP systems covered by risk assessment

Mitigation

Purpose: To design, model and make changes to security of SAP systems

Implementation:
1. Develop SAP security controls knowledge base
2. Implement task and change management practices for SAP systems
3. Deploy virtual patching and automatic correction tools for SAP security issues

Outcomes:
• Knowledge Base
• Security CMDB
• Security Workarounds

Mitigation. Virtual Patching

Improvements

Purpose: To learn from external events and improve SAP security

Implementation:
1. Continuously analyze SAP security updates and threats
2. Attend SAP security events and trainings
3. Assess effectiveness of SAP security controls

Outcomes:
• Improvements Suggestions
• Controls Assessments

Improvements. SAP Security Conferences 2017

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

HQ Netherlands: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam

[email protected]

Thank you

Michael Rakutko
Head of Professional [email protected]
