Motivation. The Business Case for SAP Cybersecurity Framework
Current state (diagram)
Who owns which piece of SAP security today:
• CISO and CIO
• SAP Basis: patching SAP systems
• SAP Security: segregation of duties
• IT Operations: monitoring SAP systems
• Enterprise Security: vulnerability management
Resulting problems: lack of effective oversight, lack of visibility, complexity, poor integration, issues that slipped through the cracks.
Future state (diagram)
Stakeholders: CISO, CIO, CRO.
• Enterprise Security: vulnerability management + asset management + risk management + secure development
• SAP Basis: patching SAP systems + incident response + mitigation + improvements
• SAP Security: segregation of duties + data security + secure architecture + secure ...
• IT Operations: monitoring SAP systems + threat detection + user behavior + data leakage
History
The framework builds on two sources:
• Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks (https://www.gartner.com/doc/2665515/), which supplies the four categories PREDICT, PREVENT, DETECT and RESPOND used below
• EAS-SEC
SAP Cybersecurity Framework
Structure of a process description (Secure Development shown as the example):
Category: PREDICT
Process: Secure Development
Purpose: To ensure security during SAP systems development and acquisition.
Outcomes: • Security Requirements • Development Standards and Processes • Security Plans
Implementation steps:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and client stations
2. Create secure development standards and processes
3. Automate secure development processes
Implementation Tiers
• Tier 1: 50%, 3-6 months
• Tier 2: 80%, 6-12 months
• Tier 3: 99%, 12 months
Benefits
The framework is turned into concrete deliverables at each level:
• Security Program
• Security Policies
• Security Plans
• Process Descriptions
• Technical Solutions
PREDICT: Understand SAP environment
Processes and their purposes:
• Asset Management: To communicate information about SAP assets, the security category of the assets, rules of acceptable use and protection requirements
• Business Environment: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships
• Governance: To develop cybersecurity policies, roles, responsibilities and procedures so that SAP cybersecurity is understood and integrated into the organization's operational and management processes
• Vulnerability Management: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
• Risk Management: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems
• Secure Development: To ensure security during SAP systems development and acquisition
Asset Management
Purpose: To communicate information about SAP assets, the security category of the assets, rules of acceptable use and protection requirements
Implementation:
1. Create an inventory of assets
2. Assess the criticality of the assets
3. Develop a complete specification of the SAP systems
Outcomes:
• Inventory of Assets
• Criticality Assessments
• Acceptable Use Requirements
Asset Management. Inventory of assets (example)
Columns: System ID | Purpose | Interconnected systems | System criticality | Responsibility | System type | Application servers | Clients | Platform

DM0 | Supply chain management | Internal: ERP; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no | High | John F. K. | PROD | 10.0.0.1, 10.0.0.2 | 100:PRD | SAP SCM 5.0 (NetWeaver AS 7.1 ABAP)
ERP | Enterprise resource planning | Internal: HR1, HR2; Internet: no; ICS: MES system; Partners: no; Mobile: no | Low | Mike | PROD | 10.0.16.6 | 200:PRD | SAP ECC 6.0 (NetWeaver AS 7.3 ABAP)
CRM | Customer relationship management | Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no | Very High | (not assigned) | PROD | 10.0.34.5 | 210:PRD | SAP CRM 6.0 (NetWeaver AS ABAP 7.0)

The interconnection column is what the later threat model and scan profiles consume: an internet-facing system (CRM) or one bridged to plant systems (ERP to MES) changes both the attack surface and the blast radius of a compromise.
Business Environment
Purpose: To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships
Implementation:
1. Identify the business context
2. Prepare SAP continuity plans
3. Maintain a supplier catalogue
Outcomes:
• Business Context
• SAP Continuity Plans
• Supplier Catalogue
Business Environment. Business Impact Analysis (example)
Columns: Process | Stakeholder | SAP system | Outage impacts | Estimated downtime: MTD | RTO | RPO

Pay vendor invoice | Joseph R. | ERP | Costs: 5,000 $/day; Operations: moderate; Image: moderate | 72 hours | 48 hours | 12 hours (last backup)
Hire to retire | Dorothy F. | HR | Image: high | 72 hours | 48 hours | 12 hours (last backup)

MTD = maximum tolerable downtime, RTO = recovery time objective, RPO = recovery point objective. The RPO here is dictated by the backup interval, so shortening it is a backup-schedule decision, not a security one.
Governance
Purpose: To develop cybersecurity policies, roles, responsibilities and procedures so that SAP cybersecurity is understood and integrated into the organization's operational and management processes
Implementation:
1. Establish an SAP cybersecurity policy
2. Develop SAP security processes
3. Implement control procedures
Outcomes:
• SAP Cybersecurity Policy
• SAP Security Processes
• Control Procedures
Governance Structure (diagram)
Vulnerability Management
Purpose: To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors
Implementation:
1. Regularly perform SAP security audits and penetration tests
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds
Outcomes:
• Scan Plans
• Scan Profiles
• Remediation Plans
Vulnerability Management. Analysis
Constraints and requirements (example):
• Duration: not more than 60 days
• Vulnerability risk level: medium and higher
• Allowed remediation types: no kernel patch
Tasks:
1. Prioritizing vulnerabilities by
   - ease of exploitation: availability of a public exploit, need for preparation, need for credentials with special rights, etc.;
   - impact of successful exploitation: full disclosure and OS-level access, or only disclosure of technical data;
   - prevalence of the vulnerability across the SAP landscape;
   - criticality of the SAP systems that have the vulnerability.
2. Filtering vulnerabilities against the constraints above (minimum risk level, allowed remediation types, and the time budget).
Outcome:
• Remediation Plan
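The scoring and filtering described above, as an added example (not code from the original deck): findings are scored on ease of exploitation, impact, prevalence and system criticality, filtered by minimum risk and allowed remediation type, and then fitted greedily into the time budget. The factor weights, the two EXAMPLE_* check ids and the effort figures are constructed; the three real check ids and the system criticalities are taken from the slides.

```python
"""Turn scanner findings into a remediation plan: score, filter, fit to budget."""
from __future__ import annotations
from dataclasses import dataclass

RISK_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SYSTEM_CRITICALITY_RANK = {"low": 1, "medium": 2, "high": 3, "very high": 4}
IMPACT_SCORE = {"os_access": 3, "full_disclosure": 2, "technical_info": 1}


@dataclass(frozen=True)
class Finding:
    check_id: str
    system_id: str
    risk: str               # low / medium / high / critical (scanner rating)
    public_exploit: bool    # ease of exploitation: a public exploit exists
    needs_privileges: bool  # ease of exploitation: special credentials required
    impact: str             # os_access / full_disclosure / technical_info
    prevalence: float       # 0.0-1.0: share of landscape systems showing it
    remediation_type: str   # config / note / kernel_patch
    effort_days: float      # estimated remediation effort


def priority_score(f: Finding, criticality: dict[str, str]) -> float:
    """Higher = fix first. Multiplicative, so one weak factor cannot be masked by another."""
    ease = 1.0 + (1.0 if f.public_exploit else 0.0) + (0.0 if f.needs_privileges else 1.0)
    impact = IMPACT_SCORE[f.impact]
    system = SYSTEM_CRITICALITY_RANK[criticality.get(f.system_id, "medium").lower()]
    return ease * impact * (1.0 + f.prevalence) * system


def build_remediation_plan(findings, criticality, *, max_days=60.0,
                           min_risk="medium", allowed_types=("config", "note")):
    """Apply the constraints, rank by score, then fill the time budget greedily."""
    eligible = [f for f in findings
                if RISK_RANK[f.risk] >= RISK_RANK[min_risk]
                and f.remediation_type in allowed_types]
    ranked = sorted(eligible, key=lambda f: priority_score(f, criticality), reverse=True)
    plan, deferred, used = [], [], 0.0
    for f in ranked:
        if used + f.effort_days <= max_days:
            plan.append(f)
            used += f.effort_days
        else:
            deferred.append(f)   # eligible but outside the budget: next cycle
    return plan, deferred


# Constructed sample: criticalities from the inventory slide, the three findings
# from the remediation-plan slide, plus two made-up findings to exercise the filters.
SAMPLE_CRITICALITY = {"DM0": "High", "ERP": "Low", "CRM": "Very High"}
SAMPLE_FINDINGS = [
    Finding("SSEA_1000003", "DM0", "high", True, False, "full_disclosure", 0.6, "config", 2.0),
    Finding("SSCA_00130", "CRM", "medium", False, False, "full_disclosure", 0.9, "config", 0.5),
    Finding("SSCA_00223", "ERP", "medium", False, True, "technical_info", 0.3, "config", 0.5),
    Finding("EXAMPLE_KERNEL_01", "CRM", "critical", True, False, "os_access", 0.5, "kernel_patch", 3.0),
    Finding("EXAMPLE_INFO_01", "ERP", "low", False, True, "technical_info", 0.2, "config", 0.5),
]


def plan_ids(max_days: float = 60.0) -> tuple[list[str], list[str]]:
    """Check ids in plan order, and the eligible ids deferred by the budget."""
    plan, deferred = build_remediation_plan(SAMPLE_FINDINGS, SAMPLE_CRITICALITY, max_days=max_days)
    return [f.check_id for f in plan], [f.check_id for f in deferred]


if __name__ == "__main__":
    for f in build_remediation_plan(SAMPLE_FINDINGS, SAMPLE_CRITICALITY)[0]:
        print(f"{f.check_id:15} {f.system_id:4} score={priority_score(f, SAMPLE_CRITICALITY):.1f}")
```

Note what the constraints do to the ranking: the constructed critical kernel-level finding scores highest of all but never reaches the plan because kernel patches were excluded, and with a 2-day budget the high-risk gateway item is deferred behind two cheap medium ones. A plan produced this way should therefore always be read together with its deferred list.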
Vulnerability Management. Remediation Plan (example)
Columns: Priority | Vulnerability | Vulnerability risk | Remediation type | Remediation

Priority 1 | SSEA_1000003: External RFC server registration | High | Update configuration
An attacker can use an insecure gateway configuration to register their own external RFC server. As a result they can control and intercept client requests as well as copy and change information.
Effort level: medium (~2 days, downtime 4 hours)
Remediation: configure the gateway so that only known hosts may register external RFC servers (the registration ACL gw/reg_info, with gw/acl_mode set to 1 so that the defaults are restrictive), and verify afterwards that the legitimately registered programs still connect.
Links: RFC/ICF Security Guide

Priority 2 | SSCA_00130: SSL encryption for ICM connections | Medium | Update configuration
An unencrypted network connection lets transmitted data be intercepted and so leads to unauthorized access. HTTP transmits all authentication data in plain text, so anyone positioned on the network path (for example via ARP spoofing) can read it.
Effort level: easy (~4 hours, downtime 2 hours)
Remediation: set the icm/server_port_NN parameter to PROT=HTTPS instead of PROT=HTTP. This presupposes an SSL server PSE with a certificate the clients trust (maintained in STRUST); without it the HTTPS port will come up but clients will reject the connection.

Priority 3 | SSCA_00223: Central application server that maintains the system log | Medium | Update configuration
Incorrect operating-system permissions on the central system log file allow an attacker to modify its contents to hide their tracks.
Effort level: easy (~4 hours, downtime 2 hours)
Remediation: the operating-system administrator must set the access rights on the file according to the principle of least privilege.
Links: • Book "Security, Audit and Control Features SAP ERP (3rd edition)", p. 413, check 4.10.2 • Documentation: rslg/collect_daemon/host - Central Log Host
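Two of the three items above are profile-parameter findings, so they can be checked from the instance profile before and after the change. The following is an added example (not code from the original deck): it parses a constructed instance profile, flags plain-HTTP ICM ports and an open gateway, and also covers the security audit log, SNC and minimum password length that later slides rely on. The parameter names are real SAP profile parameters; the profile contents and the severities are made up, and a parameter that is absent is deliberately treated as its insecure value so that the check errs on the side of reporting.

```python
"""Check an SAP instance profile for weak settings (constructed profiles)."""
from __future__ import annotations
import re

WEAK_PROFILE = """\
# constructed instance profile (not from a real system)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=44300
gw/acl_mode = 0
rsau/enable = 0
login/min_password_lng = 6
"""

HARDENED_PROFILE = """\
# constructed hardened version of the same profile
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60
gw/acl_mode = 1
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
rsau/enable = 1
snc/enable = 1
login/min_password_lng = 12
"""


def parse_profile(text: str) -> dict[str, str]:
    """'name = value' lines; values may themselves contain '=' (ICM port strings)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_profile(text: str) -> list[tuple[str, str, str]]:
    """Return (parameter, severity, message) for every weak or missing setting."""
    p = parse_profile(text)
    findings = []

    # ICM: any port declared as plain HTTP carries logon data in clear text.
    for name, value in p.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            fields = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            if fields.get("PROT", "").upper() == "HTTP":
                findings.append((name, "medium",
                                 f"plain HTTP on port {fields.get('PORT', '?')}; use PROT=HTTPS"))

    # Gateway: gw/acl_mode = 1 applies restrictive defaults when the ACL files
    # are absent; 0 keeps the legacy behaviour that lets any host register a
    # server. Missing is treated as 0 here so the check is conservative.
    if p.get("gw/acl_mode", "0") != "1":
        findings.append(("gw/acl_mode", "high", "not 1: external RFC server registration unrestricted"))
    for acl in ("gw/reg_info", "gw/sec_info"):
        if acl not in p:
            findings.append((acl, "medium", "gateway ACL file not configured"))

    # Security audit log, SNC for DIAG/RFC, password length (missing = insecure).
    if p.get("rsau/enable", "0") != "1":
        findings.append(("rsau/enable", "medium", "security audit log disabled"))
    if p.get("snc/enable", "0") != "1":
        findings.append(("snc/enable", "medium", "SNC disabled: DIAG and RFC traffic unencrypted"))
    if int(p.get("login/min_password_lng", "6")) < 8:
        findings.append(("login/min_password_lng", "low", "minimum password length below 8"))
    return findings


if __name__ == "__main__":
    for param, severity, message in check_profile(WEAK_PROFILE):
        print(f"[{severity:6}] {param}: {message}")
```

Running the check on the weak profile lists seven findings; the hardened profile produces none. In a real landscape the same check would be run against the active parameter values (transaction RZ11 or the exported profile of every instance), because the file on disk and the running value can differ until the next restart.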
Risk Management
Purpose: To make decisions on addressing possible adverse impacts from the operation and use of SAP systems
Implementation:
1. Create a threat model for the SAP systems
2. Assess likelihoods and estimate business impacts of cybersecurity risks
3. Automate risk management and develop risk response plans
Outcomes:
• Threat Model
• Risk Register
• Risk Responses
Risk Management. Oil & Gas ERP Risks (example)
Columns: SAP module | Asset | Threat | Consequences

SCM | Supply chain schema | Rerouting the supply chain | Theft of crude oil and refined products
HRM | HR data | Stealing employee data (personal, salary, experience, etc.) | Identity theft, headhunting
PM | Oil and gas gathering systems control data | Disrupting SCADA logic and processes | Service outage, equipment damage, worker injuries
MII | Field data | Stealing coordinates and volumes of exploratory and production wells | Loss of competitive advantage
SCM | Midstream and downstream assets | Stealing information about equipment and transportation | Facilitating theft and sabotage
PP | Production line control data | Disrupting SCADA logic and processes | Production suspension
SD | Prices | Stealing price formation schemas | Losing partners
FICO | Finance transactions | Creating fraudulent transactions | Monetary losses
Secure Development
Purpose: To ensure security during SAP systems development and acquisition
Implementation:
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and endpoints
2. Create secure development standards and processes
3. Automate secure development processes
Outcomes:
• SAP Security Requirements
• Development Standards and Processes
• Security Plans
Secure Development. Code Vulnerability Usage
Columns: Type | Cause | Exploiter

Code injections | Security ignorance | Hackers
Backdoors | Desire to simplify development; intent to control a system | Developers
Missing authorization checks | Negligence | Insiders
Obsolete statements | Natural obsolescence of code | Administrators (unintentionally)
PREVENT: Reduce the attack surface
Processes and their purposes:
• Access Control: To limit the rights of authorized users and prevent unauthorized use of an SAP system
• Awareness and Training: To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities
• Data Security: To enforce confidentiality, integrity and availability requirements for information in SAP systems at the data layer
• Secure Architecture: To ensure the security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls
Access Control
Purpose: To limit the rights of authorized users and prevent unauthorized use of an SAP system
Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce segregation-of-duties controls according to business process rules
Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports
Access Control. How to Create a User?
Ways to create a user in an SAP system:
1. Transaction SU01
2. A direct write to database table USR02
3. RFC function BAPI_USER_CREATE
4. A web exploit using the InvokerServlet feature and the CTC servlet
Number of objects:
1. More than 300 000 transactions
2. More than 500 000 tables
3. More than 40 000 RFC functions
4. 500 known web exploits
The point: a role concept that only governs the transaction path leaves the table, RFC and web paths to the same outcome uncontrolled; each path needs its own control (table authorization groups, RFC authorizations and gateway ACLs, patched and disabled web services).
Awareness and Training
Purpose: To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities
Implementation:
1. Enlist the commitment of the Board and C-level executives
2. Provide SAP security training for the Basis and security teams
3. Provide awareness training to SAP users
Outcomes:
• Training Materials
• Training Records
• Knowledge Assessment Reports
Awareness and Training. Commitment
Dissatisfaction + Vision + First Steps > Resistance to Change
Communication: • SAP security project news • SAP security articles • Board interviews
First steps: • Establish security team activities • Hire staff • Purchase tools • Provide training • Conduct audits and assessments
Data Security
Purpose: To enforce confidentiality, integrity and availability requirements for information in SAP systems at the data layer
Implementation:
1. Classify data assets according to their value to the organization
2. Protect data in transit using SNC and SSL/TLS (SNC covers the SAP GUI/DIAG and RFC protocols; SSL/TLS covers HTTP-based access, so both are needed for full coverage)
3. Protect data at rest by encryption, secure storage location and tokenization
Outcomes:
• Data Inventory
• Data Flows
• Data Security Reports
Data Security. Data Inventory (example)
Columns: Data asset | Information | Asset type | Location | Protection requirements | Current level of protection at rest | Current level of protection in transit

Payments table | Payment card details | Oracle DB table | DataSource=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))) | GDPR, PCI DSS | - | (not recorded)
Payments transaction | Payment card details | SAP transaction | TR12 | GDPR, PCI DSS | SAP authorizations | Could be exported to NAS
Reports .XLSX | Payment reports | Spreadsheets, files on NAS | nas:\\finance\reports | PCI DSS | Stored on NAS, protected by AD policies | -

The second row is the one to watch: the transaction itself is guarded by SAP authorizations, but the export it allows moves card data onto the NAS, where the third row shows only file-share permissions protecting it.
Secure Architecture
Purpose: To ensure the security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls
Implementation:
1. Protect the SAP perimeter
2. Secure SAP communications
3. Integrate SAP security with enterprise security
Outcomes:
• SAP Security Architecture
• SAP Security Controls
• SAP Technical Solutions
Secure Architecture. System Schema (diagram)
DETECT: Monitor threats
Processes and their purposes:
• Event Management: To collect information on SAP security-related events
• Threat Detection: To detect attacks and possible threats to SAP systems
• User Behavior: To detect deviations of user behavior from what is typical in SAP systems
• Data Leakage: To detect data leakage from SAP systems
Event Management
Purpose: To collect information on SAP security-related events
Implementation:
1. Configure the SAP security audit log
2. Collect SAP security-related events
3. Monitor SAP-related network, system, personnel and external service provider activities
Outcomes:
• Audit Events
• Event Databases
• Event Collecting Procedures
Event Management. Event Sources
• SAP ABAP Security log
• SAP ABAP Audit log
• SAP ABAP HTTP log
• SAP ABAP ICM Security log
• SAP ABAP RFC log
• SAP J2EE HTTP log
• SAP HANA Security log
• SAP HANA log
More than 30 logs in total, fed into log management solutions.
Threat Detection
Purpose: To detect attacks and possible threats to SAP systems
Implementation:
1. Configure IDS/IPS systems to detect SAP attack signatures
2. Manually review SAP security events
3. Monitor potential attacks, security event combinations and anomalies
Outcomes:
• Threat Catalogue
• Threat Data Sources
• Threat Detection Rules
Threat Detection. Examples
• Password brute-forcing attempts
• Unauthorized access to RFC services
• Attacks on web resources (XSS, SQL injection, buffer overflow, etc.)
• Attacks via source code vulnerabilities
• Authentication bypass (verb tampering, Invoker servlet)
• Critical actions (transactions, programs, URLs)
• SoD conflicts
User Behavior
Purpose: To detect deviations of user behavior from what is typical in SAP systems
Implementation:
1. Review privileged account activities
2. Establish profiles of SAP user behavior and detect anomalies
3. Monitor SAP business activities and SoD conflicts in real time
Outcomes:
• Critical Actions Reports
• Baseline Behavior Profiles
• Anomaly Detection Rules
User Behavior. Examples
1. Atypical behavior of users in the audit department of the Sweden branch compared with their USA colleagues.
2. Running an administrative transaction (e.g. SE16) by a non-privileged user.
3. Use of an account after a long period of inactivity (e.g. six months).
4. First change of a user's location from USA to Egypt.
5. Access to risky resources (e.g. financial reports).
6. Change in the frequency of downloading reports.
7. A user generates an unusual amount of traffic, possibly trying to download the whole content of the client database.
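Three of the detections listed here and on the Threat Detection slide (password brute forcing, an administrative transaction by a non-privileged user, and reuse of a dormant account) can be expressed as rules over the security audit log. The following is an added example (not code from the original deck) that runs them over a constructed log: the lines imitate a simplified CSV export with the fields timestamp, message id, user, client, terminal, text. AU1, AU2 and AU3 are the real audit message ids for "logon successful", "logon failed" and "transaction started"; the users, terminals, last-logon dates and the admin/critical-transaction lists are made up.

```python
"""Brute-force, critical-transaction and dormant-account rules over a constructed audit log."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
2017-03-01 09:00:01,AU2,JSMITH,100,WS-0142,Logon failed (reason = 1, type = A)
2017-03-01 09:00:09,AU2,JSMITH,100,WS-0142,Logon failed (reason = 1, type = A)
2017-03-01 09:00:17,AU2,JSMITH,100,WS-0142,Logon failed (reason = 1, type = A)
2017-03-01 09:00:24,AU2,JSMITH,100,WS-0142,Logon failed (reason = 1, type = A)
2017-03-01 09:00:31,AU2,JSMITH,100,WS-0142,Logon failed (reason = 1, type = A)
2017-03-01 09:00:40,AU1,JSMITH,100,WS-0142,Logon successful (type = A)
2017-03-01 09:05:10,AU3,JSMITH,100,WS-0142,Transaction SE16 started
2017-03-01 09:06:00,AU3,BASIS01,100,WS-0001,Transaction SE16 started
2017-03-01 09:30:00,AU2,MBROWN,100,WS-0207,Logon failed (reason = 1, type = A)
2017-03-01 10:00:00,AU1,OLDACCT,100,WS-0310,Logon successful (type = A)
"""
# Constructed context: who may run admin transactions, and each account's previous
# logon date (in practice taken from USR02 or the audit log history).
ADMIN_USERS = {"BASIS01"}
CRITICAL_TCODES = {"SE16", "SU01", "SM59", "SE38", "PFCG"}
LAST_LOGON = {"JSMITH": datetime(2017, 2, 28), "BASIS01": datetime(2017, 2, 28),
              "OLDACCT": datetime(2016, 6, 1)}


@dataclass
class Event:
    ts: datetime
    msg_id: str
    user: str
    client: str
    terminal: str
    text: str


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg_id, user, client, terminal, msg = line.split(",", 5)  # text keeps its commas
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg_id, user, client, terminal, msg))
    return sorted(events, key=lambda e: e.ts)


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60),
                       success_within=timedelta(minutes=10)):
    """N failed logons per (user, terminal) inside the window; note whether a success follows."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in events:
        if e.msg_id != "AU2":
            continue
        key = (e.user, e.terminal)
        q = recent[key]
        q.append(e.ts)
        while q and e.ts - q[0] > window:          # slide the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)                          # one alert per burst
            later_ok = any(x.msg_id == "AU1" and (x.user, x.terminal) == key
                           and e.ts < x.ts <= e.ts + success_within for x in events)
            alerts.append(("brute_force", e.user,
                           f"{len(q)} failures from {e.terminal}; success followed: {later_ok}"))
    return alerts


def detect_critical_tcode(events, admins=ADMIN_USERS):
    alerts = []
    for e in events:
        m = re.match(r"Transaction (\S+) started", e.text) if e.msg_id == "AU3" else None
        if m and m.group(1) in CRITICAL_TCODES and e.user not in admins:
            alerts.append(("critical_tcode", e.user, f"{m.group(1)} by non-admin from {e.terminal}"))
    return alerts


def detect_dormant_logons(events, last_logon=LAST_LOGON, dormant_after=timedelta(days=180)):
    alerts = []
    for e in events:
        if e.msg_id == "AU1" and e.user in last_logon and e.ts - last_logon[e.user] > dormant_after:
            alerts.append(("dormant_account", e.user,
                           f"first logon after {(e.ts - last_logon[e.user]).days} days"))
    return alerts


def run_all(text: str) -> list[tuple[str, str, str]]:
    events = parse_events(text)
    return detect_brute_force(events) + detect_critical_tcode(events) + detect_dormant_logons(events)


if __name__ == "__main__":
    for rule, user, detail in run_all(SAMPLE_LOG):
        print(f"{rule:16} {user:8} {detail}")
```

The brute-force rule deliberately reports whether a successful logon followed the burst, since that is what separates a noisy scan from an account that is now in the attacker's hands; the single failure for MBROWN and the SE16 call by the Basis administrator produce nothing.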
Data Leakage
Purpose: To detect data leakage from SAP systems
Implementation:
1. Identify data leakage conditions in custom code and configuration
2. Analyze security events to detect possible data leakage
3. Monitor data flows and devices to detect data leakage in real time
Outcomes:
• Data Marking Practice
• Leakage Conditions
• Leakage Detection Rules
Data Leakage. Leak Points
• Reports
• RFC / database / network connections
• Source code:
  • hard-coded e-mail addresses
  • hard-coded hostnames / SIDs
• Log files:
  • session_id in Java log traces
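The source-code leak points above, and the developer backdoors from the Secure Development slide, are the kind of thing a simple static check over custom ABAP can catch before transport. The following is an added example (not code from the original deck): it scans a constructed ABAP report for hard-coded e-mail addresses, IP addresses, hostnames and SIDs, and for logic keyed to a specific user name (sy-uname), skipping comments so that a mail address in a comment does not fire. The program text and the rule set are made up; the regular expressions are heuristics, not an ABAP parser.

```python
"""Scan ABAP source for hard-coded leak points and user-keyed backdoors (constructed sample)."""
from __future__ import annotations
import re

SAMPLE_ABAP = """\
REPORT zfin_export.
* constructed sample program (not real customer code)
CONSTANTS: c_host TYPE string VALUE 'sapprd01.corp.example',
           c_mail TYPE string VALUE 'fin.reports@corp.example'.
DATA lv_ip TYPE string VALUE '10.0.34.5'.
IF sy-sysid = 'PRD'.
  " production only: send the export
ENDIF.
IF sy-uname = 'DEVUSER1'.
  " skip the authority check for the developer account
  gv_authorized = abap_true.
ENDIF.
" contact admin@corp.example if this fails
SELECT * FROM bseg INTO TABLE lt_bseg.
"""

RULES = {
    "hardcoded_email": re.compile(r"'([\w.+-]+@[\w-]+(?:\.[\w-]+)+)'"),
    "hardcoded_ip": re.compile(r"'((?:\d{1,3}\.){3}\d{1,3})'"),
    "hardcoded_hostname": re.compile(r"'([a-z0-9-]+(?:\.[a-z0-9-]+)+)'", re.I),
    "hardcoded_sid": re.compile(r"sy-sysid\s*(?:=|EQ)\s*'(\w{3})'", re.I),
    "user_backdoor": re.compile(r"sy-uname\s*(?:=|EQ)\s*'(\w+)'", re.I),
}


def strip_comment(line: str) -> str:
    """Drop '*' full-line comments and an inline '"' comment that is outside a literal."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line


def scan_abap(source: str) -> list[tuple[int, str, str]]:
    """(line number, rule, matched literal) for every hit in executable code."""
    hits = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        for rule, rx in RULES.items():
            for m in rx.finditer(code):
                hits.append((no, rule, m.group(1)))
    # An IP literal also matches the hostname pattern: keep only the more specific rule.
    specific = {(no, lit) for no, rule, lit in hits if rule in ("hardcoded_email", "hardcoded_ip")}
    return [h for h in hits if not (h[1] == "hardcoded_hostname" and (h[0], h[2]) in specific)]


if __name__ == "__main__":
    for no, rule, literal in scan_abap(SAMPLE_ABAP):
        print(f"line {no:2}  {rule:20} {literal}")
```

The sy-uname rule is the one worth wiring into the transport check first: a branch that behaves differently for one named account is the classic developer backdoor from the Secure Development slide, and unlike a hard-coded hostname it has no legitimate reason to exist in productive code.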
RESPOND: Investigate, take action and improve
Processes and their purposes:
• Incident Response: To respond systematically to violations, or threatened violations, of SAP security policies and practices
• Clear Communications: To establish a structure for SAP security responsibility in the business and provide means for clear communication between its members
• Continuous Analysis: To continuously monitor the effectiveness of SAP security processes and provide insight into the state of SAP security
• Mitigation: To design and model changes to the security of SAP systems
• Improvements: To learn from external events and internal assessments of SAP security controls
Incident Response
Purpose: To respond systematically to violations, or threatened violations, of SAP security policies and practices
Implementation:
1. Develop SAP security event correlation rules and incident alert thresholds
2. Develop SAP incident response and recovery plans
3. Automate SAP incident response procedures
Outcomes:
• Incident Definitions
• Incident Cases
• Incident Response Plans
Incident Response. Workflow: Collect → Correlate → Analyze → Act
Clear Communication
Purpose: To establish a structure for SAP security responsibility in the business and provide means for clear communication between its members
Implementation:
1. Assign responsibilities for ensuring SAP security
2. Establish communication between the security team and other parties
3. Establish communication with third-party companies and threat intelligence providers
Outcomes:
• Security Responsibilities
• Security Roles Delineation
• Cyber Threat Information
Clear Communication. Contacts: research centers, peer organizations, CERTs, vendors
Continuous Analysis
Purpose: To provide insight into the state of SAP security
Implementation:
1. Develop SAP security metrics
2. Automate tracking of SAP security metrics and analyze trends
3. Develop SAP forensic investigation procedures
Outcomes:
• SAP Security Metrics
• SAP Security Dashboards
• Forensic Procedures
Continuous Analysis. Metrics
• Percentage (%) of SAP systems that have security plans in place
• Percentage (%) of SAP systems and service acquisition contracts that include SAP security requirements
• Percentage (%) of developers who introduced vulnerabilities in code
• Percentage (%) of systems with unimplemented SAP Notes that have public exploits
• Percentage (%) of users with simple passwords
• Percentage (%) of SAP systems covered by risk assessment
Mitigation
Purpose: To design, model and make changes to the security of SAP systems
Implementation:
1. Develop an SAP security controls knowledge base
2. Implement task and change management practices for SAP systems
3. Deploy virtual patching and automatic correction tools for SAP security issues
Outcomes:
• Knowledge Base
• Security CMDB
• Security Workarounds
Mitigation. Virtual Patching (diagram)
Improvements
Purpose: To learn from external events and improve SAP security
Implementation:
1. Continuously analyze SAP security updates and threats
2. Attend SAP security events and training
3. Assess the effectiveness of SAP security controls
Outcomes:
• Improvement Suggestions
• Controls Assessments
Improvements. SAP Security Conferences 2017
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
Thank you
Michael Rakutko, Head of Professional [email protected]