How to Predict SAP Data Breaches? - SAP Cyber Security ...

Posted on 16-Aug-2020


AGENDA

• Case for SAP Cybersecurity Framework
• Respond to SAP Security Incidents
• Demo Time

CRITICAL ASSETS

Source: Industry-Focused Data Breach Report 2018

TYPICAL INCIDENTS

Source: Industry-Focused Data Breach Report 2018

AS IS

Stakeholders: Security Team, SAP Users, BASIS Administrators, Management

What they say today:
• "May I download BP000 table?"
• "SM20 lets us track every action!"
• "Our SOC monitors all network flows!"
• "SAP_ALL for ALL!"

TO BE

Executive owners: CISO, CIO, CRO

ENTERPRISE SECURITY: Vulnerability Management + Asset Management + Risk Management + Secure Development

SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements

SAP SECURITY: Segregation of Duties + Data Security + Secure Architecture + Awareness and Training

IT OPERATIONS: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage

IMPLEMENTATION TIERS

Tier 1: 50%, 3-6 months
Tier 2: 80%, 6-12 months
Tier 3: 99%, 12 months

RESPOND: Investigate, take action, and improve

SAP SECURITY INCIDENTS

Use case | Example | Action

CONFIGURATIONS:
Weak Configuration | System has configuration issues: security audit log is disabled, encryption of RFC isn't configured | Create remediation plan for SAP administrators
Vulnerabilities | Unpatched SAP SSO component (SAP Note 2389042: a denial of service vulnerability in the SAP SSO component) | Install security patch, implement security note
Authorizations | Weak passwords, SoD conflicts, critical profiles assigned | Analyze the need for the provided access

EVENTS:
Threat Events | Successful critical actions (OS command, system configuration, RFC, DB, user management, program, report) | Investigate activity, revoke authorizations, adjust correlation rules
Attack Events | Potential attacks: SQL Injection, XSS, XXE, RCE, DoS, Directory Traversal, Missing Authorization, Verb Tampering; real attacks (specific SAP services) | Block access and investigate network activity
Anomaly | All actions with transactions and tables (Business Partners, Customers, Documents, Purchase, HR data, Users, Invoices, …) | Review anomalous activity and adjust notification rules

RESPOND

Process | Purpose
Incident Response | To systematically respond to violation or threat of violation of SAP security policies and practices
Clear Communications | To structure SAP security responsibilities in a business and provide means for clear communications between its members
Continuous Analysis | To continuously monitor the effectiveness of SAP security processes and provide insights into the state of SAP security
Mitigation | To design and model changes to the security of SAP systems
Improvements | To learn from external events and internal assessments of SAP security controls

INCIDENT RESPONSE

Purpose: To systematically respond to violation or threat of violation of SAP security policies and practices

Outcomes:
• Incident Definitions
• Incident Cases
• Incident Response Plans

Implementation:
1. Develop SAP security event correlation rules and incident alert thresholds
2. Develop SAP incident response and recovery plans
3. Automate SAP incident response procedures

INCIDENT TEMPLATE

Name: ADMINISTRATIVE LOGON OUTSIDE OF SPECIFIC SEGMENT OF LAN

Description: Productive SAP systems must be administered from a specific segment of the LAN only. All connections from outside that segment are prohibited and shall be investigated in order to prevent future violations of the requirement.

Data Sources: Security Audit Logs

Threshold: IP address is not like 172.16.3.% AND SAP user is in [SAP*, TMSADM, EARLYWATCH]

Response:
• Notify Network Team to block network access.
• Locate hosts involved in the action. Check for virus infections and configuration.
• Identify responsible individuals. Conduct interviews to avoid recurrence of the incident.

Reporting: Notify CISO, include in the "non-compliances" section of the weekly security report
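The threshold in this template is a correlation rule that can be evaluated directly over Security Audit Log records. The script below is an added example written for this page; it is not code from the slide deck or from ERPScan. It assumes a constructed, simplified record shape (timestamp, user, terminal IP, message ID), translates the `LIKE '172.16.3.%'` pattern into the CIDR block 172.16.3.0/24, treats `SAP*` as the literal SAP* user ID (not a wildcard), and, as its own assumption, limits matching to the logon messages AU1 (logon successful) and AU2 (logon failed), which the template does not name. The rule is held as data so the user list and segment can be changed without touching the logic.

```python
"""Evaluate the INCIDENT TEMPLATE threshold against Security Audit Log records.

Added example; not code from the slide deck or from ERPScan.  The record
layout is a constructed, simplified view of a Security Audit Log entry.
Real SM20 / RSAU exports carry more fields and must be mapped onto it first.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

Record = Tuple[str, str, str, str]  # (timestamp, user, terminal_ip, message_id)


@dataclass(frozen=True)
class LogonRule:
    name: str
    allowed_segment: str       # CIDR form of "IP address is not like 172.16.3.%"
    watched_users: frozenset   # "SAP*" is the literal SAP* user ID, not a wildcard
    logon_messages: frozenset  # assumption: AU1 = logon successful, AU2 = logon failed;
                               # the template itself names no message ID


ADMIN_LOGON_OUTSIDE_SEGMENT = LogonRule(
    name="ADMINISTRATIVE LOGON OUTSIDE OF SPECIFIC SEGMENT OF LAN",
    allowed_segment="172.16.3.0/24",
    watched_users=frozenset({"SAP*", "TMSADM", "EARLYWATCH"}),
    logon_messages=frozenset({"AU1", "AU2"}),
)

# Constructed sample log; the 2nd, 4th and 5th records should trip the rule.
SAMPLE_LOG: List[Record] = [
    ("2018-03-01 08:02:11", "SAP*",       "172.16.3.25",  "AU1"),  # admin user, inside segment
    ("2018-03-01 08:05:40", "TMSADM",     "10.20.30.41",  "AU1"),  # admin user, outside -> incident
    ("2018-03-01 08:07:03", "JSMITH",     "10.20.30.40",  "AU1"),  # not a watched user
    ("2018-03-01 08:09:55", "EARLYWATCH", "203.0.113.7",  "AU2"),  # failed logon, outside -> incident
    ("2018-03-01 08:11:12", "SAP*",       "172.16.30.8",  "AU1"),  # 172.16.30.x is not 172.16.3.% -> incident
    ("2018-03-01 08:12:30", "SAP*",       "198.51.100.9", "AU3"),  # not a logon message, ignored
]


def violates(rule: LogonRule, record: Record) -> bool:
    """True when the record meets the template threshold:
    terminal IP not in the admin segment AND user in the watched list."""
    _, user, terminal_ip, message_id = record
    if message_id not in rule.logon_messages:
        return False
    if user not in rule.watched_users:
        return False
    try:
        return ip_address(terminal_ip) not in ip_network(rule.allowed_segment)
    except ValueError:
        # Unparseable terminal field (e.g. a hostname): treat as outside so it is reviewed
        return True


def evaluate(rule: LogonRule, records: Iterable[Record]) -> List[dict]:
    """One incident per violating record, carrying what the Response and
    Reporting steps need (who, from where, when)."""
    return [
        {"incident": rule.name, "timestamp": ts, "user": user,
         "terminal_ip": ip, "message_id": mid}
        for (ts, user, ip, mid) in records
        if violates(rule, (ts, user, ip, mid))
    ]


def non_compliance_section(incidents: List[dict]) -> str:
    """Text for the 'non-compliances' section of the weekly security report."""
    if not incidents:
        return "Non-compliances: none"
    lines = [f"Non-compliances: {len(incidents)}"]
    for inc in incidents:
        lines.append(f"- {inc['timestamp']} {inc['incident']}: user {inc['user']} "
                     f"from {inc['terminal_ip']} ({inc['message_id']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(non_compliance_section(evaluate(ADMIN_LOGON_OUTSIDE_SEGMENT, SAMPLE_LOG)))
```

The fifth sample record shows why the trailing dot in `172.16.3.%` matters: 172.16.30.8 does not match the pattern and is therefore outside the segment under both the LIKE form and the CIDR form. Unparseable terminal values are deliberately treated as outside the segment, so a record that cannot be classified is reviewed rather than silently dropped.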

ENABLE LOGGING

• Network level: SAProuter, ICM and Web Dispatcher, Message Server, HTTP logs
• SAP system level: System Log, Security Audit Log, Authorization Traces
• Object level: Transport System Changes, Table Changes, Document Changes
• Interface level: Read Access Logging, UI Masking, UI Logging

INCIDENT RESPONSE. WORKFLOW

Collect → Correlate → Analyze → Act

CLEAR COMMUNICATIONS

Purpose: To structure SAP security responsibilities in a business and provide means for clear communications between its members

Outcomes:
• Security Responsibilities
• Security Roles Delineation
• Cyber Threat Information

Implementation:
1. Assign responsibilities for ensuring SAP security
2. Establish communications between the security team and other parties
3. Establish communications with 3rd-party companies and threat intelligence providers

CLEAR COMMUNICATIONS. CONTACTS

• Research Centers
• Peer organizations
• CERTs
• Vendors

CONTINUOUS ANALYSIS

Purpose: To provide insights into the state of SAP security

Outcomes:
• SAP Security Metrics
• SAP Security Dashboards
• Forensic Procedures

Implementation:
1. Develop SAP security metrics
2. Automate tracking of SAP security metrics and analyze trends
3. Develop SAP forensic investigation procedures

CONTINUOUS ANALYSIS. METRICS

• Percentage (%) of SAP systems that have security plans in place
• Percentage (%) of SAP systems and service acquisition contracts that include SAP security requirements
• Percentage (%) of developers who introduced vulnerabilities in code
• Percentage (%) of systems with unimplemented SAP Notes that have public exploits
• Percentage (%) of users with simple passwords
• Percentage (%) of SAP systems covered by risk assessment

MITIGATION

Purpose: To design, model and make changes to the security of SAP systems

Outcomes:
• Knowledge Base
• Security CMDB
• Security Workarounds

Implementation:
1. Develop SAP security controls knowledge base
2. Implement task and change management practices for SAP systems
3. Deploy virtual patching and automatic correction tools for SAP security issues

MITIGATION. VIRTUAL PATCHING

IMPROVEMENTS

Purpose: To learn from external events and improve SAP security

Outcomes:
• Improvement Suggestions
• Controls Assessments

Implementation:
1. Continuously analyze SAP security updates and threats
2. Attend SAP security events and trainings
3. Assess the effectiveness of SAP security controls

IMPROVEMENTS. SAP SECURITY CONFERENCES 2018

Demo Time: ERPScan Smart Cybersecurity Platform

THANK YOU

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301. Phone 650.798.5255
EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam. Phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic

Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletter: eepurl.com/bef7h1

erpscan.com | inbox@erpscan.com

Michael Rakutko, Head of Professional Services, m.rakutko@erpscan.com
