Upload: ertunga-arsal

Post on 15-Feb-2017


Page 1: SAP Security Best Practices - SAP Vulnerability Management and SAP Real-time Monitoring / SIEM Integration - Tech Data SAP User Group Presentation

SAP SECURITY BEST PRACTICES – For Protecting Large SAP Implementations

DSAG Annual Congress - 20.09.2016

Page 2

Today’s Agenda

A. Introduction

B. Tech Data SAP security challenges

C. Our approach and the best practices

D. Measuring our success

E. Q&A

Presenter: Jürgen Streit, Director of IT Security, Tech Data

Page 3

Tech Data at a Glance

Company: Tech Data Corporation (Nasdaq: TECD)

Industry Segment: Technology distributor

Annual Revenue: $26.4 Billion (FY-2016)

Distribution: 100+ countries

Employees: 9,000 worldwide

SAP Systems: 50+

ALL critical Tech Data business processes run on SAP.

Page 4

Why We Started This Project

Increasing number of high-profile security breaches in the news

Tech Data’s most sensitive data is stored on SAP systems

Attacks have shifted from network to applications

Legal requirements about data protection (PII) have increased

Page 5

SAP Security Status when We Started

No comprehensive view into the SAP security situation

Assessments took more than a week per SAP system (we have 50+)

Monitoring progress was impossible

Incident detection was difficult and slow

Page 6

New Approach to SAP Security

Three pillars: Protection, Detection, Response

Firefighting is bad, processes are good

Automate as much as possible

Minimize required config changes

Protection and detection must work together

Page 7

Tech Data SAP Landscape Security (Simplified)

[Landscape diagram: network zones Outside Tech Data Network, Outer DMZ, Outer Firewall, Backend I and Backend II; SAP systems ERP, BW, GRC, HR, CRM, Solution Manager and other SAP systems; e-com systems connected to SAP; the ESNC Security Suite with Enterprise Threat Monitor covering the landscape.]

Legend:

SAP GRC: Account provisioning, SoD

ESNC Security Suite: SAP vulnerability management, ABAP code security

Enterprise Threat Monitor: SAP real-time monitoring, SIEM integration

Page 8

SAP VULNERABILITY MANAGEMENT

Page 9

Phase I – Low Hanging Fruit

Begin with the most common, publicly known vulnerabilities

BIZEC-TEC11 is a good benchmark for starters

Details at https://www.esnc.de/bizec

[Screenshot: ESNC Security Suite – Compliance status, sample results (not TD)]

Page 10

Phase II - Holistic SAP Security

Risk analysis & prioritization based on vulnerabilities of connected systems

We uncovered key vulnerabilities that traditional methods and SAP’s own tools didn’t detect

Multivector Threat Analysis: “Where can an attacker get to after hacking system XYZ?”

Details at https://www.esnc.de

[Screenshot: ESNC Security Suite – Multivector Threat Analysis, sample results (not TD)]

Page 11

Best Practices in SAP Vulnerability Management

Legacy or Ineffective:

Manual work / consultancy-driven vulnerability assessments executed annually

Sample-based scans (some PROD systems and just the production client) focused on SoD

In-house developed ABAPs - point tools for security

Best Practice:

Automated analysis executed monthly

Full scope (all PROD + non-PROD + all clients) including system security, system interconnectivity and ABAP security

Utilizing best-in-class, professionally updated enterprise solutions

Page 12

REAL-TIME SAP SECURITY MONITORING AND SIEM INTEGRATION

Page 13

Regular Security Monitoring

SOX requirements and security best practices dictate that SAP systems need to be regularly monitored for security incidents...

But what technology do we use and how do we use it? What do we look for?

Page 14

Technology Selection

Big SIEM solutions focus on network and OS logs

Very limited capabilities for SAP security monitoring

We needed an SAP-specific tool. Requirements:

Works out-of-the-box with little or no maintenance

Can send pre-correlated SAP security events to ArcSight, Splunk or QRadar for advanced correlation

Quickly adapts to our organization

Page 15

Threat Monitoring Cases

Begin with built-in Enterprise Threat Monitor use cases. Handles more than 300 cases “out-of-the-box” including:

Access/download of sensitive data

Unauthorized change of users’ roles/profiles

Exploiting debugging to get SAP_ALL

Logon by an HR-terminated employee’s SAP account

Detection of account sharing

Further configuration for our Z*, Y* tables, reports, and transactions
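To make the threat-monitoring cases above concrete, here is an added example (not Enterprise Threat Monitor's or Tech Data's code) expressing three of them as rules over constructed SAP-style logon and user-change records: logon by a terminated employee's account, a role/profile change by someone outside the user-administration group or a self-assignment of a critical profile (a proxy for the "debugging to get SAP_ALL" case), and account sharing inferred from one account logging on from two terminals within a short window. The record layout, the HR feed, the admin set and the time window are assumptions for the example, not the Security Audit Log format.

```python
"""Added example: three SAP threat-monitoring cases as rules over
constructed events. Field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). 'kind' is LOGON or USER_CHANGE.
EVENTS = [
    {"ts": "2016-09-05 08:02", "kind": "LOGON", "user": "MUELLER", "terminal": "WS-1001", "ok": True},
    {"ts": "2016-09-05 08:05", "kind": "LOGON", "user": "MUELLER", "terminal": "WS-2042", "ok": True},
    {"ts": "2016-09-05 09:10", "kind": "LOGON", "user": "EXEMP01", "terminal": "WS-3117", "ok": True},
    {"ts": "2016-09-05 09:30", "kind": "USER_CHANGE", "actor": "DEVUSER", "target": "DEVUSER", "profile": "SAP_ALL"},
    {"ts": "2016-09-05 10:00", "kind": "USER_CHANGE", "actor": "SECADMIN", "target": "NEWHIRE", "profile": "Z_SALES"},
    {"ts": "2016-09-05 14:00", "kind": "LOGON", "user": "JSMITH", "terminal": "WS-4490", "ok": True},
]
TERMINATED = {"EXEMP01"}          # constructed HR feed: accounts of terminated employees
USER_ADMINS = {"SECADMIN"}        # constructed: accounts allowed to change roles/profiles
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
SHARING_WINDOW = timedelta(minutes=10)  # assumption: two terminals within 10 minutes


def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")


def terminated_logons(events, terminated):
    """Successful logons with an account that HR reports as terminated."""
    return [e for e in events if e["kind"] == "LOGON" and e["ok"] and e["user"] in terminated]


def unauthorized_user_changes(events, admins, critical):
    """Role/profile changes by a non-admin, of a critical profile, or to oneself."""
    out = []
    for e in events:
        if e["kind"] != "USER_CHANGE":
            continue
        if e["actor"] not in admins or e["profile"] in critical or e["actor"] == e["target"]:
            out.append(e)
    return out


def account_sharing(events, window):
    """Same account logged on successfully from two terminals within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGON" and e["ok"]:
            by_user[e["user"]].append(e)
    hits = []
    for user, logons in by_user.items():
        logons.sort(key=_ts)
        for a, b in zip(logons, logons[1:]):
            if a["terminal"] != b["terminal"] and _ts(b) - _ts(a) <= window:
                hits.append((user, a["terminal"], b["terminal"]))
    return hits


def run_cases(events):
    """Run all three cases and return the matches per case name."""
    return {
        "terminated_logon": [e["user"] for e in terminated_logons(events, TERMINATED)],
        "unauthorized_user_change": [
            (e["actor"], e["target"], e["profile"])
            for e in unauthorized_user_changes(events, USER_ADMINS, CRITICAL_PROFILES)
        ],
        "account_sharing": account_sharing(events, SHARING_WINDOW),
    }


if __name__ == "__main__":
    for case, hits in run_cases(EVENTS).items():
        print(case, hits)
```

Each rule is deliberately a join against a second data source (HR feed, admin group, the user's other logons); that is what distinguishes an SAP-aware case from forwarding raw audit-log lines to a SIEM and hoping someone writes the correlation later.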

Page 16

Our New Approach

Start now! Show success now!

ETM implementation required low effort (system was up in a day)

Showing “real events” convinced key stakeholders instantly

Improve the detection and response capabilities over time

Project: Find out the most important SM19 event types and determine their storage requirements

Result: The most important ones take 97% of the space, so activate them all.

Analysis details at https://www.enterprise-threat-monitor.com/SAP-log-analysis

Page 17

Incident or Security Exception?

[Screenshots: adding a generic security exception; issue details]

Page 18

ESR Methodology for Incident Classification

We use https://www.enterprise-threat-monitor.com/esr-methodology

Three categories:

Business process deficiency > Fix process

User working in non-secure/non-compliant way > Guide user

Potential “real” incident: Suspicious activity by user > Trigger incident response

Page 19

Investigations: User Behavior Analytics

[Screenshot: detected anomaly]

Page 20

Investigations: User Behavior Analytics

[Screenshot: user never logs in on weekends]

Page 21

Finding the Source

User uses other workstations

JSMITH, who works in sales, uses this workstation

Tag & trigger incident response
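The investigation on the last three slides (a user who never logs in on weekends suddenly does, from a workstation that belongs to someone in another department) can be reduced to a per-user baseline and two checks against it. The following is an added example, not Enterprise Threat Monitor's or Tech Data's code: the history, the terminal-owner map, the minimum baseline size and the action labels are constructed assumptions.

```python
"""Added example: per-user logon baseline (weekdays, terminals) and
anomaly scoring for the weekend / foreign-workstation case."""
from collections import defaultdict
from datetime import datetime, timedelta

DAYNAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MIN_HISTORY = 20  # assumption: do not score a user with fewer baseline logons

# Constructed: which workstation is normally used by whom (asset inventory / HR).
TERMINAL_OWNER = {"WS-2201": ("AWEBER", "Finance"), "WS-4490": ("JSMITH", "Sales")}


def make_history():
    """Constructed six weeks of weekday-only logons for AWEBER from WS-2201."""
    start = datetime(2016, 7, 18)  # a Monday
    hist = []
    for d in range(42):
        day = start + timedelta(days=d)
        if day.weekday() < 5:
            hist.append({"ts": day.replace(hour=8, minute=15), "user": "AWEBER", "terminal": "WS-2201"})
    return hist


def build_baseline(history):
    """Per user: set of weekdays seen, set of terminals seen, logon count."""
    base = defaultdict(lambda: {"weekdays": set(), "terminals": set(), "count": 0})
    for e in history:
        b = base[e["user"]]
        b["weekdays"].add(e["ts"].weekday())
        b["terminals"].add(e["terminal"])
        b["count"] += 1
    return base


def score_logon(event, baseline, owners):
    """Return (reasons, action) for one new logon event."""
    b = baseline.get(event["user"])
    if b is None or b["count"] < MIN_HISTORY:
        return [], "insufficient baseline"
    reasons = []
    action = "none"
    wd = event["ts"].weekday()
    if wd not in b["weekdays"]:
        reasons.append(f"{event['user']} never logged on on a {DAYNAMES[wd]} before")
    if event["terminal"] not in b["terminals"]:
        owner = owners.get(event["terminal"])
        if owner and owner[0] != event["user"]:
            # Another person's workstation: tag and hand over to incident response.
            reasons.append(f"terminal {event['terminal']} belongs to {owner[0]} ({owner[1]})")
            action = "tag and trigger incident response"
        else:
            reasons.append(f"terminal {event['terminal']} not in baseline")
    if reasons and action == "none":
        action = "review"
    return reasons, action


def demo():
    """Score a Saturday logon from JSMITH's workstation and a normal weekday logon."""
    base = build_baseline(make_history())
    weekend = {"ts": datetime(2016, 9, 3, 22, 40), "user": "AWEBER", "terminal": "WS-4490"}  # Saturday
    normal = {"ts": datetime(2016, 9, 5, 8, 20), "user": "AWEBER", "terminal": "WS-2201"}    # Monday
    return {"weekend": score_logon(weekend, base, TERMINAL_OWNER),
            "normal": score_logon(normal, base, TERMINAL_OWNER)}


if __name__ == "__main__":
    for name, (reasons, action) in demo().items():
        print(name, action, reasons)
```

The baseline-size guard matters in practice: a new hire has no history, and flagging every logon of theirs is exactly the kind of noise the later slides fight.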

Page 22

Phase I - Detection and Response Results

Over one billion existing SAP security logs analyzed (+ change docs and other sources)

143,000+ matches to a predefined threat

Problem: Manual review will take forever!

Project will fail if the “noise” problem cannot be solved

Page 23

Phase II - Machine Learning to Solve Problems

Enterprise Threat Monitor ‘learned’ our organizational patterns and created security exceptions automatically

Existing findings: 143,246

Automatically generated security exceptions: 1,105

Eliminated noise: 140,479

Noise reduction ratio: 98.1 %

Items left for manual review: 2,767 + auto generated
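The mechanics behind the numbers above (findings in, exceptions applied, noise reduction ratio out) are shown in this added example, which is not Enterprise Threat Monitor's code. The slides do not describe how ETM learns organizational patterns; the automatic exception generator here is a deliberately simple frequency heuristic (an identical case/user/object combination repeated many times is treated as business-as-usual) and is an assumption standing in for it. The findings, the manual exception and the threshold are constructed. It also covers the manual-workshop step on the next slide by applying manual exceptions on top of the generated ones.

```python
"""Added example: security exceptions applied to constructed findings,
with a simple frequency heuristic generating exceptions automatically."""
from collections import Counter


def make_findings():
    """Constructed findings from one threat case on sensitive-table downloads.
    PA0008 is the HR basic-pay infotype table; the users are made up."""
    f = [{"id": i, "case": "SENSITIVE_DOWNLOAD", "user": "PAYROLL01", "object": "PA0008"}
         for i in range(40)]  # payroll clerk exporting pay data daily: business as usual
    f.append({"id": 40, "case": "SENSITIVE_DOWNLOAD", "user": "HRADMIN", "object": "PA0008"})
    f.append({"id": 41, "case": "SENSITIVE_DOWNLOAD", "user": "DEVUSER", "object": "PA0008"})
    f.append({"id": 42, "case": "SENSITIVE_DOWNLOAD", "user": "DEVUSER", "object": "PA0008"})
    return f


# Constructed manual exception from a review workshop (HR admin is entitled).
MANUAL_EXCEPTIONS = [{"key": ("SENSITIVE_DOWNLOAD", "HRADMIN", "PA0008"), "source": "manual"}]


def key(f):
    return (f["case"], f["user"], f["object"])


def auto_exceptions(findings, min_repeats=10):
    """Assumption: a (case, user, object) combination seen at least
    `min_repeats` times is an organizational pattern, not an incident."""
    counts = Counter(key(f) for f in findings)
    return [{"key": k, "source": "auto", "hits": n} for k, n in counts.items() if n >= min_repeats]


def apply_exceptions(findings, exceptions):
    """Suppress findings covered by an exception; report the noise reduction."""
    allowed = {e["key"] for e in exceptions}
    remaining = [f for f in findings if key(f) not in allowed]
    eliminated = len(findings) - len(remaining)
    ratio = round(100.0 * eliminated / len(findings), 1) if findings else 0.0
    return {"existing": len(findings), "exceptions": len(exceptions), "eliminated": eliminated,
            "noise_reduction_pct": ratio, "remaining": remaining}


def demo():
    """Phase II (auto exceptions only) and Phase III (auto + manual) results."""
    findings = make_findings()
    auto = auto_exceptions(findings)
    return {"auto_only": apply_exceptions(findings, auto),
            "auto_plus_manual": apply_exceptions(findings, auto + MANUAL_EXCEPTIONS)}


if __name__ == "__main__":
    for phase, r in demo().items():
        print(phase, {k: v for k, v in r.items() if k != "remaining"},
              "left:", [(f["user"], f["id"]) for f in r["remaining"]])
```

Note what the heuristic leaves behind: DEVUSER's two downloads stay on the review list because they are rare, which is the right outcome, while a threshold set too low would have excused them too. Exception generation is itself a control to audit.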

Page 24

Phase III - Full-Day Workshop

Created 52 manual security exceptions

Average 9.2 mins spent per exception

Reduced remaining findings by half

Page 25

After Four Weeks

Machine-generated exceptions saved us ~130 person-days of work

New events per week reduced from ~3000 to 25

Activated real-time email alerting

[Chart: Incidents per week, Week 1 to Week 4, y-axis "Incidents" from 0 to 3000 (ticks 750, 1500, 2250, 3000); series "Security exceptions" and "Incidents to be reviewed". Data labels as extracted: 1,394; 2,747; 198; the remaining labels are garbled (25781325200).]

Page 26

SAP Security Monitoring Best Practices

Legacy or Ineffective:

Manual log reviews

Forwarding raw SAP logs to a SIEM solution and trying to have someone write threat monitoring cases

Activating some SAP security event types in SM19

Focusing on PROD only

Best Practice:

Utilizing real-time monitoring and alerting which adapts to the organization

Using proven technology with a focus on improving processes

Activating ALL SAP security event types in SM19

Full scope (all PROD + non-PROD + all SAP clients)

Page 27

MEASURING SUCCESS

Page 28

Measuring Our Success

Transparency of SAP security posture: before, limited to a handful of SAP systems; now, complete landscape (with minor exceptions)

Tracking progress: before, results are incomparable; now, standardized and trackable/comparable

Time to analyze one SAP system in-depth: before, more than a week; now, less than an hour

Detection and response to incidents: before, manual review, few threat cases; now, real-time, over 300 threat cases

Page 29

What We Love about Our New Approach

After each ESNC ABAP code scan, vulnerable ABAPs are added to Enterprise Threat Monitor

Builds a safety net until development can create permanent fixes

Perfect collaboration of vulnerability discovery & real-time monitoring

Real-time SAP security configuration monitoring

e.g. accidentally changed login/no_automatic_user_sapstar to 0 (bad)

Detection and alerting within minutes instead of waiting until the next assessment
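The two mechanisms on this slide, a watchlist of ABAP reports flagged by the code scan and a drift check on security-relevant profile parameters, are small enough to show end to end. This is an added example, not ESNC's or Enterprise Threat Monitor's code: the parameter names are real SAP profile parameters, but the baseline, the current snapshot, the report name, the events and the severity labels are constructed assumptions.

```python
"""Added example: profile-parameter drift alerting and a "safety net"
watchlist for ABAP reports with open code-scan findings."""

# Constructed known-good baseline captured after the last assessment.
BASELINE = {
    "login/no_automatic_user_sapstar": "1",  # 1 = automatic SAP* emergency logon disabled
    "login/min_password_lng": "8",
    "rdisp/gui_auto_logout": "1800",
}
# Constructed current snapshot: someone set the SAP* parameter back to 0.
CURRENT = {
    "login/no_automatic_user_sapstar": "0",
    "login/min_password_lng": "8",
    "rdisp/gui_auto_logout": "1800",
}
# Assumption for the example: predicates defining a secure value per parameter.
SECURE = {
    "login/no_automatic_user_sapstar": lambda v: v == "1",
    "login/min_password_lng": lambda v: v is not None and int(v) >= 8,
}


def parameter_drift(baseline, current, secure=SECURE):
    """Alert on every parameter whose value differs from the baseline.
    Severity is 'high' when the new value fails the secure-value predicate
    (or the parameter vanished), 'medium' for any other change."""
    alerts = []
    for param, old in baseline.items():
        new = current.get(param)
        if new == old:
            continue
        if new is None:
            insecure = True
        elif param in secure:
            insecure = not secure[param](new)
        else:
            insecure = False
        alerts.append({"param": param, "from": old, "to": new,
                       "severity": "high" if insecure else "medium"})
    return alerts


# Constructed watchlist: report name -> open finding from the ABAP code scan.
WATCHLIST = {
    "ZHR_PAY_EXPORT": "code scan: missing AUTHORITY-CHECK, fix ticket: <placeholder>",
}
# Constructed report-start events; RSUSR002 is a standard report and not listed.
EXEC_EVENTS = [
    {"user": "HRADMIN", "report": "ZHR_PAY_EXPORT", "client": "100"},
    {"user": "PAYROLL01", "report": "RSUSR002", "client": "100"},
]


def watchlist_hits(events, watchlist=WATCHLIST):
    """Every execution of a watchlisted report is an alert until the fix ships."""
    return [dict(e, reason=watchlist[e["report"]]) for e in events if e["report"] in watchlist]


if __name__ == "__main__":
    for a in parameter_drift(BASELINE, CURRENT):
        print("PARAM DRIFT", a)
    for h in watchlist_hits(EXEC_EVENTS):
        print("WATCHLIST", h)
```

Running the drift check on each snapshot (rather than once per assessment) is what turns the accidental `login/no_automatic_user_sapstar = 0` from a finding discovered months later into an alert within minutes; the watchlist removes an entry only when the code scan no longer reports the finding.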

Page 30

WRAPPING UP

Page 31

QUESTIONS TO ASK YOURSELVES

What is the business and legal impact if our SAP systems are hacked?

How soon do we find out if someone changes a critical security parameter?

Can an attacker “jump” from DEV systems to PROD?

Can we detect incidents as they happen?

Page 32

Q&A

Jürgen [email protected]

Page 33

Learn More at

www.enterprise-threat-monitor.com

This document contains references to products of SAP SE. SAP, ABAP, SAPGUI and other named SAP products and associated logos are brand names or registered trademarks of SAP SE in Germany and other countries in the world. HP and ArcSight are registered trademarks of Hewlett-Packard Development Company, L.P. Splunk is a registered trademark of Splunk, Inc. IBM and QRadar are trademarks of International Business Machines Corporation. Enterprise Threat Monitor is a registered trademark of ESNC GmbH, Germany. All other trademarks are the property of their respective owners.