
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Security Monitoring for your SAP Landscape - Challenge accepted!

Thomas Meindl // Senior Consultant IT-Security

10.09.2014 © iT-CUBE SYSTEMS GmbH 2014 2

10 years of strong IT security focus

60+ realized SIEM integrations

8 years accredited HP ArcSight Partner & Training Center

Deep knowledge in SAP security & development

Revolutionary 360° SAP Security Solution

COMPANY OVERVIEW


Agenda

Motivation

SIEM Evolution

The Solution - agileSI 360°

Use Cases

Recap & Benefits


Questions and Answers

Motivation - SAP Security Status Quo

Protect your SAP® data…

SAP RISK

Essential Business Processes

Critical, sensitive data HR, FI, CRM, SRM, PP, PLM

Intellectual property product data, bill of material, CAD data

…“big“ data! big risk!


SAP® tools bypass SAP® security

SAP INHERENT SECURITY & VULNERABILITIES

Figure: SAP® tools and interfaces shown on the slide: SAP® GRC, SAP® Solution Manager, SAP® IDM, SAP® STMS, SAP® Gateway, SAP® JCo, SAP® OSS, SAP® RFC; debugging, OS commands, transports.


SIEM Evolution


SIEM EVOLUTION

Figure: SIEM maturity chart. Y axis: log device diversity (AV / FW, OS / DB, application logs, VA / IDM / IAM / reputation-based data). X axis: system maturity and sophistication of use cases (log management / compliance, threat detection, insider threat detection; identity view, APT and botnet detection, fraud, DLP).


SAP®/SIEM Integration

360° SAP SECURITY MONITORING

Network devices

Security devices

Identity management

Endpoint servers

Databases

Email/Web gateways

Physical Access

The blind spot:

Business Application Runtime


SIEM: (r)evolution in SAP Security Monitoring

Figure: automation chart. Y axis: level of automation; X axis: scope of inspection. Stages: manual checks, reports, SAP Security Intelligence with a remediation process.

THE SOLUTION


The Solution – agileSI™ 360°


SOLUTION ARCHITECTURE

SAP® Security Sources: Security Audit Log, System Log, System Parameters, Tables, Transport Log, Gateway Config & Log, Change Documents (SCDO + UMR), Table Change Logging, Access Control (SoD), Security Patches, Transaction Codes

HP ArcSight specific content package: 100+ detection use cases derived from

− DSAG Audit Guidelines − SAP Security Recommendations − iT-CUBE SAP Security Specialists

(content package defined with practically proven knowledge)

agileSI™ components: data extraction (SAP®) → CEF format mapping → SIEM visualization (HP ArcSight, SAP® Security Analytics)
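As an added example of the "CEF format mapping" step (this is not agileSI's or iT-CUBE's code): a small Python converter that takes Security Audit Log records in an assumed semicolon-separated export format (the records below are constructed) and emits ArcSight CEF, including the escaping rules CEF requires for header and extension fields. AU1, AU2 and AU3 are real SAL message IDs; the vendor/product header values, the event names and severities assigned to them, and the choice of extension keys are assumptions made for this example.

```python
"""Map SAP Security Audit Log (SAL) records to ArcSight CEF.

Added example, not agileSI or iT-CUBE code. The semicolon-separated
export format parsed here is an assumption made for this example and the
records are constructed. AU1/AU2/AU3 are real SAL message IDs, but the
CEF names, severities and header values chosen for them are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

CEF_VERSION = 0
DEVICE_VENDOR = "SAP"                 # assumed header values
DEVICE_PRODUCT = "SecurityAuditLog"
DEVICE_VERSION = "7.40"

# SAL message ID -> (CEF event name, CEF severity 0..10); assumed mapping
SAL_EVENTS = {
    "AU1": ("Logon successful", 1),
    "AU2": ("Logon failed", 5),
    "AU3": ("Transaction started", 1),
}
OUTCOMES = {"AU1": "success", "AU2": "failure"}


@dataclass(frozen=True)
class SalRecord:
    timestamp: str    # as extracted; ISO-8601 assumed
    sid: str
    client: str
    msg_id: str
    user: str
    terminal: str
    detail: str = ""  # transaction code, logon reason, ...


def parse_export_line(line: str) -> SalRecord:
    """Parse one line of the assumed export format:
    timestamp;SID;client;message ID;user;terminal;detail (detail optional)."""
    parts = line.rstrip("\r\n").split(";", 6)
    if len(parts) < 6:
        raise ValueError(f"expected at least 6 fields: {line!r}")
    parts += [""] * (7 - len(parts))
    return SalRecord(*parts)


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec: SalRecord) -> str:
    name, severity = SAL_EVENTS.get(rec.msg_id, (f"Unmapped SAL message {rec.msg_id}", 3))
    header = "|".join(escape_header(v) for v in (
        DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION, rec.msg_id, name, str(severity)))
    # Standard CEF extension keys; cs1 carries the SAP client (assumed convention)
    extension = {
        "rt": rec.timestamp,
        "dvchost": rec.sid,
        "cs1Label": "SAPClient",
        "cs1": rec.client,
        "suser": rec.user,
        "shost": rec.terminal,
        "msg": rec.detail,
        "outcome": OUTCOMES.get(rec.msg_id, ""),
    }
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items() if v)
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def convert(export_text: str) -> list[str]:
    return [to_cef(parse_export_line(l)) for l in export_text.splitlines() if l.strip()]


# Constructed sample export: a failed logon, a successful logon, a transaction start
SAMPLE_EXPORT = """\
2014-09-10T08:15:22Z;ECP;100;AU2;DDIC;WS-4711;reason=wrong password
2014-09-10T08:15:40Z;ECP;100;AU1;DDIC;WS-4711;
2014-09-10T08:16:02Z;ECP;100;AU3;DDIC;WS-4711;SE38
"""

if __name__ == "__main__":
    for cef_line in convert(SAMPLE_EXPORT):
        print(cef_line)
```

The escaping is the part that silently breaks SIEM parsing when omitted: an `=` inside a reason text splits the extension into a bogus key/value pair, and a `|` in a header field shifts every following column.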


agileSI™‘s wider range of visibility

360° SAP SECURITY MONITORING

Figure: agileSI™ serves Management, the SAP department, the SOC and Audit, with an interface to the ticketing system. Monitored areas:

SoD conflicts & access control

SAP standard accounts

Authorization changes

Security audit logs & settings

System & client changes

Table change logging

STMS/transports

OS command execution

Changes to user master records

Debugging activities

Export to Excel detection

Logon of virus-infected client

RFC connections

Application brute-force attack

Critical transactions, programs, …


Implementation in ArcSight


From raw event to signal – separating the noise

ARCSIGHT IMPLEMENTATION

Figure labels: Case Manager; agileSI™ SAP Security Intelligence


SAP® related devices

SAP® related security incidents…

ARCSIGHT IMPLEMENTATION

1 … by agileSI™ HP ArcSight content package

2 … by HP ArcSight standard content [ agileSI™ talks SIEM ]

3 … by HP ArcSight standard content [ agileSI™ Asset/Network Model ]

Example: an SAP® failed login is mapped to the HP ArcSight authentication failure category.
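Once SAP logon events arrive in the SIEM as authentication failures, the standard content can count them. The following Python is an added example (not agileSI or HP ArcSight content) of that correlation, run over constructed events: a sliding-window brute-force rule per system and user, with the priority raised when the asset model marks the target system as production, and a separate critical alert when a successful logon follows a burst of failures. The threshold, the window, the asset roles and the events are all assumptions for this example.

```python
"""Correlate SAP failed-logon events into brute-force alerts, prioritised
by the target system's role.

Added example, not agileSI or HP ArcSight content. Events, asset model,
threshold and window are constructed or assumed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset model: SID -> role (agileSI takes this from SAP itself)
ASSETS = {"ECP": "production", "ECQ": "quality", "ECD": "development"}

THRESHOLD = 5                   # failed logons per (system, user) ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window (assumed values)


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    sid: str
    client: str
    user: str
    terminal: str
    success: bool   # AU1 -> True, AU2 -> False


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: str
    user: str
    failures: int
    terminals: tuple[str, ...]
    priority: str
    reason: str


def _priority(sid: str, succeeded: bool) -> str:
    """Escalate on production systems, and further if the burst ended in a success."""
    prod = ASSETS.get(sid) == "production"
    if succeeded:
        return "critical" if prod else "high"
    return "high" if prod else "medium"


class BruteForceDetector:
    def __init__(self, threshold: int = THRESHOLD, window: timedelta = WINDOW):
        self.threshold = threshold
        self.window = window
        self._failures: dict[tuple[str, str], deque] = defaultdict(deque)
        self._last_alert: dict[tuple[str, str], datetime] = {}

    def feed(self, ev: LogonEvent) -> Alert | None:
        key = (ev.sid, ev.user)
        q = self._failures[key]
        while q and ev.ts - q[0][0] > self.window:   # expire old failures
            q.popleft()
        if ev.success:
            alert = self._alert(ev, q, True) if len(q) >= self.threshold else None
            q.clear()   # a successful logon ends the burst either way
            return alert
        q.append((ev.ts, ev.terminal))
        if len(q) < self.threshold:
            return None
        last = self._last_alert.get(key)
        if last is not None and ev.ts - last <= self.window:
            return None   # already alerted on this burst
        self._last_alert[key] = ev.ts
        return self._alert(ev, q, False)

    def _alert(self, ev: LogonEvent, q: deque, succeeded: bool) -> Alert:
        terminals = tuple(sorted({t for _, t in q}))
        reason = ("successful logon after %d failures" if succeeded
                  else "%d failed logons within window") % len(q)
        return Alert(ev.ts, ev.sid, ev.user, len(q), terminals,
                     _priority(ev.sid, succeeded), reason)


def run_detector(events: list[LogonEvent]) -> list[Alert]:
    det = BruteForceDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        a = det.feed(ev)
        if a is not None:
            alerts.append(a)
    return alerts


def sample_events() -> list[LogonEvent]:
    """Constructed: 6 failures for DDIC on ECP from two terminals within
    2.5 minutes, then a success; 3 failures for DEVELOPER on ECD."""
    t0 = datetime(2014, 9, 10, 8, 0, 0)
    events = [LogonEvent(t0 + timedelta(seconds=30 * i), "ECP", "100", "DDIC",
                         "WS-4711" if i % 2 == 0 else "WS-4712", False) for i in range(6)]
    events.append(LogonEvent(t0 + timedelta(minutes=4), "ECP", "100", "DDIC", "WS-4712", True))
    events += [LogonEvent(t0 + timedelta(minutes=i), "ECD", "100", "DEVELOPER", "WS-0001", False)
               for i in range(3)]
    return events


if __name__ == "__main__":
    for a in run_detector(sample_events()):
        print(a.ts, a.sid, a.user, a.priority, a.reason, a.terminals)
```

The detector keys on system and user rather than on source terminal, so an attacker rotating workstations still crosses the threshold; the terminals are carried along in the alert for the analyst.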


ARCSIGHT IMPLEMENTATION


3. Powerful HP ArcSight Content Pack

agileSI™ for HP ArcSight

agileSI™ light [SAP remote connector with limited security sources]

… for quick wins / proof of value

agileSI™ Extended

… for a maximum in security

agileSI™ SAP Security Intelligence package for 360° SAP Security Monitoring in HP ArcSight SIEM


Use Cases


Use Cases

USE CASE EXAMPLES - EXTENDED

… and many more

• Monitoring of special accounts

• Changes to critical data

• Logon of virus-infected clients

• Detect anomalies in workflows

• What if critical data is leaving SAP?

agileSI™ will help…

STMS Transport Management

• SoD conflicts in STMS

• Critical objects imported, e.g. assignment of authorization objects

• STMS parameter checks

• Transport at unusual time frame

RFC transparency

• Actually used RFC connections & transparency map (NON-SAP to SAP; NON-PROD. to PROD.)

• RFC settings like SNC, RFC trace, trusted relationships

• RFC user monitoring (accounts and user type used)

Security Logs and Settings

• Control of SAP Security Audit Log and other critical logs like table change logs

• Control of log settings (activation, trace level)

SoD conflicts and Access Control

• All DSAG (>115!) checks implemented and covered by agileSI™ (SAP & ArcSight)

• Checks are maintainable, customizable, extendable

Continuous! Automated! Complete and holistic! In SIEM!
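An added example (not agileSI code) for the RFC transparency use case: constructed connection records, of the kind an RFCDES extract and the gateway log would provide, are turned into a source-to-target map and audited for the conditions listed above: NON-PROD to PROD and NON-SAP to SAP edges, connections without SNC, and dialog-type users stored in destinations. The system inventory, the records and the severities are assumptions for this example; the RFC type and user type codes are the real SAP codes.

```python
"""Build an RFC transparency map from extracted connection records and flag
risky edges.

Added example, not agileSI code. The records are constructed; in a real
landscape they would come from RFCDES (outbound destinations) and the
gateway log (inbound callers). The inventory and severities are assumed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: SID -> role. Anything not listed is treated as non-SAP.
SYSTEMS = {"ECP": "production", "CRP": "production",
           "ECQ": "quality", "ECD": "development"}


@dataclass(frozen=True)
class RfcEdge:
    source: str      # SID, or caller name for non-SAP systems
    target: str
    name: str        # destination name (RFCDES RFCDEST) or gateway-log identifier
    snc: bool        # Secure Network Communications active on the connection
    user: str
    user_type: str   # USR02 USTYP: A dialog, B system, C communication, S service


@dataclass(frozen=True)
class Finding:
    edge: RfcEdge
    rule: str
    severity: str


def tier(system: str) -> str:
    return SYSTEMS.get(system, "non-sap")


def build_map(edges: list[RfcEdge]) -> dict[str, set[str]]:
    """Who talks to whom: source -> set of targets."""
    graph: dict[str, set[str]] = defaultdict(set)
    for e in edges:
        graph[e.source].add(e.target)
    return dict(graph)


def audit(edges: list[RfcEdge]) -> list[Finding]:
    findings = []
    for e in edges:
        src, dst = tier(e.source), tier(e.target)
        if src == "non-sap" and dst != "non-sap":
            findings.append(Finding(e, "non-SAP caller into SAP system", "medium"))
        elif src not in ("non-sap", "production") and dst == "production":
            # a compromised dev/QA system becomes a bridge into production
            findings.append(Finding(e, "non-production to production connection", "high"))
        if not e.snc:
            findings.append(Finding(e, "connection without SNC", "medium"))
        if e.user_type == "A":
            # a dialog user in a destination can be used interactively with the stored password
            findings.append(Finding(e, "dialog user stored in RFC destination", "high"))
    return findings


# Constructed sample: one dev->prod destination with a dialog user and no SNC,
# one prod->prod destination done properly, one inbound non-SAP caller,
# one QA->dev destination without SNC.
SAMPLE_EDGES = [
    RfcEdge("ECD", "ECP", "ECPCLNT100", snc=False, user="RFC_ADMIN", user_type="A"),
    RfcEdge("ECP", "CRP", "CRPCLNT100", snc=True, user="RFC_CRM", user_type="B"),
    RfcEdge("JAVA-PORTAL", "ECP", "gw:portal01", snc=True, user="PORTAL_RFC", user_type="C"),
    RfcEdge("ECQ", "ECD", "ECDCLNT100", snc=False, user="RFC_QA", user_type="B"),
]

if __name__ == "__main__":
    for src, targets in sorted(build_map(SAMPLE_EDGES).items()):
        print(f"{src} -> {', '.join(sorted(targets))}")
    for f in audit(SAMPLE_EDGES):
        print(f"[{f.severity}] {f.edge.source}->{f.edge.target} ({f.edge.name}): {f.rule}")
```

The map is the part auditors ask for first; the findings are what the SOC acts on. Both are derived from the same records, so they stay consistent with each other.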


Coming soon… Read Access Logging (free version of SAP UI Logger)

READ ACCESS LOGGING


Customers use agileSI™ for…

WHAT THE CUSTOMER SAYS…

Automated compliance & security monitoring

• Automation of compliance checks and reports with agileSI™

• Extension of given compliance checks with security use cases

• Complete system landscape monitoring

• Transfer of agileSI™ findings into ticketing system

Access controls and transaction monitoring

• Internationally operating organization

• Monitoring of international users accessing nationally classified data (invoices, CAD, project owners)

• Ad hoc monitoring & forensics

• RFC transparency in SAP landscapes (SAP-to-SAP; NonSAP-to-SAP)

• Implementation of SAP UI Logger

Control of production process

• Usage of precious metal in production

• Control of production process via custom applications

• Transfer output of these applications into SIEM

• Continuous control!

• Management reports


License


License: # SID (System Id, database Id)

LICENSE

Example landscape: SID ECP [ECC/ERP] central instance, SID PLP [PLM] central instance, SID CRP [CRM] central instance, each with its application server instances.

License # SID = 3; the application server instances below each central instance are not counted separately.


Recap & Key benefits


Compliance issues at a glance (e.g. Profile Parameter / System Configuration)


Security findings at a glance (Event based, e.g. Security Audit Log and others)


Monitor special accounts


Compliance – Reports (e.g. Profile Parameter / System Configuration)
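As an added example of a profile-parameter compliance check of the kind these screens report (not agileSI's or DSAG's check content): extracted parameters for two constructed systems are evaluated against a baseline in Python. The parameter names are real SAP profile parameters; the baseline values are illustrative assumptions. A parameter missing from the extract is reported rather than assumed compliant, because the system then runs on a kernel default the check cannot see.

```python
"""Evaluate extracted SAP profile parameters against a security baseline.

Added example, not agileSI or DSAG content. The parameter names are real
SAP profile parameters; the baseline values are assumptions for this
example and the extracted values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


def is_int(v: str) -> bool:
    return v.strip().lstrip("-").isdigit()


def at_least(n: int) -> Callable[[str], bool]:
    return lambda v: is_int(v) and int(v) >= n


def between(lo: int, hi: int) -> Callable[[str], bool]:
    return lambda v: is_int(v) and lo <= int(v) <= hi


def equals(s: str) -> Callable[[str], bool]:
    return lambda v: v.strip() == s


@dataclass(frozen=True)
class Rule:
    param: str
    check: Callable[[str], bool]
    expected: str
    severity: str


# Assumed baseline (illustrative; not DSAG's or agileSI's values)
BASELINE = [
    Rule("login/min_password_lng", at_least(8), ">= 8", "medium"),
    Rule("login/fails_to_user_lock", between(1, 5), "1..5", "medium"),
    Rule("login/password_expiration_time", between(1, 90), "1..90 days (0 = never expires)", "low"),
    Rule("login/no_automatic_user_sapstar", equals("1"), "1 (SAP* fallback logon disabled)", "high"),
    Rule("rsau/enable", equals("1"), "1 (Security Audit Log active)", "high"),
    Rule("gw/acl_mode", equals("1"), "1 (restrictive reginfo/secinfo default)", "high"),
    Rule("rdisp/gui_auto_logout", between(1, 3600), "1..3600 seconds (0 = no auto logout)", "low"),
]


@dataclass(frozen=True)
class Finding:
    sid: str
    param: str
    actual: str | None   # None: parameter not present in the extract
    expected: str
    severity: str


def evaluate(sid: str, params: dict[str, str], baseline: list[Rule] = BASELINE) -> list[Finding]:
    findings = []
    for rule in baseline:
        actual = params.get(rule.param)
        # Missing from the extract means the kernel default applies, which this
        # check cannot see; report it instead of assuming it is safe.
        if actual is None or not rule.check(actual):
            findings.append(Finding(sid, rule.param, actual, rule.expected, rule.severity))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed extracts (parameter -> effective value) for two systems
SAMPLE_PARAMS = {
    "ECP": {
        "login/min_password_lng": "6",
        "login/fails_to_user_lock": "12",
        "login/password_expiration_time": "0",
        "login/no_automatic_user_sapstar": "0",
        "gw/acl_mode": "1",
        "rdisp/gui_auto_logout": "0",
        # rsau/enable deliberately absent from the extract
    },
    "ECD": {
        "login/min_password_lng": "10",
        "login/fails_to_user_lock": "5",
        "login/password_expiration_time": "60",
        "login/no_automatic_user_sapstar": "1",
        "rsau/enable": "1",
        "gw/acl_mode": "1",
        "rdisp/gui_auto_logout": "1800",
    },
}

if __name__ == "__main__":
    for sid, params in SAMPLE_PARAMS.items():
        findings = evaluate(sid, params)
        print(sid, summarize(findings))
        for f in findings:
            print(f"  [{f.severity}] {f.param}: actual={f.actual!r}, expected {f.expected}")
```

Running the same baseline over every SID in the landscape daily is what turns the screenshot into the "continuous, daily audit" claimed in the summary; the per-severity counts are what a management report would plot over time.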


Key benefits

SUMMARY

Continuous, daily audit

Automated compliance & security monitoring (ready-to-use)

Complete SAP system landscape centrally monitored

Lower the number of auditor's findings

Reduce compliance and audit costs through automation

Improve your SAP® Security & Risk Management


Questions and Answers



Session TB4092 Speaker Thomas Meindl



Thank you

Optional


SOLUTION DESIGN

Figure: agileSI™ AGENT and CORE components; layers: Data Collection, Administration, Analysis; roles: Admin, Management, SAP, SOC, Audit.


ARCSIGHT IMPLEMENTATION


Asset Categorization – Information is available in SAP

ARCSIGHT IMPLEMENTATION


Asset Categorization - Benefits

… enhances correlation, helps prioritize, adds a layer

APPLICATION SECURITY: SIEM THREAT RESPONSE

SIEM adaptive monitoring and SIEM automated threat response; in case of strong suspicion…

User audit trail

User lock

User log out

TCP session termination


THE FRONTEND

Figure: the same AGENT / CORE layout as the solution design with the SIEM added; layers: Data Collection, Administration, Analysis; roles: Admin, Management, SAP, SOC, Audit.
