sap security best practices - sap vulnerability management and sap real-time monitoring / siem...
SAP SECURITY BEST PRACTICES
For Protecting Large SAP Implementations
DSAG Annual Congress - 20.09.2016
Today's Agenda
A. Introduction
B. Tech Data SAP security challenges
C. Our approach and the best practices
D. Measuring our success
E. Q&A
Presenter: Jürgen Streit, Director of IT Security, Tech Data
Tech Data at a Glance
Company: Tech Data Corporation (Nasdaq: TECD)
Industry Segment: Technology distributor
Annual Revenue: $26.4 Billion (FY-2016)
Distribution: 100+ countries
Employees: 9,000 worldwide
SAP Systems: 50+
ALL critical Tech Data business processes run on SAP.
Why We Started This Project
Increasing number of high-profile security breaches in the news
Tech Data’s most sensitive data is stored on SAP systems
Attacks have shifted from network to applications
Legal requirements about data protection (PII) have increased
SAP Security Status when We Started
No comprehensive view into SAP security situation
Assessments took more than a week per SAP system (we have 50+)
Monitoring progress was impossible
Incident detection was difficult and slow
New Approach to SAP Security
Protection, Detection and Response
Firefighting is bad, processes are good
Automate as much as possible
Minimize required config changes
Protection and detection must work together
Tech Data SAP Landscape Security (Simplified)
[Diagram: zones from Outside Tech Data Network through the Outer Firewall and the Outer DMZ (e-commerce systems connected to SAP) to Backend I and Backend II, which hold ERP, BW, GRC, HR, CRM, Solution Manager and other SAP systems; the ESNC Security Suite with Enterprise Threat Monitor covers the SAP systems]
Legend:
SAP GRC: Account provisioning, SoD
ESNC Security Suite: SAP vulnerability management, ABAP code security
Enterprise Threat Monitor: SAP real-time monitoring, SIEM integration
SAP VULNERABILITY MANAGEMENT
Phase I - Low Hanging Fruit
Begin with the most common, publicly known vulnerabilities
BIZEC-TEC11 is a good benchmark for starters
[Screenshot: ESNC Security Suite compliance status, sample results (not TD)]
Details at https://www.esnc.de/bizec
Phase II - Holistic SAP Security
Risk analysis & prioritization based on vulnerabilities of connected systems
We uncovered key vulnerabilities that traditional methods and SAP's own tools didn't detect
Multivector Threat Analysis: "Where can an attacker get to after hacking system XYZ?"
[Screenshot: ESNC Security Suite multivector threat analysis, sample results (not TD)]
Details at https://www.esnc.de
Best Practices in SAP Vulnerability Management
Legacy or Ineffective:
Manual work / consultancy-driven vulnerability assessments executed annually
Sample-based scans (some PROD systems and just the production client) focused on SoD
In-house developed ABAPs as point tools for security
Best Practice:
Automated analysis executed monthly
Full scope (all PROD + non-PROD systems and all clients) including system security, system interconnectivity and ABAP security
Utilizing best-in-class, professionally updated enterprise solutions
REAL-TIME SAP SECURITY MONITORING AND SIEM INTEGRATION
Regular Security Monitoring
SOX requirements and security best practices dictate that SAP systems need to be regularly monitored for security incidents...
But what technology do we use, and how do we use it? What do we look for?
Technology Selection
Big SIEM solutions focus on network and OS logs
Very limited capabilities for SAP security monitoring
We needed an SAP-specific tool. Requirements:
Works out-of-the-box with little or no maintenance
Can send pre-correlated SAP security events to ArcSight, Splunk or QRadar for advanced correlation
Quickly adapts to our organization
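The SIEM hand-off in the requirements above is, in practice, a format question: ArcSight ingests events as CEF, so an SAP-aware monitor has to render each pre-correlated alert as one CEF line with the header and extension escaped correctly, otherwise a pipe in a rule name or an "=" in a message corrupts the record on the SIEM side. The following is an added example in Python, not code from the presentation or from Enterprise Threat Monitor; the vendor/product strings, the alert, its rule id and the mapping of SAP attributes onto CEF custom-string keys are constructed assumptions.

```python
"""Added example, not from the presentation and not Enterprise Threat Monitor
code: serialise a pre-correlated SAP security alert as a CEF line (the event
format ArcSight ingests) so a SIEM can correlate it further. The alert, the
vendor/product strings and the mapping of SAP attributes onto CEF extension
keys are constructed for illustration."""

CEF_VERSION = 0

# Constructed alert as an SAP-aware monitor might emit it after correlation.
SAMPLE_ALERT = {
    "id": "TM-0042",                                   # assumed rule id
    "name": "Debugging used to bypass authority check",  # assumed rule name
    "severity": 9,                                     # CEF severity 0..10
    "fields": {                                        # CEF extension keys
        "rt": 1474358400000,                           # receipt time, epoch ms
        "suser": "JSMITH",                             # source user = SAP user
        "shost": "WS-SALES-07",                        # terminal
        "cs1Label": "SAPSystemID", "cs1": "PRD",       # custom strings (assumed mapping)
        "cs2Label": "SAPClient", "cs2": "100",
        "msg": "sy-subrc=0 set in the debugger during AUTHORITY-CHECK",
    },
}


def _escape_header(value):
    """CEF header fields: backslash and pipe are the reserved characters."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    """CEF extension values: backslash and '=' are reserved; newlines become \\n / \\r."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


def to_cef(alert, vendor="ExampleVendor", product="SAP Threat Alerts", version="1.0"):
    """Render one alert as a single CEF line (without the syslog prefix)."""
    severity = int(alert["severity"])
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join([
        f"CEF:{CEF_VERSION}",
        _escape_header(vendor),
        _escape_header(product),
        _escape_header(version),
        _escape_header(alert["id"]),
        _escape_header(alert["name"]),
        str(severity),
    ])
    extension = " ".join(f"{key}={_escape_extension(val)}"
                         for key, val in alert["fields"].items())
    return f"{header}|{extension}"


def split_header(line):
    """Split the seven header fields back out, honouring backslash escapes.
    Returns (fields, extension_text); handy for round-trip checks."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character
            current.append(line[i + 1]); i += 2; continue
        if ch == "|":                              # unescaped field separator
            fields.append("".join(current)); current = []; i += 1; continue
        current.append(ch); i += 1
    return fields, line[i:]


if __name__ == "__main__":
    print(to_cef(SAMPLE_ALERT))
```

Custom-string keys (cs1..cs6) only mean something to the SIEM through their matching label fields, which is why the label travels with every event here; the alternative is a fixed field mapping agreed with the SIEM team, which is the arrangement the "pre-correlated events" requirement implies.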
Threat Monitoring Cases
Begin with the built-in Enterprise Threat Monitor use cases. It handles more than 300 cases "out-of-the-box", including:
Access/download of sensitive data
Unauthorized change of users' roles/profiles
Exploiting debugging to get SAP_ALL
Logon with the SAP account of an employee whom HR has terminated
Detection of account sharing
Further configuration for our Z*, Y* tables, reports, and transactions
Our New Approach
Start now! Show success now!
ETM implementation required low effort (system was up in a day)
Showing "real events" convinced key stakeholders instantly
Improve the detection and response capabilities over time
Project: Find out the most important SM19 event types (SM19 is the transaction that configures the SAP Security Audit Log) and determine their storage requirements
Result: The most important ones take 97% of the space, so activate them all.
Analysis details at https://www.enterprise-threat-monitor.com/SAP-log-analysis
Incident or Security Exception?
[Screenshot: adding a generic security exception, with issue details]
ESR Methodology for Incident Classification, three categories:
Business process deficiency > Fix process
User working in a non-secure/non-compliant way > Guide user
Potential "real" incident: suspicious activity by user > Trigger incident response
We use https://www.enterprise-threat-monitor.com/esr-methodology
Investigations: User Behavior Analytics
Detected anomaly: user never logs in on weekends
Finding the source: the user uses other workstations
JSMITH, who works in sales, uses this workstation
Tag & trigger incident response
Phase I - Detection and Response Results
Over one billion existing SAP security logs analyzed (+ change docs and other sources)
143,000+ matches to a predefined threat
Problem: Manual review will take forever!
Project will fail if the "noise" problem cannot be solved
Phase II - Machine Learning to Solve Problems
Enterprise Threat Monitor "learned" our organizational patterns and created security exceptions automatically
Existing findings: 143,246
Automatically generated security exceptions: 1,105
Eliminated noise: 140,479
Noise reduction ratio: 98.1 %
Items left for manual review: 2,767 + auto generated
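The weekend-logon and workstation investigation above and the automatically generated exceptions on this slide are two sides of one mechanism: a baseline of what each user normally does, turned into exceptions that suppress routine events and leave the deviations for review. The following is an added example in Python, not code from the presentation or from Enterprise Threat Monitor; the tab-separated record layout, the users, terminals, dates and thresholds are constructed, and only the event id AU1 (successful logon in the Security Audit Log) is SAP's.

```python
"""Added example, not from the presentation and not Enterprise Threat Monitor
code: learn each user's normal logon pattern from a baseline of audit-log
records, turn recurring patterns into automatic security exceptions, then use
them to suppress noise, surface anomalies (weekend logon, unfamiliar terminal)
and flag possible account sharing. All records are constructed; only the
event id AU1 (successful logon, SAP Security Audit Log) is SAP's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed four-week baseline: timestamp, user, audit event id, terminal.
# 2016-08-01 is a Monday. JSMITH works Monday to Friday from WS-SALES-07,
# AMUELLER works Monday to Saturday from WS-HR-02.
BASELINE_LOG = []
for week in range(4):
    for offset in range(6):
        day = datetime(2016, 8, 1) + timedelta(days=7 * week + offset)
        if offset < 5:
            BASELINE_LOG.append(f"{day:%Y-%m-%dT08:05:00}\tJSMITH\tAU1\tWS-SALES-07")
        BASELINE_LOG.append(f"{day:%Y-%m-%dT07:55:00}\tAMUELLER\tAU1\tWS-HR-02")

# Constructed findings from a later week (2016-09-10 is a Saturday).
NEW_LOG = [
    "2016-09-05T08:10:00\tJSMITH\tAU1\tWS-SALES-07",   # routine Monday logon
    "2016-09-06T08:12:00\tJSMITH\tAU1\tWS-HR-02",      # JSMITH on the HR workstation
    "2016-09-06T08:15:00\tJSMITH\tAU1\tWS-SALES-07",   # same account, other terminal, 3 min later
    "2016-09-10T11:30:00\tJSMITH\tAU1\tWS-SALES-07",   # JSMITH never logs in on weekends
    "2016-09-10T09:05:00\tAMUELLER\tAU1\tWS-HR-02",    # AMUELLER does work Saturdays
]


def parse(lines):
    events = []
    for line in lines:
        ts, user, event, terminal = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "terminal": terminal})
    return events


def learn_exceptions(events, min_days=3):
    """Auto-generate exceptions: (user, weekday) and (user, terminal) pairs
    seen on at least min_days distinct days count as normal behaviour."""
    by_weekday, by_terminal = defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] != "AU1":
            continue
        day = e["ts"].date()
        by_weekday[(e["user"], e["ts"].weekday())].add(day)
        by_terminal[(e["user"], e["terminal"])].add(day)
    return {"weekday": {k for k, d in by_weekday.items() if len(d) >= min_days},
            "terminal": {k for k, d in by_terminal.items() if len(d) >= min_days}}


def anomalies(event, exceptions):
    """Reasons an event is not covered by any exception; empty list means noise."""
    reasons = []
    if (event["user"], event["ts"].weekday()) not in exceptions["weekday"]:
        reasons.append("logon on a weekday this user never uses")
    if (event["user"], event["terminal"]) not in exceptions["terminal"]:
        reasons.append(f"logon from unfamiliar terminal {event['terminal']}")
    return reasons


def triage(events, exceptions):
    """Split findings into suppressed noise and items for manual review."""
    review, suppressed = [], 0
    for e in events:
        reasons = anomalies(e, exceptions)
        if reasons:
            review.append((e, reasons))
        else:
            suppressed += 1
    return review, suppressed, (suppressed / len(events) if events else 0.0)


def account_sharing(events, window=timedelta(minutes=10)):
    """Same account logging on from two different terminals within the window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["terminal"] != b["terminal"] and b["ts"] - a["ts"] <= window:
                hits.append((user, a["terminal"], b["terminal"], b["ts"]))
    return hits


if __name__ == "__main__":
    exc = learn_exceptions(parse(BASELINE_LOG))
    review, suppressed, ratio = triage(parse(NEW_LOG), exc)
    print(f"suppressed {suppressed}, noise reduction {ratio:.1%}")
    for e, reasons in review:
        print(e["ts"], e["user"], e["terminal"], "->", "; ".join(reasons))
    for user, t1, t2, when in account_sharing(parse(NEW_LOG)):
        print(f"possible account sharing: {user} on {t1} and {t2} at {when}")
```

On the constructed data the learned exceptions suppress three of the five new findings (a 60 % noise reduction), leave the Saturday logon and the logon from the HR workstation for review, and flag the two terminals used by the same account three minutes apart as possible account sharing. The min_days threshold is what keeps a one-off event from turning into an exception; on a real landscape it would be tuned per event type, and a pair first seen during the baseline window should still be reviewed once before it is trusted.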
Phase III - Full-Day Workshop
Created 52 manual security exceptions
Average 9.2 minutes spent per exception
Reduced the remaining findings by half
After Four Weeks
Machine-generated exceptions saved us ~130 person-days of work
New events per week reduced from ~3000 to 25
Activated real-time email alerting
[Chart: security exceptions and incidents to be reviewed per week, Week 1 to Week 4; y-axis: incidents, 0 to 3000]
SAP Security Monitoring Best Practices
Legacy or Ineffective:
Manual log reviews
Forwarding raw SAP logs to a SIEM solution and trying to have someone write threat monitoring cases
Activating only some SAP security event types in SM19
Focusing on PROD only
Best Practice:
Utilizing real-time monitoring and alerting which adapts to the organization
Using proven technology with a focus on improving processes
Activating ALL SAP security event types in SM19
Full scope (all PROD + non-PROD systems and all SAP clients)
MEASURING SUCCESS
Measuring Our Success
Transparency of SAP security posture: before, limited to a handful of SAP systems; now, complete landscape (with minor exceptions)
Tracking progress: before, results were incomparable; now, standardized and trackable/comparable
Time to analyze one SAP system in-depth: before, more than a week; now, less than an hour
Detection and response to incidents: before, manual review with few threat cases; now, real-time with over 300 threat cases
What We Love about Our New Approach
After each ESNC ABAP code scan, vulnerable ABAPs are added to Enterprise Threat Monitor
Builds a safety net until development can create permanent fixes
Perfect collaboration of vulnerability discovery & real-time monitoring
Real-time SAP security configuration monitoring
e.g. login/no_automatic_user_sapstar accidentally changed to 0 (bad: with 0, the kernel's built-in SAP* user with full authorizations becomes usable again if the SAP* user master record is deleted)
Detection and alerting within minutes instead of waiting until the next assessment
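One way to get the minutes-not-months detection described above for a parameter such as login/no_automatic_user_sapstar is to snapshot the profile parameters on a schedule and diff each snapshot against both the previous one and a hardening baseline. The following is an added example in Python, not code from the presentation or from ESNC; the two snapshots are constructed, and of the baseline rules only the SAP* one comes from the slide, the other two are assumed illustrations.

```python
"""Added example, not from the presentation and not ESNC tooling: detect a
security-relevant profile parameter drifting between two snapshots and check
each snapshot against a small hardening baseline. The snapshots mimic the
'name = value' layout of an SAP profile file and are constructed; of the
baseline rules only the SAP* rule is from the presentation, the other two
are assumed examples."""

# Parameter -> predicate on its string value.
BASELINE = {
    # 1 disables the kernel's automatic SAP* user (from the presentation)
    "login/no_automatic_user_sapstar": lambda v: v == "1",
    # assumed examples of further hardening rules
    "login/fails_to_user_lock": lambda v: v.isdigit() and int(v) <= 5,
    "login/min_password_lng": lambda v: v.isdigit() and int(v) >= 8,
}

SNAPSHOT_BEFORE = """# constructed profile excerpt, compliant
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 5
login/min_password_lng = 10
"""

SNAPSHOT_AFTER = """# constructed profile excerpt after an accidental change
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/fails_to_user_lock = 5
login/min_password_lng = 10
rdisp/wp_no_dia = 12
"""


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment; a later line wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def baseline_violations(params):
    """Baseline parameters that are unset (kernel default applies) or fail their rule."""
    return sorted(name for name, ok in BASELINE.items()
                  if name not in params or not ok(params[name]))


def drift(old, new):
    """(name, before, after) for every parameter that changed, appeared or vanished."""
    return [(name, old.get(name), new.get(name))
            for name in sorted(set(old) | set(new))
            if old.get(name) != new.get(name)]


def alerts(old_text, new_text):
    """Drift on baseline parameters, rated high when the new value breaks its rule."""
    old, new = parse_profile(old_text), parse_profile(new_text)
    out = []
    for name, before, after in drift(old, new):
        if name not in BASELINE:
            continue                      # operational change, not a security alert
        compliant = after is not None and BASELINE[name](after)
        out.append({"param": name, "before": before, "after": after,
                    "severity": "info" if compliant else "high"})
    return out


if __name__ == "__main__":
    for a in alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"[{a['severity'].upper()}] {a['param']}: {a['before']} -> {a['after']}")
```

Treating an absent parameter as a violation is deliberate: the effective value then depends on the kernel default, which differs between releases, so the check forces the value to be set explicitly rather than guessing. The non-baseline change (rdisp/wp_no_dia) shows up in the drift list but produces no alert, which is what keeps the alert stream free of routine tuning.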
WRAPPING UP
QUESTIONS TO ASK YOURSELVES
What is the business and legal impact if our SAP systems are hacked?
How soon do we find out if someone changes a critical security parameter?
Can an attacker "jump" from DEV systems to PROD?
Can we detect incidents as they happen?
Q&A
Jürgen [email protected]
Learn More at
www.enterprise-threat-monitor.com
This document contains references to products of SAP SE. SAP, ABAP, SAPGUI and other named SAP products and associated logos are brand names or registered trademarks of SAP SE in Germany and other countries in the world. HP and ArcSight are registered trademarks of Hewlett-Packard Development Company, L.P. Splunk is a registered trademark of Splunk, Inc. IBM and QRadar are trademarks of International Business Machines Corporation. Enterprise Threat Monitor is a registered trademark of ESNC GmbH, Germany. All other trademarks are the property of their respective owners.