Layer Seven Security

SAP CSO Recommends Solution Manager for Security Monitoring

SAP Chief Security Officer, Justin Somaini, opened the first of a series of five webcasts from the America’s SAP User Group (ASUG) on the topic of SAP security. The series is intended to present SAP’s response to the growing concern over cybersecurity by discussing:

The IT threat landscape and SAP’s approach to strategic security;
Best-practices to safeguard both on-premise and cloud SAP landscapes;
Secure configuration and patch management;
Security for SAP HANA; and
SAP’s security portfolio for responding to internal and external attacks.

During the webcast, Somaini contends security is becoming an important differentiator between competitors in all markets, especially within the technology and manufacturing sector. He also acknowledges that SAP systems often store and process some of the most valuable data within organizations and are therefore particularly at risk from cyber threats.  According to Somaini, “the application layer needs to be the first and last line of defence” due to inherent weaknesses in firewalls and other network technologies that cannot protect SAP applications from external threats. In his view, SAP applications should be hardened to build greater resilience against attacks.

Somaini tackles the question of single point versus integrated security solutions by recommending the use of tools that SAP customers already own in platforms such as Solution Manager over a patchwork of external tools. You can view a recording of the webcast and register for other upcoming webcasts in the series by following this link.

Detecting SAP Cyber Attacks with SAP Solution Manager

Despite the $75 billion spent by organizations on security software in 2015, average times to detection for cyber attacks are an astounding 170 days (DBIR, 2016). Most attacks therefore go undetected for almost six months.

An incident response strategy can address this gap by enabling organizations to proactively discover and contain security incidents that could lead to data breaches if left unchecked.  The cornerstone of effective incident response is detection. This involves collecting and analyzing information from a variety of sources to identify signs of abnormal events that could include potential malicious actions. SAP systems capture a variety of security-relevant events across multiple logs. The most significant is the Security Audit Log.

The Security Audit Log should be configured to log successful and unsuccessful logon attempts by privileged and standard users, RFC calls, changes to user records, report and transaction starts, and other critical events. This is performed through filters defined in each system. Log data is stored in local or central files that are read by the Security Monitor of the CCMS. This data is available to Solution Manager for centralized alerting.

Solution Manager should be configured to monitor not just events in the Security Audit Log, but also security-relevant events in logs for the gateway server, message server, SAProuter, Web Dispatcher, system log, UME log and, for HANA systems, syslog servers. This captures critical events such as external programs started through the gateway server, external programs registered with the gateway, HTTP requests from remote or unrecognized IPs, and successful/ unsuccessful connections through application gateways.

The Event Calculation Engine (ECE) within Solution Manager continuously monitors event data recorded in such logs to identify potential attacks based on metrics configured for each log source. This is performed using existing data providers such as Diagnostics Agents and sapstartsrv. Both are automatically installed with SAP systems. The monitoring interval for log sources can be customized but the recommended interval is 60 seconds. The ECE can be configured to perform event correlation for sophisticated pattern analysis.

Alerts are triggered by ECE for events that match a defined pattern or exceed thresholds for specific metrics. The alerts are displayed in the Alert Monitor for Solution Manager. Priority levels can be set for each alert based on a High-Medium-Low scale. Alert data also be transferred to Business Warehouse for detailed reporting and analysis using real-time dashboards.

Solution Manager also channels notifications for alerts to designated Incident Responders through email and text message. Notifications can be grouped to avoid alert flooding. Each notification provides a URL to the relevant alert or alert group within Solution Manager. Incident Responders can add comments to the alert in the Alert Monitor, follow guided procedures for handling alerts, and create and assign tickets for incident management within Solution Manager.

The example below displays the alert details and notifications generated by Solution Manager for a failed logon by the standard SAP* user in a monitored system.

1. Attempted logon using SAP* user in client 001 of system PM1.

SAP Solution Manager Security Alerts

2. Event summary in the Security Audit log.

SAP Solution Manager Security Alerts

3. Event details in the Security Audit Log.

SAP Solution Manager Security Alerts

4. Email notification of event.

SAP Solution Manager Security Alerts

5. The email attachment for the alert notification.

SAP Solution Manager Security Alerts

6. The Alert Inbox in SAP Solution Manager

SAP Solution Manager Security Alerts

7. The details of the alert in the Alert Monitor

SAP Solution Manager Security Alerts

SAP Security Notes – August 2016

Note 2319506 addresses a blind SQL injection vulnerability in Database Monitors for Oracle. The vulnerability impacts all versions of SAP Basis and rates extremely high on the impact scale using the common vulnerability scoring system. Content-based and time-based blind SQL injection is used by attackers to determine when input is interpreted as a SQL statement. The results are used to fingerprint databases, build database schemas and escalate attacks.

The blind SQL injection vulnerability in the Database Monitors is caused by improper validation of user-supplied input in the function modules STUO_GET_ ORA_SYS_ TABLE and STUO_GET_ORA_SYS_TABLE_ 2. The modules are used to read Oracle system tables containing sensitive data including database instances and logical names for database connections. Corrections for the vulnerability are included in support packages for relevant SAP Basis versions detailed in Note 2311011.

Note 2313835 deals with a high risk denial of service vulnerability in the Internet Communication Manager (ICM). The ICM manages client-server communication using Web protocols such as HTTP, HTTP, and HTTPS. For NetWeaver Application Server Java, the ICM also manages communications based on the proprietary SAP P4 protocol.  Note 2313835 provides kernel patches for DOS and DDOS attacks targeted at the P4 port of AS Java that could lead to service disruptions caused by resource exhaustion.

Note 2142551 delivers a framework for protecting AS ABAP against clickjacking attacks. This includes a client-dependent positive whitelist maintained in the HTTP_WHITELIST table. The key data to be maintained for each entry in the whitelist is entry_type and host. The recommended value setting for entry_type is 30 to enable clickjacking protection. Trusted hosts and domains should be defined in the host field.

Note 2012284 provides corrections to extend virus scanning to objects created by Knowledge Provider, a document and content management service within NetWeaver Application Servers.

SAP Security Notes August 2016