Layer Seven Security

U.S Treasury Sanctions ERPScan

Earlier this week, the United States Treasury issued an Executive Order to prohibit U.S organizations from engaging with ERPScan, a subsidiary of Digital Security and a provider of security software and services for SAP systems. According to a press release issued by the Treasury, Digital Security “provided material and technological support to Russia’s Federal Security Service (FSB)” and contributed to efforts to “increase Russia’s offensive cyber capabilities for the Russian Intelligence Services”. Treasury Secretary Steve Mnuchin stated that the Executive Order is driven by the need to “counter the constantly evolving threats emanating from Russia”.

ERPScan has denied any link with the FSB in an official statement. Further, it stated that “it is unfortunate that American companies will not have a competitive market in the ERP Security field, turning our main US competitor into a monopolist without any incentive to innovate.”

There are several competitors in the ERP security market within the United States. Therefore, the withdrawal of ERPScan is unlikely to lead to a monopoly in the market. Furthermore, the solution providers in the market have demonstrated a universal commitment to innovation including advances such as Data Loss Prevention using SAP Solution Manager recently announced by Layer Seven Security. There is no reason to believe that the Executive Order will diminish the level of innovation in the market.

However, the Executive Order has highlighted the risk to SAP customers arising from the dependence on third party security tools for SAP security monitoring. Layer Seven Security is the only solution provider in the market that eliminates this risk by leveraging SAP Solution Manager to protect SAP systems from cyber threats. Solution Manager is supported and maintained directly by SAP. Contact Layer Seven Security to discuss these and other benefits of SAP cybersecurity monitoring with Solution Manager.

Top Five Tips for System Recommendations

System Recommendations in SAP Solution Manager connects directly to SAP Support for real-time patch updates. It also connects to each system within SAP landscapes to monitor patch levels. SysRec downloads corrections for security vulnerabilities from SAP Support to each system and integrates with other areas in Solution Manager for change impact analysis, change management, and test management. SAP customers can therefore discover unapplied patches, bundle patches into change requests, and plan and execute test plans for patch cycles from a single integrated platform.

This article provides suggestions for optimizing System Recommendations to improve the performance of the application and the user experience. The tips will enable you to minimize false positives, identify and troubleshoot errors, and personalize the user interface.

System Recommendations reads the Landscape Management Database (LMDB) to determine the version and support pack levels for installed software components in each system. Therefore, the LMDB should be configured correctly, regularly updated and synchronized with the System Landscape Directory (SLD). This will reduce the likelihood of false positives such as the display of notes for irrelevant components, databases and operating systems. Kernel registration in the SLD will also help to minimize false positives. Alternatively, irrelevant components can be set to inactive in the customizing table AGSSR_OSDB to exclude them from the results returned by SysRec.

The background job SM:SYSTEM RECOMMENDATIONS periodically updates System Recommendations by connecting to SAP support and to managed systems to calculate unapplied notes. Processing errors for the object ASG_SR should be monitored using the Application Log (transaction SLG1). Alerts for job errors including automatic email notifications should be configured using Business Process Monitoring (BPMon) in Solution Manager.

System Recommendations excludes notes that are irrelevant, postponed or discontinued.  Therefore, it displays results for notes that have the implementation status New or New version available. Since the available status options don’t include options for notes with manual corrections that have been implemented, a custom status option for such notes should be configured by maintaining table AGSSR_STATUS. This can be performed using transaction SM30. Customers can also create custom status options to group notes by patch cycle, project or other criteria. In the example below, we’ve assigned a group of notes to the custom status group Q3 2018 and filtered the results to list the notes assigned to the group.

Status changes performed by users for notes are logged by System Recommendations. The changes are tracked in the details section for each note.  This section also tracks comments entered by users for notes. Comments are useful for tracking discussions between users that could impact implementation decisions including the approach, rationale, and timeline for applying security patches. Changes and comments entered by users can be viewed in table AGSSR_SYSNOTEC.

Finally, Fiori tiles can be configured in SysRec to create shortcuts for notes for specific systems, groups, and other variables. The tiles are accessed from the Fiori Launchpad and can be assigned to custom or standard groups. Once saved to the Launchpad, the results for each tile are automatically updated by System Recommendations.