Layer Seven Security

Season’s Greetings

2019 was a stellar year. In case you missed them, check out the enhancements we rolled out during the year:

> CVA – SolMan Integration – Monitor vulnerabilities in your custom programs using SAP Code Vulnerability Analyzer and SAP Solution Manager
> Fiori Reports & Dashboards – Manage vulnerabilities and threats directly from the SAP Fiori Launchpad for Solution Manager
> SolMan – SIEM Integration – Connectors for Splunk, QRadar, ArcSight & LogRhythm to integrate alerts from SAP Solution Manager with SIEM platforms
> Database Monitoring – Security frameworks for IBM, Oracle, Microsoft and Sybase databases

We’re hard at work preparing next year’s enhancements. Watch out for the following in 2020:

> Host Security Monitoring – Monitor Linux and Windows hosts for SAP applications with the Remote OS Script Collector in SAP Solution Manager
> End User Monitoring – Real-time user monitoring with SAP Focused Run
> Machine Learning – Predictive analytics for system anomalies using SAP Focused Run
> FRUN – SolMan Integration – Monitor Focused Run alerts for system and user anomalies in SAP Solution Manager

Catch up with us at the upcoming events below:

RSA 2020, San Francisco, February 24-28
SAPinsider 2020, Las Vegas, March 17-19

Best wishes from Layer Seven Security

SAP Security Notes, November 2019

Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the Agent. For earlier versions, the commands.xml file must be updated with a new version. It is recommended to apply the setting param="false" to block attackers from injecting commands into the file.

Note 2814007 includes Support Package patches for a missing XML Validation vulnerability in the HTML interface of Web Intelligence (WebI). WebI is a component of the SAP BusinessObjects Business Intelligence Platform. Successful exploitation of the vulnerability could enable attackers to retrieve arbitrary files from servers or provoke a denial of service.

Note 2393937 delivers switchable authorization checks for remote-enabled function modules in SAP Internet Pricing and Configurator (IPC). Switchable authorization checks supplement checks performed using authorization object S_RFC. They are activated with transaction SACF.

SIEM Integration with SAP Solution Manager

Security Information and Event Management (SIEM) platforms combine the ability to collect log data from applications, hosts, routers, switches, firewalls and other endpoints with the ability to analyze events in real time. They support threat detection, event correlation and incident response with alerting and reporting capabilities.

SIEM platforms require complete coverage for maximum yield. In other words, organizations reap the full benefits of SIEM platforms when monitoring logs throughout the technological infrastructure. This includes SAP application logs for organizations with SAP systems.

However, there are several challenges with integrating SAP application logs with SIEM systems. The first is complexity. SAP systems typically contain multiple logs that capture security-relevant events. The SAP NetWeaver Application Server ABAP (AS ABAP) alone has at least seven such logs including the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Change Document Log, and the Read Access Log. The logs do not have a standardized format or structure. Some are captured at the file level and others are stored in SAP tables. The complexities involved in integrating multiple and distinct logs from each SAP system should not be underestimated, especially for large SAP landscapes.

The second is log volume. Raw event logs can grow to gigabytes and even terabytes within a relatively short period of time in SAP systems that often support thousands of end users and hundreds of cross-system connections. Transmitting large volumes of log data from SAP systems to SIEM platforms could consume high levels of network bandwidth. The need to store such data for analysis could also increase resource requirements and licensing costs for SIEM systems.

The third challenge with directly integrating SAP logs is maintenance. Monitoring and supporting the numerous integration points between SAP systems and SIEM platforms, as well as regular archiving to deal with the accumulation of log data, could lead to high maintenance costs.  

Finally, many SAP logs do not natively include information to support cross-platform correlation using SIEM tools. This includes source and destination IPs for security events. Values for sources and destinations in SAP logs are often terminal names and SAP System IDs (SIDs) rather than IP addresses. Therefore, Security Operations Centers (SOCs) are not able to easily correlate SAP events with non-SAP events in SIEM platforms.

The Cybersecurity Extension for SAP Solution Manager overcomes such obstacles by filtering, normalizing and enriching security event data from SAP logs. The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to monitor logs at source without extracting and replicating event logs to external repositories. This reduces both bandwidth and storage requirements. MAI data providers support monitoring for all SAP logs including file and table logs in ABAP, HANA, and Java systems, and standalone components such as the SAProuter. MAI periodically parses event logs using attack detection patterns configured in metrics. The frequency of metric checks is customizable and can range from every 60 seconds to several minutes apart. Intervals can be adjusted at the metric level which means metrics can have different monitoring intervals.

A pattern match triggers the MAI to generate alerts and email or SMS notifications for security events. Security alerts generated by Solution Manager are managed using applications such as Monitor Systems, System Monitoring and the Alert Inbox. Alerts can also be written to an external file by Solution Manager. Solution Manager enriches event data by including source and destination IP addresses for each alert written to the file. This is intended to support correlation once the data is ingested by SIEM platforms. Event data is also normalized using a standardized structure for all log sources. The fields and separators for event details within each file are customizable and include values for alert name, description, date, time, system, system type, and event details. The event details can include information such as the event ID, username, source and destination IP addresses, and objects accessed by the user such as transactions, reports, function modules or URLs. The example below includes <DATE>::<TIME>::<SYSTEM>::<MANAGED OBJECT TYPE>::<ALERT TYPE>::<PRIORITY>::<ALERT NAME>::<ALERT DESCRIPTION>::<ALERT DETAILS>. Each value is separated by ::.

Since event details are written to and stored within alerts in Solution Manager, attackers will not be able to remove all traces of their malicious actions by modifying event logs alone.  They will also need to delete alerts and stop the triggering of email/ SMS notifications of alerts in Solution Manager. This would be challenging since alerts cannot be deleted in Solution Manager. They can only be confirmed. All alerts are retained and only removed by periodic housekeeping jobs designed to delete aged alerts.

Event files can be stored on the Solution Manager host or an external host or file server. A new event file is created by Solution Manager for each day. The contents of the newest file can be periodically pushed to SIEM platforms or pulled by SIEM systems directly from relevant directories. Since there is a single point of integration for event data between SAP and SIEM systems, maintenance efforts are relatively low.
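The record layout described above can be parsed before forwarding to a SIEM. The following is an added example, not code from Layer Seven Security or SAP: it splits each record on the :: separator without breaking a details field that itself contains ::, rejects malformed lines, and pulls validated IPv4 addresses out of the details for correlation. The sample records, date and time formats, priority values and details wording are constructed assumptions.

```python
import ipaddress
import json
import re

# Field order from the article's record layout; the separator is customizable there.
FIELDS = ("date", "time", "system", "managed_object_type", "alert_type",
          "priority", "alert_name", "alert_description", "alert_details")
SEPARATOR = "::"

# Candidate dotted quads; each candidate is validated with ipaddress below.
IP_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample records (not real Solution Manager output).
SAMPLE_LINES = [
    "2019-08-14::12:51:00::AS2::ABAP::Exception::HIGH::"
    "Actions by the Standard SAP* User::Logon attempt with SAP*::"
    "event=AU2 user=SAP* src=10.8.91.2 dst=10.8.91.20",
    "2019-08-14::12:53:10::AS2::ABAP::Configuration::MEDIUM::"
    "Users with SAP_ALL::Profile in user buffer::"
    "detail with :: inside, host 999.1.1.1",
    "truncated::line",
    "",
]


def extract_ips(text):
    """Return valid IPv4 addresses found in free text, in order, de-duplicated."""
    found = []
    for candidate in IP_CANDIDATE.findall(text):
        try:
            ip = str(ipaddress.IPv4Address(candidate))
        except ValueError:  # e.g. an octet above 255
            continue
        if ip not in found:
            found.append(ip)
    return found


def parse_alert_line(line):
    """Parse one record into a dict, or return None for blank or malformed lines."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    # maxsplit keeps any separator inside the trailing details field intact.
    parts = line.split(SEPARATOR, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    event = {name: value.strip() for name, value in zip(FIELDS, parts)}
    event["ip_addresses"] = extract_ips(event["alert_details"])
    return event


def to_siem_json(lines):
    """Return (JSON events, count of non-blank lines that failed to parse)."""
    events, rejected = [], 0
    for line in lines:
        event = parse_alert_line(line)
        if event is None:
            rejected += 1 if line.strip() else 0
            continue
        events.append(json.dumps(event, sort_keys=True))
    return events, rejected


if __name__ == "__main__":
    for record in to_siem_json(SAMPLE_LINES)[0]:
        print(record)
```

A non-zero reject count is worth alerting on in its own right, since it indicates a changed field layout or a truncated file.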

This article outlines the benefits of integrating security event data from SAP applications with SIEM platforms using the Cybersecurity Extension for Solution Manager. The benefits include lower costs, rapid deployment, ease of maintenance, and the enrichment of event data to support cross-platform correlation. The example below is for SIEM integration with Solution Manager for Splunk Enterprise. However, the approach can also be used to integrate security event data with other SIEM systems including QRadar, ArcSight and LogRhythm.

SAP Security Notes, October 2019

Hot News Note 2828682 patches a vulnerability in SAP Landscape Management Enterprise that could lead to the disclosure of critical information. Although the note carries a CVSS score of 9.1/10, the vulnerability addressed by the note can only be exploited under specific, uncommon conditions. In addition to implementing SAP Landscape Management 3.0 SP12 Patch 02, the corrections in the note include manual instructions for removing confidential information from insecure locations such as logs and archives, and sensitive data exported from XML files.

Note 2826015 patches a critical missing authentication check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The Note provides support package patches for AS2 Adapter 1.0 and 2.0. SAP also recommends confirming the property named default.security.provider for the application named com.sap.aii.adapter.as2.app is set to its default value IAIK.

Note 2792430 addresses a high risk binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. The platforms use a file search algorithm that can result in the inadvertent access of files located in directories outside of the paths specified by users. The successful exploitation of binary planting vulnerabilities can lead to information disclosure, file corruption or deletion, privilege elevation and DLL hijacking.

64% of ERP Systems Have Experienced Security Breaches Between 2017-19

According to the findings of a recent independent survey of 430 IT decision makers, 64 percent of ERP deployments have experienced security breaches in the past 24 months. The findings are published in the report ERP Security: The Reality of Business Application Protection. In the words of the IDC, “ERP applications such as SAP can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays…..Cyber miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation.”

The survey revealed that of the 64% of organizations that reported security breaches in ERP systems, the majority included the compromise of sensitive data including sales data in 50% of cases, as well as HR data (45%), customer data (41%), financial data (34%) and intellectual property (36%).

The survey also revealed the following:

  • The estimated cost of downtimes in ERP applications is $50,000 or more per hour at almost two thirds of organizations
  • 62% of ERP systems may have critical vulnerabilities
  • 74% of ERP applications are accessible from the Internet
  • 56% of executives are concerned or very concerned about moving ERP applications to the cloud

According to the former Chairman of the Global Board of the Institute of Internal Auditors (IIA), “The findings of this independent survey should raise questions at the Board level about the adequacy of internal controls to prevent cyber attacks and the level of auditing taking place. The lack of these controls is one way for cyber insurance companies to deny claims….The information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud.”

SAP ERP installations can be protected against cyber attack using the Cybersecurity Extension for SAP Solution Manager. The extension implements automated vulnerability and patch management, and security incident detection and response for SAP systems, without requiring additional hardware or agents.

SAP Security Notes, September 2019

Hot News Note 2798336 patches a critical code injection vulnerability in NetWeaver Application Server for Java (AS Java). A program error in the Web Container of AS Java could enable attackers to bypass input validation and execute dynamic content such as malicious code. The note includes updates for the J2EE Engine and API components.

Note 2823733 includes an important update for Hot News Note 2808158. The note provides greater coverage for possible attack scenarios targeting an OS Command Injection vulnerability in the SAP Diagnostics Agent.

Note 2817491 addresses high priority denial of service and information disclosure vulnerabilities in SAP HANA Extended Application Services (Advanced Model). Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to overload the server or enumerate open internal network ports. The vulnerabilities have been fixed with SAP HANA Extended Application Services (Advanced model) version 1.0.118.

SAP Vulnerability Assessment vs Penetration Testing

Vulnerability assessment and penetration testing both serve important functions for protecting business applications against security threats. The approaches are complementary but should be deployed sequentially. Penetration testing against systems and applications that have not been hardened based on the results of vulnerability assessments is inadvisable since the results are predictable. The objective of penetration testing is to assess the strength of security defenses, not to exploit ill-equipped and unprepared systems and processes to prove a point.

Therefore, vulnerability assessments should be performed ahead of penetration tests. The results of comprehensive vulnerability scans inform organizations of configuration, program, user and other weaknesses that could be exploited to compromise systems during real or simulated attacks. The recommendations resulting from the assessments enable organizations to remediate security weaknesses using a prioritized approach. They also support the implementation of countermeasures to detect and respond to potential attacks.

Once systems are hardened and defenses are prepared, performing a penetration test is a valuable exercise to test the adequacy of security mechanisms. The lessons learned from the discovery and exploitation of vulnerabilities during penetration tests can be applied to address areas that may have been overlooked or inadequately secured after vulnerability assessments. Penetration testing against hardened systems that are actively monitored for attacks forces pen testers to exercise more complex and difficult attack vectors. It also compels pen testers to deploy evasive techniques to avoid detection. This improves the quality of penetration tests and the reliability of the results, providing a stronger litmus test for system security, threat detection and incident response.

SAP Security Notes, August 2019

Hot News Note 2800779 patches a remote code execution vulnerability in the SAP NetWeaver UDDI Server. The vulnerability carries a CVSS score of 9.9/10 and could be exploited to take complete control of the Services Registry, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. The NetWeaver UDDI Server is an XML-based registry for Web Services.

Note 2786035 patches another critical remote code execution vulnerability in SAP Commerce Cloud (previously SAP Hybris Commerce). The Mediaconversion and Virtualjdbc extensions in SAP Commerce Cloud could execute malicious code injected by attackers or authenticated users. Note that some of the Mediaconversion Conversion Command parameters may not work after the implementation of the recommended patch until they are added to a whitelist.

Note 2813811 deals with a dangerous Server-Side Request Forgery (SSRF) vulnerability in the Administrator System Overview of SAP NetWeaver Application Server for Java (AS Java). The vulnerability could enable attackers to scan internal networks, perform Remote File Inclusion attacks, retrieve server files including password files, bypass firewalls, and force vulnerable servers to execute malicious requests. Refer to SAP KBA 2577844 to resolve known side-effects of the corrections in Note 2813811.

SAP Security Notes, July 2019

Hot News Note 2808158 patches a critical code injection vulnerability in the SAP Diagnostics Agent. The Agent is required to monitor operating systems and discover the database cluster topology from SAP Solution Manager. It is not required for monitoring the security of SAP systems with Solution Manager. Security-relevant data is collected or monitored primarily through RFC connections maintained between Solution Manager and managed systems.

The vulnerability impacts the OS Command Plugin in transaction GPA_ADMIN. The transaction is used to create and maintain guided procedures. Note 2808158 provides a patch for the LM_SERVICE in SP levels 05-09 of Solution Manager 7.2.

Note 2774489 addresses a high priority OS command injection vulnerability in SAP Process Integration (PI). ABAP Tests Modules of PI could enable attackers to execute privileged OS commands. The relevant support packages listed in the note should be applied to remove the vulnerable source code in the modules.

Monitoring Security Alerts with SAP Solution Manager

There are several apps available in SAP Solution Manager for monitoring security alerts for SAP systems. The most longstanding is the Alert Inbox which provides an overview of alerts by process area. Guided procedures for investigating security alerts are executed from the Alert Inbox. Another option is System Monitoring which provides a more user-friendly interface for navigating incidents than the Alert Inbox. System Monitoring includes the Alert Ticker displayed in the right pane of the app for monitoring incidents in real-time.

SAP Solution Manager 7.2 SP07 introduced a third option for monitoring alerts called Monitor Systems. The app is delivered in the new work center Application Operations.

System Monitoring and the Alert Inbox are Web Dynpro applications. Monitor Systems, however, is a SAPUI5 application based on the Fiori framework. Therefore, Monitor Systems delivers exceptional performance with alerts loading and refreshing at much faster rates than both the Alert Inbox and System Monitoring. The performance gains are considerable even for SAP Solution Manager installations running on conventional databases rather than SAP HANA.   

You can access Monitor Systems from the SAP Fiori Launchpad using the roles SAP_STUI_APPOPS_AUTH and SAP_STUI_APPOPS_TCR.

The initial screen summarizes open alerts by systems and components.

Alerts are categorized by the groups below. Security alerts triggered by the Cybersecurity Extension for SAP Solution Manager are categorized in the Configuration and Exception classes.

Results can be filtered or sorted by system and category.

Systems can also be labeled as favorites for fast selection.

You can view details of open alerts for each system by clicking on the system. Below are alerts for security configuration issues impacting system AS2.

Below are security exceptions detected through real-time monitoring of event logs in the system.

We can drill down into the details of each alert by clicking on Critical Metrics. For example, we can investigate the alert below for the Actions by the Standard SAP* User Alert by reviewing the relevant metric.

The Metric Details reveals that there was an attempted logon with the SAP* user from IP address 10.8.91.2 at 12:51 on 2019-08-14. We can execute a guided procedure that will investigate other actions from the source IP directly in the Security Audit Log.

The results can be shared with security operations teams through email by clicking on the Notify option in the Metric Details.

In another example, we can drill down into the alert for active users logged into the system with SAP_ALL in their user buffer to investigate potential privilege escalation. The profile should not be used in productive systems.