How to Implement Advanced Security Monitoring Without Third-Party Software
The fear and anxiety driven by the wave of cyber attacks in recent years has led many companies to bolster their security programs. It’s also led to a stream of software solutions from third-party developers offering to solve customers’ cyber security challenges. You may have heard the sales spin, watched the demos, and even considered the proposals. But before you launch the purchase order, ask yourself: Is there an alternative? What if the tools you need to secure your SAP systems were available to you at this very moment?
SAP has equipped customers with a variety of tools to protect against even the most advanced forms of cyber threats. The tools are available in SAP Solution Manager and include:
1. Configuration Validation: Implement automated vulnerability checks across your entire SAP landscape
2. System Recommendations: Detect security-relevant SAP patch day and support package notes
3. Change Analysis: Analyze the root cause of changes in your SAP systems
4. End-to-End (E2E) Alerting: Investigate email and SMS alerts for critical SAP security events
5. Security Dashboards: Monitor the health of your SAP systems in near real time
The need to monitor access to classified data in SAP systems has never been greater. End users are increasingly working with SAP data from outside the borders of corporate networks. Corporate information is also increasingly under threat from cyber criminals, hacktivists, cyber spies and terrorists that seek to exploit classified information for financial gain or to further ideological or national interests.
Read Access Logging (RAL) empowers organizations to combat these threats by providing the ability to detect and contain information leaks before they escalate into large-scale data breaches. This is performed by logging and monitoring access to sensitive data in SAP systems. RAL can also be used to identify malicious changes by tracking old and new values for classified data.
This article will explain how you can enable RAL in your SAP systems. The use-case illustrated in the article is sensitive employee data including social security numbers (SSN), salary and banking information. However, RAL can support any use case including health records, payment data, pricing information, etc. It can also be used to monitor access to custom data fields in your SAP systems.
RAL is accessed using the SRALMANAGER transaction. The screen below displays the options available in the Administration tab of the control panel. You will need the templates roles SAP_BC_RAL_ADMIN_BIZ, SAP_BC_RAL_ADMIN_TEC and/ or SAP_BC_RAL_CONFIGURATOR to administrator RAL.
The options in the Administration tab are organized in line with the sequence of activities performed to configure RAL. The first step is the definition of Logging Purposes. A log purpose is the specific use-case for the log groups you will create in later steps. In the example below, we have created a use-case to group sensitive employee-related data.
Next we must create Log Domains. These are assigned to data fields to support log analysis since many fields are unintelligible when relying on just system identifiers. The screen below captures the log domains we have created for employee data including banking information, salary and SSN.
Once we have defined our log domains, we must configure recordings to capture the data fields that we will assign to the domains. Recordings can be used for SAP GUI (Dynpro) and Web GUI (Web Dynpro) sessions. Below we have created a recording to capture specific types of employee information using SAP GUI. Click on the image to enlarge.
We can choose the data fields to log by selecting the Record Field option in the context menu. The screen below shows that we have selected to record the SSN field during a recording session in an IDES system with mock data using SAP GUI.
The fields captured in RAL during the recording sessions are assigned to log domains during the configuration step. In the example below, we have assigned the SSN field to the SSN log domain. You can choose to record field values in log entries during this step and to include/ exclude initial values. You can also specify whether the trigger for logging should be data entry performed by the end user or data displayed to the user or both. Specific users can be excluded from RAL using the User Exclusion List. Therefore, we can ensure HR and other users that require access to employee information for their role are not included in log results.
The final step is enabling RAL by maintaining the profile parameter sec/ral_enabled_for_rfc in each application server. RAL configuration settings can be transported within your SAP landscape using transaction SRAL_TRANS.
Log analysis is performed using the options in the Monitor tab. This can be performed using the role SAP_BC_RAL_ANALYZER.
The entries for all log domains are displayed below. The first entry in the log reveals that the user SAPADMIN successfully read the SSN of employee ID 109815 at 9.06AM on September 18, 2015.
Other log entries reveal that the user also accessed the bank details and salary information of the employee on the same day. See below.
Changes performed by SAPADMIN for data fields logged by RAL would be displayed as separate log entries if we had selected the option to record field inputs with values.
RAL is available in NetWeaver 7.40 but SAP intends to make it available for earlier releases. For further information including professional services to enable Read Access Logging in your SAP systems, contact Layer Seven Security.
For logging table-level access in SAP systems, we recommended using the Workload Monitor accessible through transaction ST03. You can configure table access logging for up to five transactions including well-known table maintenance transactions such as SE16, SM30 and SM31. The log below from the Workload Monitor displays the number of records viewed or modified using transaction SE16 for the user table USR02 during a specific date. Large record counts could indicate a potential data breach. Correlation with transaction starts performed by users logged in the Security Audit Log or STAD should be possible using conventional SIEM solutions or SAP Enterprise Threat Detection.
Can you trust SAP with your system security? The question is worth pondering, not least since it is one of the key arguments used by third party software vendors to support the use of their security tools over SAP-delivered solutions. Although the argument is usually made in the context of vulnerability management for cybersecurity, the logical extension of this point of view is that SAP shouldn’t be trusted for any security domain, including access control, identity management, program development, and security patching. In this article, we discuss whether SAP has earned the right to your trust and the implications of a low-trust and a high-trust relationship with SAP for your security needs. The discussion will be driven by the notions of trust taxes and trust dividends which can either constrain or multiply your organization’s performance.
But, firstly, what is trust? There are many definitions but they all boil down to a single concept: confidence. Trust is confidence in the integrity, strength or ability of someone or something. By this definition, most economies and societies are low-trust. According to one of the most widely-known studies of global perspectives on trust, confidence in governments, leaders, and organizations has never been lower. The Edelman Trust Barometer has charted the worldwide decline in trust levels over 14 years. In 2014, the study surveyed 33,000 people in 27 countries. Although it revealed a general level of mistrust in people and institutions, it’s important to note that trust is impacted by many factors including geography and industry. Interestingly, companies based in Germany or operating in the technology sector tend to command the highest levels of trust.
Security is driven by mistrust. Therefore, it’s not surprising that organizations are investing in resources, training and technologies to strengthen information security in environments with declining levels of trust. The reaction is understandable and necessary given the dramatic rise in cybercrime, commercial espionage and insider threats. Improved security measures can realize substantial, tangible benefits but there is a cost. This includes not only the direct costs associated with investing in further resources, training programs and security tools, but indirect costs arising from the organizational impact of security measures. Mistrust can be very expensive.
Performance is often measured as the outcome of an organization’s strategy and its ability to execute on the strategy. In other words, strategy + execution = results. However, there are hidden variables that can undermine this equation. The results of a great strategy combined with flawless execution can be undone by low levels of trust which push up costs and reduce the speed of execution. This is known as the so-called Trust Tax. On the other hand, results can be amplified in high trust scenarios since costs are held down and the pace of execution is higher. This is called the Trust Dividend.[1]
Based on this model, organizations that trust SAP-delivered solutions for vulnerability management should be able to realize a trust dividend by minimizing the cost side of the equation: vulnerability management can be performed using standard components in SAP Solution Manager over licensing third party solutions. However, the question remains: can SAP be trusted to provide sound and independent security guidance?
Trust requires creditability. Credibility is based on integrity, intent, capabilities and results. Therefore, to answer this question, we must ask another: is there any reason to doubt the integrity or intent of SAP or question its capabilities and results? I can think of none. SAP’s commitment to educate and empower customers with insight and tools to manage the security of its solutions is undeniable. Its difficult to imagine any benefit SAP could derive from anything other than an honest and transparent approach to security. SAP has demonstrated its commitment to improving software quality by strengthening development procedures to detect and remove program vulnerabilities before general availability. It has also established a robust security response process to deal with vulnerabilities identified by internal teams and external researchers. Finally, SAP continues to deliver innovative solutions to enable customers to deal with today’s threat landscape. This includes tools designed to:
Discover data leaks (Read Access Logging)
Detect system vulnerabilities (Configuration Validation)
Manage security patches (System Recommendations)
Control access to sensitive function modules (Unified Connectivity)
Analyze security-relevant changes (Change Analysis)
Remove redundant custom code (Coverage Analyzer)
Secure custom code (Code Vulnerability Analyzer)
Detect attacks in real-time (Enterprise Threat Detection)
So, can you trust SAP with your system security? The answer is, why not?
According to a recent study performed by the Center of Strategic and International Studies, the annual cost of cybercrime is more than $400 billion. This is equal to almost 1 percent of global income and higher than the national income of most countries. The report states that “The most important loss from cybercrime is in the theft of IP (intellectual property) and business confidential information, as this has the most significant economic implications”. In fact, some estimates place the cost of IP theft higher than the actual returns to IP creators: According to the World Intellectual Property Organization (WIPO), the world IP market generates $180 billion a year in fees and royalties, whereas IP theft costs the US economy alone more than $200 billion. This means that eliminating IP theft could more than double the returns on innovation for IP-generating firms.
Losses can vary significantly between sectors. The risk of IP theft and losses resulting from stolen data is higher in sectors where IP can be more readily monetized such as finance, chemicals, aerospace, energy, defense and IT. The impact of IP theft on individual firms can also fluctuate depending on how closely R&D and innovation-driven IP is tied to profitability. In extreme cases, it can lead to a complete collapse in profits. This is illustrated by the experience of Codan, an Australian technology company that manufactures mining and communications equipment. Codan’s net profit fell by 500 percent in a single year from $45M to $9M following the theft of technology blueprints during a targeted cyber attack. The stolen blueprints were used by counterfeiters to manufacture imitations that substantially undercut the price of genuine products manufactured by Codan. Despite slashing the price of its products, Codan was unable to stem the loss of market share that eventually eroded the company’s profits. The attack against Codan was profiled in a recent episode of Four Corners, a current affairs program aired by the Australian Broadcasting Corporation. The episode can be viewed below and underlines the destructive impact of financially-motivated economic espionage. According to research performed by Symantec and Kaspersky, such attacks are growing in volume and sophistication. They are frequently performed by organized criminal groups that target high-value corporate information that can be exploited for insider trading or other purposes.
Protection against such threats requires a layered security strategy including countermeasures at the network, OS, database and application level. For SAP application stacks, you can refer to Layer Seven’s white paper Protecting SAP Systems from Cyber Attack. The paper outlines a comprehensive approach for securing SAP systems against advanced threats and includes guidance for encrypting sensitive communications, securing access, implementing robust password policies, effectively patching SAP systems, and other areas.
The fallout from the record-breaking breach disclosed by the Office of Personnel Management (OPM) earlier this month reached a low point at a Capitol Hill hearing on June 16. During the hearing, members of the House Committee on Oversight and Government Reform scolded OPM officials and IT executives for their “complete and utter failure” to protect sensitive personal information stored in compromised systems. The breach is estimated to impact at least 3.2M federal employees and contractors. However, the number of breached records may be as high as 14M.
While the root cause of the breach is yet to be disclosed, there are several factors that are suspected to have contributed to the successful attack against the OPM. The first is OPM’s sluggish response to the recommendations of a systems audit performed by the Inspector General last year. The Inspector General Audit Report identified numerous material weaknesses in OPM’s security program and practices, including missing configuration baselines for operating platforms and ineffective security monitoring procedures. OPM has been widely criticized for failing to implement many of the key recommendations made by the Inspector General.
The second is weaknesses in cybersecurity tools put in place by the Department of Homeland Security to detect and contain the type of incident that led to the breach at OPM. The most widely criticized tool is Einstein, the multi-billion dollar intrusion detection system deployed by US-CERT to monitor government Internet gateways for malicious traffic. Einstein is at the cornerstone of the $4.5 billion U.S National Cybersecurity and Protection System (NCPS) program. Despite a recent $200M upgrade, it failed to expose the original attacks that led to the breach at OPM. Yet again, this serves to illustrate known limitations with signature-based intrusion detection systems that can be circumvented by scrambling or encrypting attack payloads. These and other drawbacks have led institutions such as SANS to conclude “It is far too easy to fool or shut down an IDS machine for them to be utilized as the primary line of defense against intruders”.
It also illustrates the broader concern over the effectiveness of cybersecurity solutions, not just network-based IDS or, for that matter, IPS systems. According to a joint study performed by Juniper Networks and RAND earlier this year, worldwide spending on cybersecurity is growing between 10 to 15 percent per year. However, despite investing increasing amounts on cybersecurity tools, most companies report a low level of confidence in the ability of such tools to improve the security of their infrastructure. This sentiment is understandable and is based on the questionable success of conventional tools to combat cyber threats. The irony of sky-rocketing costs for cybersecurity tools against the backdrop of the declining value of such tools is not lost on customers.
For this reason, organizations would be better served by redirecting budgets from dubious investments in redundant tools to tackling the most critical issue in cybersecurity today: the shortage of skilled resources capable of modelling and managing the wide array of risks in complex and evolving threat landscapes. The global cybersecurity skills shortage is borne out by the following startling facts:
83% percent of enterprises lack the skills to protect their IT assets (1)
1 out of 3 security professionals are not familiar with advanced persistent threats (2)
62% of organizations did not increase security training in 2014 (2)
There are 1M unfilled positions for security professionals worldwide (3)
One of the consequences of the skills shortage is that it often leads enterprises to rely on a patchwork of third parties for core security services. OPM, for example, is alleged to have granted privileged access to contractors in China, one of the nation states suspected of perpetrating the attack.
For SAP systems, the aim of fostering an effective security operations center or center of excellence is made easier by the availability of a wide array of powerful monitoring tools in Solution Manager. The most important of these tools is Configuration Validation (ConVal) which can be leveraged to implement automated, policy-based vulnerability management. The accessibility and convenience of tools such as ConVal eliminates the need for third party security software and enables customers to focus more resources on staffing, training and other needs.
ConVal performs system configuration monitoring. It also monitors critical authorizations, transactions and profiles. For security information and event monitoring (SIEM), most existing platforms can analyze event data in SAP log files including the Security Audit Log. Platforms such as HP Arcsight, RSA enVision, McAfee/ Intel, and Splunk can be tuned to review SAP logs using available connectors or modules. For more information on ConVal or integrating SAP systems with your SIEM platform, contact Layer Seven Security.
Sources:
1 ESG, March 2015
2 2014 APT Study, ISACA, April 2014
3 Annual Security Report, Cisco, January 2014
Earlier this month, SAP issued a strongly-worded response to claims made by the software vendor Onapsis in a press release that over 95 percent of SAP systems assessed by Onapsis were exposed to vulnerabilities that could lead to the compromise of SAP systems. According to SAP, “The press release published by Onapsis is aimed at alienating SAP customers while promoting Onapsis’ own products. The assertion that over 95% of SAP systems were exposed to vulnerabilities is false.” In spite of such protests, the claims led to a wave of concern over vulnerabilities in SAP systems. The concerns were deepened by the revelation that the data breach at the government contractor USIS reported in 2014 was caused by a vulnerability in an SAP ERP system. The forensic investigators engaged by USIS to review the breach concluded that attackers were able to gain access to the system by exploiting an undisclosed SAP-level vulnerability or series of vulnerabilities. This assertion was based on evidence contained within SAP application trace logs and other sources. The breach led directly to the leakage of highly sensitive information impacting an estimated 25,000 government employees.
Along with similar incidents experienced by the Greek Ministry of Finance and Nvidia, the breach at USIS has served to illustrate the devastating impact to organizations when SAP systems are not securely configured and monitored to guard against possible cyber attack. Since the news of the source of the breach became public, security researchers have put forward several theories of possible exploits that could have been employed by attackers to compromise SAP systems connected to USIS. The theories include the use of default passwords, vulnerabilities in RFC gateways, remote code execution, and even database-level exploits. The fact that the attackers were presented with such an array of possible vectors is disturbing to say the least and highlights the wide attack surface presented by SAP systems.
Unless the specific SAP vulnerability that was exploited to breach USIS was a zero-day exploit, its likely that the breach could have been prevented through the proper hardening of SAP systems, regular patching, and continuous monitoring using tools provided by SAP in Solution Manager. It should be noted that almost all the attack vectors presented by researchers to explain the attack at USIS can be blocked by either applying applicable SAP patches or by observing the relevant SAP security guidance. This also applies to the so-called ‘Top Three Common Cyber Attack Vectors for SAP Systems’ declared by organizations such as Onapsis. Furthermore, once hardened, SAP systems do not necessarily require third party tools to monitor for possible changes or configuration errors that may expose them to cyber threats. The simplest, quickest and most cost-effective strategy is to leverage tools available in Solution Manager. They include System Recommendations for patch management, Change Analysis for detecting and investigating configuration changes, Alerting for security incident and event management, Dashboards for compliance monitoring and finally, Configuration Validation for comprehensive, automated vulnerability management. In short, both the information and the tools you need to secure your SAP systems against the type of attack that breached USIS are available to you at this very moment.
One of the most striking facts revealed by the 2014 Verizon DBIR is that only one in every six data breaches are detected by organizations that are the victim of such breaches. The statistic revealed that the vast majority of organizations lack the capability to detect incidents that lead to a data breach.
According to an earlier study sponsored by Oracle, organizations that have implemented incident detection capabilities are not necessarily any better off: nearly 70 percent require greater than one day to identify incidents of unauthorized system access. Given that most breaches unfold in less than a single day, organizations could suffer catastrophic losses before they even detect the underlying incident.
The problem is particularly acute for SAP environments. Maintaining a low mean time to detection is one of the key metrics used to measure the effectiveness of threat management programs. This is the gap between the time an incident occurs and the time the threat is detected and contained. While SAP systems generate a large quantity of logs in various formats, collating and parsing such logs presents several technical challenges, as well as consuming an extensive amount of time and resources. Performing such an analysis in near real-time using conventional tools is impractical, especially in high-volume environments that often generate several gigabytes of log data each hour. Hence, means times to detection are generally high for threat management programs encompassing SAP systems. This increases the vulnerability of such systems by providing adversaries with a longer timeframe to attack and compromise systems before detection.
Under these circumstances, the general availability of SAP Enterprise Threat Detection (ETD) on March 16 could not have been timelier. ETD is the only solution capable of providing visibility into potential insider and outsider threats impacting SAP systems in real-time. ETD minimizes mean times to detection and therefore shortens the timeframe that adversaries are provided to compromise and harm systems. It does so by harnessing the data streaming capabilities of the Event Stream Processor (ESP) and the ability of SAP HANA to analyze large and complex data sets instantaneously.
Log data is automatically extracted from monitored systems and components and pushed to a REST-based API exposed by ESP. Log information is harvested from a wide array of sources within each system including Gateway, HTTP, Business Transaction, Change Document, Read Access, System, Security Audit and User Change Logs. ETD SP01 also supports logs that use the UDP-based syslog protocol. Syslog is a common standard for capturing, labelling and transmitting system events for security auditing and other purposes. It is used by a wide variety of systems and components including, most notably, SAP HANA or, more specifically, the SUSE platform supporting HANA.
Once the log data is formatted and normalized by ESP, it is transferred to SAP HANA for storage and made available to ETD for analysis. Threat detection using ETD is performed primarily through pattern recognition. In other words, log data is evaluated by ETD to determine whether logged events match predetermined patterns for suspicious activity. Examples include logon attempts using standard users, multiple and concurrent failed logon attempts in the same system using the identical user, or changes to variables implemented during a debugging session. Patterns are risk-weighted by severity and trigger an alert whenever a match is detected by ETD. Alerts can be viewed through the ETD Dashboard or Launch Pad (see below).
ETD SP01 includes over 50 patterns for ABAP systems based on SAP best practices. However, SAP recommends enabling and tuning patterns to address specific risks within each landscape and developing custom patterns using the Pattern Configuration tool bundled in ETD. Pattern identification and development is also performed by SAP Service Partners such as Layer Seven Security.
Future releases and enhancements of ETD will widen support for Java and cloud-based systems. SAP also intends to integrate ETD with Solution Manager for monitoring and incident management.
SAP ETD closes a critical gap exposed by limitations in existing SIEM and other solutions to absorb and analyze security-relevant event information stored in SAP logs. It also delivers the capability to identify and respond to security threats revealed by event data in real-time. For these reasons, ETD represents one of the most important technological innovations in SAP security in recent years and offers the most effective response to insider and outsider threats impacting SAP systems.
The use-cases for ETD can be illustrated by the recent insider breach at AT&T that led directly to a $25M FCC fine levied against AT&T. The breach centered on the accessing of personally-identifiable customer information by call center employees without authorization. This information was subsequently sold by the employees to third parties. Such a scenario can be mitigated in SAP systems through the integration of Read Access Logs with ETD. Providing the relevant patterns are appropriately configured, ETD would generate an alert when sensitive data fields are accessed by users frequently and in large volumes. Since the alert is generated as the incident is unfolding, it will provide investigators with the opportunity to respond to the incident in real-time and prevent the leakage of sensitive data.
To learn more about Enterprise Threat Detection, you can visit SAP at booth #S216 in the South Expo Hall at the upcoming RSA Conference. You can also contact Layer Seven Security.
One of the most startling facts revealed by the 2015 Cyber Risk Report is that over 44 percent of data breaches stem from the exploitation of known vulnerabilities that are over two years old. This suggests that effective patching can dramatically lower the likelihood of a successful data breach and, when employed with other countermeasures such as system hardening to prevent misconfigurations, it can reduce the risk to negligible levels.
Developing a workable patch management process that addresses the numerous threats confronted by SAP systems presents a formidable challenge for organizations. The need to maintain high levels of availability and control changes that may negatively impact system performance or even lead to software regression often delays the implementation of critical patches. In some cases, it prevents the application of security patches altogether.
The risks posed by weaknesses in patching procedures should not be understated and are borne out by the findings of the HP study. Statistics reveal a direct correlation between ineffective patching and significantly higher levels of susceptibility to security threats that lead to data breaches.
Traditionally, SAP customers have relied upon tools such as RSECNOTE and SAP EarlyWatch Alert (EWA) to identify patches and verify their implementation status. RSECNOTE can be executed using transaction SA38 or ST13. It should return relevant Security Notes and convey whether Notes are successfully implemented, require implementation or are manually confirmed. EWA is a diagnosis report that is run from SAP Solution Manager for managed systems on a weekly schedule. The system configuration checks performed by EWA should include an identification of relevant Security Notes.
EWA, however, no longer performs any meaningful check for security-relevant Notes. Fewer than 10 percent of the 364 Patch Day Notes and Support Pack Notes released by SAP in 2013 were checked and reported through EWA. By 2014, EWA had lost all relevance for security patching: none of the 389 SAP patches released last year were checked by EWA.
RSECNOTE has not fared any better. According to Note 888889 updated in September 2014, the tool is effectively deprecated by SAP and should no longer be relied upon.
RSECNOTE and EWA have been replaced by tools with more powerful calculation engines capable of supporting more detailed analysis of not just Hot News and Security Notes, but also Java patches and Notes for general, performance and legal areas.
These tools include System Recommendations (SysRec), accessible through the Change Management Work Center of SAP Solution Manager. SysRec uses the SAP-OSS RFC destination to connect directly to SAP Global Support and check the status of Notes in managed systems. The results are based on the specific kernel, patch and support package level of systems maintained in the Solution Manager System Landscape (SMSY). This minimizes the risk of both false positives and false negatives.
SysRec can be filtered by SAP system, component and date range. Only components are that are applicable to the selected system are displayed by SysRec.
Priority levels and the implementation status of each Note are displayed in the returned results. The Download Notes option can be used to download all or selected Notes from the SAP Service Marketplace. Click on the image below to enlarge.
SysRec can be used to identify both ABAP and Java patches. However, Java patch notes are displayed in the Corrections tab rather than the tab for Security Notes.
The Create Request for Change option is used to trigger a change request to implement the relevant Notes when using ChaRM.
The automated job SM:SYSTEM RECOMMENDATIONS should be scheduled to collect information on the status of implemented Notes from managed systems. The frequency of the automatic check can be set to daily, weekly or monthly.
Once corrections are identified and applied, the implementation status of the Notes should be validated across all systems in your landscape. This can be performed using Configuration Validation. The implementation status of Notes is recorded in the PRSTATUS field of the ABAP_NOTES store. The PRSTATUS of completely implemented notes should be E. Therefore, you can define operators to search for Notes implemented in a reference system with the identical component and release dependencies that have the same PRSTATUS. Based on the example below, for instance, Configuration Validation will check that version 2 of Note 1922205 for component SAP_BASIS is completely implemented (PRSTATUS = E), taking into account the release dependencies.
Notes that are not completely implemented in comparison systems are flagged as non-compliant in BW reports generated by Configuration Validation.
One of the most important discoveries uncovered by security researchers investigating the recent data breach at Anthem is that the original compromise may have occurred as early as April 2014, nine months before the breach was discovered by the organisation. The attack has led to the loss of personal information impacting over 80 million individuals. The investigation into the impact on health records stored by the organisation is ongoing. Such records have a far higher value in underground markets than financial data including banking and credit card information.
Anthem was alerted of the breach after a system administrator learned that his logon credentials had been compromised and used by attackers to access servers containing sensitive data. The fact that the discovery was made by Anthem itself should be applauded. The majority of breaches are not. Most are detected by law enforcement agencies, third parties, and even customers. However, the time lag between the initial breach and its eventual discovery is a concern and one that is consistent with most other successful attacks. According to the 2014 Verizon Data Breach Investigations Report (DBIR) based on an analysis of 1300 confirmed data breaches and 63,000 security incidents, the gap between the average time taken by attackers to compromise their targets and the time taken by victims to discover a breach has been widening steadily since 2004. This suggests that attackers are developing and exploiting ever more effective methods to compromise organisations at a rate that outstrips the ability of companies to detect and defend against such attacks. This is despite higher spending on both security solutions and personnel.
Protecting information in SAP systems from attack vectors used successfully against organisations such as Anthem requires two critical countermeasures. The first is system hardening. The second is log monitoring. This article focuses on the second of these measures. The effective and timely review of forensic data captured by several SAP logs can enable your organisation to drive back attacks before they lead to a data breach.
The first category of logs covers network traffic patterns. Incoming and outgoing connections registered in ICM/ Web Dispatcher, SAProuter, message server and gateway server logs should be regularly reviewed for suspicious network activity. This includes connection attempts from unknown or unauthorized source IPs or during unusual hours, as well as sessions that involve the transfer of large volumes of bytes to external destinations. The latter is a clear sign of potential data theft.
The second category covers authentication and authorization logs that record logon attempts and the actual resources accessed after successful logons. The main source of such data in SAP systems is the Security Audit Log. However, for more granular information, you should review log entries in the Read Access Log which register views and changes to sensitive data fields. UME log events in the J2EE Engine can be monitored using the NetWeaver Administrator. Within this category, logon attempts using default accounts across multiple systems and during irregular hours are especially suspicious.
The third category covers changes for configuration settings, files, user accounts, documents, programs and tables. Logging such changes will support the reconstruction of events and help contain any breach. Authorization, password and other changes impacting user master records are automatically stored in non-transparent SAP tables which can be viewed using transaction SU01. Change documents can be used to capture changes to sensitive data objects. Changes to critical tables can be logged using SE13 and analyzed through report RSTBHIST. Changes to productive systems implemented through SAP transports are recorded in CTS and TMS logs stored in both transport directories and tables E070 and E071. Changes to profile parameters in managed systems, including security-relevant areas, are logged in Solution Manager and can be analyzed using Configuration Validation or Change Analysis.
The fourth category covers application and system events that are not directly security-relevant but may indicate potential malicious activity. This includes system shutdowns and restarts, unscheduled or unauthorized backups and error messages for the usage of memory, disk, CPU and other system resources. Such information can be collected from Syslog and other host-level event logs. It can also be accessed through local or central SAP System logs using transaction SM21.
The final area covers database-level actions and events, particularly activities performed by privileged non-system users including the execution of ALTER, INSERT and DELETE commands and CREATE and GRANT schema changes. You can minimize the performance impact of database logging in some database versions and releases by creating context-dependant policies that limit logging to precise scenarios. Examples include database connections originating during specific time periods or from outside specific application servers identified by hostname or IP address.
Attackers may attempt to remove evidence of their actions by altering or deleting log records. Therefore, it is important to secure access to SAP tables and OS-level files containing log information. Also, log files should be replicated to independent time-synchronized servers and log data held directly in SAP systems should be periodically archived using the archiving transaction SARA.
Since the official release of the SAP Cybersecurity Framework in 2014, the standard has become the de facto benchmark for securing SAP systems from advanced cyber threats. Drawing upon guidance issued directly by SAP, as well as the real-world experience of front-line SAP security architects and forensic investigators, the framework delivers a single point of reference to harden SAP systems from cyber risks. It enables enterprises to counter weaknesses in perimeter controls such as network firewalls and intrusion detection systems by securing the technical infrastructure of SAP systems. Vulnerabilities in such infrastructure could be exploited to bypass perimeter controls and corrupt or leak sensitive business information or perform denial of service attacks in SAP systems.
The threat posed by attackers that seek out and exploit vulnerabilities has reached epidemic proportions. By all measures, attacks are growing in frequency and sophistication. The number of threat actors is also increasing, ranging from organized gangs of cyber criminals to hacktivist groups and state-sponsored agents. Finally, the impact of cyber attacks has reached new levels. The cost of a successful data breach is no longer measured in purely monetary terms. Recent experience has demonstrated that the impact can be strategic and long-lasting.
The SAP Cybersecurity Framework fills the void created by weaknesses in perimeter security and the limitations of GRC software that focus exclusively on the SAP authorization concept. It empowers organizations to better understand and respond to lesser known risks in the technical components of SAP systems to greatly reduce the likelihood of a system breach. It also enables enterprises to improve breach detection capabilities to respond more rapidly to attacks and contain the impact.
What’s more, the framework provides a clear path for securing SAP systems from cyber threats using only standard SAP-delivered software. It demonstrates that effective strategies are not necessarily tied to licensing third party solutions but leveraging the host of security tools made available by SAP to customers without any additional expense. This includes automated vulnerability detection and alerting tools available in Solution Manager. It therefore provides a powerful and cost-effective alternative to approaches that revolve around purchasing, installing and configuring solutions from independent software vendors.
The SAP Cybersecurity Framework 2.0 improves upon the original standard by incorporating new SAP guidance in areas such as trace functions to identify authorizations required for RFC users, enabling switchable authorization checks, whitelists for RFC callbacks, and approaches for identifying required security patches included in Notes and support packages.
Trace Functions There are several limitations with analyzing log data in event logs configured in the Security Audit Log and transaction STAD for restricting permissions for RFC users. The former only record function groups accessed by users and the latter is resource-intensive. Therefore, SAP recommends using short and long-term trace functions through transactions STAUTHTRACE, STRFCTRACE or STUSOBTRACE. This approach will reveal the function modules accessed by users and consume fewer system resources than STAD.
Switchable Authorization Checks Switchable authorization checks are intended to strengthen security for critical remote-enabled function modules that are used to access or modify sensitive data by requiring additional authorization checks above and beyond the standard S_RFC check. They are delivered via Notes and support packages but should only be enabled after relevant user profiles are updated to include the new authorizations. The DUO and DUQ event logs of the Security Audit Log should be activated and reviewed to identify the specific users requiring the authorizations during a non-disruptive logging phase.
RFC Callbacks Positive whitelists for systems with later versions of SAP Basis have been introduced by SAP to control the dangers posed by RFC callbacks. Callbacks enable servers to open RFC connections in clients during synchronous calls using the privileges of the RFC user in the client system. A new profile parameter rfc_callback_security_method is used to enable the whitelists which are configured using SM59.
Security Notes and Support Packages The framework no longer recommends the use of the EarlyWatch Alert and RSECNOTE for the identification of relevant Notes and support packages. Both components have severe drawbacks and are effectively deprecated by SAP. Security Notes and support packages should be identified using System Recommendations accessed through the Change Management Work Center in Solution Manager or via WDC_NOTE_CENTER through the Easy Access Menu.
SAP Security Architects at Layer Seven Security perform comprehensive gap assessments against the recommendations of the SAP Cybersecurity Framework and enable customers to implement defense in depth by hardening the entire SAP technology stack. The layered control strategy supported by the framework is based on best practices and SAP security recommendations and represents the most comprehensive, efficient and cost-effective approach to secure SAP systems from cyber attack. To learn more, contact Layer Seven Security.
