Layer Seven Security

Code Vulnerability Management with SAP Solution Manager

Custom Code Management (CCM) in SAP Solution Manager can enable you to take control of custom developments by providing transparency into custom objects in your SAP systems and analyzing the usage of custom code. It can also provide insights into security vulnerabilities in custom objects and packages.

CCM provides an overview of the custom developments in systems and identifies unused or redundant code based on usage statistics from Usage and Procedure Logging (UPL). Decommissioning entire programs or specific lines of code within programs if they are unused or redundant can minimize the attack surface and ensure that time and effort is not wasted managing code-level vulnerabilities in custom developments that are not serving a business need.

Decommissioning in CCM is complemented by tools such as the SAP Clone Finder which identifies custom code that is cloned from SAP standard and supports reverting back to standard code, wherever possible.

CCM displays the results of code checks performed using the ABAP Test Cockpit (ATC). This includes findings from SAP Code Vulnerability Analysis (CVA). CVA performs static application security testing for custom ABAP developments. The tool is used by SAP to scan and secure SAP-delivered code. Therefore, it enables SAP customers to enforce equivalent standards for the security of custom code as enforced by SAP for standard code. Note 1921820 provides details of the security checks performed by CVA. The details are also available in the SAP Community Network.

Enabling CCM is a prerequisite for monitoring the results of CVA checks in SAP Solution Manager. However, CCM is only available to Enterprise support customers and therefore is not available for customers on Standard support. Details of usage rights for Solution Manager are available at the SAP Support Portal.

Licensing restrictions prevent all SAP customers from integrating CVA results with Solution Manager to support holistic cybersecurity monitoring that includes managing risks at the system, user, event and code level.

Layer Seven Security’s custom data connector for CVA resolves this issue by integrating CVA findings directly with the Configuration and Change Database (CCDB) in Solution Manager. This avoids the dependency on CCM and Enterprise support. The data is extracted by the connector from each target system to Solution Manager and automatically updated on a daily schedule. The extracted data is integrated with security reports, dashboards and alerts in Solution Manager to support centralized monitoring for cyber risks in SAP systems including vulnerabilities in custom code. The CVA connector is bundled with the Cybersecurity Extension for SAP Solution Manager.

The raw data for CVA results can be viewed in the custom CCDB store ATC_RESULTS. Results include the check ID, object name, package name, developer name, impacted lines, and a description of each finding.

The findings are mapped to service level reports, web-based reports, and security dashboards in Solution Manager.

CVA results are also integrated with security alerts and email/ SMS notifications generated by SAP Solution Manager.

Cyber Espionage Warning: 30% Growth in Targeted Attacks

The findings of the annual Internet Security Threat Report indicate that the number of organizations targeted by advanced hacking groups increased by almost one third between 2015 and 2018. The groups have not only substantially increased their cyber-espionage operations, they are also deploying increasingly sophisticated tactics against a growing number of sectors. National hacking groups such as Chafer and cross-national groups such as Dragonfly are conducting highly targeted campaigns to gather intelligence and exfiltrate data from organizations.

Chafer is linked to the use of leaked NSA exploits and is credited for several attacks against telecoms and transportation companies and their supply chains. Dragonfly has targeted primarily energy and utility companies including infiltrating the control systems of power supply systems. Other groups such as Gallmaker have been responsible for attacks against government institutions and military organizations.

Hacking groups are no longer relying on malware delivered through spear-phishing or other exploits to carry out attacks.  Rather, they are using publicly available tools to execute targeted cyber-espionage campaigns. This includes tools such as Metasploit which provides tools and utilities for exploit development and deployment. Metasploit includes numerous modules for SAP exploits. Approximately 39 percent of intrusions in 2017 did not deploy any malware.  The use of publicly-available tools with legitimate purposes can obfuscate attacks and prevent detection.

Despite the growing sophistication of attacks, average breakout times across all intrusions and threat actors more than doubled between 2017 and 2018 from 1 hour and 58 minutes to 4 hours 37 minutes. This is according to the 2019 Global Threat Report. The breakout metric measures the average time taken by attackers to escalate or propagate an initial compromise to other targets in a network.  The increase in breakout time suggests that organizations are more effectively hardening potential targets against exploits and detecting and isolating attacks. However, the overall average masks substantial differences between threat actors. Russian threat actors have an average breakout time of just 18 minutes and 49 seconds. This means organizations typically have under 20 minutes to discover and contain attacks from Russian hacking groups. Average breakout times are lowest for Russian, North Korean and Chinese hacking groups and highest for cyber criminals.

Successfully detecting and containing cyber intrusions relies not only on speed of detection but also speed of response. Real-time or near-time threat detection should therefore be supported by effective incident response mechanisms to investigate security breaches. SAP Solution Manager provides an integrated platform for both threat detection and incident response. SolMan connects directly to event logs in SAP systems as often as every 5 minutes to detect and alert for security breaches. It also provides automated procedures for investigating and tracking incident response. To learn more, contact Layer Seven Security.

Database Security with the Cybersecurity Extension for SAP

Protecting SAP systems against cyber threats requires integrated measures applied not just within the SAP layer but across the technology stack including network, operating system, and database components.  As repositories of business-critical and sensitive information, databases warrant specific attention for hardening and monitoring efforts. This includes identifying and addressing configuration weaknesses, excessive privileges, and weak audit policies, encrypting data in transit and at rest, removing vulnerable stored procedures, and detecting and responding to privilege abuse or escalations.

SAP Solution Manager is uniquely positioned to monitor the security of SAP databases given its deep connectivity into SAP platforms. This article outlines the architecture and data collection procedures for database monitoring with Solution Manager. Next month’s article will explore database-level security reporting and event monitoring with SolMan.

Establishing connectivity to databases supporting SAP systems is a standard step during the mandatory configuration procedures for Solution Manager. Connection information is entered into the DB Parameters section during the Enter System Parameters step of Managed System Configuration. This includes the database host, port, and user credentials.

The connection supports the DBA Cockpit for database administration and monitoring. It also supports database extractors used by the Extractor Framework. The Extractor Framework performs data collection and distribution for monitoring and alerting in Solution Manager. The framework operates regular extractors to snapshot configuration, user, system, change and event-related data from systems. The snapshots are stored in areas such as the SolMan Configuration and Change Database (CCDB) and queried by other applications in SolMan including Configuration Validation and the Monitoring and Alerting Infrastructure (MAI). The concept of running or scheduling security scans is foreign in Solution Manager. Periodic jobs run the extractors to refresh the data. Therefore, there is no need to schedule scans or connect directly to systems to compile data when reviewing security-related information. Job Monitoring in Solution Manager can be used to monitor the relevant jobs and alert for job errors or warnings.

Solution Manager automatically applies preconfigured templates for databases once they are successfully connected for monitoring. SolMan installations are packaged with templates for all platforms supported by SAP systems including SAP databases such as HANA, Sybase and MaxDB, and third-party databases from Oracle, IBM and Microsoft. Template contents can vary based on the specific version and release of databases.

Templates for HANA platforms including metrics and alerts for monitoring system availability, performance and security. They also include CCDB stores to extract current values for HANA parameters, and details of active users, audit policies and users with critical database and system privileges.

The extractor framework and SAP-delivered templates may not provide coverage for monitoring all the security-related areas for each database platform. Therefore, customers or partners can either define their own templates or create/ modify extractors, metrics, alerts and CCDB stores to extract additional data. In the example below, we’ve added several custom stores to extract and query data for Sybase ASE that is not available in a standard Solution Manager installation.  This includes runtime values for all Sybase parameters, active users, roles assigned to database users, enabled stored procedures, audit settings, and database event logs with event IDs, user IDs, and timestamps.

The stores are assigned to the custom /L7S/ namespace to avoid any conflict with SAP and other namespaces.

The extractor framework regularly refreshes the data through background jobs. Database security policies are then applied by Solution Manager against the CCDB to identify vulnerabilities and security-related events in the platform. The data is also monitored by the MAI which triggers alerts and notifications for critical risks. The results are replicated to an internal Business Warehouse (BW) in Solution Manager.

In next month’s article, we will discuss how you can use Service Level Reporting and BusinessObjects to create detailed and user-freindly reports to convey the results of database security monitoring with SAP Solution Manager.

Layer Seven Security Recognized as an SAP Cybersecurity Leader

Layer Seven Security has been named as the leading SAP cybersecurity provider in the 2018 Top 10 SAP Solution Providers. According to the source of the study,  Layer Seven Security provide a “unique and innovative approach to securing business-critical SAP systems against cyber threats”. The study recognizes Layer Seven as an “innovative force in the SAP cybersecurity industry” for delivering “leading-edge vulnerability management, patch management, threat detection and incident response without requiring customers to license and install complex and expensive new platforms.”

The report also acknowledges the SAP partner’s “extraordinary levels of year-on-year growth”. Layer Seven Security more than doubled it’s customer base and experienced a 350% surge in revenue in 2018. The company recently announced an ambitious 3-year roadmap that includes recent innovations such as interactive security reporting based on SAP Web Intelligence, monitoring for Java users with administrative privileges, and security monitoring for SAP databases including Sybase ASE. Planned innovations include integration between SAP Solution Manager and the NetWeaver add-on for Code Vulnerability Analysis, the development of Fiori applications for embedded security reporting in SAP Solution Manager, and support for OS, cloud and network platforms for end-to-end security monitoring of the SAP technology stack.

 

Webinar Recording: Security Analytics with SAP Web Intelligence

Watch the webinar replay to learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

– Discover security vulnerabilities
– Manage missing patches
– Detect alerts for security incidents
– Collaborate and track remediation efforts using comments
– Filter and sort report data
– Export and share results
– Access reports remotely

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.

Watch Now

 

 

Webinar: Security Analytics with SAP Web Intelligence

Thu, Dec 13, 2018 11:00 AM – 12:00 PM EST

Learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

– Discover security vulnerabilities
– Manage missing patches
– Detect alerts for security incidents
– Collaborate and track remediation efforts using comments
– Filter and sort report data
– Export and share results
– Access reports remotely

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.

Register

 

 

Secure, Patch & Respond: Security Analytics with SAP Web Intelligence

SAP Web Intelligence enables users to visualize and manage security risks in SAP systems using interactive reports delivered through an intuitive web interface. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Animated charts summarize risks by system, location, priority and other dimensions. Results can be filtered and sorted to focus on specific areas. Users can comment on report elements for collaboration, decision-making and tracking remediation efforts. Reports can be exported to Excel, HTML and PDF. Reports can also be accessed remotely using the mobile app for SAP BusinessObjects.

The security reports are comprised of five distinct sections. The first section includes a series of charts that summarize risks across three dimensions: vulnerabilities, security notes, and alerts. The results can be filtered to focus on single or multiple systems.

The second section includes trend charts, bar graphs, geo-maps and bubble charts that break down the results for each dimension.

The remaining sections convey detailed findings and empower users to secure SAP systems against cyber threats by discovering and removing vulnerabilities, applying patches, and responding to alerts for suspected security breaches.

To learn more, contact Layer Seven Security. You can also request a free trial for security reporting with SAP Web Intelligence using Layer Seven’s cloud platform.

 

Coming Soon: Security Reporting with SAP Web Intelligence

SAP Web Intelligence (WebI) provides a platform for self-service reporting that enables users to analyze and visualize data from SAP systems using an intuitive, interactive and web-based interface. WebI supports BEx queries to connect to security-related data in Business Warehouse within Solution Manager. Users can create dynamic reports with embedded dashboards to monitor and manage risks and track remediation efforts. Reports are published to the BI Launch Pad to support enterprise-wide access through a web browser. They can also be refreshed, scheduled and broadcast from the Launch Pad.

Stay tuned for more details.

 

How to Comply with the DHS Recommendations for Securing SAP Systems from Cyber Attacks

In response to the dramatic rise of cyber attacks targeting ERP applications, the United States Department of Homeland Security (DHS) issued a warning earlier this year that encouraged organizations to respond to the risks targeted at their business applications by implementing specific measures to secure, patch and monitor SAP systems. The measures included scanning for vulnerabilities and missing security patches, managing SAP interfaces, and monitoring user behaviour, indicators of compromise, and compliance against security baselines for systems.

This article discusses how you can leverage SAP Solution Manager to comply with the DHS recommendations. Solution Manager is installed and available in most SAP landscapes and includes diagnostics and monitoring applications to support cybersecurity. The specific applications are outlined below against each of the DHS recommendations.

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

Configuration Validation in Solution Manager can perform automatic daily scans of SAP systems against security benchmarks to identify misconfigurations that could expose systems to cyber threats. The scans are performed against snapshots of systems stored in the Configuration and Change Database (CCDB). The results of the scans are stored in an internal Business Warehouse (BW). Service Level Reports and Security Dashboards connect to BW using BEx queries to read the results of the security scans and report the findings.

System Recommendations (SysRec) in Solution Manager connects directly to SAP Support to discover missing security patches.  SysRec also connects to each system in an SAP landscape to determine the current patch level. It reads the system information in the Landscape and Management Database (LMDB) to identify installed software components and versions. SysRec also integrates with the ABAP Call Monitor, Usage Procedure Logging, and Solution Documentation to perform change impact analysis for security patches.

2. Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Interface and Connection Monitoring (ICMon) in Solution Manager automatically maps cross-system interfaces including RFC, HTTP, IDOC and Web Services. This includes internal and external connections. It also monitors real-time traffic patterns to detect and alert for malicious actions including dangerous RFM and URL executions.

3. Analyze systems for malicious or excessive user authorizations.

Solution Manager can detect users with administrative privileges in SAP systems. It flags users with privileged authorizations, profiles, roles, transactions, Java permissions, and HANA system and table privileges. Privileges can include standard and custom objects.

4. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can monitor event logs in SAP systems to detect and alert for indicators of compromise (IOCs). This includes log files and tables such as the Security Audit Log, HTTP Log, System Log, Gateway Server Log, Change Document Log, Read Access Log, Java Security Log, HANA Audit Log, and the SAProuter Log. The MAI triggers alerts and email and text notifications for IOCs. Guided procedures provide a framework for incident response and tracking.

5. Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

MAI monitors user logs to detect and alert for suspicious behavior covering both privileged and non-privileged users. This includes unauthorized access, escalation of privileges and actions that could lead to data leakage.

6. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

SAP Partners periodically update content for Solution Manager to address new vulnerabilities and attack vectors.

7. Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Solution Manager continuously monitors for policy violations against security baselines and compliance frameworks such as GDPR, IT-SOX, NIST and PCI-DSS. Service Level Reports and Dashboards provide directions for implementing and tracking remedial actions taken to patch and secure systems. Guided procedures document incident investigation steps performed by responders. The results are archived in Solution Manager.

To learn more about how Solution Manager can help you comply with the DHS recommendations for securing SAP systems, contact Layer Seven Security.

SolMan-SIEM Integration for Advanced Threat Detection

SAP Solution Manager monitors real-time event information in SAP logs to automatically detect and trigger alerts for specific Indicators of Compromise (IOCs).  This includes events written to the security audit log, system log, gateway server log, change document log, HTTP log, transaction log, SAProuter log, Java security log and the HANA audit log. Alerts are managed in the Alert Inbox or the System Monitoring app of SAP Solution Manager and automatic email and SMS notifications are triggered for critical incidents. Alerts are integrated with Guided Procedures to support an end-to-end process for incident detection and response within Solution Manager.

The data collection for event monitoring using Solution Manager is performed using existing RFC connections and Diagnostics Agents installed in managed systems. Since Diagnostics Agents can be installed in both SAP and non-SAP systems and components, Solution Manager can perform many of the functions of a Security Information and Event Management (SIEM) system. SolMan can monitor across the technology stack including database, operating system, and application layers, as well as network components such as routers, switches and firewalls. These areas are often monitored by organizations using existing SIEM platforms. Therefore, SolMan is more commonly used for application-level monitoring.

SIEM platforms support direct monitoring of SAP log files, tables and other data sources. However, there are several drawbacks with this approach. One of the drawbacks is that each data source within every target system must be connected separately to SIEM platforms. This increases deployment times and complexities. Once connected, rules and patterns must be defined in the platforms for every possible event. Also, since SIEM platforms are ingesting raw logs, the cost of monitoring and storing mammoth-sized logs for multiple SAP systems can be prohibitive, especially for large landscapes.

SAP Solution Manager overcomes these drawbacks by parsing log files and tables and filtering events before forwarding alerts to SIEM platforms. This enables the platforms to avoid ingesting raw logs to monitor SAP event information. Since the event data forwarded to SIEM platforms is derived from a single source for all SAP systems in a landscape, deployment is also faster and less complex. Finally, Solution Manager structures and enriches the event data before it reaches SIEM platforms to reduce the need to develop rules and patterns to interpret SAP event information.

Solution Manager can integrate with SIEM platforms through several ways. The most common is using OS commands that are called by SolMan to write event data to external files that are ingested by SIEM solutions. Alerts are written to external files as soon as they are triggered by SolMan. Alert fields can include the alert name, description, priority, date, time, SAP System ID, and other areas.

This process integrates alerts for IOCs and other security risks detected by SolMan for SAP applications with SIEM systems for centralized monitoring and cross-platform correlation. The example below is for Splunk Enterprise. Click on the images below to enlarge.