Layer Seven Security

SAP Solution Manager is ITIL-Certified for Information Security Management

The SAP Integration and Certification Center (ICC) has been validating and certifying solutions from partners and software vendors for over twenty years. The certifications provided by the ICC are based on rigorous testing and enable customers to invest with confidence in technologies that integrate with SAP solutions. This includes technologies that support security scenarios such as automated vulnerability management, code scanning and threat detection.

The ICC cannot certify SAP’s own product offerings since self-certification does not provide the same level of assurance as independent certification. However, SAP platforms are often certified by recognized certification authorities. SAP Solution Manager, for example, is certified by organizations such as SERVIEW. In fact, Solution Manager is one of the most awarded service management platforms in the market and certified for all 18 certifiable processes of the ITIL framework, including Information Security Management.

ITIL is the Information Technology Infrastructure Library and provides best practices to support the design, management and monitoring of IT infrastructure and optimization of service levels for end users. The framework consists of five distinct lifecycle phases for service strategy, design, transition, operations, and continuous improvement. It includes key performance indicators to identify problems, measure performance, and track progress.

IT Security Management is a process within the Service Design lifecycle of the most recent version of the ITIL framework. It includes four sub-processes for the design of security controls, the performance of regular security reviews, and the management of security incidents. The sub-processes are targeted at preventing, detecting and containing security intrusions and breaches. The chart below maps each sub-process to relevant applications available in SAP Solution Manager.

ITIL v3 – IT Security Management

Applications such as Configuration Validation, Service Level Reporting and the Dashboard Builder enable customers to enforce security baselines for SAP landscapes and monitor compliance against security KPIs. System Recommendations automatically detects missing security patches through a direct connection to SAP support. Interface Monitoring detects potential breaches of cross-system connections. Finally, the Monitoring and Alerting Infrastructure and Guided Procedures provide an advanced framework for detecting and responding to security incidents and suspected breaches. Overall, Solution Manager provides a powerful ITIL-compliant platform for defining, implementing and sustaining secure SAP system landscapes.

 

5 Common Myths for Security Monitoring with SAP Solution Manager

Does Solution Manager have a complex installation process? Is it difficult to maintain? Does it create dangerous connections with SAP systems? Is it a high value target for attackers? Does it provide no support for zero-day vulnerabilities?

This article tackles the five most common myths about SAP Solution Manager and reveals the truth behind the fiction.

The first and most common myth is that SAP Solution Manager is complex to install and difficult to maintain. In fact, the installation procedures for Solution Manager are relatively simple and standardized, especially in comparison to other SAP platforms such as ECC. Once installed, guided procedures in Solution Manager track the progress of the setup process across three major areas: System Preparation, Basic Configuration, and Managed System Configuration. Performing the configuration steps in Technical or Application Monitoring is recommended to enable the monitoring capabilities of Solution Manager.

Once configured, security-relevant applications such as System Recommendations, Dashboards, Interface Monitoring and the Monitoring and Alerting Infrastructure are enabled and ready to use. Therefore, the standard setup procedures automatically activate most of the requirements for security monitoring using Solution Manager. Since security applications use existing connections with SAP systems, there is no need to install and configure additional agents in target systems.

Maintenance is relatively straightforward. Support packs for functional enhancements and bug fixes are released at regular intervals and are applied using the Maintenance Optimizer. The guided procedures for SOLMAN_SETUP will flag any configuration issues that need to be tackled after an SP upgrade.

The second myth is that SAP Solution Manager creates dangerous RFC connections with managed systems. The RFC connections created by Solution Manager are no more or less dangerous than similar connections between other systems in SAP landscapes. Also, the risk is not removed if you decide not to perform security monitoring using SAP Solution Manager since the connections will remain in place.

The third myth is that SAP Solution Manager is a high-value target for attackers. In fact, all SAP systems are valuable targets for attackers. Since Solution Manager does not typically store or process sensitive business data, it may be a less valuable target than systems such as ECC, CRM and SRM. Also, Solution Manager performs self-monitoring to detect security vulnerabilities including misconfigurations and missing patches, and potential security breaches captured in SAP logs. In dual landscapes, Solution Manager systems can monitor each other.

Fourthly, it’s often emphasized that Solution Manager is not certified by SAP. SAP certifies third party solutions developed by independent software vendors for integration with platforms including SAP NetWeaver. SAP does not certify it’s own software platforms such as Solution Manager. However, Solution Manager is ITIL-certified by organizations such as SERVIEW for Information Security Management.

The final myth is that Solution Manager does not provide any coverage for zero-day vulnerabilities that are unpatched by SAP. Security researchers choose to deliver virtual patches for zero-day vulnerabilities through third party tools in order to induce SAP customers to subscribe to expensive licenses for such tools. This is a business decision and not due to any technical limitation in Solution Manager. Also, all zero-day vulnerabilities do not pose a critical risk to SAP systems. The fact that patches for vulnerabilities are often released many months after the weaknesses are disclosed by security researchers to SAP does not necessarily mean that SAP systems are at serious risk. SAP’s response to such disclosures depends on an assessment of the risk posed by reported vulnerabilities. This includes factors such as the complexity and range of related exploits and the impact to data confidentiality, integrity and availability.

Featured in SAPinsider: Secure Your SAP Landscapes with SAP Solution Manager 7.2

Firewalls, intrusion detection systems, and antivirus solutions may not protect SAP systems against advanced cyberattacks. However, this does not necessarily mean that SAP customers have to license third-party vulnerability scanning or threat detection solutions to deal with the risk. The answer to their security questions may be closer than they realize. Bundled with standard and enterprise SAP support agreements, SAP Solution Manager 7.2 includes five integrated applications to safeguard SAP systems against cyber threats:

Service Level Reporting (SLR)
Dashboard Builder
System Recommendations
Interface and Connection Monitoring (ICMon)
and the Monitoring and Alerting Infrastructure (MAI)

Read the full article

Monitor Table Access with SAP Solution Manager

There has never been a greater need to monitor access to sensitive data in SAP systems. SAP data is increasingly accessible from access points outside network perimeters. Data in SAP systems is also targeted by attackers for cybercrime and corporate espionage. This article demonstrates how you can use SAP Solution Manager to detect and contain potential information leaks in your SAP systems before they lead to a full-blown data breach. The demonstration leverages the advanced diagnostics capabilities of the Monitoring and Alerting Infrastructure (MAI) in Solution Manager. MAI connects directly to SAP systems to monitor event data in SAP log files and tables.

The specific scenario that will be used to demonstrate the monitoring capabilities of MAI is access to SAP logon data in table USR02 using data browsing transactions such as SE16. However, the scenario can be adapted for other sensitive data including financial, employee and product-related information in SAP tables.

The first step is to configure a logging scenario to log access to table USR02 through SE16. This can be transported from a source system or configured directly in a target system using Read Access Logging (RAL). For the configuration option, we will define a log purpose and domain.

The next step is to create a recording to capture the data fields and values using SAP GUI. Read Access Logging also supports logging scenarios for data accessed through web browsers, web services, remote function calls, and OData services via the SAP Gateway.

Once the recording is completed, we will define the log contexts, groups and conditions in the RAL configuration.

Finally, we will maintain User Exclusion Lists for users that should be excluded from logging and activate the scenario.

The activation of the scenario will trigger logging for access to table USR02 through SE16. The log records can be read using the RAL Monitor.

Although RAL logs access to sensitive data with timestamps and usernames, it does not trigger an alert or notification for logged events. Therefore, the next step is to configure metrics, alerts and notifications using MAI in SAP Solution Manager.

Custom metrics and alerts are defined in the Template Maintenance section of System Monitoring within Solution Manager Configuration. Metrics and alerts can be at the database, host, system or instance level and are contained in monitoring templates. For custom metrics, we need to specify a metric name, data type and unit of measure. We also have to specify options for data collection including collector types and intervals. For the RAL scenario, we will use the RFC option for a table connector with a collection interval of 5 minutes. We will also specify the RAL table and configuration ID in the metric input parameters. Based on the configuration, MAI will connect to the RAL table in each system every 5 minutes and search for the configuration ID of the logging scenario.

For the alert, we will define a custom name and description, select the category and severity, and maintain the notification settings to automatically generate an email and/ or SMS for the alert. We will also maintain recipient lists for the notifications. To avoid alert flooding, we can adjust the interval for follow-up notifications based on number of minutes, hours or days. We can also group multiple alerts into a single notification. To activate the alert, we need to assign the metric to the alert and then assign the template containing the alert to the target systems in the landscape.

Below is the alert and email notification generated by Solution Manager for the RAL event. The alert details include the username and source IP address of the user that accessed table USR02 using transaction SE16. This is displayed in the Text Value.

 

 

 

 

 

The third step is the configuration of a guided procedure to support the investigation of the alert. This can be performed using the Guided Procedure Authoring Tool in Solution Manager. In the example below, we have created a 2-step guided procedure to firstly, access the RAL Monitor in order to review the event and secondly, investigate other actions performed by the user logged in the Security Audit Log. The Guided Procedure includes automatic transaction jumps to the required screens and reports in the target system.

Log settings, monitoring templates and guided procedures can be licensed and transported directly into managed systems and SAP Solution Manager to accelerate the implementation of threat detection using MAI. Contact Layer Seven Security to learn more.

 

Equifax Data Breach: Attackers Exploited an Unapplied Security Patch, not a Zero-Day Vulnerability

On September 15, Equifax released a statement to confirm the initial attack vector that led to the compromise of personal information relating to 143 million consumers in the US, UK and Canada targeted an Apache Struts vulnerability within a web application that supports the organization’s online dispute portal. The patch for the vulnerability had been available since March but had not been applied by Equifax at the time the breach was detected on July 29. The patch was subsequently applied by Equifax but it was too late – the damage had been done.

Predictably, Equifax’s patching procedures have been cast into doubt with many questioning why the organization took four months to patch an external-facing web application that accessed large-volumes of sensitive information.  The doubts were evidently shared by the Board of Directors at Equifax: both the Chief Information Officer and the Chief Security Officer were forced out last week.

Fortunately, few SAP applications are impacted by the Apache Struts vulnerability addressed by CVE-2017-5638. Although many SAP products including Banking, BusinessObjects, and Sybase use the Apache framework, very few products use the Struts library within the framework.

However, SAP customers are strongly advised to review and revise their patching efforts in light of the breach. Despite concerns related to zero-day vulnerabilities, the root cause of the vast majority of breaches remains poor security practices rather than zero-day attacks. This includes ineffective patching procedures that open a wide window of opportunity for attackers to exploit known vulnerabilities before they are patched by organizations. This point was emphasized by a statement from Fortinet with the recent release of the company’s Global Threat Landscape Report. According to Fortinet, “Cybercriminals aren’t breaking into systems using new zero day attacks, they are primarily exploiting already discovered vulnerabilities”.

SAP customers can discover and apply security patches for SAP products using System Recommendations (SysRec). SysRec is an application within SAP Solution Manager that connects directly to SAP Support for real-time patch updates. It also connects directly to each system within SAP landscapes to monitor patch levels. SysRec downloads corrections for security vulnerabilities from SAP Support to each system. It also integrates with other areas in Solution Manager including Usage Logging and Solution Documentation for change impact analysis, Change Request Management (ChaRM) for managing changes, and Test Management for testing and deployment.

Discover Vulnerable System Connections with Interface Monitoring

Interface Monitoring provides the answer to one of the most vexing questions in SAP security: where are our vulnerable cross-system connections and how do we monitor them to ensure they’re not abused by attackers?

Although Interface Monitoring, also known as Interface Channel Monitoring or ICMon, has been available in SAP Solution Manager since version 7.10 SP05, the application has been completely overhauled in version 7.2, especially in SP05, which has been in general availability since June.

ICMon in SolMan 7.2 includes an SAPUI5 graphical display that automatically maps the entire landscape topology in a single screen (see below). Topologies are generated by ICMon based on so-called monitoring scenarios configured in Integration Monitoring within SolMan configuration.

During scenario creation, you specify the systems and channels to monitor in each scenario. Multiple scenarios can be created to monitor different channels, systems, environments or other variables. Scenarios can also be landscape-wide to include all available systems and even cross-landscape to monitor systems located in different SAP landscapes.

Unlike some third party security tools that focus exclusively on RFC communications, ICMon can support monitoring for any SAP-supported protocol. This includes not only RFC, but HTTP, HTTPS, IDoc and Web Services.

Once the scenarios are configured, you can select from the list of available scenarios from Scope Selection in ICMon to monitor the scenario.

ICMon’s ability to automatically generate a graphical topology of cross-system connections enables users to discover vulnerable interfaces between systems including trust RFC relationships between systems in different environments. Trust relationships and stored credentials in RFC destinations could be exploited by attackers to, for example, pivot from vulnerable development or test systems to productive systems.

However, ICMon doesn’t just generate a static topology of system interfaces. It also continuously collects metrics and usage data for each channel to monitor availability, configuration and performance errors. Errors and warnings are displayed in both the ICMon dashboard (see below) and the topology.  Connections with errors or warnings are displayed in red in the topology. Successful connections are displayed in green.

Usage data includes destinations and function modules called through each RFC channel with timestamps.

Alerts configured for metrics and thresholds including security-related scenarios can be viewed in the Alert Ticker from the ICMon home screen. The alerts can also be viewed in the Alert Inbox of SAP Solution Manager. In common with alerts for other application areas, ICMon uses the Monitoring and Alerting Infrastructure (MAI). Therefore, the Guided Procedure Framework can be used to apply standard operating procedures and best practices for incident management and alert handing.

Q&A: Cybersecurity Monitoring with SAP Solution Manager

How does Solution Manager detect threats and vulnerabilities in SAP systems? What specific applications in SolMan are used for vulnerability, patch and threat management? What are the requirements for using these areas? How long does it take to configure? What are the differences between monitoring using SolMan 7.1 and 7.2? What are the benefits of using SolMan versus third party tools? Why should you partner with Layer Seven Security to help you leverage the cybersecurity capabilities of SAP Solution Manager?

Discover the answers to these and many other questions in the new Q&A section and learn how you can immediately protect your SAP systems from advanced threats using tools you already own and an approach recommended by SAP.

Remember to bookmark the page since we will be updating the questions and answers periodically. Also, feel free to submit your questions for our experts in the comments below.

Q: What is SAP Solution Manager?
A: Solution Manager is the most widely deployed SAP product after ECC. It’s installed in almost all SAP landscapes and is used for application lifecycle activities such as system patching and upgrades, change management, incident management, and system monitoring.

Q: How is Solution Manager licensed?
A: Usage rights for Solution Manager are bundled with SAP support and maintenance agreements. SAP Enterprise Support customers can manage their whole IT infrastructure with Solution Manager. Customers with Standard Support can manage SAP products within their IT landscapes with Solution Manager. Licensing for SAP HANA is included with the usage rights for SAP Solution Manager 7.2.

Q: What security tools are available in Solution Manager?
A: There are several applications in Solution Manger that should be used for advanced security monitoring. We recommend Service Level Reporting, Security Dashboards, System Recommendations, Interface Monitoring and Security Alerting.

Q: Why doesn’t Layer Seven Security recommend the EWA and SOS reports?
E: There are drawbacks with both reports. The EarlyWatch Alert (EWA) performs some security checks but is not specifically a security report. Therefore, the range and volume of checks performed by EWA for security is low. The Security Optimization Service (SOS) provides better coverage but is not fully automated. You must submit a service request to run SOS for ABAP systems. Service requests to run SOS for Java systems must be submitted to SAP.

Q: What are Service Level Reports?
A: Service Level Reports (SLR) automate vulnerability reporting for SAP systems. They perform scheduled checks for hundreds of security weaknesses for ABAP, HANA and Java systems and automatically distribute the results via email, SFTP or the Enterprise Portal. SLRs include detailed descriptions for findings, risk ratings, links to relevant SAP Notes and guidance at the SAP Help Portal and compliance scorecards for frameworks such as NIST, PCI DSS and IT-SOX.

Q: How do SLRs work?
A: SLRs read the results of automated daily vulnerability scans performed by Solution Manager for SAP systems. The results are checked against security KPIs during runtime. SLRs are typically scheduled to run on a weekly or monthly schedule.

Q: Are SLRs available in multiple languages?
A: Yes, SLRs can be run in any language including French, German, Spanish, Arabic, Japanese, and Mandarin.

Q: Are SLRs customizable?
A: Yes, you can customize every aspect of service level reports including the design, layout, security checks, and KPI metrics and thresholds.

Q: Can you provide a sample Service Level Report?
A: Yes, submit your request here.

Q: What is System Recommendations?
A: System Recommendations is an application in Solution Manger that performs automated patch management for SAP systems. It connects directly to SAP Support to download required security notes and monitor the status of notes implemented in systems through regular background jobs.

Q: Does System Recommendations also download and apply corrections?
A: Yes, System Recommendations downloads corrections from SAP Support to target systems. The user is automatically directed to SNOTE in the target systems once the corrections are downloaded.

Q: Does System Recommendations identify the impact of security patches?
A: Yes, System Recommendations integrates with applications in Solution Manager to perform change impact analysis and discover programs, function modules, transactions, reports and business processes effected by notes.

Q: Does System Recommendations integrate with Change Request Management (ChaRM)?
A: Yes, System Recommendations includes the option to automatically generate a change request for required notes.

Q: What are Security Dashboards?
A: Security Dashboards monitor critical key performance indicators to track vulnerabilities and threats across SAP landscapes in real-time.

Q: What type of metrics are monitored by Security Dashboards?
A: The Dashboards connect to data stores in Solution Manager for event-driven alerts and system and user level vulnerabilities. Users can drilldown from aggregated results to detailed values.

Q: What type of data visualizations are available in the Security Dashboards?
Users can select from column, line, pie, scatter and other charts and Fiori tiles and tables.

Q: What is Interface Monitoring?
A: Interface Monitoring is used to map and track system interfaces in SAP landscapes including RFC, HTTP, IDoc and Web Service connections. It automatically creates a topology of system interfaces and monitors the usage of the interfaces in real-time. Alerts can be generated for channel metrics including availability, configuration and performance.

Q: What is Security Alerting?
A: Security Alerting is based on the Monitoring and Alerting Infrastructure (MAI) of Solution Manager. MAI connects to data providers including event logs to monitor for security vulnerabilities and incidents. MAI generates automatic notifications for security incidents including emails and text messages.

Q: What type of security vulnerabilities and events are monitored by MAI?
A: MAI monitors system-level vulnerabilities such as the enabling of the invoker servlet in Java systems, insecure entries in access control lists for gateway servers, vulnerable RFC destinations, missing security notes, and many other areas. It also monitors KPIs for user-level security including users with dangerous profiles such as SAP_ALL and unlocked standard users.

Q: Can you perform threat detection using MAI in Solution Manager?
A: Yes, MAI includes file and database connectors for real-time monitoring of event data captured in SAP logs. This includes the security audit log, HANA log, UME log, HTTP log, gateway server log, and the Read Access Log.

Q: Can you integrate MAI alerts with Security Information Event Management (SIEM) and incident management systems?
A: Yes, MAI alerts can be automatically forwarded to SIEM systems such as Splunk, ArcSight, and QRadar for event correlation and forensic analysis. Alerts can also be forwarded to incident management systems such as BMC Remedy and ServiceNow.

Q: Does Solution Manager provide best practices for alert handling?
A: Yes, the Guided Procedure (GP) Framework in Solution Manager provides best practices and standard operating procedures for investigating and resolving security alerts. This standardizes and improves incident management procedures and reduces response times. The guided procedures include automated steps to further improve incident handling.

Q: What are the main differences between SAP Enterprise Threat Detection (ETD) and threat detection using SAP Solution Manager?
A: SAP ETD provides more advanced capabilities for event correlation and forensic analysis. However, Solution Manager can forward event data to SIEM systems that can correlate and analyze data on a wider scale than ETD by combining data from SAP and non-SAP sources. Also, ETD does not monitor for system-level vulnerabilities or provide guided procedures for alert handling.

Q: What are the requirements for using the security applications in Solution Manager?
A: The security applications are available in any SP level of Solution Manager versions 7.1 and 7.2. The only requirements are the completion of the SOLMAN_SETUP procedures for the relevant version.

Q: What are the differences between Solution Manager 7.1 ad 7.2 for security monitoring?
A: The main difference is the user-experience. Solution Manager 7.2 provides the improved Fiori interface including a launchpad for direct access to applications. Some functions such as automatic download of SAP corrections in System Recommendations are only available in Solution Manager 7.2. Also, the dashboarding and interface monitoring capabilities are more advanced in the latest version of Solution Manager.

Q: How many environments and systems can you monitor with Solution Manager?
A: There are no limits on the number of environments or systems that can be monitored by Solution Manager. However, Solution Manager must be appropriately sized to monitor large landscapes.

Q: How long does it take to configure the security applications?
A: Typical implementation timeframes are between 2-4 weeks for mid-sized landscapes.

Q: If security applications are available in standard installations of Solution Manager, why do we need to work with SAP Partners such as Layer Seven Security to configure these components?
A: Solution Manager provides the framework and the tools to perform advanced security monitoring. However, the standard installation of Solution Manager does not provide sufficient content for security monitoring. The content is developed, maintained and supported by Layer Seven Security. This includes patent-pending custom security policies, BW infoproviders, service level reports, monitoring objects and guided procedures. The content is licensed by SAP customers from Layer Seven Security and imported or transported into Solution Manager.

Q: What are the benefits of using Solution Manager for security monitoring versus third party tools ?

A: There are many advantages for using Solution Manager over third party tools. The most significant is lower cost: licensing and importing content for Solution Manager is less expensive than licensing entire platforms and solutions for SAP security monitoring. Solution Manager is also more flexible and customizable. It’s also recommended by SAP and supported and maintained directly by SAP. For further information, download the comparison chart.

Q: Does Layer Seven Security provide online demos for security monitoring using Solution Manager?
A: Yes, you can request a demo here.

Q: Does Layer Seven Security provide free readiness checks and trials for security monitoring using Solution Manager?
A: Yes, we offer free readiness checks to discover and remove any configuration gaps in Solution Manager to support security monitoring. We also provide free trials for Layer Seven’s custom security content. The trials can be performed remotely or on-site for up to 5 systems.

Q: Who shall I contact for further information?
A: Please call Layer Seven Security at 1-647-964-7370 or email info@layersevensecurity.com

Highlights of the 2017 DBIR Report

The Data Breach Investigations Report (DBIR) has chronicled the growth in security and data breaches for over a decade.  The findings of the most recent report released on April 27 are based on the analysis of more than 42,000 security incidents across a variety of industries and countries.

For the first time, the DBIR examines security breaches for key industries to analyze threats confronted by specific verticals. According to the report, attack patterns and motives, as well as susceptibility to different forms of attack vary considerably between industries. For example, manufacturing companies are more likely to fall victim to phishing attacks than public sector organizations. Manufacturers are also more likely to be targeted by attackers motivated by corporate espionage than financial fraud. The industry insights are useful for aligning defense strategies to the risk profiles of each vertical.

Overall, the DBIR revealed that the majority of breaches (75%) are perpetrated by outsiders. Over half of attacks are performed by organized criminal groups and 18% by state-sponsored attackers. Internal resources are detecting a greater proportion of breaches than prior years, pointing to improving detection and response capabilities within organizations.

Hacking and malware remain the leading causes of security breaches. The report revealed a 50% increase in ransomware attacks. Ransomware is now the fifth most common form of malware, up from 22nd in 2014. There was also a noticeable increase in phishing attacks. Phishing is used in 21% of security incidents and has a success rate of 7.3%.

The DBIR analyzed patching processes across industries and concluded that most sectors follow a quarterly patch cycle. However, the percentage of patches implemented on-time varies from a high of 97.5% in the Information sector to a low of 18% in Education.

The findings of the DBIR are summarized below. The full report is available at Verizon Enterprise.

 

Explore Service Level Reporting in SolMan 7.2

Service Level Reporting (SLR) in SAP Solution Manager performs regular checks against key performance indicators using information available from the EarlyWatch Alert (EWA), Business Warehouse (BW) and the Computer Center Management System (CCMS). The checks can be for single systems or systems grouped into solutions. Reports run automatically on a weekly or monthly schedule but can also be triggered manually for on-demand reporting. SLRs can be displayed in HTML or Microsoft Word. SAP Solution Manger automatically distributes SLRs by email to recipients maintained in distribution lists.

Security-related metrics stored in internal or external BW systems can be read by SLR to create dynamic, detailed and user friendly vulnerability reports. This includes areas such as settings for profile parameters, access control lists in gateway security files, trusted RFC connections or destinations with stored logon credentials, unlocked standard users and standard users with default passwords, active ICF services, filter settings in the security audit log, missing security notes, and users with critical authorizations, profiles or transactions. For HANA systems, it includes database parameters, audit policies, the SYSTEM user, and users with critical SQL privileges. For Java systems, it includes properties for the UME and the invoker servlet. Furthermore, since event data from monitored systems is stored in BW and CCMS, SLR can also report on metrics for events in audit logs including the security audit log and syslog. The latter is particularly relevant for HANA systems which can write logs to operating system files.

SLRs are created and customized in the area for SAP Engagement and Service Delivery in the Fiori Launchpad.

Variants need to be maintained for each report including relevant systems, solutions, data sources, metrics, thresholds and schedule (weekly or monthly).

Once activated, the reports are executed by a regular automated job and accessed through the tile for Service Level Reports.

Comments can be included in SLRs before the reports are automatically distributed by email. SLRs include details of each vulnerability check, risk ratings, and links to relevant SAP Notes and documentation at the SAP Help Portal. Reports also include a gap assessment against compliance frameworks such NIST, PCI-DSS and IT-SOX. SLRs are archived by Solution Manager for trend analysis.

Introducing the SAP Cybersecurity Framework 4.0

Cyber attacks are at epidemic levels. According to research performed by 360 Security, there were over 85 billion attacks in 2015, equivalent to 2000 attacks per second. The cost of data breaches continues to grow, year after year, and reached record levels in 2016. Juniper Research estimate that average costs will exceed $150M within three years.

Introduced in 2014, the SAP Cybersecurity Framework provides the most comprehensive benchmark for securing SAP systems against advanced persistent threats. It presents a roadmap for hardening, patching and monitoring SAP solutions using standard SAP-delivered tools.  The newly released fourth edition of the Framework includes important updates in the areas of transport layer security, network segmentation in virtualized environments, and security settings applied through application level gateways.

The Framework no longer recommends the use of the EarlyWatch Alert (EWA) for security monitoring. This is due to concerns related to the updated rating scale used to grade security risks in the EWA. However, the Framework includes an expanded section for security monitoring using SAP Solution Manager including an overview of security-related tools bundled within Solution Manager such as Configuration Validation, System Recommendations, Monitoring and Alerting Infrastructure (MAI), Service Level Reports, Interface Monitoring, and Dashboards.

The SAP Cybersecurity Framework is available in the white paper Protecting SAP Systems from Cyber Attack.