Layer Seven Security

Security with SAP RISE: A Shared Model of Responsibility

SAP RISE is a cloud-based service offering from SAP that includes the private edition of SAP S/4HANA Cloud at the core. As part of the offering, SAP maintains privately-managed, single-tenanted accounts for each customer with hyperscale providers including AWS, Azure and GCP. The accounts are fully managed by SAP. Therefore, SAP acts as a cloud service provider and the customer is essentially a consumer of an SAP cloud service.

SAP customers are responsible for most aspects of security for on-premise deployments or cloud deployments managed directly with hyperscale providers. However, SAP RISE divides the responsibilities between SAP and customers.

As the cloud service provider, SAP assumes many of the responsibilities for security that would otherwise lay with the customer. This includes security at the hyperscaler and network level, as well as security for databases and servers, including operating systems for SAP servers.

Customers are responsible for the application and data layer. However, the responsibility for these areas can also be shared with SAP through optional Cloud Application Services (CAS) that extend the services delivered through SAP RISE. For example, SAP can assume the responsibility for identifying, analyzing, and implementing required security notes. However, this requires an additional CAS package that is not included in standard RISE services. If the customer does not obtain the package, the responsibility for analyzing and selecting notes for implementation lays with the customer. Once selected, the customer can create a service request for SAP to apply the notes.

The security of custom code is also the responsibility of each customer. Customers are encouraged to analyze custom code and remove obsolete, redundant and duplicate code to comply with SAP’s Clean Core principle. The remaining custom developments can be adapted and migrated to systems maintained by SAP Enterprise Cloud Services. However, customers are responsible for ensuring that the developments are secure and do not contain code-level vulnerabilities. RISE customers can secure custom SAP programs and applications using the SAP-certified Cybersecurity Extension for SAP (CES). CES supports the automated detection of code vulnerabilities in ABAP and UI5 applications. It can be used to support S/4HANA migrations and on-going development and maintenance activities for custom applications.

With the exception of SAP HANA, access control is also the responsibility of customers. This includes managing end user permissions and administrative privileges. Customers can opt-in for optional CAS packages that provide SAP managed services for this area. The Cybersecurity Extension for SAP can be used to monitor access privileges for systems in SAP RISE including segregation of duties violations and access to critical roles, profiles, transactions and authorizations at both the functional and technical level. This includes S/4HANA and supporting systems.

Security hardening is applied by SAP through standard builds used for each ABAP system. The builds include mandatory security settings documented in SAP Note 3250501.  This includes areas such as security-relevant profile parameters, securing standard users, deleting unused clients, deactivating vulnerable ICF services, system and client change options, and hardening for the RFC gateway and message server. The settings can be overridden by customers. Therefore, it is important to automate monitoring for compliance with the hardening requirements. This can be performed using the Cybersecurity Extension for SAP. Compliance Reporting in CES will automatically identify compliance gaps for SAP systems against the requirements of SAP Enterprise Cloud Services (ECS) in Note 3250501.

The final area that customers are responsible for is logging and monitoring. SAP provides customers with access to application logs. Customers can request access to OS, DB and network logs. This is provisioned using a premium offering called LogServe. The application and infrastructure logs can be integrated with SIEM solutions to automate threat detection and response. Alternatively, customers can pay for SAP Enterprise Threat Detection (ETD), cloud edition, or opt for a 24/7 or 8/5 managed service from SAP based on ETD. Neither option is included in standard RISE services.

The cloud edition of ETD includes less than 50 patterns for detecting Indicators of Compromise (IOC) in SAP solutions. The Cybersecurity Extension for SAP provides more than 900 patterns to detects IOCs in SAP systems, including patterns for databases, operating systems, and standalone components such as the SAProuter and Web Dispatcher.

Overall, SAP RISE does not delegate the responsibility for security patching, secure development, access control, hardening, and logging and monitoring from customers to SAP. This is possible for some areas but only through the addition of optional packages that are not included in standard RISE services. Customer and SAP responsibilities are detailed in a comprehensive matrix provided by SAP ECS for more than 1000 tasks. The matrix is a reference for standard, optional, and additional services, excluded tasks, and services available through available CAS packages that are subject to additional service fees. Note that the matrix is subject to change by SAP.

Maximize Your SAP Security Budget: How to Cut Costs Without Downgrading Cybersecurity

According to a recent report from SAPinsider, almost two-thirds of organizations are placing cybersecurity projects on hold or scaling back planned investments in cybersecurity due to the current economic climate. 18 percent of organizations are reducing the size of cybersecurity teams. The latter can have a drastic effect on collaboration and morale. The impact is also long-lasting and difficult to reverse. According to the Ponemon Institute, it takes an average of 7.3 months to recruit and train security analysts. The training required by new analysts also draws time from experienced analysts, reducing the overall effectiveness of cybersecurity teams.

Organizations are experiencing budgetary and resource constraints against a background of rising cyber attacks. The SAPinsider report quotes JP Perez-Etchegoyen, CTO of Onapsis, “threat actors aren’t going to slow down because of a recession. The risk is real, and the impact is huge. We see threat actors targeting organizations even more now than before.”

This article discusses several ways organizations can manage cyber threats without increasing cybersecurity budgets or resources. In fact, many of the recommendations will lead directly to cost savings and the more efficient use of resources in cybersecurity teams.

1. Eliminate Duplicate Security Solutions

Based on research performed by IBM Security and the Ponemon Institute, organizations deploy an average of 45 security solutions. The quantity of tools used by organizations does not lead directly to improved cybersecurity. Organizations using 50 or more tools were ranked as less able to detect and respond to attacks than those using fewer tools. Increasing the number of security solutions creates complexity, requires more employee training, and creates integration issues. Since security solutions can also suffer from software vulnerabilities and widen the attack surface, too many solutions can increase both workloads for regular patching and aggregate risk.

SAP Application Lifecycle Management (ALM) platforms such as SAP Solution Manager, SAP Focused Run, and SAP Cloud ALM are widely-used for monitoring and diagnostics scenarios in SAP landscapes. With the exception of SAP Focused Run, usage rights for the platforms are included in SAP support agreements. The platforms include direct connectivity to SAP systems and applications to extract and analyze configuration, software and user-related data in SAP applications, databases and hosts. The platforms also include security tools to support vulnerability management and patch management.

Organizations can leverage these ALM platforms to perform many of the same functions of costly third-party alternatives. This will avoid unnecessary license fees and installing and maintaining hosts, connections, agents and users required by third party tools.

Organizations can extend the capabilities of ALM platforms using addons such as the Cybersecurity Extension for SAP from Layer Seven Security for areas such as threat detection and custom code security. This is less costly and involves less maintenance than third party solutions that require separate servers, infrastructure and connections, including external connections to other networks using Internet protocols.

2. Minimize Manual Steps in SAP Security Patching

Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a wealth of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP. This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE.

Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.

System Recommendations (SysRec) in SAP Solution Manager should be used to automate the discovery and full lifecycle management of SAP security notes. SysRec is a standard application, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager. However, many of the security notes reported by SysRec are false positives. SAP administrators spend a great deal of time manually validating the results of SysRec every month to remove false positives. The workload is especially high in large SAP landscapes with large volumes of systems. The Cybersecurity for SAP automatically identifies and removes false positives in System Recommendations. This improves the quality and reliability of security notes calculated by SysRec and removes the need to manually validate notes before applying corrections.

3. Automate SAP Compliance Audits

SAP solutions often support business-critical processes such as financial reporting, customer relationship management, and human capital management and therefore need to comply with strict standards for information security. This includes requirements for secure configuration, system changes, and administrative access. SAP solutions are subject to regular audits by internal and external auditors and other groups to confirm compliance with such requirements. The audits can place a significant burden on SAP teams. Automating audits can lead to significant improvements in the quality and timeliness of compliance monitoring and lower the manual effort involved in gathering evidence, analyzing results and reporting findings.

Compliance Reporting in the Cybersecurity Extension for SAP automates compliance gap assessments for SAP solutions. This includes regulatory frameworks such as SOX, GDPR and PCI DSS, industry standards such as HIPAA HITRUST and CIP, and security standards such as CIS, NIST and ISO. It also supports SAP frameworks such as the SAP Security Baseline and the S/4HANA Security Guide. Customers can also create and publish custom frameworks for monitoring compliance against company-specific policies and standards. Reports can be scheduled and automatically sent to stakeholders including compliance and audit teams on a regular interval.

4. Tune Security Alerts

Security solutions can trigger alerts and notifications for suspected security incidents that upon further investigation are false positives. Solutions can also overwhelm users with a large volume of alerts that cannot be realistically investigated with available resources. The latter scenario is known is alert flooding. This leads to wasted effort and reduces the confidence level of end users in the underlying solutions. It can also increase infrastructure costs through higher data volumes and events per second.

False positives and alert flooding can be minimized by tuning alerts for specific systems and landscapes. This enables security solutions to learn the unique event and user patterns for each system and exclude the patterns from alerting. The Cybersecurity Extension for SAP supports advanced tuning for event collection and alerting. Users can maintain exclusions for alerts based on user, client, event ID, transaction, source/ destination IP or terminal, and other variables to prevent false positives and alert flooding. Users can also select enable/ disable specific alerts to customize monitoring and focus, for example, on critical or high priority incidents only.

5. Automate Incident Response

Automating incident response for security alerts can improve the efficiency of security operations and response times. It also supports compliance with standard operating procedures for incident management since there is less risk of human error. The guided procedure framework in SAP Solution Manager and SAP Focused Run includes a library of automated alert reaction procedures.  SAP users can also use the framework to author their own procedures as custom guided procedures. The procedures can automate routine tasks such as transaction, program or report execution, as well as more complex tasks such as locking/ unlocking users or restarting systems that may have been disrupted by a denial of service attack.

The Cybersecurity Extension for SAP also includes incident response procedures that users can execute to investigate security alerts. The procedures provide best practices and playbooks for responding to alerts and enable users to document findings, attach evidence, generate reports, and manage the status of alerts. It also provides a complete audit trail for each investigation performed by analysts.

6. Integrate SAP Logs with SIEM Solutions

Security Information and Event Management (SIEM) solutions enable Security Operations Centers (SOC) to ingest and monitor logs from various endpoints in networks. They provide a centralized platform for monitoring multiple assets within an enterprise. Centralized monitoring through a single or multiple SOCs can improve efficiency and lower costs, as well as improve visibility and capability to respond to threats across different assets.

There are inherent challenges with integrating SAP logs with SIEM solutions. The challenges are discussed in detail in the whitepaper SIEM Integration for SAP from Layer Seven Security. The Cybersecurity Extension for SAP supports seamless integration with SIEM solutions. It removes the effort and complexity for successfully ingesting SAP logs. This is achieved through filtering, normalizing and enriching of SAP logs and through the creation of a single point of integration between SIEM solutions and a data source containing event logs from all target SAP systems.

Layer Seven Security Release Updated Ransomware Guide for SAP

Earlier this month, MGM Resorts reported a major cyber attack that severely disrupted its operations including online and payment processing systems. Threat actors are reported to have breached MGM’s network and systems and exfiltrated several terabytes of sensitive data. The company was forced to shut down several key systems as it worked with law enforcement agencies and cybersecurity companies to investigate and contain the breach.

MGM reported the incident in form 8-K filings required by the Securities and Exchange Commission (SEC). New SEC rules effective from September 5 require publicly listed organizations in the U.S to disclose material cybersecurity incidents within four business days.

The hacking group Scattered Spider, part of the ALPHV cyber criminal organization, has claimed responsibility for the breach. Scattered Spider is believed to have breached around 100 organizations within the last two years, mostly in the U.S and Canada. According to statements released by ALPHV, also known as BlackCat, the group was able to breach MGM by exploiting vulnerabilities in an access and identity management provider and cloud tenant. Once they gained administrative access to more than 100 ESXi hypervisors at MGM, ALPHV began deploying ransomware in the compromised systems. Ransomware is a form of malware that encrypts the file system to lock targets until a ransom is paid by the victim.

Caesars Entertainment also reported in September that it had been the victim of a successful ransomware attack that breached personally-identifiable information in it’s loyalty program database including drivers license and social security numbers. Caesars disclosed in it’s 8-K filing with the SEC that the organization paid a $15 million ransom to prevent the disclosure of the stolen data and restore access to its compromised systems.

The business impact of ransomware can be significant in terms of both direct and indirect costs and reputational harm. For example, according to the credit rating agency Moody’s, the cyberattack at MGM could negatively impact the credit rating of the company.

SAP systems are not immune to ransomware. They can be compromised through vulnerable operating systems supporting SAP solutions, insecure protocols, interfaces and cross-system interfaces, and OS commands performed through the application layer that exploit trust relationships between SAP applications and hosts. In response to the recent breaches at Caesars and MGM, Layer Seven Security has released an updated guide for securing SAP solutions from ransomware. Layer Seven Security is an industry-leader in cybersecurity services and solutions for SAP. The guide provides clear and succinct recommendations to prevent and detect ransomware attacks in SAP systems, as well as restore systems during the recovery phase. You can download the guide directly from SAPinsider by following this link.

How to Discover Actively Exploited Vulnerabilities in Your SAP Systems

SAP systems have a wide attack surface. Threat actors can enumerate and exploit multiple known vulnerabilities in SAP components and programs to compromise SAP solutions. Automated vulnerability scans often reveal hundreds of weaknesses in SAP systems. Remediating each vulnerability requires extensive planning and testing for each impacted system.  Most organizations do not have the resources to remediate every vulnerability to close all possible attack vectors in their SAP solutions. A prioritized approach focused on remediating high-risk vulnerabilities can be used to concentrate efforts. Organizations can also focus on vulnerabilities that are being actively exploited in their SAP systems. This involves correlating user and system activity captured in SAP logs with vulnerabilities that have been identified in systems.

This correlation is performed automatically by the Cybersecurity Extension for SAP (CES). CES is an addon for SAP Solution Manager and SAP Focused Run. CES will also be available as an extension for SAP Cloud ALM in 2024.

CES performs daily automated scans to detect over 4000 vulnerabilities in SAP applications and supporting databases and operating systems. The vulnerabilities are analyzed and managed using the Vulnerability Management application in CES. The application displays a summary of vulnerability scan results when accessed. Users can switch between the system card view and the dashboard view in the summary.

System Card View:

Dashboard View:

Users can select one or more system from the Summary to drilldown to the findings.

The Overview section displays the open vulnerabilities for the selected systems. Results can be filtered and sorted by area, environment, rating and other variables.

Responsibility for remediating vulnerabilities can be assigned to specific owners and assignees directly in the Overview. Target dates can also be maintained for the removal of the root causes of issues. Remediation plans can be maintained in the Action Plan tab in the detailed display for each vulnerability.

Actively exploited vulnerabilities are identified and flagged based on automated and continuous correlation with event logs and alerts in CES. Results can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.

In the example below, there is an open alert for the successful call of a vulnerable ICF service in a system. Although the vulnerability is rated as medium-risk, the active exploitation of the vulnerability in the system indicates that the finding should be prioritized for remediation.

The alert for the vulnerability can be analyzed by clicking on the alert icon for the vulnerability. This directs to the details of the alert in the Security Alerts application in CES.

The automated discovery and reporting of actively exploited vulnerabilities is supported in version 5.0 and higher of the Cybersecurity Extension for SAP.

Cybersecurity Threats to SAP Systems Report

Earlier this month, SAPinsider released the 2023 Cybersecurity Threats to SAP Systems Report. Co-sponsored by Layer Seven Security, the report is based on the findings of a survey of more than 205 security professionals in North America, EMEA, APJ, and LATAM, representing SAP customers across nine industries.

The report revealed several trends in 2023 compared to reports for earlier years. Similar to 2022, respondents ranked unpatched systems, ransomware attacks, and credentials compromise as the most significant threats to SAP systems. The exploitation of system interfaces and weak access controls were also identified as important but less significant threats.

Patching and updating SAP systems and enforcing secure password policies were reported as the most important requirements for SAP cybersecurity. Protecting SAP systems from zero-days threats was also identified as an important requirement, even though there is no evidence of the successful exploitation of any zero-day vulnerability for SAP solutions.

This article provides practical recommendations for managing the top five threats to SAP systems presented in the report. The recommendations can be implemented using a combination of the Cybersecurity Extension for SAP and SAP ALM platforms such as Solution Manager, Focused Run, and Cloud ALM. According to the report, 81% of customers are using one or more of these platforms. However, less than half of SAP customers are fully leveraging the capabilities of their ALM investments.

Security Patching

Keeping up with patches is the most significant cybersecurity challenge reported by SAP customers. This is due to reasons such as the volume of patches, difficulties with prioritizing notes and scheduling system downtimes, the reluctance to apply notes that could impact system availability, and issues validating whether patches are correctly implemented. The last is especially challenging for notes with manual corrections.

System Recommendations (SysRec) in SAP Solution Manager automates the discovery and implementation of security notes for SAP solutions. It calculates relevant notes based on the installed software components and versions in systems. Notes can be filtered by priority to focus on hot news and high priority patches. SysRec also identifies objects impacted by security notes and provides usage counts for the objects. This can be used to develop targeted test plans based on the known impact of security notes. Notes impacting unused objects can be implemented with minimal testing.

Automated corrections can be downloaded through SysRec and staged in systems for implementation. Once implemented successfully, the relevant notes are automatically removed from the SysRec results. The implementation status of notes with manual corrections can be maintained using the Status option. False positives in SysRec can occur if notes are released by SAP without software component information. The Cybersecurity Extension for SAP (CES) automatically discovers and removes the false positives to improve the quality and reliability of notes reported by SysRec.


Ransomware can target SAP applications through multiple a­ttack vectors. Unauthorized external program starts through the gateway server should be restricted using the secinfo access control list. Authorizations for OS commands should be restricted. This includes authorizations for RSBDCOS0, SM49 and CG3Z which can be used to download, install and run ransomware tools. Custom ABAP, UI5, Java and SQLScript programs may be exploited to perform arbitrary OS commands. Vulnerable programs can be discovered using code vulnerability scanning solutions. Vulnerable ICF services such as SOAP RFC and WEB RFC should be disabled. The SAP Virus Scan Interface should be enabled to support the detection of malware in file uploads and the propagation of ransomware through file downloads.

Ransomware can also target hosts supporting SAP applications. Therefore, it is important to secure and monitor the operating system layer in SAP systems. Unnecessary ports and services should be closed. Root commands and sudo actions should be closely monitored, particularly wget and bash commands, and the creation and execution of OS files.  The Cybersecurity Extension for SAP is the only security solution that protects and detects against ransomware across application, database and OS layers in SAP systems.

Credentials Compromise

Transport layer security using SNC and SSL for SAP protocols will protect encoded SAP passwords in client-server and server-server communications. Access to password hashes in SAP tables should be restricted and monitored. Downwards-compatible passwords should be disabled since this will prevent the storage of password hashes that use vulnerable algorithms. Strong password policies should be enforced using the relevant settings in systems including login parameters in ABAP systems. Session management should be enabled and logon tickets and cookies should be secured against misuse. Detection and alerting for SAP accounts that may have been compromised can be activated using Anomaly Detection in the Cybersecurity Extension for SAP. Anomaly Detection will detect for unusual user actions such logins from new terminals or IP addresses for each user and the execution of transactions and reports that are not typically accessed by users.

System Interfaces

Program starts, server registrations, and monitor commands should be restricted for the gateway server. The use of RFC destinations with stored credentials should be restricted. The authorizations for RFC users should be provisioned based on the principle of least privilege to minimize the impact if RFC accounts are compromised. RFC user accounts should be system or communication user types, not dialog or reference. Positive whitelists are recommended to prevent the misuse of RFC callbacks. Trusted RFC connections should be used only in the required scenarios and trust relationships should not be configured from lower to higher order environments.

Unified Connectivity (UCON) should be enabled and configured to protect external calls to sensitive remote-enabled function modules (RFMs). Requests blocked by UCON are logged in the Security Audit Log.

Interface and Connection Monitoring (ICMon) in SAP Solution Manager and Integration and Exception Monitoring in SAP Focused Run can be deployed to identify critical internal and external system interfaces. This includes RFC, HTTP, Cloud, IDoc, and Web Service connections. Alerts can be configured for the usage of system interfaces outside of normal scenarios. For example, customers can enable alerting for an RFC destination if it used by a user not included in a permitted whitelist or if the destination is used to call RFMs that are not typically called by the destination. Similar alerting can be enabled for calls to applications, IDocs, cloud services and web services accessed using non-RFC protocols.

Access Controls

Access to administrative profiles, roles, authorizations and transactions should be restricted. This includes roles and permissions in SAP databases and hosts. The SAP_ALL profile should not be used in productive systems. Standard users should be locked and default passwords should be changed. Authorization checks should be enforced for all RFMs and system operations. Switchable authorization checks should be enabled wherever applicable to secure access to sensitive function modules. Conflicting functions should be assigned to separate users to enforce the segregation of duties. This includes user creation/ role maintenance, role maintenance/ role assignment, and transport creation/ transport release.

The Cybersecurity Extension for SAP can be used to discover users with administrative permissions or access to conflicting functions. It can also alert for the execution of sensitive programs, reports and transactions. Exclusions can be maintained for specific users or based on factors such as user group to support whitelisting and prevent false positives or alert flooding.

Is SAP ASE the Most Vulnerable Point in Your SAP Landscape?

SAP Adaptive Server Enterprise (ASE) is a widely-used relational database server for SAP solutions. As part of the drive to HANA, SAP is expected to withdraw support for third party databases including Oracle, IBM and Microsoft. Standard support for Oracle 19c, for example, will end in April 2024. Oracle 19c is the highest release of Oracle certified for SAP.  In contrast, maintenance and support for ASE is expected to continue beyond 2030. This includes both on-premise and cloud deployments. ASE is used within the SAP Cloud Platform and SAP HANA Enterprise Cloud for persistence services.

The database layer in SAP landscapes will increasing comprise of SAP HANA and ASE database systems. However, unlike HANA, security for ASE is often overlooked by SAP customers. As a result, ASE can be a vulnerable target for threat actors in SAP landscapes. This article will discuss the key aspects of ASE security and methods for automating vulnerability management, security patching and threat detection for ASE.

SAP ASE supports both password-based authentication for database users and external authentication using Kerberos, LDAP, or PAM. For password authentication, strict password policies are recommended governing password complexity, failures, expiration, and reuse. The transmission of passwords over the network layer should be secured using SSL through the FIPS 140-2 validated cryptographic module. For external authentication, it is recommended to enable message confidentiality, integrity and origin-checks to secure procedures for remote authentication.

ASE includes several pre-defined roles for provisioning required privileges to database users. They are managed using the sso security officer role. Access to this role should be restricted to authorized users. Other critical roles include the sa security administration role, and roles for operations, replication, job scheduling, web services, and system administration.

ASE also includes multiple default accounts that should be locked if not in use. This includes the accounts probe, sybmail, jstask, and mon_user. The sa account has system-wide privileges. The password for the account is blank on install. The account should be locked after the initial database configuration. The use of the guest account is not recommended since it inherits the permissions of the public role.

Remote users can be authorized to execute remote procedure calls (RPC) in ASE. Remote user IDs are mapped to local IDs by ASE to authorize access to RPCs. The use of remote users should be avoided.

Vulnerable services in ASE should be disabled to reduce the attack surface. This includes the extended stored procedures xp_cmdshell and xp_sendmail. Other stored procedures should be enabled to support enhanced security checks. For example, sp_extrapwdchecks should be activated to check for password reuse.

Column and table-level encryption can be enabled to protect data at rest. Encrypted data is transparent to applications and therefore does not impact operations. ASE supports the Advanced Encryption Standard (AES) encryption algorithm and 256-bit key lengths.  AES is a NIST-approved cipher standard.

Auditing is disabled by default in ASE. Once enabled, audit options should be activated to log specific events to the audit log. This should include auditing of the sa account and critical roles such as sso, configuration changes, login failures, role and account changes including user passwords, and the execution of stored procedures. It is also recommended to enable auditing for data binds, changes to encryption keys, and the importing/ exporting of data to/from external files.

Audit events are written to system audit tables. The tables can be read using SQL commands. Only select and truncate commands are supported for the audit tables. The event details include a unique event ID, timestamp, the ID of the account that performed the audited event, and the details of objects that were accessed or modified.

The Cybersecurity Extension for SAP leverages the database connectivity of SAP Solution Manager (SolMan) and SAP Focused Run (FRUN) to automatically detect security vulnerabilities in ASE installations that could be exploited by threat actors. This includes vulnerabilities in the following areas:

Settings for external authentication
Policies for password authentication
Users with critical roles
Disabling of default accounts
Remote users
Deactivation of vulnerable database services
Transport layer security
Database encryption
Auditing and logging

The Extension provides detailed recommendations to remediate vulnerabilities and harden ASE installations against targeted exploits.

Security notes for ASE are reported by System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to calculate required notes. The Cybersecurity Extension for SAP integrates with SysRec to automatically identify and remove potential false positive notes based on installed application components. You can filters notes in SysRec for the ASE components BC-SYB-*.

The Extension also monitors ASE audit logs in real-time to detect and alert for potential breaches such as the use of default users that should be locked, changes to roles and user permissions, failed logins, locked users, database configuration changes including audit settings, successful calls to sensitive stored procedures, the installation of Java programs, password resets, remote procedure calls to/from external servers, the deployment of web services, and commands that transfer table contents to/ from external files.  

Alerts can be investigated using built-in incident response procedures and workflows.

Audit records are replicated from ASE installations to the Cybersecurity Extension for SAP to support archiving and forensic analysis and to protect against log corruption.

To learn more, contact Layer Seven Security.

Security Analytics with SAP Focused Run

SAP Focused Run delivers real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers that need to monitor customer SAP installations from a central platform. It leverages the power of SAP HANA to support centralized monitoring for thousands of systems in high-volume environments. Focused Run is intended to complement SAP Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. However, Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.

This article explores the capabilities of the Advanced Configuration Monitoring (ACM) scenario in Focused Run. Scenarios such as Advanced Event and Alert Management (AEM), Advanced Integration Monitoring (AIM) and Advanced User Monitoring (AUM) will be discussed in later posts. ACM includes Configuration and Security Analytics (CSA), accessed from the Fiori launchpad of Focused Run. CSA enables SAP users to analyze the configuration of applications, databases and hosts and automate audits for security compliance. The following short video from SAP provides a quick introduction to CSA: Advanced Configuration Monitoring

CSA analyzes configuration data collected and transferred via the Simple Diagnostics Agent (SDA) from SAP systems. Focused Run does not include a built-in Business Warehouse (BW). Therefore, unlike Solution Manager, configuration data is stored in HANA database tables starting with CCDB_DATA_ rather than BW InfoCubes.  This simplifies the architecture and improves the performance for configuration analysis. The tables are read by the Configuration and Change Database (CCDB). Configuration changes are tracked to support change and trend analysis. This includes changes to security-relevant parameters, services, RFC destinations, and user privileges. The CCDB contains snapshots of SAP systems. The configuration data is structured in containers known as config stores. The stores can be updated every hour to maintain up-to-date snapshots of SAP systems. The stores can be queried using the search option in CSA. The config store below displays the current values for all profile parameters in system FR1.

The following store contains details of user assigned critical profiles. User related stores can be customized to extract details for specific profiles, roles, user types, authorizations, and combinations of roles and authorizations.

CSA can be used to configure and apply policies that analyze config stores to audit systems and automate compliance checks. Policy Maintenance in CSA enables users to create XML policies. Policies can also be converted from target systems in Configuration Validation from SAP Solution Manager. Policies can be exported and imported as XML files or transported between Focused Run installations. SAP recommends limiting the number of checks in single policies to 100 to restrict the number of SQL statements. However, single policies can be combined into composite policies to execute thousands of checks in parallel. In the example below, the composite policy ABAP Parameters includes multiple single policies for reviewing security-relevant parameters in ABAP systems.

In order to apply a generated single or composite policy to audit SAP systems, you must first define the scope of systems. Systems can be grouped by Customer ID, Data Center, IT Admin Role (Environment) and other variables (see below). Customer ID can be used to group systems by company or business group.

The next step is to select and apply the required single or composite policy. The results below summarize the compliance status of systems in the L7_FRUN group against the ABAP Parameters composite policy.

Users can drilldown into the findings for each system to focus on parameters that failed the policy check.

You can click on the icon at the end of each rule to view further details.

The current value of the parameter is displayed in the Value column. The results can be exported to Excel for offline analysis.

Policy checks can be scheduled for hourly, daily or weekly intervals in Policy Management.

The results of the scheduled checks can be displayed in Trend Analysis. This provides a graphical analysis of compliance levels for each interval of the report.

Focused Run does not include the equivalent of System Recommendations in SAP Solution Manager for discovering and applying security notes. SAP periodically publishes policies for security notes to GitHub. The policies can be downloaded and imported into Focused Run to check for the implementation status of relevant notes in each system. This approach can lead to inconsistencies between System Recommendations and Focused Run since calculated notes may not align between the solutions. The Cybersecurity Extension for SAP Focused Run from Layer Seven Security integrates System Recommendations with Focused Run to ensure calculated notes are consistent between both platforms. The CSA policy below displays all security notes calculated by System Recommendations. The results can be filtered by system and priority. With this approach, SAP customers do not need to manually update FRUN with new policies for security notes. Calculated notes are updated automatically daily.

The beta release of the Cybersecurity Extension for SAP Focused Run is scheduled for Q3 2022 and will include additional config stores to supplement the security content in the CCDB, preconfigured single and composite policies for ABAP, HANA and Java systems, and monitoring templates to support alerting for SAP logs including the Security Audit Log and the HANA audit log.  

CISA, FBI Warn Organizations to Protect Against State-Sponsored Malware

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint statement to advise organizations to prepare for increased cyber activity in the wake of the Russian invasion of Ukraine. According to the advisory, there is a risk that Russian cyber attacks will spread to government and business networks in the US and other NATO countries as a result of the growing international support for Ukraine and anticipated retaliation for sanctions imposed on Russia.

Threat actors deployed destructive malware against organizations in Ukraine in the lead up to the invasion.  This included the wipers WhisperGate and HermeticWiper, designed to permanently corrupt data in infected hosts, rendering them unbootable.  Both strains of malware masquerade as ransomware but have no decryption or data-recovery capabilities.

In response, CISA and the FBI urge all organizations to adopt a heightened posture towards cybersecurity and protecting their critical assets. Specifically, organizations are advised to secure remote access to networks, patch software to address known vulnerabilities, limit the attack surface by disabling unnecessary ports and services, and monitor, detect and respond to potential intrusions.

During this time of heightened risk, organizations can license the Cybersecurity Extension for SAP from Layer Seven Security free of charge for up to three months. According to Ian Thomson, Chief Operating Officer at Layer7, “Layer Seven Security is committed to supporting organizations protect their crucial SAP assets during this critical period. Our flagship solution the Cybersecurity Extension for SAP will be provided to customers without charge to help them secure mission-critical SAP applications and infrastructure from advanced persistent threats”.   

The Cybersecurity Extension for SAP is an SAP-Certified addon for SAP Solution Manager. It implements leading-edge vulnerability management for SAP applications, databases, hosts and components, including application gateways such as the SAProuter and Web Dispatcher. It integrates with System Recommendations for detecting and managing the lifecycle of SAP security notes. The solution identifies vulnerabilities in custom ABAP code and monitors event logs in SAP systems to detect and alert for over 600 indicators of compromise. The solution also applies advanced anomaly detection powered by SAP HANA to detect unusual system and user behavior.

Contact Layer Seven Security using the link below to discuss licensing the Cybersecurity Extension for SAP free of charge to secure your SAP applications.

Security Advisory for Critical SAP ICMAD Vulnerabilities

International threat intelligence agencies including the U.S Cybersecurity & Infrastructure Security Agency (CISA) and the Computer Emergency Response Team for the EU (CERT-EU) issued security advisories last week for critical vulnerabilities in the SAP Internet Communication Manager (ICM). The ICM supports inbound and outbound communication with SAP systems using the HTTP(S) protocol. It is a standard component of the NetWeaver Application Server ABAP and Java and the SAP Web Dispatcher.

The advisories relate to CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533, labelled ICMAD (Internet Communication Manager Advanced Desync). The most critical is CVE-2022-22536: a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers. CVE-2022-22532 impacts AS Java only. This vulnerability has a lower CVSS than CVE-2022-22536 due to a higher attack complexity, but ranks high in terms of impact to Confidentiality, Integrity, and Availability. CVE-2022-22533 is for a lower priority denial of service vulnerability in AS Java triggered by requests that exhaust Memory Pipes (MPI) used for communicating between the ICM and work processes in application servers.

There is evidence of active scanning for ICMAD. SAP systems exposed to the Internet are especially vulnerable. External-facing Web Dispatchers are equally vulnerable. Consequently, it is critical to apply the relevant security notes to patch SAP systems against ICMAD.

Note 3123396 patches AS ABAP and the Web Dispatcher for CVE-2022-22536. SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.

Note 3123427 patches AS Java for CVE-2022-22532 and CVE-2022-22533. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.

The Cybersecurity Extension for SAP discovers vulnerable ABAP, Java and Web Dispatcher installations that have not been successfully patched for ICMAD. It also identifies missing or incorrectly applied workarounds if the corrections in notes 3123396 and 3123427 have not been applied. The SAP-certified solution performs over 1800 checks for known vulnerabilities in SAP applications and components and supporting databases and operating systems.

Securing SAP Systems from Log4J Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has designated the recent Log4J vulnerability as one of the most serious in decades and urged organizations to immediately address the vulnerability in applications.  

Log4j is an open-source logging framework maintained by the Apache Foundation. The framework includes the API Java Naming and Directory Interface (JNDI). Strings passed through JNDI can force Log4J to query remote LDAP or other servers, download serialized Java code from the malicious servers, and execute the code during deserialization if message lookup substitution is enabled. This can lead to the complete compromise of impacted applications and systems. The remote code execution vulnerability impacts all versions of Log4J2 up to and including 2.14.1 in Java 8 or higher.

Message lookup substitution is disabled by default in Log4j 2.15.0. It has been removed altogether from 2.16.0. Therefore, customers should upgrade to the latest version of Log4J. The vulnerability is addressed by CVE-2021-44228 which has a base CVSS score of 10.0.

CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Russia, Iran, and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is included in multiple SAP applications including SAP HANA XSA. The central note 3131047 includes available patches for impacted solutions. Refer to the SAP’s official response for details of all impacted products. Note 3129883 includes manual procedures for a workaround that will disable the loading of external code in Log4J using the J2EE Config Tool.

The Cybersecurity Extension for SAP identifies vulnerable SAP systems that have not been patched for the Log4J vulnerability. It also detects and alerts for suspected exploits targeted against SAP Java and Web Dispatcher installations based on exploit signatures. This includes known obfuscations and bypass methods.