Layer Seven Security

Buyers Guide to SAP Enterprise Threat Detection

SAP Enterprise Threat Detection (ETD) is the premier solution from SAP for identifying and responding to cyber attacks in SAP applications. ETD collects and analyzes log data from SAP systems and uses predefined patterns to detect Indicators of Compromise (IOCs) and trigger alerts for suspected security incidents. ETD includes graphical tools to support log analysis and detailed forensic investigation. Users can also create and publish custom patterns and alerts.

In addition to identifying potential threats, SAP ETD monitors the implementation status of required security notes in SAP solutions. Users can review the details of relevant notes including CVSS information and maintain the processing status of each note.

Anomaly detection is also supported by SAP ETD. The solution includes several patterns for anomalies, defined as events that deviate from normal or usual behavior in system landscapes.

ETD is a powerful solution capable of detecting and responding to cyber threats against SAP solutions in real time. It is available as an on-premise or cloud deployment, and can even be licensed as a managed service.

However, there are several drawbacks with SAP ETD, especially in comparison to alternative solutions available from SAP partners.

Unlike solutions such as the Cybersecurity Extension for SAP that use an addon approach to implementing advanced threat and response for SAP applications, ETD requires additional servers and infrastructure to host required components including SAP HANA, Kafka, Zookeeper, and streaming tools. This leads to more complex installation and maintenance procedures compared to software addons that can be installed and maintained in existing systems within SAP landscapes with comparatively low effort.

ETD is also bundled with relatively few attack detection patterns. The most current version and support package level of the on-premise edition of ETD includes approximately 175 patterns. The cloud edition of ETD provides fewer than 50 patterns. The recent release of the Cybersecurity Extension for SAP delivers far more coverage with over 1000 built-in patterns.

Furthermore, although ETD is capable of monitoring SAP infrastructure including third party databases and operating systems, standard patterns in ETD include very few patterns for the database and OS layer. In contrast, the Cybersecurity Extension for SAP includes hundreds of patterns not only for SAP databases such as HANA and ASE but operating systems including SUSE Enterprise Linux, Red Hat Enterprise Linux, and Windows Server.

However, the most important drawback of SAP ETD is that it does not support the full suite of cybersecurity capabilities to address cyber risks in SAP solutions.  ETD provides coverage for treat detection and patch management. However, it does not provide any support for other important areas such as access control, vulnerability management, custom code security, and compliance monitoring. Coverage for such areas would require the licensing of additional solutions from SAP or integrating capabilities from other platforms such as SAP Solution Manager. Full-suite solutions such as the Cybersecurity Extension for SAP provide integrated capabilities across all cybersecurity scenarios through a single, unified product and license. In addition to comprehensive threat detection and response with anomaly detection, the Cybersecurity Extension for SAP monitors critical access and segregation of duties risks for SAP solutions such as ECC and S/4HANA. It also performs automated vulnerability scans to detect more than 5000 vulnerabilities in SAP applications and infrastructure. Finally, it performs automated audits to detect compliance gaps with more than 15 regulatory and security frameworks and standards, including GDPR, NIST, PCI-DSS and the SAP Security Baseline.

CrowdStrike Outage: Lessons Learned for SAP Solutions

The fallout of the recent worldwide systems outage has far-reaching consequences for cybersecurity. The outage is estimated to impact 8.5 million devices powered by Microsoft Windows operating systems. The cause of the outage is a corrupted update for an agent used for the Falcon security platform from CrowdStrike. Falcon uses a cloud architecture with servers, workstations, containers, virtual machines, and other devices connected directly to CrowdStrike services through an agent installed in each host. The agent operates at the kernel level. The kernel is responsible for managing work processes in operating systems and mediating access to hardware resources.

Operating systems enable applications to run in two modes: user and kernel. Most applications operate in user mode without direct access to the underlying hardware or system resources. Kernel mode is far more privileged and provides applications with unrestricted access to the system including hardware control, memory management, and device drivers. Errors in applications running in user mode are isolated and do not impact the stability of the operating system. However, errors in applications running in kernel mode can crash the operating system. This is exactly what happened with the recent CrowdStrike/ Microsoft outage.

The Falcon agent operates in kernel mode as a device driver. This is most likely because the agent requires privileged access to system data structures to deliver the protection provided by CrowdStrike. Microsoft is well aware of the risk posed by applications running in kernel mode. The Windows Hardware Quality Labs (WHQL) program is intended to test and certify third party device drivers to manage the risk. The driver used by the Falcon agent was WHQL tested and certified. However, security products such as Falcon require continuous updates to counter the latest cyber threats. Since it’s not feasible to recertify the driver for each update, updates are applied through dynamic definition files that can include code executed by the driver. This code is not tested and signed as part of the WHQL program. A software bug in unsigned code packaged in a recent update for the Falcon driver running in kernel mode is the root cause of the large-scale system outage.

There are two obvious questions that arise from the events. The first is why was the software bug not discovered and removed before the update was released by CrowdStrike? This points to concerns around development and release management procedures on the part of the software vendor. Understandably, its not feasible to test software updates against for every possible scenario. For example, past CrowdStrike updates have been known to trigger crashes in the Central Management Console and Central Management Server of SAP BusinessObjects. However, given the widespread impact of the current bug, it’s likely that more comprehensive testing would have revealed the error. It also raises questions around inadequate parameter validation by the Falcon agent that may have detected and blocked errors in arguments passed to kernel functions to prevent system crashes. This points to concerns around software design.

The second question is why didn’t organisations analyze the impact of the updates in test machines or perform a staged rollout? Testing would have most likely revealed the issue and a staged rollout of the update would have lessened the impact even if the update wasn’t tested.

The answer to both questions is that both software vendors and customers are responding to a threat landscape that demands rapid response to new and emerging threats.  Therefore, organizations are prioritizing speed of response for information security over preserving the availability of their systems. The outage provides a stark reminder of the dangers of this approach.

Systems outages can be especially severe if they impact business-critical SAP solutions. SAP customers should identify third party agents and programs that operate in kernel mode in SAP hosts. The continued use of such software should be reviewed in light of recent events, especially if the software is automatically updated by the vendor without any input from the customer.

The Cybersecurity Extension for SAP protects SAP solutions from advanced persistent threats without the use of kernel-level agents or programs. The solution operates in user mode to monitor and secure the application, database and operating system layers in SAP hosts.

Artificial Intelligence Exploits Vulnerabilities in Systems with a 87 percent Success Rate

Based on a newly-released paper published by researchers at the University of Illinois, AI agents can combine large language models with automation software to autonomously analyze and exploit security vulnerabilities. During the research, OpenAI’s GPT-4 large language model was able to successfully exploit 87 percent of vulnerabilities when provided with a CVE advisory describing the flaws. The dataset included 15 one-day vulnerabilities taken from the Common Vulnerabilities and Exposures (CVE) database. One-day vulnerabilities are vulnerabilities that have been disclosed but not patched. More than 50 percent of the dataset were critical or high-rated vulnerabilities.  Vulnerability exploitation was performed by GPT-4 using the ReAct automation framework.

Large language models are AI programs that use deep learning to recognize and interpret complex data such as human language. GPT-4 failed to exploit just two of the 15 vulnerabilities in the dataset. This included CVE-2023-51653 for Hertzbeat RCE. The cause of the failure to exploit this particular CVE was due to differences between the language available for the detailed description of the vulnerability and the language deployed for the AI agent.

Researchers calculated the cost of successful AI agent attacks at just $8.80 per exploit. The agent consists of only 91 lines of code and has not been publicly released at the request of OpenAI.

The ground-breaking research demonstrates the risk posed by AI to automate the discovery and exploitation of security vulnerabilities.  It reduces the complexity and cost of vulnerability exploitation and increases the reach of threat actors.

The details of SAP vulnerabilities are publicly available in sources such as the CVE database and the NIST National Vulnerability Database (NVD).  AI agents using large language models can analyze CVEs in the databases including details revealed in links for each CVE. SAP vulnerabilities are also documented and explained in depth in security forums. This often includes disclosure of sample code for vulnerability exploitation.

According to another recent study performed by Flashpoint and Onapsis, ransomware incidents impacting SAP systems increased by 400% over the last three years. Conversations on SAP vulnerabilities and exploits increased by 490% across the open, deep, and dark web between 2021 and 2023.

SAP customers can actively manage the risk of the successful discovery and exploitation of vulnerabilities including attacks leveraging artificial intelligence by regularly patching SAP solutions and through on-going vulnerability management. The Cybersecurity Extension for SAP automates the detection of both required SAP security notes and vulnerabilities in SAP solutions and infrastructure. It also detects vulnerabilities in custom SAP applications and programs.

Security with SAP RISE: A Shared Model of Responsibility

SAP RISE is a cloud-based service offering from SAP that includes the private edition of SAP S/4HANA Cloud at the core. As part of the offering, SAP maintains privately-managed, single-tenanted accounts for each customer with hyperscale providers including AWS, Azure and GCP. The accounts are fully managed by SAP. Therefore, SAP acts as a cloud service provider and the customer is essentially a consumer of an SAP cloud service.

SAP customers are responsible for most aspects of security for on-premise deployments or cloud deployments managed directly with hyperscale providers. However, SAP RISE divides the responsibilities between SAP and customers.

As the cloud service provider, SAP assumes many of the responsibilities for security that would otherwise lay with the customer. This includes security at the hyperscaler and network level, as well as security for databases and servers, including operating systems for SAP servers.

Customers are responsible for the application and data layer. However, the responsibility for these areas can also be shared with SAP through optional Cloud Application Services (CAS) that extend the services delivered through SAP RISE. For example, SAP can assume the responsibility for identifying, analyzing, and implementing required security notes. However, this requires an additional CAS package that is not included in standard RISE services. If the customer does not obtain the package, the responsibility for analyzing and selecting notes for implementation lays with the customer. Once selected, the customer can create a service request for SAP to apply the notes.

The security of custom code is also the responsibility of each customer. Customers are encouraged to analyze custom code and remove obsolete, redundant and duplicate code to comply with SAP’s Clean Core principle. The remaining custom developments can be adapted and migrated to systems maintained by SAP Enterprise Cloud Services. However, customers are responsible for ensuring that the developments are secure and do not contain code-level vulnerabilities. RISE customers can secure custom SAP programs and applications using the SAP-certified Cybersecurity Extension for SAP (CES). CES supports the automated detection of code vulnerabilities in ABAP and UI5 applications. It can be used to support S/4HANA migrations and on-going development and maintenance activities for custom applications.

With the exception of SAP HANA, access control is also the responsibility of customers. This includes managing end user permissions and administrative privileges. Customers can opt-in for optional CAS packages that provide SAP managed services for this area. The Cybersecurity Extension for SAP can be used to monitor access privileges for systems in SAP RISE including segregation of duties violations and access to critical roles, profiles, transactions and authorizations at both the functional and technical level. This includes S/4HANA and supporting systems.

Security hardening is applied by SAP through standard builds used for each ABAP system. The builds include mandatory security settings documented in SAP Note 3250501.  This includes areas such as security-relevant profile parameters, securing standard users, deleting unused clients, deactivating vulnerable ICF services, system and client change options, and hardening for the RFC gateway and message server. The settings can be overridden by customers. Therefore, it is important to automate monitoring for compliance with the hardening requirements. This can be performed using the Cybersecurity Extension for SAP. Compliance Reporting in CES will automatically identify compliance gaps for SAP systems against the requirements of SAP Enterprise Cloud Services (ECS) in Note 3250501.

The final area that customers are responsible for is logging and monitoring. SAP provides customers with access to application logs. Customers can request access to OS, DB and network logs. This is provisioned using a premium offering called LogServe. The application and infrastructure logs can be integrated with SIEM solutions to automate threat detection and response. Alternatively, customers can pay for SAP Enterprise Threat Detection (ETD), cloud edition, or opt for a 24/7 or 8/5 managed service from SAP based on ETD. Neither option is included in standard RISE services.

The cloud edition of ETD includes less than 50 patterns for detecting Indicators of Compromise (IOC) in SAP solutions. The Cybersecurity Extension for SAP provides more than 900 patterns to detects IOCs in SAP systems, including patterns for databases, operating systems, and standalone components such as the SAProuter and Web Dispatcher.

Overall, SAP RISE does not delegate the responsibility for security patching, secure development, access control, hardening, and logging and monitoring from customers to SAP. This is possible for some areas but only through the addition of optional packages that are not included in standard RISE services. Customer and SAP responsibilities are detailed in a comprehensive matrix provided by SAP ECS for more than 1000 tasks. The matrix is a reference for standard, optional, and additional services, excluded tasks, and services available through available CAS packages that are subject to additional service fees. Note that the matrix is subject to change by SAP.

Maximize Your SAP Security Budget: How to Cut Costs Without Downgrading Cybersecurity

According to a recent report from SAPinsider, almost two-thirds of organizations are placing cybersecurity projects on hold or scaling back planned investments in cybersecurity due to the current economic climate. 18 percent of organizations are reducing the size of cybersecurity teams. The latter can have a drastic effect on collaboration and morale. The impact is also long-lasting and difficult to reverse. According to the Ponemon Institute, it takes an average of 7.3 months to recruit and train security analysts. The training required by new analysts also draws time from experienced analysts, reducing the overall effectiveness of cybersecurity teams.

Organizations are experiencing budgetary and resource constraints against a background of rising cyber attacks. The SAPinsider report quotes JP Perez-Etchegoyen, CTO of Onapsis, “threat actors aren’t going to slow down because of a recession. The risk is real, and the impact is huge. We see threat actors targeting organizations even more now than before.”

This article discusses several ways organizations can manage cyber threats without increasing cybersecurity budgets or resources. In fact, many of the recommendations will lead directly to cost savings and the more efficient use of resources in cybersecurity teams.

1. Eliminate Duplicate Security Solutions

Based on research performed by IBM Security and the Ponemon Institute, organizations deploy an average of 45 security solutions. The quantity of tools used by organizations does not lead directly to improved cybersecurity. Organizations using 50 or more tools were ranked as less able to detect and respond to attacks than those using fewer tools. Increasing the number of security solutions creates complexity, requires more employee training, and creates integration issues. Since security solutions can also suffer from software vulnerabilities and widen the attack surface, too many solutions can increase both workloads for regular patching and aggregate risk.

SAP Application Lifecycle Management (ALM) platforms such as SAP Solution Manager, SAP Focused Run, and SAP Cloud ALM are widely-used for monitoring and diagnostics scenarios in SAP landscapes. With the exception of SAP Focused Run, usage rights for the platforms are included in SAP support agreements. The platforms include direct connectivity to SAP systems and applications to extract and analyze configuration, software and user-related data in SAP applications, databases and hosts. The platforms also include security tools to support vulnerability management and patch management.

Organizations can leverage these ALM platforms to perform many of the same functions of costly third-party alternatives. This will avoid unnecessary license fees and installing and maintaining hosts, connections, agents and users required by third party tools.

Organizations can extend the capabilities of ALM platforms using addons such as the Cybersecurity Extension for SAP from Layer Seven Security for areas such as threat detection and custom code security. This is less costly and involves less maintenance than third party solutions that require separate servers, infrastructure and connections, including external connections to other networks using Internet protocols.

2. Minimize Manual Steps in SAP Security Patching

Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a wealth of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP. This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE.

Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.

System Recommendations (SysRec) in SAP Solution Manager should be used to automate the discovery and full lifecycle management of SAP security notes. SysRec is a standard application, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager. However, many of the security notes reported by SysRec are false positives. SAP administrators spend a great deal of time manually validating the results of SysRec every month to remove false positives. The workload is especially high in large SAP landscapes with large volumes of systems. The Cybersecurity for SAP automatically identifies and removes false positives in System Recommendations. This improves the quality and reliability of security notes calculated by SysRec and removes the need to manually validate notes before applying corrections.

3. Automate SAP Compliance Audits

SAP solutions often support business-critical processes such as financial reporting, customer relationship management, and human capital management and therefore need to comply with strict standards for information security. This includes requirements for secure configuration, system changes, and administrative access. SAP solutions are subject to regular audits by internal and external auditors and other groups to confirm compliance with such requirements. The audits can place a significant burden on SAP teams. Automating audits can lead to significant improvements in the quality and timeliness of compliance monitoring and lower the manual effort involved in gathering evidence, analyzing results and reporting findings.

Compliance Reporting in the Cybersecurity Extension for SAP automates compliance gap assessments for SAP solutions. This includes regulatory frameworks such as SOX, GDPR and PCI DSS, industry standards such as HIPAA HITRUST and CIP, and security standards such as CIS, NIST and ISO. It also supports SAP frameworks such as the SAP Security Baseline and the S/4HANA Security Guide. Customers can also create and publish custom frameworks for monitoring compliance against company-specific policies and standards. Reports can be scheduled and automatically sent to stakeholders including compliance and audit teams on a regular interval.

4. Tune Security Alerts

Security solutions can trigger alerts and notifications for suspected security incidents that upon further investigation are false positives. Solutions can also overwhelm users with a large volume of alerts that cannot be realistically investigated with available resources. The latter scenario is known is alert flooding. This leads to wasted effort and reduces the confidence level of end users in the underlying solutions. It can also increase infrastructure costs through higher data volumes and events per second.

False positives and alert flooding can be minimized by tuning alerts for specific systems and landscapes. This enables security solutions to learn the unique event and user patterns for each system and exclude the patterns from alerting. The Cybersecurity Extension for SAP supports advanced tuning for event collection and alerting. Users can maintain exclusions for alerts based on user, client, event ID, transaction, source/ destination IP or terminal, and other variables to prevent false positives and alert flooding. Users can also select enable/ disable specific alerts to customize monitoring and focus, for example, on critical or high priority incidents only.

5. Automate Incident Response

Automating incident response for security alerts can improve the efficiency of security operations and response times. It also supports compliance with standard operating procedures for incident management since there is less risk of human error. The guided procedure framework in SAP Solution Manager and SAP Focused Run includes a library of automated alert reaction procedures.  SAP users can also use the framework to author their own procedures as custom guided procedures. The procedures can automate routine tasks such as transaction, program or report execution, as well as more complex tasks such as locking/ unlocking users or restarting systems that may have been disrupted by a denial of service attack.

The Cybersecurity Extension for SAP also includes incident response procedures that users can execute to investigate security alerts. The procedures provide best practices and playbooks for responding to alerts and enable users to document findings, attach evidence, generate reports, and manage the status of alerts. It also provides a complete audit trail for each investigation performed by analysts.

6. Integrate SAP Logs with SIEM Solutions

Security Information and Event Management (SIEM) solutions enable Security Operations Centers (SOC) to ingest and monitor logs from various endpoints in networks. They provide a centralized platform for monitoring multiple assets within an enterprise. Centralized monitoring through a single or multiple SOCs can improve efficiency and lower costs, as well as improve visibility and capability to respond to threats across different assets.

There are inherent challenges with integrating SAP logs with SIEM solutions. The challenges are discussed in detail in the whitepaper SIEM Integration for SAP from Layer Seven Security. The Cybersecurity Extension for SAP supports seamless integration with SIEM solutions. It removes the effort and complexity for successfully ingesting SAP logs. This is achieved through filtering, normalizing and enriching of SAP logs and through the creation of a single point of integration between SIEM solutions and a data source containing event logs from all target SAP systems.

Layer Seven Security Release Updated Ransomware Guide for SAP

Earlier this month, MGM Resorts reported a major cyber attack that severely disrupted its operations including online and payment processing systems. Threat actors are reported to have breached MGM’s network and systems and exfiltrated several terabytes of sensitive data. The company was forced to shut down several key systems as it worked with law enforcement agencies and cybersecurity companies to investigate and contain the breach.

MGM reported the incident in form 8-K filings required by the Securities and Exchange Commission (SEC). New SEC rules effective from September 5 require publicly listed organizations in the U.S to disclose material cybersecurity incidents within four business days.

The hacking group Scattered Spider, part of the ALPHV cyber criminal organization, has claimed responsibility for the breach. Scattered Spider is believed to have breached around 100 organizations within the last two years, mostly in the U.S and Canada. According to statements released by ALPHV, also known as BlackCat, the group was able to breach MGM by exploiting vulnerabilities in an access and identity management provider and cloud tenant. Once they gained administrative access to more than 100 ESXi hypervisors at MGM, ALPHV began deploying ransomware in the compromised systems. Ransomware is a form of malware that encrypts the file system to lock targets until a ransom is paid by the victim.

Caesars Entertainment also reported in September that it had been the victim of a successful ransomware attack that breached personally-identifiable information in it’s loyalty program database including drivers license and social security numbers. Caesars disclosed in it’s 8-K filing with the SEC that the organization paid a $15 million ransom to prevent the disclosure of the stolen data and restore access to its compromised systems.

The business impact of ransomware can be significant in terms of both direct and indirect costs and reputational harm. For example, according to the credit rating agency Moody’s, the cyberattack at MGM could negatively impact the credit rating of the company.

SAP systems are not immune to ransomware. They can be compromised through vulnerable operating systems supporting SAP solutions, insecure protocols, interfaces and cross-system interfaces, and OS commands performed through the application layer that exploit trust relationships between SAP applications and hosts. In response to the recent breaches at Caesars and MGM, Layer Seven Security has released an updated guide for securing SAP solutions from ransomware. Layer Seven Security is an industry-leader in cybersecurity services and solutions for SAP. The guide provides clear and succinct recommendations to prevent and detect ransomware attacks in SAP systems, as well as restore systems during the recovery phase. You can download the guide directly from SAPinsider by following this link.

How to Discover Actively Exploited Vulnerabilities in Your SAP Systems

SAP systems have a wide attack surface. Threat actors can enumerate and exploit multiple known vulnerabilities in SAP components and programs to compromise SAP solutions. Automated vulnerability scans often reveal hundreds of weaknesses in SAP systems. Remediating each vulnerability requires extensive planning and testing for each impacted system.  Most organizations do not have the resources to remediate every vulnerability to close all possible attack vectors in their SAP solutions. A prioritized approach focused on remediating high-risk vulnerabilities can be used to concentrate efforts. Organizations can also focus on vulnerabilities that are being actively exploited in their SAP systems. This involves correlating user and system activity captured in SAP logs with vulnerabilities that have been identified in systems.

This correlation is performed automatically by the Cybersecurity Extension for SAP (CES). CES is an addon for SAP Solution Manager and SAP Focused Run. CES will also be available as an extension for SAP Cloud ALM in 2024.

CES performs daily automated scans to detect over 4000 vulnerabilities in SAP applications and supporting databases and operating systems. The vulnerabilities are analyzed and managed using the Vulnerability Management application in CES. The application displays a summary of vulnerability scan results when accessed. Users can switch between the system card view and the dashboard view in the summary.

System Card View:

Dashboard View:

Users can select one or more system from the Summary to drilldown to the findings.

The Overview section displays the open vulnerabilities for the selected systems. Results can be filtered and sorted by area, environment, rating and other variables.

Responsibility for remediating vulnerabilities can be assigned to specific owners and assignees directly in the Overview. Target dates can also be maintained for the removal of the root causes of issues. Remediation plans can be maintained in the Action Plan tab in the detailed display for each vulnerability.

Actively exploited vulnerabilities are identified and flagged based on automated and continuous correlation with event logs and alerts in CES. Results can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.

In the example below, there is an open alert for the successful call of a vulnerable ICF service in a system. Although the vulnerability is rated as medium-risk, the active exploitation of the vulnerability in the system indicates that the finding should be prioritized for remediation.

The alert for the vulnerability can be analyzed by clicking on the alert icon for the vulnerability. This directs to the details of the alert in the Security Alerts application in CES.

The automated discovery and reporting of actively exploited vulnerabilities is supported in version 5.0 and higher of the Cybersecurity Extension for SAP.

Cybersecurity Threats to SAP Systems Report

Earlier this month, SAPinsider released the 2023 Cybersecurity Threats to SAP Systems Report. Co-sponsored by Layer Seven Security, the report is based on the findings of a survey of more than 205 security professionals in North America, EMEA, APJ, and LATAM, representing SAP customers across nine industries.

The report revealed several trends in 2023 compared to reports for earlier years. Similar to 2022, respondents ranked unpatched systems, ransomware attacks, and credentials compromise as the most significant threats to SAP systems. The exploitation of system interfaces and weak access controls were also identified as important but less significant threats.

Patching and updating SAP systems and enforcing secure password policies were reported as the most important requirements for SAP cybersecurity. Protecting SAP systems from zero-days threats was also identified as an important requirement, even though there is no evidence of the successful exploitation of any zero-day vulnerability for SAP solutions.

This article provides practical recommendations for managing the top five threats to SAP systems presented in the report. The recommendations can be implemented using a combination of the Cybersecurity Extension for SAP and SAP ALM platforms such as Solution Manager, Focused Run, and Cloud ALM. According to the report, 81% of customers are using one or more of these platforms. However, less than half of SAP customers are fully leveraging the capabilities of their ALM investments.

Security Patching

Keeping up with patches is the most significant cybersecurity challenge reported by SAP customers. This is due to reasons such as the volume of patches, difficulties with prioritizing notes and scheduling system downtimes, the reluctance to apply notes that could impact system availability, and issues validating whether patches are correctly implemented. The last is especially challenging for notes with manual corrections.

System Recommendations (SysRec) in SAP Solution Manager automates the discovery and implementation of security notes for SAP solutions. It calculates relevant notes based on the installed software components and versions in systems. Notes can be filtered by priority to focus on hot news and high priority patches. SysRec also identifies objects impacted by security notes and provides usage counts for the objects. This can be used to develop targeted test plans based on the known impact of security notes. Notes impacting unused objects can be implemented with minimal testing.

Automated corrections can be downloaded through SysRec and staged in systems for implementation. Once implemented successfully, the relevant notes are automatically removed from the SysRec results. The implementation status of notes with manual corrections can be maintained using the Status option. False positives in SysRec can occur if notes are released by SAP without software component information. The Cybersecurity Extension for SAP (CES) automatically discovers and removes the false positives to improve the quality and reliability of notes reported by SysRec.

Ransomware

Ransomware can target SAP applications through multiple a­ttack vectors. Unauthorized external program starts through the gateway server should be restricted using the secinfo access control list. Authorizations for OS commands should be restricted. This includes authorizations for RSBDCOS0, SM49 and CG3Z which can be used to download, install and run ransomware tools. Custom ABAP, UI5, Java and SQLScript programs may be exploited to perform arbitrary OS commands. Vulnerable programs can be discovered using code vulnerability scanning solutions. Vulnerable ICF services such as SOAP RFC and WEB RFC should be disabled. The SAP Virus Scan Interface should be enabled to support the detection of malware in file uploads and the propagation of ransomware through file downloads.

Ransomware can also target hosts supporting SAP applications. Therefore, it is important to secure and monitor the operating system layer in SAP systems. Unnecessary ports and services should be closed. Root commands and sudo actions should be closely monitored, particularly wget and bash commands, and the creation and execution of OS files.  The Cybersecurity Extension for SAP is the only security solution that protects and detects against ransomware across application, database and OS layers in SAP systems.

Credentials Compromise

Transport layer security using SNC and SSL for SAP protocols will protect encoded SAP passwords in client-server and server-server communications. Access to password hashes in SAP tables should be restricted and monitored. Downwards-compatible passwords should be disabled since this will prevent the storage of password hashes that use vulnerable algorithms. Strong password policies should be enforced using the relevant settings in systems including login parameters in ABAP systems. Session management should be enabled and logon tickets and cookies should be secured against misuse. Detection and alerting for SAP accounts that may have been compromised can be activated using Anomaly Detection in the Cybersecurity Extension for SAP. Anomaly Detection will detect for unusual user actions such logins from new terminals or IP addresses for each user and the execution of transactions and reports that are not typically accessed by users.

System Interfaces

Program starts, server registrations, and monitor commands should be restricted for the gateway server. The use of RFC destinations with stored credentials should be restricted. The authorizations for RFC users should be provisioned based on the principle of least privilege to minimize the impact if RFC accounts are compromised. RFC user accounts should be system or communication user types, not dialog or reference. Positive whitelists are recommended to prevent the misuse of RFC callbacks. Trusted RFC connections should be used only in the required scenarios and trust relationships should not be configured from lower to higher order environments.

Unified Connectivity (UCON) should be enabled and configured to protect external calls to sensitive remote-enabled function modules (RFMs). Requests blocked by UCON are logged in the Security Audit Log.

Interface and Connection Monitoring (ICMon) in SAP Solution Manager and Integration and Exception Monitoring in SAP Focused Run can be deployed to identify critical internal and external system interfaces. This includes RFC, HTTP, Cloud, IDoc, and Web Service connections. Alerts can be configured for the usage of system interfaces outside of normal scenarios. For example, customers can enable alerting for an RFC destination if it used by a user not included in a permitted whitelist or if the destination is used to call RFMs that are not typically called by the destination. Similar alerting can be enabled for calls to applications, IDocs, cloud services and web services accessed using non-RFC protocols.

Access Controls

Access to administrative profiles, roles, authorizations and transactions should be restricted. This includes roles and permissions in SAP databases and hosts. The SAP_ALL profile should not be used in productive systems. Standard users should be locked and default passwords should be changed. Authorization checks should be enforced for all RFMs and system operations. Switchable authorization checks should be enabled wherever applicable to secure access to sensitive function modules. Conflicting functions should be assigned to separate users to enforce the segregation of duties. This includes user creation/ role maintenance, role maintenance/ role assignment, and transport creation/ transport release.

The Cybersecurity Extension for SAP can be used to discover users with administrative permissions or access to conflicting functions. It can also alert for the execution of sensitive programs, reports and transactions. Exclusions can be maintained for specific users or based on factors such as user group to support whitelisting and prevent false positives or alert flooding.

Is SAP ASE the Most Vulnerable Point in Your SAP Landscape?

SAP Adaptive Server Enterprise (ASE) is a widely-used relational database server for SAP solutions. As part of the drive to HANA, SAP is expected to withdraw support for third party databases including Oracle, IBM and Microsoft. Standard support for Oracle 19c, for example, will end in April 2024. Oracle 19c is the highest release of Oracle certified for SAP.  In contrast, maintenance and support for ASE is expected to continue beyond 2030. This includes both on-premise and cloud deployments. ASE is used within the SAP Cloud Platform and SAP HANA Enterprise Cloud for persistence services.

The database layer in SAP landscapes will increasing comprise of SAP HANA and ASE database systems. However, unlike HANA, security for ASE is often overlooked by SAP customers. As a result, ASE can be a vulnerable target for threat actors in SAP landscapes. This article will discuss the key aspects of ASE security and methods for automating vulnerability management, security patching and threat detection for ASE.

SAP ASE supports both password-based authentication for database users and external authentication using Kerberos, LDAP, or PAM. For password authentication, strict password policies are recommended governing password complexity, failures, expiration, and reuse. The transmission of passwords over the network layer should be secured using SSL through the FIPS 140-2 validated cryptographic module. For external authentication, it is recommended to enable message confidentiality, integrity and origin-checks to secure procedures for remote authentication.

ASE includes several pre-defined roles for provisioning required privileges to database users. They are managed using the sso security officer role. Access to this role should be restricted to authorized users. Other critical roles include the sa security administration role, and roles for operations, replication, job scheduling, web services, and system administration.

ASE also includes multiple default accounts that should be locked if not in use. This includes the accounts probe, sybmail, jstask, and mon_user. The sa account has system-wide privileges. The password for the account is blank on install. The account should be locked after the initial database configuration. The use of the guest account is not recommended since it inherits the permissions of the public role.

Remote users can be authorized to execute remote procedure calls (RPC) in ASE. Remote user IDs are mapped to local IDs by ASE to authorize access to RPCs. The use of remote users should be avoided.

Vulnerable services in ASE should be disabled to reduce the attack surface. This includes the extended stored procedures xp_cmdshell and xp_sendmail. Other stored procedures should be enabled to support enhanced security checks. For example, sp_extrapwdchecks should be activated to check for password reuse.

Column and table-level encryption can be enabled to protect data at rest. Encrypted data is transparent to applications and therefore does not impact operations. ASE supports the Advanced Encryption Standard (AES) encryption algorithm and 256-bit key lengths.  AES is a NIST-approved cipher standard.

Auditing is disabled by default in ASE. Once enabled, audit options should be activated to log specific events to the audit log. This should include auditing of the sa account and critical roles such as sso, configuration changes, login failures, role and account changes including user passwords, and the execution of stored procedures. It is also recommended to enable auditing for data binds, changes to encryption keys, and the importing/ exporting of data to/from external files.

Audit events are written to system audit tables. The tables can be read using SQL commands. Only select and truncate commands are supported for the audit tables. The event details include a unique event ID, timestamp, the ID of the account that performed the audited event, and the details of objects that were accessed or modified.

The Cybersecurity Extension for SAP leverages the database connectivity of SAP Solution Manager (SolMan) and SAP Focused Run (FRUN) to automatically detect security vulnerabilities in ASE installations that could be exploited by threat actors. This includes vulnerabilities in the following areas:

Settings for external authentication
Policies for password authentication
Users with critical roles
Disabling of default accounts
Remote users
Deactivation of vulnerable database services
Transport layer security
Database encryption
Auditing and logging

The Extension provides detailed recommendations to remediate vulnerabilities and harden ASE installations against targeted exploits.

Security notes for ASE are reported by System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to calculate required notes. The Cybersecurity Extension for SAP integrates with SysRec to automatically identify and remove potential false positive notes based on installed application components. You can filters notes in SysRec for the ASE components BC-SYB-*.

The Extension also monitors ASE audit logs in real-time to detect and alert for potential breaches such as the use of default users that should be locked, changes to roles and user permissions, failed logins, locked users, database configuration changes including audit settings, successful calls to sensitive stored procedures, the installation of Java programs, password resets, remote procedure calls to/from external servers, the deployment of web services, and commands that transfer table contents to/ from external files.  

Alerts can be investigated using built-in incident response procedures and workflows.

Audit records are replicated from ASE installations to the Cybersecurity Extension for SAP to support archiving and forensic analysis and to protect against log corruption.

To learn more, contact Layer Seven Security.

Security Analytics with SAP Focused Run

SAP Focused Run delivers real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers that need to monitor customer SAP installations from a central platform. It leverages the power of SAP HANA to support centralized monitoring for thousands of systems in high-volume environments. Focused Run is intended to complement SAP Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. However, Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.

This article explores the capabilities of the Advanced Configuration Monitoring (ACM) scenario in Focused Run. Scenarios such as Advanced Event and Alert Management (AEM), Advanced Integration Monitoring (AIM) and Advanced User Monitoring (AUM) will be discussed in later posts. ACM includes Configuration and Security Analytics (CSA), accessed from the Fiori launchpad of Focused Run. CSA enables SAP users to analyze the configuration of applications, databases and hosts and automate audits for security compliance. The following short video from SAP provides a quick introduction to CSA: Advanced Configuration Monitoring

CSA analyzes configuration data collected and transferred via the Simple Diagnostics Agent (SDA) from SAP systems. Focused Run does not include a built-in Business Warehouse (BW). Therefore, unlike Solution Manager, configuration data is stored in HANA database tables starting with CCDB_DATA_ rather than BW InfoCubes.  This simplifies the architecture and improves the performance for configuration analysis. The tables are read by the Configuration and Change Database (CCDB). Configuration changes are tracked to support change and trend analysis. This includes changes to security-relevant parameters, services, RFC destinations, and user privileges. The CCDB contains snapshots of SAP systems. The configuration data is structured in containers known as config stores. The stores can be updated every hour to maintain up-to-date snapshots of SAP systems. The stores can be queried using the search option in CSA. The config store below displays the current values for all profile parameters in system FR1.

The following store contains details of user assigned critical profiles. User related stores can be customized to extract details for specific profiles, roles, user types, authorizations, and combinations of roles and authorizations.

CSA can be used to configure and apply policies that analyze config stores to audit systems and automate compliance checks. Policy Maintenance in CSA enables users to create XML policies. Policies can also be converted from target systems in Configuration Validation from SAP Solution Manager. Policies can be exported and imported as XML files or transported between Focused Run installations. SAP recommends limiting the number of checks in single policies to 100 to restrict the number of SQL statements. However, single policies can be combined into composite policies to execute thousands of checks in parallel. In the example below, the composite policy ABAP Parameters includes multiple single policies for reviewing security-relevant parameters in ABAP systems.

In order to apply a generated single or composite policy to audit SAP systems, you must first define the scope of systems. Systems can be grouped by Customer ID, Data Center, IT Admin Role (Environment) and other variables (see below). Customer ID can be used to group systems by company or business group.

The next step is to select and apply the required single or composite policy. The results below summarize the compliance status of systems in the L7_FRUN group against the ABAP Parameters composite policy.

Users can drilldown into the findings for each system to focus on parameters that failed the policy check.

You can click on the icon at the end of each rule to view further details.

The current value of the parameter is displayed in the Value column. The results can be exported to Excel for offline analysis.

Policy checks can be scheduled for hourly, daily or weekly intervals in Policy Management.

The results of the scheduled checks can be displayed in Trend Analysis. This provides a graphical analysis of compliance levels for each interval of the report.

Focused Run does not include the equivalent of System Recommendations in SAP Solution Manager for discovering and applying security notes. SAP periodically publishes policies for security notes to GitHub. The policies can be downloaded and imported into Focused Run to check for the implementation status of relevant notes in each system. This approach can lead to inconsistencies between System Recommendations and Focused Run since calculated notes may not align between the solutions. The Cybersecurity Extension for SAP Focused Run from Layer Seven Security integrates System Recommendations with Focused Run to ensure calculated notes are consistent between both platforms. The CSA policy below displays all security notes calculated by System Recommendations. The results can be filtered by system and priority. With this approach, SAP customers do not need to manually update FRUN with new policies for security notes. Calculated notes are updated automatically daily.

The beta release of the Cybersecurity Extension for SAP Focused Run is scheduled for Q3 2022 and will include additional config stores to supplement the security content in the CCDB, preconfigured single and composite policies for ABAP, HANA and Java systems, and monitoring templates to support alerting for SAP logs including the Security Audit Log and the HANA audit log.