Layer Seven Security

Database Security with the Cybersecurity Extension for SAP

Protecting SAP systems against cyber threats requires integrated measures applied not just within the SAP layer but across the technology stack including network, operating system, and database components. As repositories of business-critical and sensitive information, databases warrant specific attention for hardening and monitoring efforts. This includes identifying and addressing configuration weaknesses, excessive privileges, and weak audit policies, encrypting data in transit and at rest, removing vulnerable stored procedures, and detecting and responding to privilege abuse or escalations.

SAP Solution Manager is uniquely positioned to monitor the security of SAP databases given its deep connectivity into SAP platforms. This article outlines the architecture and data collection procedures for database monitoring with Solution Manager. Next month’s article will explore database-level security reporting and event monitoring with SolMan.

Establishing connectivity to databases supporting SAP systems is a standard step during the mandatory configuration procedures for Solution Manager. Connection information is entered into the DB Parameters section during the Enter System Parameters step of Managed System Configuration. This includes the database host, port, and user credentials.

The connection supports the DBA Cockpit for database administration and monitoring. It also supports database extractors used by the Extractor Framework. The Extractor Framework performs data collection and distribution for monitoring and alerting in Solution Manager. The framework operates regular extractors to snapshot configuration, user, system, change and event-related data from systems. The snapshots are stored in areas such as the SolMan Configuration and Change Database (CCDB) and queried by other applications in SolMan including Configuration Validation and the Monitoring and Alerting Infrastructure (MAI). The concept of running or scheduling security scans is foreign in Solution Manager. Periodic jobs run the extractors to refresh the data. Therefore, there is no need to schedule scans or connect directly to systems to compile data when reviewing security-related information. Job Monitoring in Solution Manager can be used to monitor the relevant jobs and alert for job errors or warnings.

Solution Manager automatically applies preconfigured templates for databases once they are successfully connected for monitoring. SolMan installations are packaged with templates for all platforms supported by SAP systems including SAP databases such as HANA, Sybase and MaxDB, and third-party databases from Oracle, IBM and Microsoft. Template contents can vary based on the specific version and release of databases.

Templates for HANA platforms include metrics and alerts for monitoring system availability, performance and security. They also include CCDB stores to extract current values for HANA parameters, and details of active users, audit policies and users with critical database and system privileges.

The extractor framework and SAP-delivered templates may not provide coverage for monitoring all the security-related areas for each database platform. Therefore, customers or partners can either define their own templates or create/modify extractors, metrics, alerts and CCDB stores to extract additional data. In the example below, we’ve added several custom stores to extract and query data for Sybase ASE that is not available in a standard Solution Manager installation. This includes runtime values for all Sybase parameters, active users, roles assigned to database users, enabled stored procedures, audit settings, and database event logs with event IDs, user IDs, and timestamps.

The stores are assigned to the custom /L7S/ namespace to avoid any conflict with SAP and other namespaces.

The extractor framework regularly refreshes the data through background jobs. Database security policies are then applied by Solution Manager against the CCDB to identify vulnerabilities and security-related events in the platform. The data is also monitored by the MAI which triggers alerts and notifications for critical risks. The results are replicated to an internal Business Warehouse (BW) in Solution Manager.

In next month’s article, we will discuss how you can use Service Level Reporting and BusinessObjects to create detailed and user-friendly reports to convey the results of database security monitoring with SAP Solution Manager.

Webinar Recording: Security Analytics with SAP Web Intelligence

Watch the webinar replay to learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

– Discover security vulnerabilities
– Manage missing patches
– Detect alerts for security incidents
– Collaborate and track remediation efforts using comments
– Filter and sort report data
– Export and share results
– Access reports remotely

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.


Webinar: Security Analytics with SAP Web Intelligence

Thu, Dec 13, 2018 11:00 AM – 12:00 PM EST

Learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

– Discover security vulnerabilities
– Manage missing patches
– Detect alerts for security incidents
– Collaborate and track remediation efforts using comments
– Filter and sort report data
– Export and share results
– Access reports remotely

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.


Secure, Patch & Respond: Security Analytics with SAP Web Intelligence

SAP Web Intelligence enables users to visualize and manage security risks in SAP systems using interactive reports delivered through an intuitive web interface. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Animated charts summarize risks by system, location, priority and other dimensions. Results can be filtered and sorted to focus on specific areas. Users can comment on report elements for collaboration, decision-making and tracking remediation efforts. Reports can be exported to Excel, HTML and PDF. Reports can also be accessed remotely using the mobile app for SAP BusinessObjects.

The security reports are comprised of five distinct sections. The first section includes a series of charts that summarize risks across three dimensions: vulnerabilities, security notes, and alerts. The results can be filtered to focus on single or multiple systems.

The second section includes trend charts, bar graphs, geo-maps and bubble charts that break down the results for each dimension.

The remaining sections convey detailed findings and empower users to secure SAP systems against cyber threats by discovering and removing vulnerabilities, applying patches, and responding to alerts for suspected security breaches.

To learn more, contact Layer Seven Security. You can also request a free trial for security reporting with SAP Web Intelligence using Layer Seven’s cloud platform.


Coming Soon: Security Reporting with SAP Web Intelligence

SAP Web Intelligence (WebI) provides a platform for self-service reporting that enables users to analyze and visualize data from SAP systems using an intuitive, interactive and web-based interface. WebI supports BEx queries to connect to security-related data in Business Warehouse within Solution Manager. Users can create dynamic reports with embedded dashboards to monitor and manage risks and track remediation efforts. Reports are published to the BI Launch Pad to support enterprise-wide access through a web browser. They can also be refreshed, scheduled and broadcast from the Launch Pad.

Stay tuned for more details.


How to Comply with the DHS Recommendations for Securing SAP Systems from Cyber Attacks

In response to the dramatic rise of cyber attacks targeting ERP applications, the United States Department of Homeland Security (DHS) issued a warning earlier this year that encouraged organizations to respond to the risks targeted at their business applications by implementing specific measures to secure, patch and monitor SAP systems. The measures included scanning for vulnerabilities and missing security patches, managing SAP interfaces, and monitoring user behaviour, indicators of compromise, and compliance against security baselines for systems.

This article discusses how you can leverage SAP Solution Manager to comply with the DHS recommendations. Solution Manager is installed and available in most SAP landscapes and includes diagnostics and monitoring applications to support cybersecurity. The specific applications are outlined below against each of the DHS recommendations.

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

Configuration Validation in Solution Manager can perform automatic daily scans of SAP systems against security benchmarks to identify misconfigurations that could expose systems to cyber threats. The scans are performed against snapshots of systems stored in the Configuration and Change Database (CCDB). The results of the scans are stored in an internal Business Warehouse (BW). Service Level Reports and Security Dashboards connect to BW using BEx queries to read the results of the security scans and report the findings.

System Recommendations (SysRec) in Solution Manager connects directly to SAP Support to discover missing security patches. SysRec also connects to each system in an SAP landscape to determine the current patch level. It reads the system information in the Landscape and Management Database (LMDB) to identify installed software components and versions. SysRec also integrates with the ABAP Call Monitor, Usage Procedure Logging, and Solution Documentation to perform change impact analysis for security patches.

2. Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Interface and Connection Monitoring (ICMon) in Solution Manager automatically maps cross-system interfaces including RFC, HTTP, IDOC and Web Services. This includes internal and external connections. It also monitors real-time traffic patterns to detect and alert for malicious actions including dangerous RFM and URL executions.

3. Analyze systems for malicious or excessive user authorizations.

Solution Manager can detect users with administrative privileges in SAP systems. It flags users with privileged authorizations, profiles, roles, transactions, Java permissions, and HANA system and table privileges. Privileges can include standard and custom objects.

4. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can monitor event logs in SAP systems to detect and alert for indicators of compromise (IOCs). This includes log files and tables such as the Security Audit Log, HTTP Log, System Log, Gateway Server Log, Change Document Log, Read Access Log, Java Security Log, HANA Audit Log, and the SAProuter Log. The MAI triggers alerts and email and text notifications for IOCs. Guided procedures provide a framework for incident response and tracking.

5. Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

MAI monitors user logs to detect and alert for suspicious behavior covering both privileged and non-privileged users. This includes unauthorized access, escalation of privileges and actions that could lead to data leakage.

6. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

SAP Partners periodically update content for Solution Manager to address new vulnerabilities and attack vectors.

7. Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Solution Manager continuously monitors for policy violations against security baselines and compliance frameworks such as GDPR, IT-SOX, NIST and PCI-DSS. Service Level Reports and Dashboards provide directions for implementing and tracking remedial actions taken to patch and secure systems. Guided procedures document incident investigation steps performed by responders. The results are archived in Solution Manager.

To learn more about how Solution Manager can help you comply with the DHS recommendations for securing SAP systems, contact Layer Seven Security.

SolMan-SIEM Integration for Advanced Threat Detection

SAP Solution Manager monitors real-time event information in SAP logs to automatically detect and trigger alerts for specific Indicators of Compromise (IOCs). This includes events written to the security audit log, system log, gateway server log, change document log, HTTP log, transaction log, SAProuter log, Java security log and the HANA audit log. Alerts are managed in the Alert Inbox or the System Monitoring app of SAP Solution Manager and automatic email and SMS notifications are triggered for critical incidents. Alerts are integrated with Guided Procedures to support an end-to-end process for incident detection and response within Solution Manager.

The data collection for event monitoring using Solution Manager is performed using existing RFC connections and Diagnostics Agents installed in managed systems. Since Diagnostics Agents can be installed in both SAP and non-SAP systems and components, Solution Manager can perform many of the functions of a Security Information and Event Management (SIEM) system. SolMan can monitor across the technology stack including database, operating system, and application layers, as well as network components such as routers, switches and firewalls. These areas are often monitored by organizations using existing SIEM platforms. Therefore, SolMan is more commonly used for application-level monitoring.

SIEM platforms support direct monitoring of SAP log files, tables and other data sources. However, there are several drawbacks with this approach. One of the drawbacks is that each data source within every target system must be connected separately to SIEM platforms. This increases deployment times and complexities. Once connected, rules and patterns must be defined in the platforms for every possible event. Also, since SIEM platforms are ingesting raw logs, the cost of monitoring and storing mammoth-sized logs for multiple SAP systems can be prohibitive, especially for large landscapes.

SAP Solution Manager overcomes these drawbacks by parsing log files and tables and filtering events before forwarding alerts to SIEM platforms. This enables the platforms to avoid ingesting raw logs to monitor SAP event information. Since the event data forwarded to SIEM platforms is derived from a single source for all SAP systems in a landscape, deployment is also faster and less complex. Finally, Solution Manager structures and enriches the event data before it reaches SIEM platforms to reduce the need to develop rules and patterns to interpret SAP event information.

Solution Manager can integrate with SIEM platforms through several ways. The most common is using OS commands that are called by SolMan to write event data to external files that are ingested by SIEM solutions. Alerts are written to external files as soon as they are triggered by SolMan. Alert fields can include the alert name, description, priority, date, time, SAP System ID, and other areas.

This process integrates alerts for IOCs and other security risks detected by SolMan for SAP applications with SIEM systems for centralized monitoring and cross-platform correlation. The example below is for Splunk Enterprise.

U.S. Treasury Sanctions ERPScan

Earlier this week, the United States Treasury issued an Executive Order to prohibit U.S. organizations from engaging with ERPScan, a subsidiary of Digital Security and a provider of security software and services for SAP systems. According to a press release issued by the Treasury, Digital Security “provided material and technological support to Russia’s Federal Security Service (FSB)” and contributed to efforts to “increase Russia’s offensive cyber capabilities for the Russian Intelligence Services”. Treasury Secretary Steve Mnuchin stated that the Executive Order is driven by the need to “counter the constantly evolving threats emanating from Russia”.

ERPScan has denied any link with the FSB in an official statement. Further, it stated that “it is unfortunate that American companies will not have a competitive market in the ERP Security field, turning our main US competitor into a monopolist without any incentive to innovate.”

There are several competitors in the ERP security market within the United States. Therefore, the withdrawal of ERPScan is unlikely to lead to a monopoly in the market. Furthermore, the solution providers in the market have demonstrated a universal commitment to innovation including advances such as Data Loss Prevention using SAP Solution Manager recently announced by Layer Seven Security. There is no reason to believe that the Executive Order will diminish the level of innovation in the market.

However, the Executive Order has highlighted the risk to SAP customers arising from the dependence on third party security tools for SAP security monitoring. Layer Seven Security is the only solution provider in the market that eliminates this risk by leveraging SAP Solution Manager to protect SAP systems from cyber threats. Solution Manager is supported and maintained directly by SAP. Contact Layer Seven Security to discuss these and other benefits of SAP cybersecurity monitoring with Solution Manager.

Top Five Tips for System Recommendations

System Recommendations in SAP Solution Manager connects directly to SAP Support for real-time patch updates. It also connects to each system within SAP landscapes to monitor patch levels. SysRec downloads corrections for security vulnerabilities from SAP Support to each system and integrates with other areas in Solution Manager for change impact analysis, change management, and test management. SAP customers can therefore discover unapplied patches, bundle patches into change requests, and plan and execute test plans for patch cycles from a single integrated platform.

This article provides suggestions for optimizing System Recommendations to improve the performance of the application and the user experience. The tips will enable you to minimize false positives, identify and troubleshoot errors, and personalize the user interface.

System Recommendations reads the Landscape Management Database (LMDB) to determine the version and support pack levels for installed software components in each system. Therefore, the LMDB should be configured correctly, regularly updated and synchronized with the System Landscape Directory (SLD). This will reduce the likelihood of false positives such as the display of notes for irrelevant components, databases and operating systems. Kernel registration in the SLD will also help to minimize false positives. Alternatively, irrelevant components can be set to inactive in the customizing table AGSSR_OSDB to exclude them from the results returned by SysRec.

The background job SM:SYSTEM RECOMMENDATIONS periodically updates System Recommendations by connecting to SAP support and to managed systems to calculate unapplied notes. Processing errors for the object ASG_SR should be monitored using the Application Log (transaction SLG1). Alerts for job errors including automatic email notifications should be configured using Business Process Monitoring (BPMon) in Solution Manager.

System Recommendations excludes notes that are irrelevant, postponed or discontinued. Therefore, it displays results for notes that have the implementation status New or New version available. Since the available status options don’t include options for notes with manual corrections that have been implemented, a custom status option for such notes should be configured by maintaining table AGSSR_STATUS. This can be performed using transaction SM30. Customers can also create custom status options to group notes by patch cycle, project or other criteria. In the example below, we’ve assigned a group of notes to the custom status group Q3 2018 and filtered the results to list the notes assigned to the group.

Status changes performed by users for notes are logged by System Recommendations. The changes are tracked in the details section for each note. This section also tracks comments entered by users for notes. Comments are useful for tracking discussions between users that could impact implementation decisions including the approach, rationale, and timeline for applying security patches. Changes and comments entered by users can be viewed in table AGSSR_SYSNOTEC.

Finally, Fiori tiles can be configured in SysRec to create shortcuts for notes for specific systems, groups, and other variables. The tiles are accessed from the Fiori Launchpad and can be assigned to custom or standard groups. Once saved to the Launchpad, the results for each tile are automatically updated by System Recommendations.

Monitoring the SAProuter with SAP Solution Manager

The SAProuter performs a pivotal role in SAP landscapes by filtering SAP traffic using a more granular approach than is possible with conventional network-level firewalls. As a stand-alone program, it is commonly installed in DMZ servers that support network services rather than SAP applications.

The SAProuter is often targeted by attackers given its function as the gateway to SAP systems. There are several attack vectors targeting known vulnerabilities in earlier versions of the program. Therefore, it’s important to regularly update the SAProuter to the latest release and patch level. You can refer to note 1897597 for release information and note 1921693 for instructions for updating the program. Other recommendations include changing the well-known default port and blocking remote access to the SAProuter. Remote access could be abused to control the SAProuter from external clients or hosts. It can also be exploited to modify the route permission table.

The route permission table is maintained in the saprouttab file stored in the working directory of the SAProuter and controls route strings between hosts. It applies an access control list to permit or reject connections between source and target systems through the SAProuter. Standard entries in the route permission table have the syntax P (Permit), S (Secure) or D (Deny), followed by <source-host> <destination-host> <destination-port or service> <password>. The password field for permitted connections is optional.

The access control list should be as restrictive as possible and only permit the necessary connections. Wildcards (*) should not be used in the destination host and port fields. The rule D * * * * should be included as the last entry in the list to explicitly deny all connections that are not defined in the route permission table.

Lastly, the access list should be configured to support only authenticated and encrypted connections using the K prefix for positive entries. This requires the configuration of Secure Network Communications (SNC) for the SAProuter. For detailed instructions, refer to the SAP guide for SAProuter SNC Configuration.

The SAProuter can be monitored with SAP Solution Manager. The Solution Manager Diagnostics (SMD) agent should be installed on the server hosting the SAProuter. The Remote OS Script Collector (ROSCC) is also required to run OS commands through the Monitoring and Alerting Infrastructure (MAI) of Solution Manager. The next steps are the registration of the SAProuter in Solution Manager and the execution of the steps for managed system setup. Once completed, the SAProuter is available for monitoring.

The route permission table can be monitored by Solution Manager to automatically detect insecure entries including unauthenticated and unencrypted connections and entries with wildcards in the destination and port fields. An example is provided below.
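As an added example (not the article's or SAP's own code), the following Python checker applies the rules from the paragraphs above to a route permission table: it flags P and S entries that lack the K prefix, wildcards in the destination host and port fields of positive entries, unparseable lines, and a missing final deny-all. The saprouttab content is a constructed sample with fictional hosts and networks, and the accepted deny-all form follows the article's `D * * * *` (a `KD` last entry is also accepted).

```python
"""Static checker for a SAProuter route permission table (saprouttab)."""
from typing import Dict, List

# Constructed sample saprouttab for this example; hosts and networks are fictional.
SAMPLE_SAPROUTTAB = """\
# Route permission table (constructed sample)
# SNC-protected entry to one target host and port: no finding
KP  10.0.1.0/24   sapci01   3200
# Plain entry without SNC: flagged
P   10.0.2.50     sapci01   3299   s3cret
# Plain and fully wildcarded: flagged three times
P   *             *         *
# S entry still lacks SNC: flagged
S   10.0.3.0/24   saprt02   3299
# Explicit deny-all as the last entry, as the article recommends
KD  *             *         *
"""

ACTIONS = ("P", "S", "D", "KP", "KS", "KD")


def parse_saprouttab(text: str) -> List[Dict[str, object]]:
    """Parse lines of the form <action> <source> <dest> <service> [password].

    Lines starting with '#' and blank lines are skipped. Unparseable lines are
    kept with an 'error' key so the checker reports them instead of ignoring them.
    """
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ACTIONS:
            entries.append({"line": lineno, "error": line})
            continue
        entries.append({
            "line": lineno,
            "action": parts[0],
            "source": parts[1],
            "dest": parts[2],
            "service": parts[3],
            "has_password": len(parts) > 4,
        })
    return entries


def check_saprouttab(text: str) -> List[str]:
    """Return one finding per weakness, following the rules in the article."""
    findings: List[str] = []
    entries = parse_saprouttab(text)
    for e in entries:
        if "error" in e:
            findings.append(f"line {e['line']}: unparseable entry: {e['error']}")
            continue
        action = str(e["action"])
        base = action[-1]  # P, S or D without the K prefix
        if action in ("P", "S"):
            findings.append(f"line {e['line']}: {action} entry without SNC; use K{action}")
        if base != "D":  # wildcards only widen access on positive entries
            if e["dest"] == "*":
                findings.append(f"line {e['line']}: wildcard destination host")
            if e["service"] == "*":
                findings.append(f"line {e['line']}: wildcard destination port/service")
    valid = [e for e in entries if "error" not in e]
    last = valid[-1] if valid else None
    is_deny_all = (
        last is not None
        and str(last["action"])[-1] == "D"
        and (last["source"], last["dest"], last["service"]) == ("*", "*", "*")
    )
    if not is_deny_all:
        findings.append("last entry is not an explicit deny-all (D * * * *)")
    return findings


if __name__ == "__main__":
    for finding in check_saprouttab(SAMPLE_SAPROUTTAB):
        print(finding)
```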


The release and patch level of the SAProuter can be checked using the ROSCC. The port used by the SAProuter and whether the program accepts commands from remote hosts can also be monitored with the ROSCC.

The SAProuter log can be read to detect connections rejected by the SAProuter based on the route permission table. An example of an alert is provided below.

Email notifications are automatically triggered by Solution Manager for alerts. See below.


Analysts can execute guided procedures in Solution Manager to investigate alerts and document findings. An example is provided below for Securing the Route Permission Table.

The guided procedure provides a framework for discovering insecure entries in the saprouttab file, identifying required entries, maintaining the route permission table and finally, monitoring the SAProuter log for rejected connections.

Detailed reference documentation is included for each step in the procedure.