Layer Seven Security

Secure, Patch & Respond: Security Analytics with SAP Web Intelligence

SAP Web Intelligence enables users to visualize and manage security risks in SAP systems using interactive reports delivered through an intuitive web interface. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Animated charts summarize risks by system, location, priority and other dimensions. Results can be filtered and sorted to focus on specific areas. Users can comment on report elements for collaboration, decision-making and tracking remediation efforts. Reports can be exported to Excel, HTML and PDF. Reports can also be accessed remotely using the mobile app for SAP BusinessObjects.

The security reports are comprised of five distinct sections. The first section includes a series of charts that summarize risks across three dimensions: vulnerabilities, security notes, and alerts. The results can be filtered to focus on single or multiple systems.

The second section includes trend charts, bar graphs, geo-maps and bubble charts that break down the results for each dimension.

The remaining sections convey detailed findings and empower users to secure SAP systems against cyber threats by discovering and removing vulnerabilities, applying patches, and responding to alerts for suspected security breaches.

To learn more, contact Layer Seven Security. You can also request a free trial for security reporting with SAP Web Intelligence using Layer Seven’s cloud platform.

 

How to Comply with the DHS Recommendations for Securing SAP Systems from Cyber Attacks

In response to the dramatic rise of cyber attacks targeting ERP applications, the United States Department of Homeland Security (DHS) issued a warning earlier this year that encouraged organizations to respond to the risks targeted at their business applications by implementing specific measures to secure, patch and monitor SAP systems. The measures included scanning for vulnerabilities and missing security patches, managing SAP interfaces, and monitoring user behaviour, indicators of compromise, and compliance against security baselines for systems.

This article discusses how you can leverage SAP Solution Manager to comply with the DHS recommendations. Solution Manager is installed and available in most SAP landscapes and includes diagnostics and monitoring applications to support cybersecurity. The specific applications are outlined below against each of the DHS recommendations.

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

Configuration Validation in Solution Manager can perform automatic daily scans of SAP systems against security benchmarks to identify misconfigurations that could expose systems to cyber threats. The scans are performed against snapshots of systems stored in the Configuration and Change Database (CCDB). The results of the scans are stored in an internal Business Warehouse (BW). Service Level Reports and Security Dashboards connect to BW using BEx queries to read the results of the security scans and report the findings.

System Recommendations (SysRec) in Solution Manager connects directly to SAP Support to discover missing security patches.  SysRec also connects to each system in an SAP landscape to determine the current patch level. It reads the system information in the Landscape and Management Database (LMDB) to identify installed software components and versions. SysRec also integrates with the ABAP Call Monitor, Usage Procedure Logging, and Solution Documentation to perform change impact analysis for security patches.

2. Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Interface and Connection Monitoring (ICMon) in Solution Manager automatically maps cross-system interfaces including RFC, HTTP, IDOC and Web Services. This includes internal and external connections. It also monitors real-time traffic patterns to detect and alert for malicious actions including dangerous RFM and URL executions.

3. Analyze systems for malicious or excessive user authorizations.

Solution Manager can detect users with administrative privileges in SAP systems. It flags users with privileged authorizations, profiles, roles, transactions, Java permissions, and HANA system and table privileges. Privileges can include standard and custom objects.

4. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can monitor event logs in SAP systems to detect and alert for indicators of compromise (IOCs). This includes log files and tables such as the Security Audit Log, HTTP Log, System Log, Gateway Server Log, Change Document Log, Read Access Log, Java Security Log, HANA Audit Log, and the SAProuter Log. The MAI triggers alerts and email and text notifications for IOCs. Guided procedures provide a framework for incident response and tracking.

5. Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

MAI monitors user logs to detect and alert for suspicious behavior covering both privileged and non-privileged users. This includes unauthorized access, escalation of privileges and actions that could lead to data leakage.

6. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

SAP Partners periodically update content for Solution Manager to address new vulnerabilities and attack vectors.

7. Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Solution Manager continuously monitors for policy violations against security baselines and compliance frameworks such as GDPR, IT-SOX, NIST and PCI-DSS. Service Level Reports and Dashboards provide directions for implementing and tracking remedial actions taken to patch and secure systems. Guided procedures document incident investigation steps performed by responders. The results are archived in Solution Manager.

To learn more about how Solution Manager can help you comply with the DHS recommendations for securing SAP systems, contact Layer Seven Security.

DHS Issues Warning for Cyber Attacks Targeting SAP Applications

The United States Department of Homeland Security issued a warning this week for malicious cyber activity targeting ERP applications including SAP. The warning is based on the findings of a recent report issued by Digital Shadows. The report discusses the dramatic rise in cyber attacks on widely used ERP applications. The report echoes the findings of an earlier study by Gartner that predicted a growth in attacks targeted at business applications.

The findings of the report are summarized below.

– The number of publicly available exploits for SAP applications has doubled in the past three years and there has been a 160% increase in the activity and interest in ERP-specific vulnerabilities between 2016-17

– Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations

– Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications

– Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage

– There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums

– Attacks vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days

– Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.

– Leaked information by third parties and employees can expose internal ERP applications.

In response, the report recommends the following actions to protect SAP applications from cyber attack.

– Identify and mitigate ERP application layer vulnerabilities, insecure configurations and excessive user privileges

–  Identify and remove dangerous interfaces and APIs between the different ERP applications in the organization, especially those with third parties and that are internet-facing

–  Monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise

–  Monitor for leaked ERP data and user credentials

The recommended actions can be applied using SAP Solution Manager. System and user-level vulnerabilities can be identified using Service Level Reporting and Dashboards in Solution Manager. System Recommendations can be used to discover and apply security patches. Vulnerable cross-system connections including external connections can be discovered and monitored using Interface and Connection Monitoring (ICMon). The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to monitor SAP logs to detect indicators of compromise including the leakage of sensitive data. Finally, the Guided Procedure Framework provides a platform for incident response using standard operating procedures for alert investigation.

Top Five Tips for System Recommendations

System Recommendations in SAP Solution Manager connects directly to SAP Support for real-time patch updates. It also connects to each system within SAP landscapes to monitor patch levels. SysRec downloads corrections for security vulnerabilities from SAP Support to each system and integrates with other areas in Solution Manager for change impact analysis, change management, and test management. SAP customers can therefore discover unapplied patches, bundle patches into change requests, and plan and execute test plans for patch cycles from a single integrated platform.

This article provides suggestions for optimizing System Recommendations to improve the performance of the application and the user experience. The tips will enable you to minimize false positives, identify and troubleshoot errors, and personalize the user interface.

System Recommendations reads the Landscape Management Database (LMDB) to determine the version and support pack levels for installed software components in each system. Therefore, the LMDB should be configured correctly, regularly updated and synchronized with the System Landscape Directory (SLD). This will reduce the likelihood of false positives such as the display of notes for irrelevant components, databases and operating systems. Kernel registration in the SLD will also help to minimize false positives. Alternatively, irrelevant components can be set to inactive in the customizing table AGSSR_OSDB to exclude them from the results returned by SysRec.

The background job SM:SYSTEM RECOMMENDATIONS periodically updates System Recommendations by connecting to SAP support and to managed systems to calculate unapplied notes. Processing errors for the object ASG_SR should be monitored using the Application Log (transaction SLG1). Alerts for job errors including automatic email notifications should be configured using Business Process Monitoring (BPMon) in Solution Manager.

System Recommendations excludes notes that are irrelevant, postponed or discontinued.  Therefore, it displays results for notes that have the implementation status New or New version available. Since the available status options don’t include options for notes with manual corrections that have been implemented, a custom status option for such notes should be configured by maintaining table AGSSR_STATUS. This can be performed using transaction SM30. Customers can also create custom status options to group notes by patch cycle, project or other criteria. In the example below, we’ve assigned a group of notes to the custom status group Q3 2018 and filtered the results to list the notes assigned to the group.

Status changes performed by users for notes are logged by System Recommendations. The changes are tracked in the details section for each note.  This section also tracks comments entered by users for notes. Comments are useful for tracking discussions between users that could impact implementation decisions including the approach, rationale, and timeline for applying security patches. Changes and comments entered by users can be viewed in table AGSSR_SYSNOTEC.

Finally, Fiori tiles can be configured in SysRec to create shortcuts for notes for specific systems, groups, and other variables. The tiles are accessed from the Fiori Launchpad and can be assigned to custom or standard groups. Once saved to the Launchpad, the results for each tile are automatically updated by System Recommendations.

Monitoring the SAProuter with SAP Solution Manager

The SAProuter performs a pivotal role in SAP landscapes by filtering SAP traffic using a more granular approach than is possible with conventional network-level firewalls. As a stand-alone program, it is commonly installed in DMZ servers that support network services rather than SAP applications.

The SAProuter is often targeted by attackers given it’s function as the gateway to SAP systems. There are several attack vectors targeting known vulnerabilities in earlier versions of the program. Therefore, it’s important to regularly update the SAProuter to the latest release and patch level. You can refer to note 1897597 for release information and note 1921693 for instructions for updating the program. Other recommendations include changing the well-known default port and blocking remote access to the SAProuter. This could be abused to control the SAProuter from external clients or hosts. It can also be exploited to modify the route permission table.

The route permission table is maintained in the saprouttab file stored in the working directory of the SAProuter and controls route strings between hosts.  It applies an access control list to permit or reject connections between source and target systems through the SAProuter. Standard entries in the route permission table have the syntax P (Permit) /S (Secure) /D (Deny) <source-host> <destination-host> <destination-port or service> <password>. The password option for permitted connections is optional.

The access control list should be as restrictive as possible and only permit the necessary connections. Wildcards (*) should not be used in the destination host and port fields. The rule D * * * * should be included as the last entry in the list to explicitly deny all connections that are not defined in the route permission table.

Lastly, the access list should be configured to support only authenticated and encrypted connections using the K prefix for positive entries. This requires the configuration of Secure Network Communications (SNC) for the SAProuter. For detailed instructions, refer to the SAP guide for SAProuter SNC Configuration.

The SAProuter can be monitored with SAP Solution Manager. The Solution Manager Diagnostics (SMD) agent should be installed on the server hosting the SAProuter. The Remote OS Script Collector (ROSCC) is also required to run OS commands through the Monitoring and Alerting Infrastructure (MAI) of Solution Manager. The next steps are the registration of the SAProuter in Solution Manager and the execution of the steps for managed system setup. Once completed, the SAProuter is available for monitoring.

The route permission table can be monitored by Solution Manager to automatically detect insecure entries including unauthenticated and unencrypted connections and entries with wildcards in the destination and port fields. An example is provided below.

 

The release and patch level of the SAProuter can be checked using the ROSCC. The port used by the SAProuter and whether the program accepts commands from remote hosts can also be monitored with the ROSCC.

The SAProuter log can be read to detect connections rejected by the SAProuter based on the route permission table. An example of an alert is provided below. Click on the image to enlarge.

Email notifications are automatically triggered by Solution Manager for alerts. See below.

 

Analysts can execute guided procedures in Solution Manager to investigate alerts and document findings. An example is provided below for Securing the Route Permission Table.

The guided procedure provides a framework for discovering insecure entries in the saprouttab file, identifying required entries, maintaining the route permission table and finally, monitoring the SAProuter log for rejected connections.

Detailed reference documentation is included for each step in the procedure.

GDPR Compliance with SAP Solution Manager 7.2

The General Data Protection Regulation (GDPR) will be enforceable throughout the European Union in less than a month. The regulation specifies how personal data should be managed and applies to organizations that collect data on EU citizens, regardless of whether or not they are located within the EU. GDPR requirements include data protection measures to secure systems that store or process personal data (privacy by design). They also include breach notification requirements that oblige organizations to notify customers within 72 hours of any compromise of their personal data.  Organizations may be fined up to €20 million or 4% of global turnover for non-compliance, whichever is greater. Therefore, GDPR is regarded as the most stringent data security framework to date.

In SAP environments, the requirement for privacy by design can be met by hardening and patching systems using Service Level Reporting, Security Dashboards, and System Recommendations, available in SAP Solution Manager. This will support automated monitoring for security vulnerabilities and missing security patches that could be exploited to target SAP systems and compromise personal data. Interface Monitoring and the Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to perform event monitoring to detect potential attacks in near-time.

The requirement for breach notification can be met through systematic monitoring of access to personal data, supported by incident response procedures aligned to GDPR disclosure standards. This can also be performed using SAP Solution Manager. The flowchart below summarizes the process for logging access to personal data in SAP systems, automatically monitoring logs for access violations and finally, responding to potential breaches using guided procedures.

The logging for access to personal data is performed using SAP Read Access Logging (RAL). RAL supports logging for access and changes to sensitive data fields in SAP systems, including custom fields. It can also be used to log access to SAP tables containing bulk records of sensitive data. Data fields and tables are tagged for logging using RAL scenarios. Once configured, RAL configurations can be transported across systems within a landscape. User exclusion lists can be maintained to exclude authorized users from logging. The RAL recording below captures access to banking information accessed through vendor maintenance in SAP ERP.

Access violations are logged in RAL tables. The raw log can be viewed using SRALMONITOR. In the example below, RAL has logged access to banking data belonging to vendor number 1752249 by the user ATTACKER on April 24, 2018 at 1.39 PM. Click on each image to enlarge.

The next step involves automated monitoring of RAL logs and triggering alerts and notifications for suspected breaches to personal data. This is performed using the MAI in SAP Solution Manager. MAI continuously monitors the contents of RAL tables as often as every minute. The MAI Event Calculation Engine alerts for each incident recorded in RAL tables and triggers email notifications to security analysts.

The alert details include the date and time of the event, the impacted system and client, and the name of the user that accessed the personal data.

The final step involves incident response. Analysts can execute guided procedures to investigate suspected breaches of personal data directly from each alert. Once executed, guided procedures provide standard operating procedures including automated steps for security investigations.

Guided procedures provide a framework for ensuring incident response procedures are aligned with GDPR requirements including disclosures to impacted customers, employees or other parties within the reporting window mandated by the regulation. Completed guided procedures are archived to provide an audit trail for compliance purposes.

The comprehensive coverage provided by SAP Solution Manager for the privacy by design and monitoring and disclosure requirements of GDPR presents a powerful alternative to third party software platforms.  Contact Layer Seven Security to discuss how Solution Manager can help your organization become and stay GDPR-compliant.

Webinar: Threat Detection with SAP Solution Manager 7.2

How does Solution Manager perform threat detection for SAP systems? What type of events are detected? Which logs are monitored? Is this real-time or near-time monitoring?  Do you receive email and SMS notifications for alerts? How do you prevent alert flooding? How do you use guided procedures for alert handling and forensic investigations? Is it possible to customize workflows in guided procedures? How do you integrate SolMan alerts with SIEM platforms for event correlation? What are the differences between threat detection with SAP Solution Manager and SAP Enterprise Threat Detection?

Discover the answer to these and many more questions by joining Layer Seven’s webinar on March 30. Gain valuable insights that will empower you to unlock the potential of your SAP platforms from the global leaders in cybersecurity monitoring using SAP Solution Manager.

 

REGISTER

SAP Solution Manager is ITIL-Certified for Information Security Management

The SAP Integration and Certification Center (ICC) has been validating and certifying solutions from partners and software vendors for over twenty years. The certifications provided by the ICC are based on rigorous testing and enable customers to invest with confidence in technologies that integrate with SAP solutions. This includes technologies that support security scenarios such as automated vulnerability management, code scanning and threat detection.

The ICC cannot certify SAP’s own product offerings since self-certification does not provide the same level of assurance as independent certification. However, SAP platforms are often certified by recognized certification authorities. SAP Solution Manager, for example, is certified by organizations such as SERVIEW. In fact, Solution Manager is one of the most awarded service management platforms in the market and certified for all 18 certifiable processes of the ITIL framework, including Information Security Management.

ITIL is the Information Technology Infrastructure Library and provides best practices to support the design, management and monitoring of IT infrastructure and optimization of service levels for end users. The framework consists of five distinct lifecycle phases for service strategy, design, transition, operations, and continuous improvement. It includes key performance indicators to identify problems, measure performance, and track progress.

IT Security Management is a process within the Service Design lifecycle of the most recent version of the ITIL framework. It includes four sub-processes for the design of security controls, the performance of regular security reviews, and the management of security incidents. The sub-processes are targeted at preventing, detecting and containing security intrusions and breaches. The chart below maps each sub-process to relevant applications available in SAP Solution Manager.

ITIL v3 – IT Security Management

Applications such as Configuration Validation, Service Level Reporting and the Dashboard Builder enable customers to enforce security baselines for SAP landscapes and monitor compliance against security KPIs. System Recommendations automatically detects missing security patches through a direct connection to SAP support. Interface Monitoring detects potential breaches of cross-system connections. Finally, the Monitoring and Alerting Infrastructure and Guided Procedures provide an advanced framework for detecting and responding to security incidents and suspected breaches. Overall, Solution Manager provides a powerful ITIL-compliant platform for defining, implementing and sustaining secure SAP system landscapes.

 

5 Common Myths for Security Monitoring with SAP Solution Manager

Does Solution Manager have a complex installation process? Is it difficult to maintain? Does it create dangerous connections with SAP systems? Is it a high value target for attackers? Does it provide no support for zero-day vulnerabilities?

This article tackles the five most common myths about SAP Solution Manager and reveals the truth behind the fiction.

The first and most common myth is that SAP Solution Manager is complex to install and difficult to maintain. In fact, the installation procedures for Solution Manager are relatively simple and standardized, especially in comparison to other SAP platforms such as ECC. Once installed, guided procedures in Solution Manager track the progress of the setup process across three major areas: System Preparation, Basic Configuration, and Managed System Configuration. Performing the configuration steps in Technical or Application Monitoring is recommended to enable the monitoring capabilities of Solution Manager.

Once configured, security-relevant applications such as System Recommendations, Dashboards, Interface Monitoring and the Monitoring and Alerting Infrastructure are enabled and ready to use. Therefore, the standard setup procedures automatically activate most of the requirements for security monitoring using Solution Manager. Since security applications use existing connections with SAP systems, there is no need to install and configure additional agents in target systems.

Maintenance is relatively straightforward. Support packs for functional enhancements and bug fixes are released at regular intervals and are applied using the Maintenance Optimizer. The guided procedures for SOLMAN_SETUP will flag any configuration issues that need to be tackled after an SP upgrade.

The second myth is that SAP Solution Manager creates dangerous RFC connections with managed systems. The RFC connections created by Solution Manager are no more or less dangerous than similar connections between other systems in SAP landscapes. Also, the risk is not removed if you decide not to perform security monitoring using SAP Solution Manager since the connections will remain in place.

The third myth is that SAP Solution Manager is a high-value target for attackers. In fact, all SAP systems are valuable targets for attackers. Since Solution Manager does not typically store or process sensitive business data, it may be a less valuable target than systems such as ECC, CRM and SRM. Also, Solution Manager performs self-monitoring to detect security vulnerabilities including misconfigurations and missing patches, and potential security breaches captured in SAP logs. In dual landscapes, Solution Manager systems can monitor each other.

Fourthly, it’s often emphasized that Solution Manager is not certified by SAP. SAP certifies third party solutions developed by independent software vendors for integration with platforms including SAP NetWeaver. SAP does not certify it’s own software platforms such as Solution Manager. However, Solution Manager is ITIL-certified by organizations such as SERVIEW for Information Security Management.

The final myth is that Solution Manager does not provide any coverage for zero-day vulnerabilities that are unpatched by SAP. Security researchers choose to deliver virtual patches for zero-day vulnerabilities through third party tools in order to induce SAP customers to subscribe to expensive licenses for such tools. This is a business decision and not due to any technical limitation in Solution Manager. Also, all zero-day vulnerabilities do not pose a critical risk to SAP systems. The fact that patches for vulnerabilities are often released many months after the weaknesses are disclosed by security researchers to SAP does not necessarily mean that SAP systems are at serious risk. SAP’s response to such disclosures depends on an assessment of the risk posed by reported vulnerabilities. This includes factors such as the complexity and range of related exploits and the impact to data confidentiality, integrity and availability.

Featured in SAPinsider: Secure Your SAP Landscapes with SAP Solution Manager 7.2

Firewalls, intrusion detection systems, and antivirus solutions may not protect SAP systems against advanced cyberattacks. However, this does not necessarily mean that SAP customers have to license third-party vulnerability scanning or threat detection solutions to deal with the risk. The answer to their security questions may be closer than they realize. Bundled with standard and enterprise SAP support agreements, SAP Solution Manager 7.2 includes five integrated applications to safeguard SAP systems against cyber threats:

Service Level Reporting (SLR)
Dashboard Builder
System Recommendations
Interface and Connection Monitoring (ICMon)
and the Monitoring and Alerting Infrastructure (MAI)

Read the full article