Layer Seven Security

Get Ready for SAP Solution Manager 7.2: What to Expect

SAP Solution Manager 7.2

It’s well known that licenses for SAP Solution Manager are included in SAP maintenance and support agreements. However, with the release of version 7.2 next year, SAP will take this a step further by providing free licenses for SAP HANA for use with SolMan 7.2. Customers will still have to pay for hardware, but hardware costs have been falling, and cloud services offer the option of avoiding hardware costs altogether.

Other improvements in SolMan 7.2 include a streamlined architecture requiring fewer integrations and system resources and delivering faster processing times. Depending upon the implementation scenario, customers will be able to lower SolMan running costs by up to 70 percent.

SolMan will also provide a vastly improved UI based on the Fiori Launchpad and support access through Apple, Android and Windows mobile devices.

SAP Solution Manager 7.2

SolMan 7.2 will provide full support for HANA, S/4HANA, Cloud and Hybrid solutions, enabling customers to manage and monitor all SAP on-premise and cloud systems.

For security monitoring, we can expect improved reporting capabilities based on UI5 that do not require embedded BI or Flash, tighter integration between the SolMan frontend and BW Query Designer to support highly customizable reports, upgraded dashboards and alerts, and the ability to not only discover missing Security Notes for systems using SysRec but also identify the business processes impacted by the planned implementation of Notes. The latter will rely on solution documentation maintained directly in SolMan and a much improved Business Process Change Analyzer application that will integrate with Test Management to enable customers to develop, execute and review the results of test cases for planned changes.

SAP Solution Manager 7.2

SAP will remove maintenance for the current version of Solution Manager at the close of 2017. Customers will have around 18 months to upgrade their Solution Manager platforms. The advanced performance and analytical capabilities offered by SAP HANA together with the major enhancements in Solution Manager 7.2 suggest that most customers will opt for early adoption. This will strengthen SolMan’s position as the premier solution for monitoring the security of SAP systems, providing the lowest total cost of ownership, unlimited flexibility and scalability, and unrivalled performance.

Are your System Users Vulnerable to SAP Hacks?

One of the most telling statistics revealed at BlackHat USA earlier this year was the fact that 84 percent of InfoSec professionals regard unmanaged privileged credentials as the biggest cyber security vulnerability within their organizations. For SAP environments, the dangers posed by abusing user accounts with privileged access are well-known and can include shutting down SAP servers to interrupt the availability of services, reading or modifying sensitive information, and performing unauthorized changes to system configurations, programs, users, and other areas. For this reason, privileged access is carefully granted and vigilantly monitored in most systems, especially productive systems. This includes privileges assigned through powerful authorization profiles such as SAP_ALL, SAP_NEW, S_ABAP_ALL and S_A.SYSTEM.

However, countermeasures to prevent abuses of privileged credentials in SAP systems are usually focused on dialog users, since interactive logon is not possible with most other user types. This includes system users that are used for background processing. Therefore, it’s common to find system users with privileged access in productive systems, especially when such users support several cross-system connections and integration scenarios.

The risks posed by system users with privileged credentials should not be overlooked and can be as grave as those posed by dialog users. Attackers are able to modify user types from system to dialog in several ways. The most common method is through the Function Builder used to build, test and manage function modules.

Attackers can access the Function Builder through transaction SE37 in a connecting system to execute the BAPI_USER_CHANGE remote-enabled function module (RFM). This RFM can be used to implement user changes in destination systems. The changes are applied using a privileged system user in the destination system. The credentials for such users are often stored in RFC destinations configured in connecting systems. The relevant RFC destination is entered in the field RFC target sys of the Function Builder (see below). The username of the system user configured for the RFC connection is entered in the USERNAME import parameter. Finally, the LOGONDATA and LOGONDATAX parameters are maintained to specify the dialog user type.

BAPI_USER_CHANGE

Once executed from the connecting system, BAPI_USER_CHANGE will change the system user to a dialog user type in the destination system through a remote function call. This will enable the attacker to log on to the destination system through methods such as the Remote Logon option in the RFC destination maintained in the connecting system (see below).

SAP RFC Destination - Remote Logon

Since attackers can bypass the restrictions placed on system users by abusing the privileged credentials provided to such users, it stands to reason that super user privileges should be managed for all user types, not just dialog users. This includes restricting the privileges of technical system and communication users to the minimum required for each scenario. Trace tools such as STAUTHTRACE, STRFCTRACE and STUSOBTRACE can be used to identify the authorization objects required by each user. This should be supported by enabling switchable authorization checks for sensitive function modules such as BAPI_USER_CHANGE, BAPI_USER_CREATE1 and BAPI_USER_PROFILES_ASSIGN and, in NetWeaver releases 7.4x, by enabling Unified Connectivity (UCON) to restrict external access to remote-enabled function modules.

RFC destinations with stored logon credentials can be identified using the config store RFCDES_TYPE_3 in Configuration Validation (ConVal). RFC users with critical profiles such as SAP_ALL can be identified using the store RFCDES_TYPE_3_CHECK. See below.

SAP Configuration Validation RFCDES_TYPE_3

SAP Configuration Validation RFCDES_TYPE_3_CHECK
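The following script is an added example, not code from this post, from Layer Seven Security or from SAP. It scores RFC destinations the way a reviewer of the RFCDES_TYPE_3 and RFCDES_TYPE_3_CHECK results would: a destination that can be used without an interactive logon (stored password or trusted connection) whose user carries a critical profile is exactly the case the post describes. The export format, the field names and the sample destinations are assumptions constructed for this example, not the real layout of the ConVal stores.

```python
"""Added example, not code from the Layer Seven Security post or from SAP.

It scores RFC destinations the way a reviewer of the RFCDES_TYPE_3 and
RFCDES_TYPE_3_CHECK ConVal stores would: a destination with stored logon
credentials (or a trusted connection) whose user carries a critical profile
is the case the post warns about. The export format and field names below
are assumptions made for this example, not the real store layout."""

from dataclasses import dataclass, field

# Powerful SAP-delivered profiles named in the post.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW", "S_ABAP_ALL", "S_A.SYSTEM"}

# Constructed export (not real data): one line per ABAP (type 3) destination.
SAMPLE_EXPORT = """\
# sid;destination;target;user;user_type;password_stored;trusted;profiles
DEV;PRD_RFC;PRD;RFC_BATCH;SYSTEM;X;;SAP_ALL,SAP_NEW
DEV;QAS_TRUSTED;QAS;RFC_SYNC;SYSTEM;;X;S_A.SYSTEM
PRD;SLD_DATA;SLD;SLD_DS;SYSTEM;X;;
PRD;HR_QUERY;PRD;HR_RFC;COMMUNICATION;;;SAP_ALL
PRD;ADHOC;DEV;;;;;
"""


@dataclass
class RfcDestination:
    sid: str                 # connecting system where the destination is defined
    name: str                # RFC destination name
    target_sid: str          # destination system the call lands in
    user: str                # logon user maintained in the destination, "" if none
    user_type: str           # user type in the destination system (SYSTEM, COMMUNICATION, DIALOG)
    password_stored: bool    # logon credentials are stored in the destination
    trusted: bool            # trusted-system logon, no password required
    profiles: frozenset = field(default_factory=frozenset)


def parse_export(text: str) -> list:
    """Parse the constructed semicolon-separated export into destinations."""
    dests = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sid, name, target, user, utype, pw, trusted, profs = [c.strip() for c in line.split(";")]
        dests.append(RfcDestination(sid, name, target, user, utype, pw == "X", trusted == "X",
                                    frozenset(p for p in profs.split(",") if p)))
    return dests


def assess(dests) -> dict:
    """Map 'SID/destination' to (severity, reasons) for every destination worth a look.

    HIGH:   usable without a logon (stored password or trusted) AND a critical profile,
            so anyone who can call through the destination inherits super-user rights.
    MEDIUM: usable without a logon, but the user holds no critical profile.
    LOW:    critical profile on a destination that still requires an interactive logon.
    """
    findings = {}
    for d in dests:
        reasons = []
        if d.password_stored:
            reasons.append("stored logon credentials")
        if d.trusted:
            reasons.append("trusted connection")
        crit = d.profiles & CRITICAL_PROFILES
        if crit:
            reasons.append("critical profiles: " + ",".join(sorted(crit)))
        if not reasons:
            continue
        reachable = d.password_stored or d.trusted
        severity = "HIGH" if reachable and crit else "MEDIUM" if reachable else "LOW"
        findings[f"{d.sid}/{d.name}"] = (severity, reasons)
    return findings


if __name__ == "__main__":
    for key, (sev, why) in assess(parse_export(SAMPLE_EXPORT)).items():
        print(f"{sev:6} {key}: {'; '.join(why)}")
```

The severity split matters for remediation order: the HIGH findings are the ones where trimming the RFC user's profiles (or removing the stored password) closes the path the post describes, while LOW findings are excess authorizations to clean up but not a remote entry point on their own.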

Monitoring SAP Security Metrics with SolMan Dashboards

SAP Solution Manager (SolMan) includes a complete dashboard framework for visualizing data metrics and KPIs across a wide variety of areas. This includes areas such as availability, performance, service delivery, and crucially, system security. What’s more, the process for enabling and customizing dashboards is relatively quick and simple. This short guide walks through the steps to leverage the SAP-delivered dashboard apps in SolMan for security monitoring.

The first step is creating a link to the dashboard in the SAP Easy Access menu. Once you have logged into SolMan, right click on the Favorites folder and select Add Other Objects.

SAP Solution Manager Security Dashboard

From the list in the Restrictions screen, choose Web-Dynpro Application.

SAP Solution Manager Security Dashboard

Enter GENERIC_DASHBOARD_VIEWER in the Web Dynpro Applicat. field of the Web Dynpro Application screen.

Enter Security Dashboard in the description field.

Select HTTPS if applicable.

Within the Parameter table, enter ALIAS in the Name column and CIO_PERSONAL in the Value column. Click Save when complete.

SAP Solution Manager Security Dashboard

The Security Dashboard link will now appear in your Favorites menu. Double click on the link to launch the dashboard in a browser. You will require the role SAP_SM_DASHBOARDS_DISP, which includes the authorization object SM_DBSINST, to access the dashboard.

SAP Solution Manager Security Dashboard

The second step is configuring security apps in the dashboard. The welcome screen below is displayed the first time you access the dashboard. Select Configure in the top right of the screen and then Add new App.

SAP Solution Manager Security Dashboard

Select the Cross-Application category.

SAP Solution Manager Security Dashboard

Select and configure the following apps in sequence: Security Overview, Security Details, and Security List. You can learn more about these dashboard security apps at the SAP Help Portal.

Follow the steps below for each app.

Select one of the specified apps and click OK.

SAP Solution Manager Security Dashboard

Enter a title for the app in the Header field. In the example below, we have configured the Security List app which displays the compliance status of systems by Software, Configuration, and User areas. The Software group includes checks for the release and support pack level of critical software components, kernel levels, and unapplied Security Notes. The Configuration group includes checks for security-relevant profile parameters, access control filters in operating system files such as sec_info and reg_info, client change settings, Security Audit Log filters, RFC destinations with stored logon credentials, trusted RFC connections, and active Web services. Finally, the Authorization group includes checks for users with critical authorization objects or combinations of auth objects, sensitive transactions, and powerful SAP-delivered profiles such as SAP_ALL. It also includes checks for standard users with default passwords.

The next step is to select the target system. This is the template that contains the baseline security policy used to check the compliance levels of systems in your landscape. You can select default templates such as 0SEC_NEW. However, best practice is to develop custom templates to perform checks for a wider array of vulnerabilities in SAP systems than covered by SAP-delivered defaults. Templates developed by Layer Seven Security, for example, perform over 500 vulnerability checks for ABAP, Java and HANA systems.

Once you have selected the target system, specify the comparison systems that should be monitored using the dashboard security app. In the example below, we’ve chosen to monitor the ABAP stack of the system SMP using the custom template in the virtual target system SEC_ABAP. This is a simplified example. In most cases, multiple systems should be selected for monitoring at the same time against a single target system.

SAP Solution Manager Security Dashboard

Select Preview to sample the dashboard and then click Apply when done. Perform the configuration steps for the other security apps available in the SolMan dashboard. Save the Dashboard. Once complete, the dashboard should resemble the following:

SAP Solution Manager Security Dashboard

The final step is to set the Auto Refresh frequency in the drop-down menu positioned in the top right of the dashboard. Once set, the dashboard will refresh as often as every 5 minutes for near real-time security monitoring.

SAP Solution Manager Security Dashboard

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Earlier this month, the New York Stock Exchange released a definitive guide to cybersecurity targeted at directors and officers of public companies. Developed with Palo Alto Networks, the guide includes contributions from over thirty-five industry experts and contends with a wide range of questions including legal and regulatory issues, cyber insurance, supplier risks, and incident detection and response. It also discusses investor perspectives towards cybersecurity and cites a recent survey of 130 global institutional investors with an estimated $3 trillion under management that reveals 4 out of 5 institutions would blacklist the stocks of hacked organizations. The full report can be downloaded here.

According to the guide, cybersecurity risk management plans should include several critical countermeasures. One of the most important is effective patch management. In fact, the report points out that “system compromise and data breach are rarely the result of some sophisticated attack that no one has ever seen before. The bulk of effective attacks use vulnerabilities that have been known for years… Lack of patching and other standard security issues are normally the culprits” (p95).

This suggests that more active and rapid patching can significantly lower the risk of successful cyber attack. For SAP customers, this calls for the regular application of SAP-delivered security patches to address programming and other flaws. Security fixes are generally released by SAP on Security Patch Day, scheduled for the second Tuesday of every month. Corrections are packaged in Hot News, Security and Support Package Notes that are available through the SAP Support Portal.

There are several options for discovering relevant Security Notes for SAP systems. The first is directly through the SAP Support Portal using preconfigured filters for registered systems and products. Automatic email notifications can be set up through the Portal for newly released Notes.

The second is System Recommendations (SysRec). You can refer to our earlier post for guidance on how to Discover Security Patches for your SAP Systems using System Recommendations.

The third is a standard report available in Configuration Validation (ConVal). Although this approach draws upon SysRec, it consolidates missing SAP patches for all systems across landscapes. This is useful if you need to check the patch status of several systems at the same time. The instructions below provide a step-by-step guide for detecting unapplied SAP Security Notes using ConVal.

Step 1. Open Configuration Validation from the Root Cause Analysis or Change Management work center in SAP Solution Manager.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 2. Select the Reporting Templates option from the Report Execution tab.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 3. Select the report highlighted below and click ‘Start configuration reporting’.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 4. Maintain the filters for the report by selecting specific SAP System IDs (SIDs), system types, areas, and the date range. In the example below, we have selected Hot News and Security Notes released between Jan-Sep 2015 for all ABAP systems in the landscape. Click Execute when you are done.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

Step 5. Analyze the results. In the report below, the table on the left provides a count of missing Notes by SID. The table on the right displays the unapplied Notes in each row against SIDs in each column.

How to Discover Missing Security Notes for Your SAP Systems using ConVal

The details of each unapplied Note are provided in the lower section of report. This includes version, description, priority level, and impacted application components. The results can be filtered by priority level to focus on Hot News and High Priority patches. Results can also be exported to .xls and other file formats for further analysis.

How to Discover Missing Security Notes for Your SAP Systems using ConVal
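The script below is an added example, not code from this post or from SAP Configuration Validation. It reproduces, over constructed data, what the ConVal report above shows: the Step 4 filters (system type, priority and release-date range) and the two Step 5 tables (missing Notes per SID, and Notes against SIDs), counting a Note as applied only when the system has its latest version. The Note numbers, components, systems and implementation statuses are placeholders invented for the example and do not correspond to real SAP Notes.

```python
"""Added example, not code from the post or from SAP Configuration Validation.

It reproduces, over constructed data, what the ConVal report in the post shows:
filter Notes by system type, priority and release date (Step 4), then build the
count of missing Notes per SID and the Notes x SIDs table (Step 5), counting a
Note as applied only when the system has its latest version. The Note numbers,
systems and statuses are placeholders invented for this example."""

from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Note:
    number: str
    version: int
    priority: str     # HotNews, High, Medium, Low
    released: date
    area: str         # ABAP, JAVA, HANA
    component: str


# Constructed catalogue (placeholder numbers); 9000002 exists in two versions and only version 2 counts.
NOTES = [
    Note("9000001", 1, "HotNews", date(2015, 2, 10), "ABAP", "BC-SEC"),
    Note("9000002", 1, "High",    date(2015, 3, 10), "ABAP", "BC-MID-RFC"),
    Note("9000002", 2, "High",    date(2015, 6, 9),  "ABAP", "BC-MID-RFC"),
    Note("9000003", 1, "Medium",  date(2015, 5, 12), "ABAP", "BC-ABA-LA"),
    Note("9000004", 1, "High",    date(2015, 4, 14), "JAVA", "BC-JAS-SEC"),
    Note("9000005", 1, "HotNews", date(2015, 11, 10), "ABAP", "BC-SEC"),
]
# Constructed per-system status as SysRec would report it: SID -> {note number: highest version implemented}
STATUS = {
    "DEV": {"9000001": 1, "9000002": 1},
    "QAS": {"9000001": 1, "9000002": 2, "9000003": 1},
    "PRD": {"9000002": 1},
    "PIJ": {},
}
AREA_OF_SID = {"DEV": "ABAP", "QAS": "ABAP", "PRD": "ABAP", "PIJ": "JAVA"}


def latest_versions(notes):
    """Keep only the newest version of each Note number."""
    best = {}
    for n in notes:
        if n.number not in best or n.version > best[n.number].version:
            best[n.number] = n
    return best


def select_notes(notes, areas, priorities, start, end):
    """Step 4 filters: area, priority and release-date range, newest version of each Note only."""
    return [n for n in latest_versions(notes).values()
            if n.area in areas and n.priority in priorities and start <= n.released <= end]


def missing_matrix(selected, status=STATUS, area_of_sid=AREA_OF_SID):
    """Notes x SIDs table: True where the SID lacks the latest version of the Note."""
    matrix = {}
    for n in sorted(selected, key=lambda x: x.number):
        matrix[n.number] = {sid: applied.get(n.number, 0) < n.version
                            for sid, applied in status.items() if area_of_sid[sid] == n.area}
    return matrix


def missing_count_by_sid(matrix):
    """Left-hand table of the report: number of unapplied Notes per SID."""
    counts = Counter()
    for row in matrix.values():
        counts.update(sid for sid, missing in row.items() if missing)
    return dict(counts)


def report(priorities=("HotNews", "High"), areas=("ABAP",),
           start=date(2015, 1, 1), end=date(2015, 9, 30)):
    """The post's example selection: Hot News and Security Notes, Jan-Sep 2015, ABAP systems."""
    matrix = missing_matrix(select_notes(NOTES, set(areas), set(priorities), start, end))
    return matrix, missing_count_by_sid(matrix)


if __name__ == "__main__":
    matrix, counts = report()
    print("missing per SID:", counts)
    for number, row in matrix.items():
        print(number, {sid: "missing" if miss else "applied" for sid, miss in row.items()})
```

Passing `priorities=("HotNews",)` to `report()` is the priority filter the post applies in Step 5 to focus on Hot News patches; the version comparison is what keeps a system that applied an older version of a re-released Note from showing as patched.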

Featured in SAPinsider: Unlocking the Cyber Security Toolkit in SAP Solution Manager

How to Implement Advanced Security Monitoring Without Third-Party Software

The fear and anxiety driven by the wave of cyber attacks in recent years has led many companies to bolster their security programs. It’s also led to a stream of software solutions from third-party developers offering to solve customers’ cyber security challenges. You may have heard the sales spin, watched the demos, and even considered the proposals. But before you launch the purchase order, ask yourself: Is there an alternative? What if the tools you need to secure your SAP systems were available to you at this very moment?

SAP has equipped customers with a variety of tools to protect against even the most advanced forms of cyber threats. The tools are available in SAP Solution Manager and include:

1. Configuration Validation: Implement automated vulnerability checks across your entire SAP landscape

2. System Recommendations: Detect security-relevant SAP patch day and support package notes

3. Change Analysis: Analyze the root cause of changes in your SAP systems

4. End-to-End (E2E) Alerting: Investigate email and SMS alerts for critical SAP security events

5. Security Dashboards: Monitor the health of your SAP systems in near real time

Read more at SAPinsider

Cyber Security Monitoring using SAP Solution Manager

How to Protect Sensitive Data in Your SAP Systems with Read Access Logging

The need to monitor access to classified data in SAP systems has never been greater. End users are increasingly working with SAP data from outside the borders of corporate networks. Corporate information is also increasingly under threat from cyber criminals, hacktivists, cyber spies and terrorists that seek to exploit classified information for financial gain or to further ideological or national interests.

Read Access Logging (RAL) empowers organizations to combat these threats by providing the ability to detect and contain information leaks before they escalate into large-scale data breaches. This is performed by logging and monitoring access to sensitive data in SAP systems. RAL can also be used to identify malicious changes by tracking old and new values for classified data.

This article will explain how you can enable RAL in your SAP systems. The use-case illustrated in the article is sensitive employee data including social security numbers (SSN), salary and banking information. However, RAL can support any use case including health records, payment data, pricing information, etc. It can also be used to monitor access to custom data fields in your SAP systems.

RAL is accessed using the SRALMANAGER transaction. The screen below displays the options available in the Administration tab of the control panel. You will need the template roles SAP_BC_RAL_ADMIN_BIZ, SAP_BC_RAL_ADMIN_TEC and/or SAP_BC_RAL_CONFIGURATOR to administer RAL.

Administration 2

The options in the Administration tab are organized in line with the sequence of activities performed to configure RAL. The first step is the definition of Logging Purposes. A log purpose is the specific use-case for the log groups you will create in later steps. In the example below, we have created a use-case to group sensitive employee-related data.

Logging Purpose Creation

Next we must create Log Domains. These are assigned to data fields to support log analysis since many fields are unintelligible when relying on just system identifiers. The screen below captures the log domains we have created for employee data including banking information, salary and SSN.

Log Domains 2

Once we have defined our log domains, we must configure recordings to capture the data fields that we will assign to the domains. Recordings can be used for SAP GUI (Dynpro) and Web GUI (Web Dynpro) sessions. Below we have created a recording to capture specific types of employee information using SAP GUI.

Recording 2

We can choose the data fields to log by selecting the Record Field option in the context menu. The screen below shows that we have selected to record the SSN field during a recording session in an IDES system with mock data using SAP GUI.

Recording Session 2

The fields captured in RAL during the recording sessions are assigned to log domains during the configuration step. In the example below, we have assigned the SSN field to the SSN log domain. You can choose to record field values in log entries during this step and to include/exclude initial values. You can also specify whether the trigger for logging should be data entry performed by the end user, data displayed to the user, or both. Specific users can be excluded from RAL using the User Exclusion List. Therefore, we can ensure HR and other users that require access to employee information for their role are not included in log results.

Configuration 2 (SSN)

The final step is enabling RAL by maintaining the profile parameter sec/ral_enabled_for_rfc on each application server. RAL configuration settings can be transported within your SAP landscape using transaction SRAL_TRANS.

Log analysis is performed using the options in the Monitor tab. This can be performed using the role SAP_BC_RAL_ANALYZER.

Monitor

The entries for all log domains are displayed below. The first entry in the log reveals that the user SAPADMIN successfully read the SSN of employee ID 109815 at 9:06 AM on September 18, 2015.

Log Results - Details 2 (SSN)

Other log entries reveal that the user also accessed the bank details and salary information of the employee on the same day. See below.

Log Results - Details 2 (Bank)

Log Results - Details 2 (SALARY)

Changes performed by SAPADMIN for data fields logged by RAL would be displayed as separate log entries if we had selected the option to record field inputs with values.

RAL is available in NetWeaver 7.40 but SAP intends to make it available for earlier releases. For further information including professional services to enable Read Access Logging in your SAP systems, contact Layer Seven Security.

For logging table-level access in SAP systems, we recommend using the Workload Monitor accessible through transaction ST03. You can configure table access logging for up to five transactions including well-known table maintenance transactions such as SE16, SM30 and SM31. The log below from the Workload Monitor displays the number of records viewed or modified using transaction SE16 for the user table USR02 on a specific date. Large record counts could indicate a potential data breach. Correlation with transaction starts performed by users logged in the Security Audit Log or STAD should be possible using conventional SIEM solutions or SAP Enterprise Threat Detection.

ST03 - Table Access Log by Transaction and Table
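The following script is an added example, not code from this post or from SAP's Read Access Logging. It runs two checks that the article describes over constructed log extracts: a user reading several sensitive log domains (SSN, bank, salary) for the same employee within a short window, enriched with the transaction the user had just started (the Security Audit Log / STAD correlation mentioned above), and unusually large record counts in the ST03 table-access statistics. The three input formats, the employee IDs, the users and the thresholds are all assumptions constructed for the example; they mirror the post's screenshots but are not real log data.

```python
"""Added example, not code from the post or from SAP's Read Access Logging.

It runs two checks the post describes over constructed, simplified log extracts:
(1) a user reading several sensitive log domains (SSN, BANK, SALARY) for the same
employee within a short window, enriched with the transaction the user had just
started (the Security Audit Log / STAD correlation the post mentions), and
(2) unusually large record counts in the ST03 table-access statistics.
All three inputs and their field layouts are constructed for this example."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RAL extract: timestamp user log_domain employee_id action
RAL_LOG = """\
2015-09-18T09:06:12 SAPADMIN SSN 109815 READ
2015-09-18T09:07:40 SAPADMIN BANK 109815 READ
2015-09-18T09:08:05 SAPADMIN SALARY 109815 READ
2015-09-18T10:15:00 HRCLERK1 SSN 109815 READ
2015-09-18T14:30:00 SAPADMIN SSN 200112 READ
"""
# Constructed transaction-start events (simplified from Security Audit Log / STAD): timestamp user tcode
TX_STARTS = """\
2015-09-18T09:05:50 SAPADMIN PA20
2015-09-18T10:14:30 HRCLERK1 PA30
2015-09-18T14:29:10 SAPADMIN SE16
"""
# Constructed ST03 table-access statistics: date tcode table records_read records_changed
ST03_TABLE_ACCESS = """\
2015-09-18 SE16 USR02 48213 0
2015-09-18 SE16 PA0009 35 0
2015-09-18 SM30 T000 3 1
"""
# Tables whose bulk reads deserve an alert, with an assumed per-day record threshold.
TABLE_THRESHOLDS = {"USR02": 1000, "PA0009": 500, "PA0008": 500}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_lines(text, fields):
    """Split whitespace-separated lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]


def transaction_before(tx_starts, user, ts, max_age=timedelta(minutes=10)):
    """Most recent transaction the user started at or before ts, if it is recent enough."""
    candidates = [t for t in tx_starts if t["user"] == user and ts - max_age <= _ts(t["ts"]) <= ts]
    return max(candidates, key=lambda t: t["ts"])["tcode"] if candidates else None


def pii_aggregation_alerts(ral_text, tx_text, window=timedelta(minutes=15), min_domains=3):
    """Alert when one user reads >= min_domains distinct domains of one employee inside the window."""
    ral = parse_lines(ral_text, ("ts", "user", "domain", "employee", "action"))
    tx = parse_lines(tx_text, ("ts", "user", "tcode"))
    by_key = defaultdict(list)
    for e in ral:
        if e["action"] == "READ":
            by_key[(e["user"], e["employee"])].append(e)
    alerts = []
    for (user, employee), reads in by_key.items():
        reads.sort(key=lambda e: e["ts"])
        for i, first in enumerate(reads):
            start = _ts(first["ts"])
            domains = {r["domain"] for r in reads[i:] if _ts(r["ts"]) - start <= window}
            if len(domains) >= min_domains:
                alerts.append({"user": user, "employee": employee, "domains": sorted(domains),
                               "at": first["ts"], "tcode": transaction_before(tx, user, start)})
                break  # one alert per user/employee pair
    return alerts


def table_access_alerts(st03_text, thresholds=TABLE_THRESHOLDS):
    """Alert on ST03 table-access rows whose read+change count reaches the table's threshold."""
    rows = parse_lines(st03_text, ("date", "tcode", "table", "read", "changed"))
    alerts = []
    for r in rows:
        total = int(r["read"]) + int(r["changed"])
        limit = thresholds.get(r["table"])
        if limit is not None and total >= limit:
            alerts.append((r["date"], r["tcode"], r["table"], total))
    return alerts


if __name__ == "__main__":
    for a in pii_aggregation_alerts(RAL_LOG, TX_STARTS):
        print("PII aggregation:", a)
    for a in table_access_alerts(ST03_TABLE_ACCESS):
        print("Bulk table access:", a)
```

The HR clerk in the sample reads a single domain and raises nothing, which is the same effect the post achieves at the source with the User Exclusion List; the aggregation rule instead targets a user collecting a complete identity-theft profile (SSN, bank details, salary) of one employee in one sitting, and the transaction lookup tells the analyst whether that happened through a normal HR display transaction or a generic table browser.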

Can You Trust SAP with Your System Security?

Can you trust SAP with your system security? The question is worth pondering, not least since it is one of the key arguments used by third party software vendors to support the use of their security tools over SAP-delivered solutions. Although the argument is usually made in the context of vulnerability management for cybersecurity, the logical extension of this point of view is that SAP shouldn’t be trusted for any security domain, including access control, identity management, program development, and security patching. In this article, we discuss whether SAP has earned the right to your trust and the implications of a low-trust and a high-trust relationship with SAP for your security needs. The discussion will be driven by the notions of trust taxes and trust dividends which can either constrain or multiply your organization’s performance.

But, firstly, what is trust? There are many definitions but they all boil down to a single concept: confidence. Trust is confidence in the integrity, strength or ability of someone or something. By this definition, most economies and societies are low-trust. According to one of the most widely-known studies of global perspectives on trust, confidence in governments, leaders, and organizations has never been lower. The Edelman Trust Barometer has charted the worldwide decline in trust levels over 14 years. In 2014, the study surveyed 33,000 people in 27 countries. Although it revealed a general level of mistrust in people and institutions, it’s important to note that trust is impacted by many factors including geography and industry. Interestingly, companies based in Germany or operating in the technology sector tend to command the highest levels of trust.

Security is driven by mistrust. Therefore, it’s not surprising that organizations are investing in resources, training and technologies to strengthen information security in environments with declining levels of trust. The reaction is understandable and necessary given the dramatic rise in cybercrime, commercial espionage and insider threats. Improved security measures can realize substantial, tangible benefits but there is a cost. This includes not only the direct costs associated with investing in further resources, training programs and security tools, but indirect costs arising from the organizational impact of security measures. Mistrust can be very expensive.

Performance is often measured as the outcome of an organization’s strategy and its ability to execute on the strategy. In other words, strategy + execution = results. However, there are hidden variables that can undermine this equation. The results of a great strategy combined with flawless execution can be undone by low levels of trust which push up costs and reduce the speed of execution. This is the so-called Trust Tax. On the other hand, results can be amplified in high trust scenarios since costs are held down and the pace of execution is higher. This is called the Trust Dividend.[1]

Based on this model, organizations that trust SAP-delivered solutions for vulnerability management should be able to realize a trust dividend by minimizing the cost side of the equation: vulnerability management can be performed using standard components in SAP Solution Manager over licensing third party solutions. However, the question remains: can SAP be trusted to provide sound and independent security guidance?

Trust requires credibility. Credibility is based on integrity, intent, capabilities and results. Therefore, to answer this question, we must ask another: is there any reason to doubt the integrity or intent of SAP or question its capabilities and results? I can think of none. SAP’s commitment to educate and empower customers with insight and tools to manage the security of its solutions is undeniable. It’s difficult to imagine any benefit SAP could derive from anything other than an honest and transparent approach to security. SAP has demonstrated its commitment to improving software quality by strengthening development procedures to detect and remove program vulnerabilities before general availability. It has also established a robust security response process to deal with vulnerabilities identified by internal teams and external researchers. Finally, SAP continues to deliver innovative solutions to enable customers to deal with today’s threat landscape. This includes tools designed to:

Discover data leaks (Read Access Logging)
Detect system vulnerabilities (Configuration Validation)
Manage security patches (System Recommendations)
Control access to sensitive function modules (Unified Connectivity)
Analyze security-relevant changes (Change Analysis)
Remove redundant custom code (Coverage Analyzer)
Secure custom code (Code Vulnerability Analyzer)
Detect attacks in real-time (Enterprise Threat Detection)

So, can you trust SAP with your system security? The answer is, why not?

[1] The Speed of Trust, Stephen Covey (2008)

Are 95 percent of SAP systems really vulnerable to cyber attack?

Earlier this month, SAP issued a strongly-worded response to claims made by the software vendor Onapsis in a press release that over 95 percent of SAP systems assessed by Onapsis were exposed to vulnerabilities that could lead to the compromise of SAP systems. According to SAP, “The press release published by Onapsis is aimed at alienating SAP customers while promoting Onapsis’ own products. The assertion that over 95% of SAP systems were exposed to vulnerabilities is false.” In spite of such protests, the claims led to a wave of concern over vulnerabilities in SAP systems. The concerns were deepened by the revelation that the data breach at the government contractor USIS reported in 2014 was caused by a vulnerability in an SAP ERP system. The forensic investigators engaged by USIS to review the breach concluded that attackers were able to gain access to the system by exploiting an undisclosed SAP-level vulnerability or series of vulnerabilities. This assertion was based on evidence contained within SAP application trace logs and other sources. The breach led directly to the leakage of highly sensitive information impacting an estimated 25,000 government employees.

Along with similar incidents experienced by the Greek Ministry of Finance and Nvidia, the breach at USIS has served to illustrate the devastating impact to organizations when SAP systems are not securely configured and monitored to guard against possible cyber attack. Since the news of the source of the breach became public, security researchers have put forward several theories of possible exploits that could have been employed by attackers to compromise SAP systems connected to USIS. The theories include the use of default passwords, vulnerabilities in RFC gateways, remote code execution, and even database-level exploits. The fact that the attackers were presented with such an array of possible vectors is disturbing to say the least and highlights the wide attack surface presented by SAP systems.

Unless the specific SAP vulnerability that was exploited to breach USIS was a zero-day exploit, it’s likely that the breach could have been prevented through the proper hardening of SAP systems, regular patching, and continuous monitoring using tools provided by SAP in Solution Manager. It should be noted that almost all the attack vectors presented by researchers to explain the attack at USIS can be blocked by either applying applicable SAP patches or by observing the relevant SAP security guidance. This also applies to the so-called ‘Top Three Common Cyber Attack Vectors for SAP Systems’ declared by organizations such as Onapsis. Furthermore, once hardened, SAP systems do not necessarily require third party tools to monitor for possible changes or configuration errors that may expose them to cyber threats. The simplest, quickest and most cost-effective strategy is to leverage tools available in Solution Manager. They include System Recommendations for patch management, Change Analysis for detecting and investigating configuration changes, Alerting for security incident and event management, Dashboards for compliance monitoring and finally, Configuration Validation for comprehensive, automated vulnerability management. In short, both the information and the tools you need to secure your SAP systems against the type of attack that breached USIS are available to you at this very moment.

Turn the Tide against Cyber Attacks with SAP Enterprise Threat Detection

One of the most striking facts revealed by the 2014 Verizon DBIR is that only one in every six data breaches is detected by the organization that is the victim of the breach. The statistic reveals that the vast majority of organizations lack the capability to detect incidents that lead to a data breach.

According to an earlier study sponsored by Oracle, organizations that have implemented incident detection capabilities are not necessarily any better off: nearly 70 percent require greater than one day to identify incidents of unauthorized system access. Given that most breaches unfold in less than a single day, organizations could suffer catastrophic losses before they even detect the underlying incident.

The problem is particularly acute for SAP environments. Maintaining a low mean time to detection is one of the key metrics used to measure the effectiveness of threat management programs. This is the gap between the time an incident occurs and the time the threat is detected and contained. While SAP systems generate a large quantity of logs in various formats, collating and parsing such logs presents several technical challenges, as well as consuming an extensive amount of time and resources. Performing such an analysis in near real-time using conventional tools is impractical, especially in high-volume environments that often generate several gigabytes of log data each hour. Hence, mean times to detection are generally high for threat management programs encompassing SAP systems. This increases the vulnerability of such systems by providing adversaries with a longer timeframe to attack and compromise systems before detection.

Under these circumstances, the general availability of SAP Enterprise Threat Detection (ETD) on March 16 could not have been timelier. ETD is the only solution capable of providing visibility into potential insider and outsider threats impacting SAP systems in real-time. ETD minimizes mean times to detection and therefore shortens the timeframe that adversaries are provided to compromise and harm systems. It does so by harnessing the data streaming capabilities of the Event Stream Processor (ESP) and the ability of SAP HANA to analyze large and complex data sets instantaneously.

Log data is automatically extracted from monitored systems and components and pushed to a REST-based API exposed by ESP. Log information is harvested from a wide array of sources within each system including Gateway, HTTP, Business Transaction, Change Document, Read Access, System, Security Audit and User Change Logs. ETD SP01 also supports logs that use the UDP-based syslog protocol. Syslog is a common standard for capturing, labelling and transmitting system events for security auditing and other purposes. It is used by a wide variety of systems and components including, most notably, SAP HANA or, more specifically, the SUSE platform supporting HANA.

Once the log data is formatted and normalized by ESP, it is transferred to SAP HANA for storage and made available to ETD for analysis. Threat detection using ETD is performed primarily through pattern recognition. In other words, log data is evaluated by ETD to determine whether logged events match predetermined patterns for suspicious activity. Examples include logon attempts using standard users, repeated failed logon attempts for the same user in the same system within a short period, or changes to variables during a debugging session. Patterns are risk-weighted by severity and trigger an alert whenever a match is detected by ETD. Alerts can be viewed through the ETD Dashboard or Launch Pad (see below).

Screenshot Launchpad


ETD SP01 includes over 50 patterns for ABAP systems based on SAP best practices. However, SAP recommends enabling and tuning patterns to address specific risks within each landscape and developing custom patterns using the Pattern Configuration tool bundled in ETD. Pattern identification and development is also performed by SAP Service Partners such as Layer Seven Security.

Future releases and enhancements of ETD will widen support for Java and cloud-based systems. SAP also intends to integrate ETD with Solution Manager for monitoring and incident management.

SAP ETD closes a critical gap exposed by limitations in existing SIEM and other solutions to absorb and analyze security-relevant event information stored in SAP logs. It also delivers the capability to identify and respond to security threats revealed by event data in real-time. For these reasons, ETD represents one of the most important technological innovations in SAP security in recent years and offers the most effective response to insider and outsider threats impacting SAP systems.

The use-cases for ETD can be illustrated by the recent insider breach at AT&T that led directly to a $25M FCC fine levied against AT&T. The breach centered on call center employees accessing personally-identifiable customer information without authorization. This information was subsequently sold by the employees to third parties. Such a scenario can be mitigated in SAP systems through the integration of Read Access Logs with ETD. Provided the relevant patterns are appropriately configured, ETD would generate an alert when sensitive data fields are accessed by users frequently and in large volumes. Since the alert is generated as the incident is unfolding, it gives investigators the opportunity to respond in real-time and prevent the leakage of sensitive data.
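The following is an added example, not SAP's ETD code or Layer Seven's: it shows the kind of risk-weighted pattern matching described in the pattern recognition paragraph above (standard user logons, repeated failed logons for one user) and in the Read Access Log scenario just discussed (high-volume access to sensitive fields), run over constructed log records. The record layout (system, timestamp, event, user, detail), the field names BANKN and SSN, and all thresholds and severities are assumptions chosen to keep the example self-contained; real Security Audit Log and Read Access Log formats and ETD's shipped patterns are not reproduced.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard SAP users that SAP hardening guidance says should not be used for
# day-to-day work; an interactive logon with one of them is worth an alert.
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# Thresholds and windows are assumptions for this example. ETD patterns are
# tuned per landscape; these values only make the sample below fire.
FAILED_LOGON_THRESHOLD = 5                    # failed logons by one user ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)    # ... within this window
READ_ACCESS_THRESHOLD = 20                    # sensitive-field reads by one user ...
READ_ACCESS_WINDOW = timedelta(minutes=10)    # ... within this window
SENSITIVE_FIELDS = {"BANKN", "SSN"}           # constructed field names


def parse_record(line):
    """Parse one constructed record: system|ISO-8601 timestamp|event|user|detail."""
    system, ts, event, user, detail = line.strip().split("|")
    return {"system": system, "ts": datetime.fromisoformat(ts),
            "event": event, "user": user, "detail": detail}


class PatternEngine:
    """Evaluates each record against three patterns and collects alerts."""

    def __init__(self):
        self._failed = defaultdict(deque)   # (system, user) -> failed logon timestamps
        self._reads = defaultdict(deque)    # (system, user) -> sensitive read timestamps
        self.alerts = []

    def _count_in_window(self, store, key, ts, window):
        # Sliding window: keep only timestamps within `window` of the newest event.
        q = store[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        return len(q)

    def _alert(self, severity, pattern, rec):
        self.alerts.append({"severity": severity, "pattern": pattern,
                            "system": rec["system"], "user": rec["user"], "at": rec["ts"]})

    def process(self, rec):
        key = (rec["system"], rec["user"])
        if rec["event"] == "LOGON_OK" and rec["user"] in STANDARD_USERS:
            self._alert("HIGH", "logon with standard user", rec)
        elif rec["event"] == "LOGON_FAILED":
            n = self._count_in_window(self._failed, key, rec["ts"], FAILED_LOGON_WINDOW)
            if n == FAILED_LOGON_THRESHOLD:   # fire once, when the threshold is crossed
                self._alert("MEDIUM", "repeated failed logons for one user", rec)
        elif rec["event"] == "READ_ACCESS" and rec["detail"] in SENSITIVE_FIELDS:
            n = self._count_in_window(self._reads, key, rec["ts"], READ_ACCESS_WINDOW)
            if n == READ_ACCESS_THRESHOLD:
                self._alert("HIGH", "high-volume access to sensitive fields", rec)


def run_patterns(lines):
    """Run every record through the engine and return the alerts raised."""
    engine = PatternEngine()
    for line in lines:
        engine.process(parse_record(line))
    return engine.alerts


# Constructed sample records (not real SAP log output).
SAMPLE_LOG = (
    ["PRD|2015-04-01T09:00:00|LOGON_OK|DDIC|dispatcher"]
    + [f"PRD|2015-04-01T09:01:{i:02d}|LOGON_FAILED|JSMITH|wrong password" for i in range(5)]
    + [f"PRD|2015-04-01T09:02:{i:02d}|LOGON_FAILED|AJONES|wrong password" for i in range(3)]
    + [f"PRD|2015-04-01T09:05:{i:02d}|READ_ACCESS|CCAGENT|BANKN"
       for i in range(READ_ACCESS_THRESHOLD)]
    + ["PRD|2015-04-01T09:06:00|READ_ACCESS|CCAGENT|NAME1"]   # not a sensitive field
)

if __name__ == "__main__":
    for a in run_patterns(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["system"]} {a["user"]:8} {a["pattern"]}')
```

Running the sample raises three alerts: the DDIC logon, JSMITH's fifth failed logon inside the window, and CCAGENT's twentieth read of BANKN; AJONES's three failures and the read of a non-sensitive field raise nothing. Firing on the exact threshold count rather than on every event above it keeps one burst from producing one alert per record, which matters when the same pattern is later routed into incident management.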

To learn more about Enterprise Threat Detection, you can visit SAP at booth #S216 in the South Expo Hall at the upcoming RSA Conference. You can also contact Layer Seven Security.

Discover Security Patches for your SAP Systems using System Recommendations

One of the most startling facts revealed by the 2015 Cyber Risk Report is that over 44 percent of data breaches stem from the exploitation of known vulnerabilities that are over two years old. This suggests that effective patching can dramatically lower the likelihood of a successful data breach and, when combined with other countermeasures such as system hardening to prevent misconfigurations, can substantially reduce the residual risk.

Developing a workable patch management process that addresses the numerous threats confronted by SAP systems presents a formidable challenge for organizations. The need to maintain high levels of availability and control changes that may negatively impact system performance or even lead to software regression often delays the implementation of critical patches. In some cases, it prevents the application of security patches altogether.

The risks posed by weaknesses in patching procedures should not be underestimated and are borne out by the findings of the HP study. The statistics reveal a direct correlation between ineffective patching and significantly higher susceptibility to the security threats that lead to data breaches.

Traditionally, SAP customers have relied upon tools such as RSECNOTE and SAP EarlyWatch Alert (EWA) to identify patches and verify their implementation status. RSECNOTE can be executed using transaction SA38 or ST13. It returns relevant Security Notes and conveys whether each Note is successfully implemented, requires implementation or has been manually confirmed. EWA is a diagnosis report that is run from SAP Solution Manager for managed systems on a weekly schedule. The system configuration checks performed by EWA should include an identification of relevant Security Notes.

EWA, however, no longer performs any meaningful check for security-relevant Notes. Fewer than 10 percent of the 364 Patch Day Notes and Support Pack Notes released by SAP in 2013 were checked and reported through EWA. By 2014, EWA had lost all relevance for security patching: none of the 389 SAP patches released last year were checked by EWA.

RSECNOTE has not fared any better. According to Note 888889, updated in September 2014, the tool is effectively deprecated by SAP and should no longer be relied upon.

Note 888889

RSECNOTE and EWA have been replaced by tools with more powerful calculation engines capable of supporting more detailed analysis of not just Hot News and Security Notes, but also Java patches and Notes for general, performance and legal areas.

These tools include System Recommendations (SysRec), accessible through the Change Management Work Center of SAP Solution Manager. SysRec uses the SAP-OSS RFC destination to connect directly to SAP Global Support and check the status of Notes in managed systems. The results are based on the specific kernel, patch and support package level of systems maintained in the Solution Manager System Landscape (SMSY). This minimizes the risk of both false positives and false negatives.

SysRec can be filtered by SAP system, component and date range. Only components that are applicable to the selected system are displayed by SysRec.

SysRec2

Priority levels and the implementation status of each Note are displayed in the returned results. The Download Notes option can be used to download all or selected Notes from the SAP Service Marketplace. Click on the image below to enlarge.

SAP System Recommendations

SysRec can be used to identify both ABAP and Java patches. However, Java patch notes are displayed in the Corrections tab rather than the tab for Security Notes.

The Create Request for Change option is used to trigger a change request to implement the relevant Notes when using ChaRM.

The automated job SM:SYSTEM RECOMMENDATIONS should be scheduled to collect information on the status of implemented Notes from managed systems. The frequency of the automatic check can be set to daily, weekly or monthly.

SysRec4

Once corrections are identified and applied, the implementation status of the Notes should be validated across all systems in your landscape. This can be performed using Configuration Validation. The implementation status of Notes is recorded in the PRSTATUS field of the ABAP_NOTES store; the PRSTATUS of a completely implemented Note is E. You can therefore define operators that take the Notes implemented in a reference system and check that comparison systems with the identical component and release dependencies hold the same Notes with the same PRSTATUS. In the example below, for instance, Configuration Validation checks that version 2 of Note 1922205 for component SAP_BASIS is completely implemented (PRSTATUS = E), taking into account the release dependencies.

SAP System Recommendations

Notes that are not completely implemented in comparison systems are flagged as non-compliant in BW reports generated by Configuration Validation.

SAP System Recommendations
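As an added illustration of the comparison logic just described (example code, not Solution Manager's own Configuration Validation implementation), the block below walks a set of comparison systems and flags each one whose ABAP_NOTES entry for a reference Note is missing, not at PRSTATUS E, or at an older version than the reference. The system inventory, the release validity set for Note 1922205, the dictionary layout of the store and the status code V (assumed here to mean incompletely implemented) are all constructed for the example; only PRSTATUS = E for a completely implemented Note comes from the text.

```python
COMPLETELY_IMPLEMENTED = "E"   # PRSTATUS value for a completely implemented Note

# Rules derived from the reference system: which Note and version must be
# completely implemented, for which software component, and on which releases
# of that component the Note applies. The release set is a constructed assumption.
REFERENCE_RULES = [
    {"note": "1922205", "version": 2, "component": "SAP_BASIS", "releases": {"731", "740"}},
]

# Constructed inventory of comparison systems: installed component releases and
# a simplified ABAP_NOTES store mapping note number -> (version, PRSTATUS).
SYSTEMS = {
    "PRD": {"components": {"SAP_BASIS": "740"}, "ABAP_NOTES": {"1922205": (2, "E")}},
    "QAS": {"components": {"SAP_BASIS": "740"}, "ABAP_NOTES": {"1922205": (2, "V")}},  # assumed: incompletely implemented
    "DEV": {"components": {"SAP_BASIS": "740"}, "ABAP_NOTES": {"1922205": (1, "E")}},  # older version implemented
    "SBX": {"components": {"SAP_BASIS": "740"}, "ABAP_NOTES": {}},                     # Note missing entirely
    "OLD": {"components": {"SAP_BASIS": "702"}, "ABAP_NOTES": {}},                     # release outside the Note's scope
}


def check_note(rule, system):
    """Return (status, reason) for one reference Note against one comparison system.

    Checks run in dependency order: applicability by component/release first,
    then presence in the store, then PRSTATUS, then version.
    """
    release = system["components"].get(rule["component"])
    if release is None or release not in rule["releases"]:
        return ("NOT APPLICABLE", f'{rule["component"]} release {release} is not in scope')
    entry = system["ABAP_NOTES"].get(rule["note"])
    if entry is None:
        return ("NON-COMPLIANT", "Note not present in ABAP_NOTES")
    version, prstatus = entry
    if prstatus != COMPLETELY_IMPLEMENTED:
        return ("NON-COMPLIANT", f"PRSTATUS is {prstatus}, expected {COMPLETELY_IMPLEMENTED}")
    if version < rule["version"]:
        return ("NON-COMPLIANT", f"version {version} implemented, reference requires {rule['version']}")
    return ("COMPLIANT", f"version {version} completely implemented")


def validate(rules, systems):
    """Evaluate every rule against every system: {system: {note: (status, reason)}}."""
    return {sid: {rule["note"]: check_note(rule, system) for rule in rules}
            for sid, system in systems.items()}


def non_compliant(findings):
    """Sorted (system, note) pairs that a compliance report would flag."""
    return sorted((sid, note)
                  for sid, notes in findings.items()
                  for note, (status, _) in notes.items()
                  if status == "NON-COMPLIANT")


if __name__ == "__main__":
    findings = validate(REFERENCE_RULES, SYSTEMS)
    for sid, notes in findings.items():
        for note, (status, reason) in notes.items():
            print(f"{sid} Note {note}: {status} ({reason})")
```

On the constructed inventory, PRD is compliant, OLD is out of scope because its SAP_BASIS release is not one the Note applies to, and QAS, DEV and SBX are flagged for three different reasons. Treating a lower implemented version as non-compliant matters in practice: SAP re-releases Notes, and an earlier version at PRSTATUS E still leaves the later correction unapplied.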