The new release of the Cybersecurity Extension for SAP is scheduled for general availability in October and includes several important enhancements.
Version 5.2 includes 40+ alerts for security-related incidents in SAP BTP. This includes application changes, remote logins, role changes, role grants to users, and cloud transports. The alerts monitor events logged in the BTP central audit log. Events in the log are replicated to the Cybersecurity Extension for SAP to support forensic analysis. Log records include details such as the log event ID, description, timestamp, terminal ID, and application details for each event. Similar to existing alerts for ABAP, HANA, and Java system types, as well as databases, operating systems, and SAProuter and Web Dispatcher installations, BTP alerts can be integrated with SIEM solutions for centralized monitoring.
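The kind of rule evaluation described above, as an added example that is not part of the original post or the product: a handful of constructed BTP audit-log records are run through three rules (remote login, role collection grant, application change) and each hit is enriched with the record's user, terminal, tenant and timestamp before being rendered as a flat line for SIEM forwarding. The record layout, field names, internal address ranges and the key=value output format are all assumptions made for this example; only the audit-log category names follow BTP's naming.

```python
"""Alert rules over SAP BTP central audit-log records (added example)."""
from dataclasses import dataclass

# Constructed sample records. The layout is a simplified stand-in for an audit-log
# export and the field names are assumptions made for this example; the category
# values follow the BTP audit-log categories (configuration, security-events,
# data-access) but the message texts are invented.
SAMPLE_RECORDS = [
    {"uuid": "a1", "category": "audit.security-events", "time": "2024-09-12T08:00:00Z",
     "user": "ops.user@example.com", "ip": "10.10.1.3", "tenant": "sub-prod",
     "message": "User login via identity provider"},
    {"uuid": "a2", "category": "audit.configuration", "time": "2024-09-12T08:05:00Z",
     "user": "admin@example.com", "ip": "10.10.1.5", "tenant": "sub-prod",
     "message": "Role collection 'Subaccount Administrator' assigned to user guest@example.com"},
    {"uuid": "a3", "category": "audit.configuration", "time": "2024-09-12T08:06:00Z",
     "user": "admin@example.com", "ip": "10.10.1.5", "tenant": "sub-prod",
     "message": "Application 'orders-srv' updated: new droplet deployed"},
    {"uuid": "a4", "category": "audit.data-access", "time": "2024-09-12T08:07:00Z",
     "user": "report.user@example.com", "ip": "10.10.1.9", "tenant": "sub-prod",
     "message": "Read access to object Customer"},
    {"uuid": "a5", "category": "audit.security-events", "time": "2024-09-12T08:30:00Z",
     "user": "admin@example.com", "ip": "198.51.100.23", "tenant": "sub-prod",
     "message": "User login via identity provider"},
]

# Constructed: address prefixes this landscape treats as internal.
INTERNAL_PREFIXES = ("10.", "192.168.")


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    record_id: str
    tenant: str
    user: str
    terminal: str
    time: str
    detail: str


def is_remote(ip: str) -> bool:
    """A login counts as remote when the source address is outside the internal ranges."""
    return not ip.startswith(INTERNAL_PREFIXES)


def _msg(r):
    return r["message"].lower()


# (rule name, severity, predicate). Each predicate inspects one audit record.
RULES = [
    ("BTP_REMOTE_LOGIN", "medium",
     lambda r: r["category"] == "audit.security-events"
     and "login" in _msg(r) and is_remote(r["ip"])),
    ("BTP_ROLE_GRANT", "high",
     lambda r: r["category"] == "audit.configuration"
     and "role collection" in _msg(r) and "assigned" in _msg(r)),
    ("BTP_APP_CHANGE", "medium",
     lambda r: r["category"] == "audit.configuration"
     and _msg(r).startswith("application ")),
]


def evaluate(records):
    """Run every rule over every record; one record can raise several alerts."""
    alerts = []
    for r in records:
        for name, severity, predicate in RULES:
            if predicate(r):
                alerts.append(Alert(name, severity, r["uuid"], r["tenant"], r["user"],
                                    r["ip"], r["time"], r["message"]))
    return alerts


def to_siem_line(a: Alert) -> str:
    """Flat key=value rendering for forwarding to a SIEM (layout is an assumption)."""
    fields = {"rule": a.rule, "sev": a.severity, "id": a.record_id, "tenant": a.tenant,
              "user": a.user, "src": a.terminal, "ts": a.time, "msg": a.detail}
    return " ".join(f'{k}="{v}"' for k, v in fields.items())


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(to_siem_line(alert))
```

Run as a script it prints one line per alert: the role grant, the application change and the login from the non-internal address; the internal login and the data-access record raise nothing. Keeping the rules as predicates over a record is what makes the later tuning (exclusions by user, terminal or tenant) a filter on the alert list rather than a change to each rule.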
Earlier releases provided coverage for business-level critical access and segregation of duties in SAP S/4HANA. The new release extends the coverage to SAP ECC. Despite the scheduled end of mainstream maintenance for SAP ECC in 2027, many SAP customers have yet to migrate to S/4HANA and therefore ECC will be a mainstay within SAP landscapes of many organizations for several more years. Version 5.2 of the Cybersecurity Extension for SAP includes 350+ functional checks for access to sensitive ECC transactions and conflicting combinations of transactions. The checks cover processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in ECC. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for ECC. Users and user groups can be excluded for specific checks to tune the coverage and prevent false positives. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.
The new release also includes checks and alerts for the deactivation of SAP UI Masking & UI Data Protection Masking solutions. The solutions protect access to sensitive data in SAP user interfaces by masking or clearing fields. The contents of the fields containing sensitive data are only revealed to users with the required roles or attributes.
Finally, version 5.2 includes alerts for the execution of new ICF services with known security vulnerabilities. The services are not yet widely known or included in the scope of vulnerable ICF services that should be deactivated based on SAP recommendations in frameworks such as the SAP Security Baseline. There are also additional checks for the Secure Storage in the File System (SSFS), new sensitive transaction codes, dangerous function modules and external programs, and dynamic changes for specific security-related profile parameters.
SAP Focused Run (FRUN) is an Application Lifecycle Management (ALM) solution designed for real-time and high-volume system monitoring. It benefits from a simpler and more scalable architecture than other ALM platforms such as SAP Solution Manager (SolMan). Also, unlike SolMan, it runs exclusively on SAP HANA.
System monitoring using FRUN is supported through the deployment of the Simple Diagnostics Agent (SDA) to target systems. The SDA is integrated with the SAP Host Agent in SAP solutions. It collects and forwards metrics from systems to FRUN using HTTPS. System connections are routed through reverse proxies such as the Web Dispatcher. The SAP Host Agent, SDA and Web Dispatcher are included in RISE system builds and landscapes. Therefore, RISE systems can be monitored by both customers and service providers using SAP Focused Run.
FRUN supports monitoring for all SAP solutions and cloud services. This includes the public and private editions of SAP S/4HANA, SAP Business Suite, ECC, HANA platform, SAP Cloud, SuccessFactors/HXM, Ariba, Concur, AS ABAP/Java, Cloud Connector, Business Objects, Enterprise Portal, Mobile Platform, CRM, Business Warehouse, PI/PO, MII and Web Dispatcher. It also supports monitoring for OS and database platforms, and SAP BTP. Steps for monitoring the ABAP, Cloud Foundry, and Neo environments of BTP are detailed in the FRUN Expert Portal.
SAP Focused Run supports advanced monitoring capabilities such as Real User Monitoring. This can be used to monitor user actions for detailed forensics. It also supports System Anomaly Prediction for detecting and investigating anomalies based on predefined models and risks, and advanced Integration and Exception Monitoring for analyzing the usage of system interfaces.
The Cybersecurity Extension for SAP integrates with FRUN to perform advanced security monitoring for SAP solutions, including vulnerability and compliance management, patch management, custom code scanning, and threat detection and response. The SAP-certified solution leverages FRUN applications and components to discover system, code and user-related vulnerabilities, calculate required security notes, and detect security incidents and anomalies.
The Cybersecurity Extension for SAP is accessed from the Fiori launchpad for SAP Focused Run. FRUN users with the required roles can access the solution using the workgroup below. Systems are automatically mapped from the Landscape and Management Database (LMDB). Also, multi-tenancy for customer separation is automatically enforced through network and customer IDs configured by service providers in FRUN.
Deploying the Cybersecurity Extension for SAP to FRUN provides a more reliable and scalable option than deploying to Solution Manager. It also delivers improved performance with lower maintenance in comparison to SolMan. SAP Focused Run and SAP Solution Manager are the current deployment options supported for the standard edition of the Cybersecurity Extension for SAP. A third option is planned for early 2025 that would enable SAP customers to deploy the solution to NetWeaver AS ABAP systems such as SAP GRC. For SAP RISE customers, the cloud edition of the Cybersecurity Extension for SAP provides a SaaS option that does not require deployment to an SAP system.
S/4HANA Access Risk Analysis, SAP RISE Compliance, SAP ETD Benchmarking and More
The new release of the Cybersecurity Extension for SAP is scheduled for general availability in May and includes several important enhancements.
Version 5.1 includes coverage for critical access and segregation of duties in SAP S/4HANA. It performs more than 700 checks for access to sensitive transactions and conflicting combinations of transactions for business processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in S/4HANA. Exclusions can be maintained for users and groups to tune checks and exclude permitted users. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for S/4HANA. The checks are included in the new areas S/4HANA Critical Access and S/4HANA Segregation of Duties. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.
The new release also includes support for monitoring the compliance of SAP RISE systems with information security standards defined by SAP Enterprise Cloud Services (ECS) in note 3250501. The standards include required settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must comply with for RISE solutions managed by ECS.
Version 5.1 includes several new threat detection patterns to bridge the gap with SAP Enterprise Threat Detection Cloud Edition (ETD CE). As a result, the Cybersecurity Extension for SAP now provides coverage for the same patterns as ETD CE. It also includes more than 750 patterns that are not included in ETD CE. Similar to ETD CE, the Cybersecurity Extension for SAP is available as Software-as-a-Service (SaaS) for RISE customers.
Finally, the new release includes new tiles for Actively Exploited Vulnerabilities and Known Exploited Vulnerabilities. The former can be used to display open vulnerabilities that have associated alerts. The latter can display calculated security notes for systems that are required to address Known Exploited Vulnerabilities (KEV) for SAP solutions in the CISA KEV catalog.
S/4HANA and other ABAP systems provisioned by SAP for RISE customers are based on standard system builds. The builds include default settings to apply security by default based on hardening requirements and best practices. The settings are outlined in SAP Note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP systems in SAP Enterprise Cloud Services (ECS).
The requirements include recommended settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must abide by to comply with SAP security standards for RISE solutions.
The Cybersecurity Extension for SAP (CES) performs automated gap assessments to ensure RISE solutions comply with SAP security requirements. The assessments are performed using Compliance Reporting accessed from the CES launchpad.
SAP RISE should be selected from the framework selection screen.
Once the framework is selected, you can select a target system from the available systems in your SAP RISE landscape and click on Execute.
The results are summarized for each requirement and an overall compliance score is calculated for the system.
You can drilldown into each requirement to navigate the detailed findings.
You can click on the > icon for each finding to view further information and create an action plan to manage the remediation of compliance issues.
The report filters can be used to focus on specific requirements or results. For example, you can suppress compliant areas to isolate compliance failures.
Shortcuts can be created and published to the Fiori launchpad for fast access to compliance results.
The shortcuts can be published as custom tiles to existing or new work groups.
Compliance reports can also be scheduled to run on regular intervals. The reports are automatically distributed in PDF or CSV to recipients by email during each run.
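The gap assessment walked through above, as an added example that is not part of the original post or the product: a ruleset of profile-parameter requirements is evaluated against one system's parameter dump, a compliance score is calculated, results are summarized per area, and a filter keeps only the failures (the "suppress compliant areas" view). The parameter names are real ABAP profile parameters, but the thresholds and the sample system are constructed for this example and are not the contents of SAP Note 3250501; a missing parameter is deliberately assessed as a finding rather than skipped.

```python
"""Automated gap assessment of an ABAP system against a hardening ruleset (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Requirement:
    req_id: str
    area: str
    parameter: str
    expected: str
    check: Callable[[Optional[str]], bool]


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def _in_range(lo, hi):
    def check(v):
        n = _as_int(v)
        return n is not None and lo <= n <= hi
    return check


def _equals(expected):
    return lambda v: v == expected


# Illustrative ruleset. The parameter names are real ABAP profile parameters, but the
# thresholds are constructed for this example and are NOT the content of SAP Note 3250501.
RULESET = [
    Requirement("PWD-01", "Password policy", "login/min_password_lng", "8..40", _in_range(8, 40)),
    Requirement("PWD-02", "Password policy", "login/fails_to_user_lock", "1..5", _in_range(1, 5)),
    Requirement("PWD-03", "Password policy", "login/password_expiration_time", "1..90", _in_range(1, 90)),
    Requirement("PWD-04", "Password policy", "login/password_downwards_compatibility", "= 0", _equals("0")),
    Requirement("PWD-05", "Password policy", "login/password_max_idle_initial", "1..14", _in_range(1, 14)),
    Requirement("USR-01", "Standard users", "login/no_automatic_user_sapstar", "= 1", _equals("1")),
    Requirement("GW-01", "RFC gateway", "gw/acl_mode", "= 1", _equals("1")),
    Requirement("RFC-01", "RFC security", "rfc/reject_expired_passwd", "= 1", _equals("1")),
    Requirement("MS-01", "Message server", "ms/acl_info", "ACL file maintained", lambda v: bool(v)),
]

# Constructed parameter dump of one target system (parameter name -> effective value).
SAMPLE_SYSTEM = {
    "login/min_password_lng": "6",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "0",
    "login/password_downwards_compatibility": "0",
    "login/password_max_idle_initial": "7",
    "login/no_automatic_user_sapstar": "1",
    "gw/acl_mode": "1",
    "rfc/reject_expired_passwd": "1",
    # ms/acl_info deliberately absent: an unset parameter must count as a finding
}


@dataclass(frozen=True)
class Finding:
    req_id: str
    area: str
    parameter: str
    expected: str
    actual: Optional[str]
    compliant: bool


def assess(system_params, ruleset=RULESET):
    """Evaluate every requirement; a missing parameter is assessed as non-compliant."""
    findings = []
    for req in ruleset:
        actual = system_params.get(req.parameter)
        findings.append(Finding(req.req_id, req.area, req.parameter, req.expected,
                                actual, req.check(actual)))
    return findings


def compliance_score(findings):
    """Percentage of requirements met, one decimal place."""
    return round(100.0 * sum(f.compliant for f in findings) / len(findings), 1)


def failures_only(findings):
    """Mirror of the report filter that suppresses compliant areas."""
    return [f for f in findings if not f.compliant]


def summary_by_area(findings):
    """Per-area (met, total) counts for the requirement-level summary."""
    out = {}
    for f in findings:
        met, total = out.get(f.area, (0, 0))
        out[f.area] = (met + int(f.compliant), total + 1)
    return out


if __name__ == "__main__":
    results = assess(SAMPLE_SYSTEM)
    print(f"compliance score: {compliance_score(results)}%")
    for f in failures_only(results):
        print(f"FAIL {f.req_id} {f.parameter}: expected {f.expected}, actual {f.actual!r}")
```

For the sample system the score is 66.7% with three findings: a password length below the threshold, a password expiration of 0 (never expires) and no message server ACL file. The same assess/score/filter pipeline can be run on a schedule and its output serialized to CSV for distribution, which is the operational pattern the scheduling step above describes.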
The Cybersecurity Extension for SAP is an SAP-certified addon for SAP Solution Manager and SAP Focused Run. An addon version for other SAP NetWeaver AS ABAP systems such as SAP GRC is expected in Q4 this year.
The SAP Cybersecurity Buyers Guide from SAPinsider provides a valuable, independent assessment of the capabilities of technology vendors and consultants for SAP security solutions and services. The guide reviews key solution providers and consultants in the cybersecurity domain for SAP. It performs a Vendor Capability Assessment across the following areas:
Threat Intelligence and Detection
Access and Identity Management
Data Protection and Encryption
Vulnerability Management
Incident Response and Forensics
Cloud Security and Compliance
Secure Code and Application Review
The Cybersecurity Extension for SAP is a featured vendor in the Buyers Guide and acknowledged in the review for its strong coverage in all areas. The solution is also cited for its support for S/4HANA and cross-stack security in SAP systems including application, database and host layers, rapid deployment, and lower costs and maintenance compared to alternatives.
Usage rights for SAP Solution Manager are included in SAP support and maintenance agreements for on-premise SAP solutions. The rights include database licenses for SAP HANA and ASE. Customers with Enterprise Support agreements have usage rights for all functional areas of Solution Manager, whereas customers with Standard Support agreements have restricted rights that include commonly used areas such as Change and Release Management (ChaRM), System Recommendations, and System Monitoring, but exclude areas such as Custom Code Management and Business Process Analytics.
SAP Cloud ALM is an alternative Application Lifecycle Management (ALM) solution that is provided to SAP customers with active cloud services. It can be used for both cloud and on-premise SAP solutions. Enterprise Support customers have usage rights for Cloud ALM but customers with cloud services and no on-premise solution supported by SAP do not have usage rights for Solution Manager.
There is currently no feature parity between Cloud ALM and Solution Manager. In other words, Cloud ALM does not support the same scenarios as Solution Manager. Since many customers require ALM functions that are not provided by Cloud ALM, SAP provides cloud-only customers with the option to subscribe to SAP Solution Manager, Private Cloud Edition (PCE).
Solution Manager PCE is the successor to SAP Solution Manager for SAP S/4HANA Cloud and like its predecessor, it is available in two versions: Project Documentation and Full. The main difference between the two versions is that the project documentation version is deployed as a single-system landscape, whereas the full version is deployed as a dual-system landscape, similar to on-premise installations. The full version is required to support the deployment of agents to managed systems.
Cloud-only customers can order the full version of SolMan PCE from SAP Enterprise Cloud Services (ECS) using SKU 8014172 providing they are using SAP S/4HANA or ERP on RISE. It is provisioned by SAP ECS within 30-40 days and includes SAP HANA.
The Cybersecurity Extension for SAP can be deployed to both on-premise and cloud installations of SAP Solution Manager. This includes SolMan PCE for RISE customers. Layer Seven Security provides a fully managed service for RISE customers that includes setup and maintenance of SolMan PCE.
According to a recent report from SAPinsider, almost two-thirds of organizations are placing cybersecurity projects on hold or scaling back planned investments in cybersecurity due to the current economic climate. 18 percent of organizations are reducing the size of cybersecurity teams. The latter can have a drastic effect on collaboration and morale. The impact is also long-lasting and difficult to reverse. According to the Ponemon Institute, it takes an average of 7.3 months to recruit and train security analysts. The training required by new analysts also draws time from experienced analysts, reducing the overall effectiveness of cybersecurity teams.
Organizations are experiencing budgetary and resource constraints against a background of rising cyber attacks. The SAPinsider report quotes JP Perez-Etchegoyen, CTO of Onapsis, “threat actors aren’t going to slow down because of a recession. The risk is real, and the impact is huge. We see threat actors targeting organizations even more now than before.”
This article discusses several ways organizations can manage cyber threats without increasing cybersecurity budgets or resources. In fact, many of the recommendations will lead directly to cost savings and the more efficient use of resources in cybersecurity teams.
1. Eliminate Duplicate Security Solutions
Based on research performed by IBM Security and the Ponemon Institute, organizations deploy an average of 45 security solutions. The quantity of tools used by organizations does not lead directly to improved cybersecurity. Organizations using 50 or more tools were ranked as less able to detect and respond to attacks than those using fewer tools. Increasing the number of security solutions creates complexity, requires more employee training, and creates integration issues. Since security solutions can also suffer from software vulnerabilities and widen the attack surface, too many solutions can increase both workloads for regular patching and aggregate risk.
SAP Application Lifecycle Management (ALM) platforms such as SAP Solution Manager, SAP Focused Run, and SAP Cloud ALM are widely used for monitoring and diagnostics scenarios in SAP landscapes. With the exception of SAP Focused Run, usage rights for the platforms are included in SAP support agreements. The platforms include direct connectivity to SAP systems and applications to extract and analyze configuration, software and user-related data in SAP applications, databases and hosts. The platforms also include security tools to support vulnerability management and patch management.
Organizations can leverage these ALM platforms to perform many of the same functions as costly third-party alternatives. This avoids unnecessary license fees and the need to install and maintain the hosts, connections, agents and users required by third-party tools.
Organizations can extend the capabilities of ALM platforms using addons such as the Cybersecurity Extension for SAP from Layer Seven Security for areas such as threat detection and custom code security. This is less costly and involves less maintenance than third party solutions that require separate servers, infrastructure and connections, including external connections to other networks using Internet protocols.
2. Minimize Manual Steps in SAP Security Patching
Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a wealth of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP. This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE.
Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.
System Recommendations (SysRec) in SAP Solution Manager should be used to automate the discovery and full lifecycle management of SAP security notes. SysRec is a standard application, recommended by SAP for patch management, and is automatically enabled during the installation and setup of Solution Manager. However, many of the security notes reported by SysRec are false positives. SAP administrators spend a great deal of time every month manually validating the results of SysRec to remove false positives, and the workload is especially high in large landscapes with many systems. The Cybersecurity Extension for SAP automatically identifies and removes false positives in System Recommendations. This improves the quality and reliability of security notes calculated by SysRec and removes the need to manually validate notes before applying corrections.
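A simplified model of the validation that administrators perform on calculated notes, as an added example that is not part of the original post and is not SysRec's or the product's own logic: each calculated note carries the software component, release and support-package range it applies to, and a note is kept only when that component and release are installed at an affected level and the correction has not already been implemented. The open notes are then aged against the 72-hour window quoted above. The note numbers, component levels and dates are placeholders constructed for this example.

```python
"""Simplified validation of calculated security notes against installed software
components (added example; a model of the false-positive problem, not SysRec's logic)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InstalledComponent:
    name: str
    release: str
    sp_level: int


@dataclass(frozen=True)
class SecurityNote:
    number: str       # placeholder identifiers constructed for this example
    priority: str
    released: date
    component: str
    release: str
    sp_from: int      # first support-package level the correction applies to
    sp_to: int        # last affected level; later SPs already contain the fix


# Constructed inventory of one target system.
INSTALLED = [
    InstalledComponent("SAP_BASIS", "757", 5),
    InstalledComponent("SAP_ABA", "757", 5),
    InstalledComponent("S4CORE", "107", 2),
]

# Constructed list of notes as a patch-calculation tool might report them.
CALCULATED = [
    SecurityNote("N-0001", "HotNews", date(2024, 8, 13), "SAP_BASIS", "757", 0, 8),  # applicable
    SecurityNote("N-0002", "High", date(2024, 7, 9), "SAP_BASIS", "757", 0, 3),      # fixed from SP 4
    SecurityNote("N-0003", "High", date(2024, 7, 9), "SAP_BASIS", "758", 0, 5),      # other release
    SecurityNote("N-0004", "Medium", date(2024, 6, 11), "BI_CONT", "757", 0, 20),    # not installed
    SecurityNote("N-0005", "High", date(2024, 8, 13), "S4CORE", "107", 0, 4),        # already applied
]

# Constructed: corrections already implemented in the system (e.g. via SNOTE).
ALREADY_IMPLEMENTED = {"N-0005"}


def is_applicable(note, installed, implemented):
    """True only if the note hits an installed component/release at an affected SP
    level and the correction has not already been implemented."""
    if note.number in implemented:
        return False
    for comp in installed:
        if (comp.name == note.component and comp.release == note.release
                and note.sp_from <= comp.sp_level <= note.sp_to):
            return True
    return False


def validate(notes, installed=INSTALLED, implemented=ALREADY_IMPLEMENTED):
    """Split calculated notes into applicable notes and false positives."""
    applicable, false_positives = [], []
    for n in notes:
        (applicable if is_applicable(n, installed, implemented) else false_positives).append(n)
    return applicable, false_positives


def exposure_days(note, today):
    """Days the system has been exposed since the note was published."""
    return (today - note.released).days


def overdue(notes, today, limit_days=3):
    """Open notes older than the 72-hour weaponization window cited in the article."""
    return [n for n in notes if exposure_days(n, today) > limit_days]


if __name__ == "__main__":
    applicable, false_positives = validate(CALCULATED)
    print(f"{len(applicable)} applicable, {len(false_positives)} false positives")
    for n in overdue(applicable, date(2024, 8, 20)):
        print(f"OVERDUE {n.number} ({n.priority}): {exposure_days(n, date(2024, 8, 20))} days open")
```

Of the five constructed notes only one survives: one is already covered by the installed support package, one targets another release, one belongs to a component that is not installed, and one has already been implemented. Those four are exactly the kinds of results that inflate a monthly SysRec list and cost validation effort.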
3. Automate SAP Compliance Audits
SAP solutions often support business-critical processes such as financial reporting, customer relationship management, and human capital management and therefore need to comply with strict standards for information security. This includes requirements for secure configuration, system changes, and administrative access. SAP solutions are subject to regular audits by internal and external auditors and other groups to confirm compliance with such requirements. The audits can place a significant burden on SAP teams. Automating audits can lead to significant improvements in the quality and timeliness of compliance monitoring and lower the manual effort involved in gathering evidence, analyzing results and reporting findings.
Compliance Reporting in the Cybersecurity Extension for SAP automates compliance gap assessments for SAP solutions. This includes regulatory frameworks such as SOX, GDPR and PCI DSS, industry standards such as HIPAA HITRUST and CIP, and security standards such as CIS, NIST and ISO. It also supports SAP frameworks such as the SAP Security Baseline and the S/4HANA Security Guide. Customers can also create and publish custom frameworks for monitoring compliance against company-specific policies and standards. Reports can be scheduled and automatically sent to stakeholders including compliance and audit teams on a regular interval.
4. Tune Security Alerts
Security solutions can trigger alerts and notifications for suspected security incidents that upon further investigation are false positives. Solutions can also overwhelm users with a large volume of alerts that cannot realistically be investigated with available resources. The latter scenario is known as alert flooding. This leads to wasted effort and reduces the confidence of end users in the underlying solutions. It can also increase infrastructure costs through higher data volumes and events per second.
False positives and alert flooding can be minimized by tuning alerts for specific systems and landscapes. This enables security solutions to learn the unique event and user patterns for each system and exclude the patterns from alerting. The Cybersecurity Extension for SAP supports advanced tuning for event collection and alerting. Users can maintain exclusions for alerts based on user, client, event ID, transaction, source/destination IP or terminal, and other variables to prevent false positives and alert flooding. Users can also enable or disable specific alerts to customize monitoring and focus, for example, on critical or high-priority incidents only.
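The exclusion-based tuning described above, as an added example that is not part of the original post or the product: untuned rules over a few constructed Security Audit Log events produce six alerts, and two exclusions (a monitoring probe's failed logons, a named administrator's sensitive transactions in one client) plus an optional set of disabled alert names bring that down to three. Each exclusion is validated before use, because an exclusion with no matching condition would silently suppress an entire alert class. The users, clients, terminals and the sensitive-transaction list are constructed; AU1, AU2 and AU3 are the real audit log message IDs for successful logon, failed logon and transaction start.

```python
"""Alert tuning with exclusions over SAP Security Audit Log events (added example)."""
from dataclasses import dataclass

# Constructed events in a simplified structured form. AU1, AU2 and AU3 are real
# Security Audit Log message IDs (logon successful, logon failed, transaction
# started); the users, clients and terminals are invented.
EVENTS = [
    {"event_id": "AU1", "user": "JSMITH", "client": "100", "terminal": "WS12", "tcode": ""},
    {"event_id": "AU2", "user": "JSMITH", "client": "100", "terminal": "WS12", "tcode": ""},
    {"event_id": "AU2", "user": "MONITOR", "client": "100", "terminal": "MONITOR01", "tcode": ""},
    {"event_id": "AU2", "user": "MONITOR", "client": "100", "terminal": "MONITOR01", "tcode": ""},
    {"event_id": "AU3", "user": "BASIS_ADMIN", "client": "100", "terminal": "WS01", "tcode": "SU01"},
    {"event_id": "AU3", "user": "JSMITH", "client": "100", "terminal": "WS12", "tcode": "SE16"},
    {"event_id": "AU3", "user": "JSMITH", "client": "100", "terminal": "WS12", "tcode": "VA01"},
    {"event_id": "AU3", "user": "BASIS_ADMIN", "client": "200", "terminal": "WS01", "tcode": "PFCG"},
]

# Constructed short list of transactions treated as sensitive for this example.
SENSITIVE_TCODES = {"SU01", "PFCG", "SE16"}

# Fields an exclusion may match against on the underlying event.
MATCH_FIELDS = {"user", "client", "terminal", "event_id", "tcode"}


@dataclass
class Alert:
    name: str
    event: dict


def raise_alerts(events):
    """Untuned alerting: every failed logon and every sensitive transaction start."""
    alerts = []
    for e in events:
        if e["event_id"] == "AU2":
            alerts.append(Alert("FAILED_LOGON", e))
        elif e["event_id"] == "AU3" and e["tcode"] in SENSITIVE_TCODES:
            alerts.append(Alert("SENSITIVE_TCODE", e))
    return alerts


# Exclusions: "alert" names the alert, every other key is a field of the event that
# must match exactly. All listed conditions must hold for the exclusion to apply.
EXCLUSIONS = [
    {"alert": "FAILED_LOGON", "terminal": "MONITOR01"},                    # monitoring probe
    {"alert": "SENSITIVE_TCODE", "user": "BASIS_ADMIN", "client": "100"},  # permitted admin in 100
]


def validate_exclusion(excl):
    """Reject exclusions that reference unknown fields or carry no condition at all;
    an unconditioned exclusion would silently suppress the whole alert class."""
    if "alert" not in excl:
        raise ValueError("exclusion must name an alert")
    unknown = set(excl) - MATCH_FIELDS - {"alert"}
    if unknown:
        raise ValueError(f"unknown exclusion fields: {sorted(unknown)}")
    if len(excl) == 1:
        raise ValueError(f"exclusion for {excl['alert']} has no matching condition")


def matches(excl, alert):
    if excl["alert"] != alert.name:
        return False
    return all(alert.event.get(k) == v for k, v in excl.items() if k != "alert")


def tune(alerts, exclusions, disabled=frozenset()):
    """Apply exclusions and disabled alert names; returns (kept, suppressed)."""
    for ex in exclusions:
        validate_exclusion(ex)
    kept, suppressed = [], []
    for a in alerts:
        drop = a.name in disabled or any(matches(ex, a) for ex in exclusions)
        (suppressed if drop else kept).append(a)
    return kept, suppressed


if __name__ == "__main__":
    raw = raise_alerts(EVENTS)
    kept, suppressed = tune(raw, EXCLUSIONS)
    print(f"raw alerts: {len(raw)}, after tuning: {len(kept)}, suppressed: {len(suppressed)}")
```

Note that the administrator's PFCG start in client 200 is still alerted: the exclusion is scoped to client 100, which is the point of tuning by several fields at once rather than by user alone. Keeping the suppressed list, rather than discarding it, preserves the evidence needed to review whether an exclusion is still justified.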
5. Automate Incident Response
Automating incident response for security alerts can improve the efficiency of security operations and response times. It also supports compliance with standard operating procedures for incident management since there is less risk of human error. The guided procedure framework in SAP Solution Manager and SAP Focused Run includes a library of automated alert reaction procedures. SAP users can also use the framework to author their own procedures as custom guided procedures. The procedures can automate routine tasks such as transaction, program or report execution, as well as more complex tasks such as locking or unlocking users or restarting systems that may have been disrupted by a denial of service attack.
The Cybersecurity Extension for SAP also includes incident response procedures that users can execute to investigate security alerts. The procedures provide best practices and playbooks for responding to alerts and enable users to document findings, attach evidence, generate reports, and manage the status of alerts. It also provides a complete audit trail for each investigation performed by analysts.
6. Integrate SAP Logs with SIEM Solutions
Security Information and Event Management (SIEM) solutions enable Security Operations Centers (SOC) to ingest and monitor logs from various endpoints in networks. They provide a centralized platform for monitoring multiple assets within an enterprise. Centralized monitoring through a single or multiple SOCs can improve efficiency and lower costs, as well as improve visibility and capability to respond to threats across different assets.
There are inherent challenges with integrating SAP logs with SIEM solutions. The challenges are discussed in detail in the whitepaper SIEM Integration for SAP from Layer Seven Security. The Cybersecurity Extension for SAP supports seamless integration with SIEM solutions. It removes the effort and complexity of successfully ingesting SAP logs. This is achieved through filtering, normalizing and enriching SAP logs and through the creation of a single point of integration between SIEM solutions and a data source containing event logs from all target SAP systems.
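The filtering, normalizing and enriching step described above, as an added example that is not part of the original post, the whitepaper or the product: two differently shaped raw sources (a pipe-separated ABAP Security Audit Log export and a CSV HANA audit-trail export, both layouts constructed for this example) are parsed into one event schema, enriched from a constructed asset inventory keyed by system ID, filtered by severity to cut volume, merged into one time-ordered feed, and rendered as Common Event Format lines with the escaping CEF requires. The vendor and product strings in the CEF header are placeholders.

```python
"""Normalizing and enriching SAP logs into one SIEM feed (added example)."""
import csv
import io
from dataclasses import dataclass

# Constructed raw records. The ABAP lines mimic a pipe-separated Security Audit Log
# export and the HANA lines a CSV audit-trail export; both layouts are assumptions.
ABAP_RAW = """\
PRD|2024-09-12 08:01:14|100|JSMITH|WS12|AU2|Logon failed (reason=1, type=A)
PRD|2024-09-12 08:01:40|100|JSMITH|WS12|AU1|Logon successful (type=A)
PRD|2024-09-12 08:03:02|100|BASIS_ADMIN|WS01|AU3|Transaction SU01 started
"""

HANA_RAW = """\
timestamp,system,user,client_ip,action,status,statement
2024-09-12 08:02:11,HDB,SYSTEM,10.10.1.5,GRANT,SUCCESSFUL,GRANT DATA ADMIN TO REPORT_USER
2024-09-12 08:02:30,HDB,REPORT_USER,10.10.1.9,SELECT,SUCCESSFUL,SELECT * FROM SALES
"""

# Constructed asset inventory used for enrichment (SID -> attributes).
ASSETS = {
    "PRD": {"landscape": "ERP", "env": "production", "priority": "critical"},
    "HDB": {"landscape": "ERP", "env": "production", "priority": "critical"},
}

# Severity per normalized event type on the 0-10 scale CEF expects (constructed).
SEVERITY = {"logon_failed": 4, "logon_ok": 1, "tcode_start": 3,
            "privilege_grant": 8, "data_access": 2, "other": 1}

# Events below this severity are dropped before forwarding to reduce volume.
MIN_FORWARD_SEVERITY = 2

ABAP_MSG_TYPES = {"AU1": "logon_ok", "AU2": "logon_failed", "AU3": "tcode_start"}


@dataclass(frozen=True)
class NormEvent:
    sid: str
    time: str
    user: str
    source: str
    event_type: str
    severity: int
    landscape: str
    env: str
    message: str


def _enrich(sid):
    return ASSETS.get(sid, {"landscape": "unknown", "env": "unknown", "priority": "unknown"})


def parse_abap(text):
    """Pipe-separated audit log lines -> normalized events."""
    out = []
    for line in text.strip().splitlines():
        sid, ts, client, user, term, msg_id, msg = line.split("|", 6)
        etype = ABAP_MSG_TYPES.get(msg_id, "other")
        a = _enrich(sid)
        out.append(NormEvent(sid, ts, f"{user}@{client}", term, etype, SEVERITY[etype],
                             a["landscape"], a["env"], msg))
    return out


def parse_hana(text):
    """CSV audit-trail rows -> normalized events."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        etype = "privilege_grant" if row["action"] == "GRANT" else "data_access"
        a = _enrich(row["system"])
        out.append(NormEvent(row["system"], row["timestamp"], row["user"], row["client_ip"],
                             etype, SEVERITY[etype], a["landscape"], a["env"], row["statement"]))
    return out


def _cef_header(s):  # CEF header fields escape backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(s):  # CEF extension values escape backslash and equals sign
    return s.replace("\\", "\\\\").replace("=", "\\=")


def to_cef(e):
    """Common Event Format line; vendor/product strings are placeholders."""
    header = "|".join(_cef_header(x) for x in
                      ["CEF:0", "ExampleVendor", "SAPLogFeed", "1.0", e.event_type, e.message, str(e.severity)])
    ext = (f"rt={_cef_ext(e.time)} suser={_cef_ext(e.user)} src={_cef_ext(e.source)} "
           f"cs1Label=sid cs1={e.sid} cs2Label=landscape cs2={e.landscape} cs3Label=env cs3={e.env}")
    return header + "|" + ext


def build_feed(abap_text, hana_text, min_sev=MIN_FORWARD_SEVERITY):
    """One normalized, enriched, severity-filtered and time-ordered feed for the SIEM."""
    events = parse_abap(abap_text) + parse_hana(hana_text)
    events.sort(key=lambda e: e.time)
    return [e for e in events if e.severity >= min_sev]


if __name__ == "__main__":
    for event in build_feed(ABAP_RAW, HANA_RAW):
        print(to_cef(event))
```

The successful logon is filtered out as informational, so four of the five raw records reach the SIEM, each carrying the system ID, landscape and environment it was enriched with. The SIEM then needs a single parser for this one schema rather than one per SAP log type.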
Version 5.0 of the Cybersecurity Extension for SAP (CES) is scheduled for general availability in September. It includes several enhancements, configuration checks and new patterns to improve vulnerability management and threat detection for SAP solutions. This article discusses some of the key changes.
Trend Analysis
Trend Analysis is a new application in CES that tracks changes in vulnerabilities, security notes, and alerts over two years. It can be used to monitor security results across periods. For example, the number of vulnerabilities in the current period can be compared with results from the prior month to assess the effectiveness of remediation activities. Results can be analyzed using daily, weekly, monthly, or quarterly intervals, as well as custom date ranges. Results are visualized using multiple charts and tables with the option to export results. The advanced filter can be used to focus trend analysis on specific business units, areas, landscapes, systems, priorities, and other variables.
Systems
Systems is another new application in CES. It displays system information for targets that are monitored by CES. Target systems are selected from the available managed systems in SAP Solution Manager and SAP Focused Run. System information is displayed in cards for each system. The information includes attributes such as the SAP System ID, landscape, environment, priority and group. Groups are typically business units that are maintained during the installation phase. The application includes a filter to search for specific systems based on attributes.
Actively Exploited Vulnerabilities
CES version 5.0 automatically detects actively exploited vulnerabilities. The vulnerabilities are identified and flagged based on automated correlation with event logs and alerts in CES. Results in Vulnerability Management can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.
SAP GRC Integration
SAP GRC identifies users with access to sensitive functions and conflicting functions that should be segregated between users. It also detects if the functions that comprise an access risk are executed by users. CES v5.0 integrates with SAP GRC to report and alert for access risks where the relevant sensitive or conflicting functions are executed by users. This enables organizations to be notified immediately of access violations and to investigate the risks using the incident response capabilities of the Cybersecurity Extension for SAP.
Report Scheduling
The Cybersecurity Extension for SAP supports export to PDF, CSV and Excel for compliance, vulnerability and other security reports, including reports related to security notes, events and alerts. In earlier versions, the reports were exported on demand. Version 5.0 supports the scheduling and automatic distribution of reports by email. Users can customize email settings including the subject and text. Distribution lists are supported.
User Experience
CES v5.0 includes a redesigned application launchpad.
Vulnerability Management includes a card view for system selection. Users can switch to the dashboard view supported in earlier versions, if preferred.
Compliance Reporting also includes a redesigned interface for selecting frameworks and systems and navigating results.
Security Alerts includes a heat map for analyzing alerts by system and column charts for analyzing alerts by 24-hour, 7-day, and 30-day intervals.
SAP ASE
The Cybersecurity Extension for SAP supports full-stack monitoring for SAP systems including application, database and host layers. SAP ASE is a widely used relational database server for SAP solutions. Version 5.0 includes extended support for ASE monitoring, including new vulnerability checks for logon settings, remote logins, password policies, database users including default and inactive users, critical database roles, database encryption, and audit settings. It also delivers alerts for critical database events such as failed logons, locked users, logons by default users such as sa, changes to the database configuration including disabling auditing, role and user changes, new procedures or services, remote procedure calls, the execution of stored procedures, and table contents transferred to or from external files.
SUSE Linux Enterprise Server
Version 5.0 includes several new alerts for SLES operating systems supporting SAP solutions. This includes alerts for locked and unlocked users, new users, login failures, password changes, replay attacks, users that switch to root, and threats from the execution of malicious programs in SAP hosts.
The new release of the Cybersecurity Extension for SAP (CES) is scheduled for general availability on April 24. It includes several important enhancements, configuration checks and patterns for threat detection to further protect SAP solutions from advanced cyber threats.
The prior release of the CES provided capabilities for SAP customers to automatically discover and remove false positive security notes calculated by System Recommendations (SysRec) in SAP Solution Manager. This improved the quality and reliability of results in SysRec and reduced the manual effort required by SAP administrators to analyze security patches. The new release of CES extends the enhancements for SysRec by including CVE, CVSS and vector information for calculated security notes.
The new release also includes configuration checks for protection against directory traversal in ABAP systems. The checks review path validation for files with no defined physical paths and the definition of physical file paths for logical paths. Checks are also applied for settings in SAP Virus Scan Interface (VSI) profiles and supported MIME types. SAP VSI integrates with scanning engines to discover and block malware in file uploads and downloads from SAP solutions.
The new release includes extended checks for Unified Connectivity (UCON) including HTTP whitelists for protection against clickjacking attacks and relevant background jobs. It also includes extended checks for Read Access Logging including log domains, groups and fields. In addition, checks for the masking and encryption of payment card data are included in the new release.
There are over 210 checks for critical transactions in S/4HANA included in the release. Future releases will roll out authorization checks for solutions such as S/4HANA, ECC, BW/4HANA, BW and CRM. The checks will enable customers to use the Cybersecurity Extension for SAP to monitor critical access and segregation of duties in lieu of SAP Governance, Risk & Compliance (GRC), given the scheduled end of maintenance of GRC.
There are several new checks for code vulnerabilities in custom SAP programs. This includes checks for XSRF protection and the forceEncode attribute.
New patterns for detecting Indicators of Compromise (IOCs) in SAP solutions include successful and unsuccessful program installations, uninstallations and changes in Microsoft Server platforms for SAP. Similar patterns were included in earlier versions of CES for Linux platforms to support the detection of potential ransomware attacks.
IOCs are also included for the detection of changes to specific security-relevant parameters in SAP ABAP and HANA systems.
A new security framework has been added to CES for S/4HANA. The framework will enable customers to automatically check the compliance of S/4HANA systems with SAP requirements in the Security Guide for S/4HANA.
The new release of CES deprecates the custom InfoCubes and process chains used in earlier versions. This significantly improves the stability and performance of CES and its ability to process large data sets rapidly with minimal resources.
Security alerts for multiple hosts can be mapped to specific SAP System IDs in the new release. Filters for security alerts also include a new field for searching alerts by time range, with start and end times entered in the format HH:MM:SS.
Finally, vulnerability details now include tables containing the complete fields and values from the source CCDB (Configuration and Change Database) stores. The tables support filtering and export.
The next release of the Cybersecurity Extension for SAP is scheduled for June 2023 and will include support for detecting IOCs in logs for SAP ASE databases, vulnerability and event correlation, and trend analysis for tracking changes in vulnerabilities, patches and alerts for periods covering up to two years.
SAP Focused Run supports real-time monitoring for high-volume SAP landscapes and for customers with advanced requirements for system management, user and integration monitoring, and vulnerability management. Configuration and Security Analytics (CSA) in SAP Focused Run applies security policies to discover vulnerabilities in SAP systems. The policies read the contents of configuration, software and user-related stores in the Configuration and Change Database (CCDB). The CCDB stores are refreshed daily by the Simple Diagnostics Agent (SDA), installed on the hosts of the SAP systems monitored by Focused Run.
This article explores capabilities in CSA for tuning security checks using exclusions, configuring alerts for critical vulnerabilities, and investigating security-related changes reported by CSA.
Exemptions can be applied to exclude specific checks from security policies. In the example below, an exemption is applied to exclude a check that validates the status of the standard DDIC user. The first step is to open CSA in the Advanced Configuration Monitoring workgroup.
The next step is to select the relevant policy and choose Exemption for Policies.
Select Create to add the exemption. Select the Check ID based on the available checks in the policy and add an Exception ID and Description.
You can add a date range if the exemption is temporary and should be removed automatically after a target date. Once saved, the check is excluded from the policy. Exemptions can be maintained and deleted after they are applied.
Alerts for systems that fail checks in security policies can be configured using Configuration Validation Alert Management.
Select Create and add an Alert ID and Description. The Alert Source should be set to Configuration Validation – Policy. Select the Policy and maintain options for Aggregation Level, Scope, Frequency and Severity. Select ON and click on Save to activate the alert.
Alerts can be configured for specific systems or for groups of systems based on Customer ID, Data Center, IT Admin Role, Lifecycle Status, or Networks.
IT Admin Role can be used to apply alerts to systems based on their environment, for example development, quality assurance or production.
Email and SMS options for alert notifications can be maintained using Outbound Variants.
Alerts can be investigated and managed using Alert Management. In the example below, we can see the alert configured in CSA for changes to standard users. Alerts in Alert Management can be integrated with SIEM and service desk solutions. For detailed information, refer to the SAP Help Portal.
Changes in SAP systems are captured and logged in CSA. This includes areas such as parameter settings, RFC destinations, ICF services, and user authorizations, profiles, roles, and transactions. The details of the changes can be viewed using the option to display changes to configuration items. Select a time frame for the changes using Time Frame Selection.
You can also maintain a custom time frame.
Select a system to view a summary of the changes.
Select a store to view the details of changes. In the example below, we can see the details of users that were assigned the SAP_ALL profile in a system over the last three months.
The details can be filtered, sorted and exported to Excel.
The Cybersecurity Extension for SAP integrates with CSA in Focused Run to apply thousands of security checks for known vulnerabilities in SAP solutions. It also integrates with System Monitoring in Focused Run to detect and alert for more than 600 indicators of compromise in SAP event logs. To learn how you can protect your SAP systems from cyber threats using the Cybersecurity Extension for SAP, contact Layer Seven Security.