According to IDC, 80% of ERP applications are audited at least once every 12 months. Driven by regulatory requirements, audits can drain valuable resources from projects targeted at business growth. They can also lead to audit fatigue and undermine relationships between IT and audit stakeholders.
Compliance Reporting in SAP Solution Manager enables organizations to automate audits for SAP systems and reallocate resources to projects and audits focused on other organizational goals. The continuous monitoring powered by the application also enables auditors to identify compliance gaps immediately rather than at the end of a reporting period. This can reduce regulatory risk by providing owners with more time to remediate control gaps.
Compliance Reporting is accessed from the Fiori launchpad in SAP Solution Manager. Results are automatically updated by daily scheduled scans.
Compliance frameworks and systems are selected in the report filter. There are optional filters to select specific control requirements and systems based on environment or priority. Reports can also be filtered to include or exclude controls based on risk rating and compliance result.
Compliance Reporting currently supports the frameworks below. This includes CIS, IT-SOX, NIST and PCI-DSS. Support for additional frameworks including GDPR and NERC CIP is expected at the end of Q2 2020. Customers can import custom frameworks to automate auditing for internal security policies and other requirements.
Results for applications and databases are reported in separate columns. The report provides an overall compliance score based on the selected framework and systems. Results are summarized for each requirement.
Users can drilldown into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.
Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.
Layer Seven Security has been selected by a panel of experts and members of the CIO Applications editorial board for inclusion in the Top 25 Cyber Security Companies for 2020. The annual list is compiled by CIO Applications to recognize and promote organizations that provide cutting-edge cybersecurity solutions. CIO Applications is a Silicon Valley industry publication based in San Francisco, California. The recognition is based on an evaluation of Layer Seven Security’s innovative Cybersecurity Extension for SAP Solution Manager. The Extension is an add-on for the Solution Manager platform, delivering automated vulnerability management, threat detection and incident response for business-critical SAP systems. Read the full article at CIO Applications.
Security Forensics in SAP Solution Manager supports centralized log monitoring for SAP landscapes. The Fiori application from Layer Seven Security enables users to analyze incidents across multiple logs and systems directly from Solution Manager, helping organizations to detect and respond to security breaches. It also protects against anti-forensics. Since event logs are replicated to a central log, attackers can not remove all traces of their actions to avoid detection.
Security Forensics is accessed from the Fiori launchpad for SAP Solution Manager.
The application currently supports the Security Audit Log, Gateway
Server log, HTTP log, Transaction log, Read Access Log, System Log, User Change
logs, and the HANA Audit log. Support for the Java Security Log and SAProuter
log is scheduled for Q3 2020.
Advanced Search supports complex queries based on system, log source, date, time, user, source terminal/ IP address, and event ID.
Log Source:
Source terminal/ IP address:
Date/Time:
The query below filters log events to isolate actions performed by the SAP* user. The query results reveal that the SAP* user was locked due to failed logon attempts in system AS2 at 10:30:00 on 23.03.2020.
The results can be exported to a csv file to support offline analysis and collaboration. Event details can also be appended directly to an email by selecting the Notify option from the drilldown.
Personalized alarms for events can be configured using the Save As Tile option for filter selections.
Alarms are displayed as custom tiles in the launchpad. Below we have added an alarm for log events related to the SAP* user in production systems. The tile will automatically update to display the number of matching records. Users can click on the alarm to view the details of the events.
Security Forensics is available for SAP Solution Manager 7.2 SP07 or higher. The application is available for both HANA and conventional database platforms. For the latter, customizing options are provided to activate log monitoring for only specific managed systems and adjust the log retention period.
Security Information and Event Management (SIEM) systems support centralized security monitoring across networks. They ingest and analyze data from hosts, routers, switches, firewalls and other components to identify and respond to security threats.
SIEM systems can ingest data directly from SAP application
logs. However, direct integration is complex and laborious. It also requires
high maintenance and may substantially increase costs if SIEM licensing is tied
to log size or events per second.
This challenge can be overcome by integrating SAP logs with
SIEM systems using SAP Solution Manager, a management server in SAP landscapes.
Solution Manager filters, structures and enriches security event data in SAP
logs to support fast, seamless integration with SIEM systems.
This webinar recording discusses the challenges of direct ingestion of SAP logs and the benefits of integration using Solution Manager. It also provides recommendations for configuring audit settings and policies for the following data sources in SAP:
Security Audit Log System Log ICM Log Business Transaction Analysis Gateway Log Change Documents Read Access Log Java Security Log HANA Audit Log SAProuter Log
The webinar is a digest of the whitepaper SIEM Integration
for SAP.
Maintaining system security in dynamic SAP environments is a constant challenge. New users are added every day. Permissions for existing users are constantly updated to keep up with changing requirements. Software updates, transports and other changes introduce new components or developments and often necessitate changes to system settings. With each change, even hardened systems can become less secure and more vulnerable to intrusion.
To some extent, the risk of configuration drift can be
managed through regular vulnerability scanning. However, scan results only identify
the consequences of changes, not the root cause. Periodic audits of system and
user changes can also help to address the risk. Audits can uncover compliance gaps
against change management protocols, but are limited in scope since they are usually
performed manually.
Change Analysis in SAP Solution Manager provides an
automated response to the risk of configuration drift in SAP systems. The
application tracks changes in systems including ABAP, HANA, Java parameters, database
and operating system settings, user privileges, notes, software updates, and transport
requests. The tool maintains a history of changes performed in each system for two
years.
Change Analysis is accessed from the Root Cause Analysis
work center in the Fiori launchpad for SAP Solution Manager.
Scope selection supports filtering of changes by system, type or environment.
Results can be filtered further to focus on changes within a specific time frame.
The filtered results are summarized in the dashboard below.
The dashboard supports drilldown from summarized results by system and category into detailed changes. In the example below, the results reveal that the value of parameter gw/accept_timeout was modified in system AS2 at 3.00PM on February 11, 2020.
In another example, the results reveal that the profile SAP_ALL was assigned to the user ATTACKER9 on the same day in the identical system.
Notifications for changes to critical areas can be configured using the monitoring and alerting framework within Solution Manager. The notification below is an alert for changes to RFC destinations. Email and SMS notifications for changes are also supported. Alerts can be integrated with SIEM systems or incident management systems for automated ticketing.
Change Reporting can be used to compare the configuration of different systems.
It can also be used to compare the configuration of the same system using different timestamps. In the example below, we are comparing the configuration of system ECP on February 6 with January 22 to identify changes that occurred in the system during the interval.
The comparison tool is useful for identifying not only changes that may lead to configuration drift within systems but also differences between settings in production environments and other environments such as quality or development. The comparison results are displayed in the Result Details and can be exported for analysis. According to the results below, the SAP_UI component was upgraded in ECP from version 751 to 753 during the interval.
Download the new whitepaper for SAP-SIEM integration from Layer Seven Security. The whitepaper outlines recommended settings for the Security Audit Log, HANA audit log, and other logs to support advanced threat detection. It discusses the challenges of direct integration of SAP logs with SIEM systems in terms of complexity, log volume, maintenance, and event correlation.
The whitepaper advocates SIEM integration using SAP Solution Manager based on benefits such as lower complexity, rapid deployment, reduced costs, ease of maintenance, and the enrichment of event data to support cross-platform correlation.
The SIEM Integrator for SAP is a software add-on for SAP Solution Manager that delivers automated threat detection for SAP systems. The add-on supports integration with SIEM platforms including Splunk, QRadar, ArcSight, LogRhythm and SolarWinds. The Integrator includes 300+ attack detection patterns for SAP platforms and logs.
Security Information and Event Management (SIEM) platforms
combine the ability to collect log data from applications, hosts, routers,
switches, firewalls and other endpoints with the ability to analyze events in
real time. They support threat detection, event correlation and incident
response with alerting and reporting capabilities.
SIEM platforms require complete coverage for maximum yield.
In other words, organizations reap the full benefits of SIEM platforms when
monitoring logs throughout the technological infrastructure. This includes SAP
application logs for organizations with SAP systems.
However, there are several challenges with integrating SAP application
logs with SIEM systems. The first is complexity. SAP systems typically contain
multiple logs that capture security-relevant events. The SAP NetWeaver
Application Server ABAP (AS ABAP) alone has at least seven such logs including
the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction
Log, Change Document Log, and the Read Access Log. The logs do not have a
standardized format or structure. Some are captured at the file level and
others are stored in SAP tables. The complexities involved in integrating
multiple and distinct logs from each SAP system should not be underestimated, especially
for large SAP landscapes.
The second is log volume. Raw event logs can grow to gigabytes
and even terabytes within a relatively short period of time in SAP systems that
often support thousands of end users and hundreds of cross-system connections. Transmitting
large volumes of log data from SAP systems to SIEM platforms could consume high
levels of network bandwidth. The need to store such data for analysis could
also increase resource requirements and licensing costs for SIEM systems.
The third challenge with directly integrating SAP logs is
maintenance. Monitoring and supporting the numerous integration points between
SAP systems and SIEM platforms, as well as regular archiving to deal with the
accumulation of log data, could lead to high maintenance costs.
Finally, many SAP logs do not natively include information to support cross-platform correlation using SIEM tools. This includes source and destination IPs for security events. Values for sources and destinations in SAP logs are often terminal names and SAP Systems IDs (SIDs) rather than IP addresses. Therefore, Security Operation Centers (SOCs) are not able to easily correlate SAP events with non-SAP events in SIEM platforms.
The Cybersecurity Extension for SAP Solution Manager overcomes such obstacles by filtering, normalizing and enriching security event data from SAP logs. The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to monitor logs at source without extracting and replicating event logs to external repositories. This reduces both bandwidth and storage requirements. MAI data providers support monitoring for all SAP logs including file and table logs in ABAP, HANA, and Java systems, and standalone components such as the SAProuter. MAI periodically parses event logs using attack detection patterns configured in metrics. The frequency of metric checks is customizable and can range from every 60 seconds to several minutes apart. Intervals can be adjusted at the metric level which means metrics can have different monitoring intervals.
A pattern match triggers the MAI to generate alerts and email or SMS notifications for security events. Security alerts generated by Solution Manager are managed using applications such as Monitor Systems, System Monitoring and the Alert Inbox. Alerts can also be written to an external file by Solution Manager. Solution Manager enriches event data by including source and IP addresses for each alert written to the file. This is intended to support correlation once the data is ingested by SIEM platforms. Event data is also normalized using a standardized structure for all log sources. The fields and separators for event details within each file are customizable and include values for alert name, description, date, time, system, system type, and event details. The event details can include information such as the event ID, username, source and destination IP addresses, and objects accessed by the user such as transactions, reports, function modules or URLs. The example below includes <DATE>::<TIME>::<SYSTEM>::<MANAGED OBJECT TYPE>::<ALERT TYPE>::<PRIORITY>::<ALERT NAME>::<ALERT DESCRIPTION>::<ALERT DETAILS>. Each value is separated by ::
Since event details are written to and stored within alerts
in Solution Manager, attackers will not be able to remove all traces of their
malicious actions by modifying event logs alone. They will also need to delete alerts and stop
the triggering of email/ SMS notifications of alerts in Solution Manager. This
would be challenging since alerts cannot be deleted in Solution Manager. They
can only be confirmed. All alerts are retained and only removed by periodic
housekeeping jobs designed to delete aged alerts.
Event files can be stored on the Solution Manager host or an
external host or file server. A new event file is created by Solution Manager
for each day. The contents of the newest file can be periodically pushed to
SIEM platforms or pulled by SIEM systems directly from relevant directories. Since
there is a single point of integration for event data between SAP and SIEM
systems, maintenance efforts are relatively low.
This article outlines the benefits of integrating security event data from SAP applications with SIEM platforms using the Cybersecurity Extension for Solution Manager. The benefits include lower costs, rapid deployment, ease of maintenance, and the enrichment of event data to support cross-platform correlation. The example below is for SIEM integration with Solution Manager for Splunk Enterprise. However, the approach can also be used to integrate security event data with other SIEM systems including QRadar, ArcSight and Log Rhythm.
Vulnerability assessment and penetration testing both serve important functions for protecting business applications against security threats. The approaches are complementary but should be deployed sequentially. Penetration testing against systems and applications that have not been hardened based on the results of vulnerability assessments is inadvisable since the results are predictable. The objective of penetration testing is to assess the strength of security defenses, not to exploit ill-equipped and unprepared systems and processes to prove a point.
Therefore, vulnerability assessments should be performed ahead
of penetration tests. The results of comprehensive vulnerability scans inform organizations
of configuration, program, user and other weaknesses that could be exploited to
compromise systems during real or simulated attacks. The recommendations resulting
from the assessments enable organizations to remediate security weaknesses
using a prioritized approach. It also supports the implementation of counter
measures to detect and respond to potential attacks.
Once systems are hardened and defenses are prepared, performing
a penetration test is a valuable exercise to test the adequacy of security mechanisms.
The lessons learned from the discovery and exploitation of vulnerabilities during
penetration tests can be applied to address areas that may have been overlooked
or inadequately secured after vulnerability assessments. Penetration testing
against hardened systems that are actively monitored for attacks forces pen
testers to exercise more complex and difficult attack vectors. It also compels
pen testers to deploy evasive techniques to avoid detection. This improves the
quality of penetration tests and the reliability of the results, providing a stronger
litmus test for system security, threat detection and incident response.
There are several apps available in SAP Solution Manager for monitoring security alerts for SAP systems. The most longstanding is the Alert Inbox which provides an overview of alerts by process area. Guided procedures for investigating security alerts are executed from the Alert Inbox. Another option is System Monitoring which provides a more user-friendly interface for navigating incidents than the Alert Inbox. System Monitoring includes the Alert Ticker displayed in the right pane of the app for monitoring incidents in real-time.
SAP Solution Manager 7.2 SP07 introduced a third option for monitoring
alerts called Monitor Systems. The app is delivered in the new work center
Application Operations.
System Monitoring and the Alert Inbox are Web Dynpro applications. Monitor Systems, however, is a SAPUI5 application based on the Fiori framework. Therefore, Monitor Systems delivers exceptional performance with alerts loading and refreshing at much faster rates than both the Alert Inbox and System Monitoring. The performance gains are considerable even for SAP Solution Manager installations running on conventional databases rather than SAP HANA.
You can access Monitor Systems from the SAP Fiori Launchpad using the roles SAP_STUI_APPOPS_AUTH and SAP_STUI_APPOPS_TCR.
The initial screen summarizes alerts open alerts by systems and components.
Results can be filtered or sorted by clicking by system and category.
Systems can also be labeled as favorites for fast selection.
You can view details of open alerts for each system by clicking on the system. Below are alerts for security configuration issues impacting system AS2.
Below are security exceptions detected through real-time monitoring of event logs in the system.
We can drill down into the details of each alert by clicking on Critical Metrics. For example, we can investigate the alert below for the Actions by the Standard SAP* User Alert by reviewing the relevant metric.
The Metric Details reveals that there was an attempted logon with the SAP* user from IP address 10.8.91.2 at 12:51 on 2019-08-14. We can execute a guided procedure that will investigate other actions from the source IP directly in the Security Audit Log.
The results can be shared with security operations teams through email by clicking on the Notify option in the Metric Details.
In another example, we can drill down into the alert for active users logged into the system with SAP_ALL in their user buffer to investigate potential privilege escalation. The profile should not be used in productive systems.
The Cybersecurity Extension for SAP Solution Manager monitors SAP event logs to automatically detect and alert for indicators of compromise. The monitoring interval can be customized for each security metric based on risk and sizing. An interval of 60 seconds, for example, can support real-time threat detection. However, real-time detection is only useful when supported by real-time incident response. Organizations that lack rapid response capabilities should opt for collection intervals of 10-15 minutes to balance the need to minimize the mean to detect (MTTD) with the system impact of continuous monitoring.
Log settings also need to be carefully maintained to capture
security-relevant events while preventing the accumulation of log data and the consumption
of excessive disk or table space. The recommended settings and archiving
procedures below for each log area will enable you to maintain comprehensive
forensic logs with minimal system impact.
Security Audit Log Maintain static filters to log all actions by the standard SAP* user, logons and transaction starts by the DDIC user, and Severe and Critical events for all audit classes and users. Also create a static filter to log the non-critical event IDs BU4, CUY, DU9, DUI, and FU1. The filters should be applied to all clients. If you have yet to remove the EarlyWatch client, also create a filter to monitor events for all audit classes and users in client 066.
Periodically export events older than 30 days using
transaction SM20. Once the events are successfully exported and backed-up to a
file server, trigger the background job RSAUPURG to delete events older than 30
days using transaction SM18.
Read Access Log Configure or import logging purposes to log access to sensitive fields and tables including user tables. Archive SRAL objects using transaction SARA. RAL archives can exported and stored offline.
Change Documents Change documents for user changes are triggered automatically. Similar to the Read Access Log, change documents are archived using transaction SARA.
Business Transaction Log There are no specific settings required for STAD. Since data is retained for only 48 hours, STAD archiving is also not required.
System Log Similarly, the system log does not require any specific settings or archiving. The system log is a ring buffer. When the log file reaches its maximum size, the system overwrites the oldest data.
HTTP Log The LOGFORMAT option for HTTP logging should specify a format that includes the URL in log entries. An example is the CLF format. HTTP log files in the /usr/sap/SID/instance/work directory can be exported and archived offline.
Gateway Server The ACTION option for gateway logging should include the actions SsZMP to capture security events, configuration changes, and monitor commands. Gateway log files are can also be found in the work directory of each instance and archived to an external location.
Java Security Log The value of the following properties should be set to TRUE to include the client host address, object name and actor in logged events: ume.logon.security_policy.log_client_hostaddress, ume.secaudit.get_object_name, and ume.secaudit.log_actor. Automatic archiving should be activated using the Log Manager. Once activated, the compressed archives can be found in usr\sap\<SID>\JC<Instance number>\j2ee\cluster\<Dispatcher or server>\log\archive.
HANA Audit Log The target audit trails should be set to CSTABLE and SYSLOGPROTOCOL to log events simultaneously to internal tables and the OS-level system log. Audit policies should be configured to log critical actions including all actions performed by the SYSTEM user, system changes, user changes, role changes, repository changes, and unsuccessful logons.
The contents of the AUDIT_LOG table can be exported using the AUDIT OPERATOR privilege in the HANA Studio. Once exported, navigate to the Auditing tab in the Security section and select the option to truncate the audit trail.
For detailed step-by-step instructions, refer to the section on Log Settings and Maintenance in the user manual for the Cybersecurity Extension for SAP Solution Manager.
