Layer Seven Security

Database Security with the Cybersecurity Extension for SAP

Layer Seven on January 30, 2019

Protecting SAP systems against cyber threats requires integrated measures applied not just within the SAP layer but across the technology stack including network, operating system, and database components.  As repositories of business-critical and sensitive information, databases warrant specific attention for hardening and monitoring efforts. This includes identifying and addressing configuration weaknesses, excessive privileges, and weak audit policies, encrypting data in transit and at rest, removing vulnerable stored procedures, and detecting and responding to privilege abuse or escalations.

SAP Solution Manager is uniquely positioned to monitor the security of SAP databases given its deep connectivity into SAP platforms. This article outlines the architecture and data collection procedures for database monitoring with Solution Manager. Next month’s article will explore database-level security reporting and event monitoring with SolMan.

Establishing connectivity to databases supporting SAP systems is a standard step during the mandatory configuration procedures for Solution Manager. Connection information is entered into the DB Parameters section during the Enter System Parameters step of Managed System Configuration. This includes the database host, port, and user credentials.

The connection supports the DBA Cockpit for database administration and monitoring. It also supports database extractors used by the Extractor Framework. The Extractor Framework performs data collection and distribution for monitoring and alerting in Solution Manager. The framework operates regular extractors to snapshot configuration, user, system, change and event-related data from systems. The snapshots are stored in areas such as the SolMan Configuration and Change Database (CCDB) and queried by other applications in SolMan including Configuration Validation and the Monitoring and Alerting Infrastructure (MAI). The concept of running or scheduling security scans is foreign in Solution Manager. Periodic jobs run the extractors to refresh the data. Therefore, there is no need to schedule scans or connect directly to systems to compile data when reviewing security-related information. Job Monitoring in Solution Manager can be used to monitor the relevant jobs and alert for job errors or warnings.

Solution Manager automatically applies preconfigured templates for databases once they are successfully connected for monitoring. SolMan installations are packaged with templates for all platforms supported by SAP systems including SAP databases such as HANA, Sybase and MaxDB, and third-party databases from Oracle, IBM and Microsoft. Template contents can vary based on the specific version and release of databases.

Templates for HANA platforms including metrics and alerts for monitoring system availability, performance and security. They also include CCDB stores to extract current values for HANA parameters, and details of active users, audit policies and users with critical database and system privileges.

The extractor framework and SAP-delivered templates may not provide coverage for monitoring all the security-related areas for each database platform. Therefore, customers or partners can either define their own templates or create/ modify extractors, metrics, alerts and CCDB stores to extract additional data. In the example below, we’ve added several custom stores to extract and query data for Sybase ASE that is not available in a standard Solution Manager installation.  This includes runtime values for all Sybase parameters, active users, roles assigned to database users, enabled stored procedures, audit settings, and database event logs with event IDs, user IDs, and timestamps.

The stores are assigned to the custom /L7S/ namespace to avoid any conflict with SAP and other namespaces.

The extractor framework regularly refreshes the data through background jobs. Database security policies are then applied by Solution Manager against the CCDB to identify vulnerabilities and security-related events in the platform. The data is also monitored by the MAI which triggers alerts and notifications for critical risks. The results are replicated to an internal Business Warehouse (BW) in Solution Manager.

In next month’s article, we will discuss how you can use Service Level Reporting and BusinessObjects to create detailed and user-freindly reports to convey the results of database security monitoring with SAP Solution Manager.

Layer Seven Security Recognized as an SAP Cybersecurity Leader

Layer Seven on December 17, 2018

Layer Seven Security has been named as the leading SAP cybersecurity provider in the 2018 Top 10 SAP Solution Providers. According to the source of the study,  Layer Seven Security provide a “unique and innovative approach to securing business-critical SAP systems against cyber threats”. The study recognizes Layer Seven as an “innovative force in the SAP cybersecurity industry” for delivering “leading-edge vulnerability management, patch management, threat detection and incident response without requiring customers to license and install complex and expensive new platforms.”

The report also acknowledges the SAP partner’s “extraordinary levels of year-on-year growth”. Layer Seven Security more than doubled it’s customer base and experienced a 350% surge in revenue in 2018. The company recently announced an ambitious 3-year roadmap that includes recent innovations such as interactive security reporting based on SAP Web Intelligence, monitoring for Java users with administrative privileges, and security monitoring for SAP databases including Sybase ASE. Planned innovations include integration between SAP Solution Manager and the NetWeaver add-on for Code Vulnerability Analysis, the development of Fiori applications for embedded security reporting in SAP Solution Manager, and support for OS, cloud and network platforms for end-to-end security monitoring of the SAP technology stack.

 

Webinar Recording: Security Analytics with SAP Web Intelligence

Layer Seven on December 17, 2018

Watch the webinar replay to learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

– Discover security vulnerabilities
– Manage missing patches
– Detect alerts for security incidents
– Collaborate and track remediation efforts using comments
– Filter and sort report data
– Export and share results
– Access reports remotely

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.

Watch Now

 

 

Webinar: Security Analytics with SAP Web Intelligence

Layer Seven on November 27, 2018

Thu, Dec 13, 2018 11:00 AM – 12:00 PM EST

Learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

– Discover security vulnerabilities
– Manage missing patches
– Detect alerts for security incidents
– Collaborate and track remediation efforts using comments
– Filter and sort report data
– Export and share results
– Access reports remotely

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.

Register

 

 

Secure, Patch & Respond: Security Analytics with SAP Web Intelligence

Layer Seven on November 20, 2018

SAP Web Intelligence enables users to visualize and manage security risks in SAP systems using interactive reports delivered through an intuitive web interface. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Animated charts summarize risks by system, location, priority and other dimensions. Results can be filtered and sorted to focus on specific areas. Users can comment on report elements for collaboration, decision-making and tracking remediation efforts. Reports can be exported to Excel, HTML and PDF. Reports can also be accessed remotely using the mobile app for SAP BusinessObjects.

The security reports are comprised of five distinct sections. The first section includes a series of charts that summarize risks across three dimensions: vulnerabilities, security notes, and alerts. The results can be filtered to focus on single or multiple systems.

The second section includes trend charts, bar graphs, geo-maps and bubble charts that break down the results for each dimension.

The remaining sections convey detailed findings and empower users to secure SAP systems against cyber threats by discovering and removing vulnerabilities, applying patches, and responding to alerts for suspected security breaches.

To learn more, contact Layer Seven Security. You can also request a free trial for security reporting with SAP Web Intelligence using Layer Seven’s cloud platform.

 

Coming Soon: Security Reporting with SAP Web Intelligence

Layer Seven on October 16, 2018

SAP Web Intelligence (WebI) provides a platform for self-service reporting that enables users to analyze and visualize data from SAP systems using an intuitive, interactive and web-based interface. WebI supports BEx queries to connect to security-related data in Business Warehouse within Solution Manager. Users can create dynamic reports with embedded dashboards to monitor and manage risks and track remediation efforts. Reports are published to the BI Launch Pad to support enterprise-wide access through a web browser. They can also be refreshed, scheduled and broadcast from the Launch Pad.

Stay tuned for more details.

 

How to Comply with the DHS Recommendations for Securing SAP Systems from Cyber Attacks

Layer Seven on October 16, 2018

In response to the dramatic rise of cyber attacks targeting ERP applications, the United States Department of Homeland Security (DHS) issued a warning earlier this year that encouraged organizations to respond to the risks targeted at their business applications by implementing specific measures to secure, patch and monitor SAP systems. The measures included scanning for vulnerabilities and missing security patches, managing SAP interfaces, and monitoring user behaviour, indicators of compromise, and compliance against security baselines for systems.

This article discusses how you can leverage SAP Solution Manager to comply with the DHS recommendations. Solution Manager is installed and available in most SAP landscapes and includes diagnostics and monitoring applications to support cybersecurity. The specific applications are outlined below against each of the DHS recommendations.

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

Configuration Validation in Solution Manager can perform automatic daily scans of SAP systems against security benchmarks to identify misconfigurations that could expose systems to cyber threats. The scans are performed against snapshots of systems stored in the Configuration and Change Database (CCDB). The results of the scans are stored in an internal Business Warehouse (BW). Service Level Reports and Security Dashboards connect to BW using BEx queries to read the results of the security scans and report the findings.

System Recommendations (SysRec) in Solution Manager connects directly to SAP Support to discover missing security patches.  SysRec also connects to each system in an SAP landscape to determine the current patch level. It reads the system information in the Landscape and Management Database (LMDB) to identify installed software components and versions. SysRec also integrates with the ABAP Call Monitor, Usage Procedure Logging, and Solution Documentation to perform change impact analysis for security patches.

2. Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Interface and Connection Monitoring (ICMon) in Solution Manager automatically maps cross-system interfaces including RFC, HTTP, IDOC and Web Services. This includes internal and external connections. It also monitors real-time traffic patterns to detect and alert for malicious actions including dangerous RFM and URL executions.

3. Analyze systems for malicious or excessive user authorizations.

Solution Manager can detect users with administrative privileges in SAP systems. It flags users with privileged authorizations, profiles, roles, transactions, Java permissions, and HANA system and table privileges. Privileges can include standard and custom objects.

4. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can monitor event logs in SAP systems to detect and alert for indicators of compromise (IOCs). This includes log files and tables such as the Security Audit Log, HTTP Log, System Log, Gateway Server Log, Change Document Log, Read Access Log, Java Security Log, HANA Audit Log, and the SAProuter Log. The MAI triggers alerts and email and text notifications for IOCs. Guided procedures provide a framework for incident response and tracking.

5. Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

MAI monitors user logs to detect and alert for suspicious behavior covering both privileged and non-privileged users. This includes unauthorized access, escalation of privileges and actions that could lead to data leakage.

6. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

SAP Partners periodically update content for Solution Manager to address new vulnerabilities and attack vectors.

7. Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Solution Manager continuously monitors for policy violations against security baselines and compliance frameworks such as GDPR, IT-SOX, NIST and PCI-DSS. Service Level Reports and Dashboards provide directions for implementing and tracking remedial actions taken to patch and secure systems. Guided procedures document incident investigation steps performed by responders. The results are archived in Solution Manager.

To learn more about how Solution Manager can help you comply with the DHS recommendations for securing SAP systems, contact Layer Seven Security.

SolMan-SIEM Integration for Advanced Threat Detection

Layer Seven on August 26, 2018

SAP Solution Manager monitors real-time event information in SAP logs to automatically detect and trigger alerts for specific Indicators of Compromise (IOCs).  This includes events written to the security audit log, system log, gateway server log, change document log, HTTP log, transaction log, SAProuter log, Java security log and the HANA audit log. Alerts are managed in the Alert Inbox or the System Monitoring app of SAP Solution Manager and automatic email and SMS notifications are triggered for critical incidents. Alerts are integrated with Guided Procedures to support an end-to-end process for incident detection and response within Solution Manager.

The data collection for event monitoring using Solution Manager is performed using existing RFC connections and Diagnostics Agents installed in managed systems. Since Diagnostics Agents can be installed in both SAP and non-SAP systems and components, Solution Manager can perform many of the functions of a Security Information and Event Management (SIEM) system. SolMan can monitor across the technology stack including database, operating system, and application layers, as well as network components such as routers, switches and firewalls. These areas are often monitored by organizations using existing SIEM platforms. Therefore, SolMan is more commonly used for application-level monitoring.

SIEM platforms support direct monitoring of SAP log files, tables and other data sources. However, there are several drawbacks with this approach. One of the drawbacks is that each data source within every target system must be connected separately to SIEM platforms. This increases deployment times and complexities. Once connected, rules and patterns must be defined in the platforms for every possible event. Also, since SIEM platforms are ingesting raw logs, the cost of monitoring and storing mammoth-sized logs for multiple SAP systems can be prohibitive, especially for large landscapes.

SAP Solution Manager overcomes these drawbacks by parsing log files and tables and filtering events before forwarding alerts to SIEM platforms. This enables the platforms to avoid ingesting raw logs to monitor SAP event information. Since the event data forwarded to SIEM platforms is derived from a single source for all SAP systems in a landscape, deployment is also faster and less complex. Finally, Solution Manager structures and enriches the event data before it reaches SIEM platforms to reduce the need to develop rules and patterns to interpret SAP event information.

Solution Manager can integrate with SIEM platforms through several ways. The most common is using OS commands that are called by SolMan to write event data to external files that are ingested by SIEM solutions. Alerts are written to external files as soon as they are triggered by SolMan. Alert fields can include the alert name, description, priority, date, time, SAP System ID, and other areas.

This process integrates alerts for IOCs and other security risks detected by SolMan for SAP applications with SIEM systems for centralized monitoring and cross-platform correlation. The example below is for Splunk Enterprise. Click on the images below to enlarge.

DHS Issues Warning for Cyber Attacks Targeting SAP Applications

Layer Seven on July 26, 2018

The United States Department of Homeland Security issued a warning this week for malicious cyber activity targeting ERP applications including SAP. The warning is based on the findings of a recent report issued by Digital Shadows. The report discusses the dramatic rise in cyber attacks on widely used ERP applications. The report echoes the findings of an earlier study by Gartner that predicted a growth in attacks targeted at business applications.

The findings of the report are summarized below.

– The number of publicly available exploits for SAP applications has doubled in the past three years and there has been a 160% increase in the activity and interest in ERP-specific vulnerabilities between 2016-17

– Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations

– Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications

– Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage

– There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums

– Attacks vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days

– Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.

– Leaked information by third parties and employees can expose internal ERP applications.

In response, the report recommends the following actions to protect SAP applications from cyber attack.

– Identify and mitigate ERP application layer vulnerabilities, insecure configurations and excessive user privileges

–  Identify and remove dangerous interfaces and APIs between the different ERP applications in the organization, especially those with third parties and that are internet-facing

–  Monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise

–  Monitor for leaked ERP data and user credentials

The recommended actions can be applied using SAP Solution Manager. System and user-level vulnerabilities can be identified using Service Level Reporting and Dashboards in Solution Manager. System Recommendations can be used to discover and apply security patches. Vulnerable cross-system connections including external connections can be discovered and monitored using Interface and Connection Monitoring (ICMon). The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to monitor SAP logs to detect indicators of compromise including the leakage of sensitive data. Finally, the Guided Procedure Framework provides a platform for incident response using standard operating procedures for alert investigation.

U.S Treasury Sanctions ERPScan

Layer Seven on June 14, 2018

Earlier this week, the United States Treasury issued an Executive Order to prohibit U.S organizations from engaging with ERPScan, a subsidiary of Digital Security and a provider of security software and services for SAP systems. According to a press release issued by the Treasury, Digital Security “provided material and technological support to Russia’s Federal Security Service (FSB)” and contributed to efforts to “increase Russia’s offensive cyber capabilities for the Russian Intelligence Services”. Treasury Secretary Steve Mnuchin stated that the Executive Order is driven by the need to “counter the constantly evolving threats emanating from Russia”.

ERPScan has denied any link with the FSB in an official statement. Further, it stated that “it is unfortunate that American companies will not have a competitive market in the ERP Security field, turning our main US competitor into a monopolist without any incentive to innovate.”

There are several competitors in the ERP security market within the United States. Therefore, the withdrawal of ERPScan is unlikely to lead to a monopoly in the market. Furthermore, the solution providers in the market have demonstrated a universal commitment to innovation including advances such as Data Loss Prevention using SAP Solution Manager recently announced by Layer Seven Security. There is no reason to believe that the Executive Order will diminish the level of innovation in the market.

However, the Executive Order has highlighted the risk to SAP customers arising from the dependence on third party security tools for SAP security monitoring. Layer Seven Security is the only solution provider in the market that eliminates this risk by leveraging SAP Solution Manager to protect SAP systems from cyber threats. Solution Manager is supported and maintained directly by SAP. Contact Layer Seven Security to discuss these and other benefits of SAP cybersecurity monitoring with Solution Manager.