
Transcript of “L’impresa non può essere Intelligente senza essere sicura” (The enterprise cannot be Intelligent without being secure)

Page 1

PUBLIC

Enable the Intelligent Enterprise with SAP Services

Chiara De Maria – Business Development Consultant, SAP Services

Sandro Coco – Principal Technology Architect, SAP Services

May 7th, 2020

L’impresa non può essere Intelligente senza essere sicura (The enterprise cannot be Intelligent without being secure)

Page 2

2PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Enable the Intelligent Enterprise with SAP Services

2PUBLIC© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Today's Speakers

Chiara De Maria

Business Development Consultant

SAP Services

Sandro Coco

Principal Technology Architect

SAP Services

Page 3

Let's Build the Intelligent Enterprise Together!

January: the month of Customer Experience. February: the month of S/4. March: the month of Manufacturing and Supply Chain.

April: the month of data

• 2 April – The value of data in the Intelligent Enterprise
• 7 April – How to build an Enterprise Data Warehouse: the SAP Services point of view
• 23 April – SAP Analytics Cloud: the innovation of Analytics Apps
• 28 April – The ocean of enterprise data, diving in to discover the submerged worlds: Data Science and Data Management
• 30 April – The value of innovation brought by BW/4 2.0

May: the month of Intelligent Technologies

• 7 May – The enterprise cannot be intelligent without being secure
• 14 May – Don't slip on the hyperscaler: evolution paths towards hybrid architectures
• 21 May – Consolidated design approaches to the use of Machine Learning
• 26 May – Well monitored is half done
• 26 May – Innovate and accelerate time to value with a subscription-based SAP Commerce Cloud implementation

June: the month of Application Development & Integration

• 4 June – Using SAP Cloud Platform consciously to design the Intelligent Enterprise Architecture
• 11 June – Bringing ABAP code up to date thanks to the ABAP Environment of SAP Cloud Platform
• 18 June – Extending functionality and building innovative applications with SAP Cloud Platform
• 25 June – Meeting the integration needs of the Intelligent Enterprise with SAP Cloud Platform

Page 4

SAP Services Italia

The Jam group dedicated to SAP Services Italia customers

The SAP Jam site dedicated to the Italian customers of SAP Services is the starting point for:

✓ Watching the recordings of past editions of our webinars and the related presentations
✓ Consulting the material shared during our events
✓ Exploring further material that we think may interest you

Page 5

INTELLIGENT ENTERPRISE INNOVATION DAY #VIRTUAL_EVENT

• 9 JULY – SUPPLY CHAIN, MANUFACTURING & MAINTENANCE INNOVATION DAY #VIRTUAL_EVENT
• 17 SEPTEMBER – BUSINESS INTELLIGENCE & DATA MANAGEMENT INNOVATION DAY
• CUSTOMER EXPERIENCE INNOVATION DAY

“Together, we make it happen”

51 participants

71 participants

Page 6

The Intelligent Enterprise framework

Page 7

Agenda

• Modern SAP Landscape
• Past SAP Security breaches/exposures
• 10KBLAZE
• Keep calm and…
• How can we help you…?
• Q&A

Page 8

Agenda

• Modern SAP Landscape
  ▪ Opportunities, complexities, challenges
• Past SAP Security breaches/exposures
• 10KBLAZE
• Keep calm and…
• How can we help you…?
• Q&A

Page 9

• 76% of the world’s transaction revenue
• 83% of the world’s business-to-business transaction revenue
• $22 trillion of consumer purchases around the world

… are touched by SAP software systems.

If our economy is to thrive, our commitment to cybersecurity must match our commitment to innovation.

Page 10

Security risks increasing with Digital Transformation

Digital technologies are here to stay: Predictive analytics, Internet of Things, Cybersecurity, Hyperconnectivity, Big Data, Mobile, Artificial Intelligence, Machine Learning, Cloud.

• Value of data: Data has value, both in terms of the value companies are able to extract and the value a potential hacker could exploit.
• Volume of data: Companies are collecting and storing more data than ever before.
• Vulnerability of endpoints: No longer does data remain locked inside a mainframe; it has proliferated outside the four walls of a company’s business.

The sheer number and sophistication of attacks are at an all-time high.

(Chart axes: Security risk vs. Value to attacker)

Page 11

SAP Intelligent Suite: hosting your «crown jewels»

• Intellectual property
• Treasury and cash
• Financial reporting insights
• Business trade secrets
• Sensitive customer information
• Sensitive employee information
• …

The ugly truth is that many customers are protecting their most valuable information assets behind… myths:

• «Internal SAP Security team has SoD topic under full control»
• «SAP ERP platform is accessible only through internal network, and we have strong perimeter security»
• «We’re moving to Cloud so security is no more our concern»
• «We regularly patch our systems so it can’t be vulnerable»

Page 12

Modern SAP Landscape

SAP Application Landscape is dramatically evolving… (diagram: On-Prem applications, SAP & non-SAP)

Page 13

Modern Landscape: Digital Transformation

Digital transformation leads to an explosion of connected environments where perimeter protection doesn’t help any more.

In the past, legacy enterprise software gained its level of security by means of the customer’s implementation of security on its network. In a digital world, this classical enterprise network doesn’t really exist any longer.

Attackers and other malicious individuals will continue to compromise weak links in customers’ enterprises, resulting in deep access to their systems and networks.

SAP applications must employ all aspects of security since they can be much more exposed than you think.

Page 14

Modern SAP Landscape: challenges

We must take into account that the SAP Landscape and SAP Technology have evolved with time. Threats have evolved just as much. This doesn’t mean modern landscapes are inherently less secure; it means you have to adapt your security approach.

• Hybrid/Multicloud scenarios → endpoint security
• Access to applications anytime, anywhere → does «on Premise» still have a meaning?
• Attacks can come from inside:
  • unfaithful employees
  • spear phishing attacks

According to security researchers scanning the deep web, interest in SAP vulnerabilities has greatly increased in the last 5 years*

*source: Digital Shadows Ltd. and Onapsis Inc., “ERP Applications Under Fire” – July 2018

Page 15

Agenda

• Modern SAP Landscape
• Past SAP Security breaches/exposures
  ▪ …you definitely don’t want to be next
• 10KBLAZE
• Keep calm and…
• How can we help you…?
• Q&A

Page 16

Past SAP Security breaches…yes, it’s awfully real

Page 17

Past SAP Security breaches/exposures

• 2012 – Anonymous claimed a breach of the Greek Ministry of Finance using an SAP zero-day exploit
• 2013 – Banking Trojan found to also target SAP clients (SAPGUI detection + screenshot capture + keylogger)
• 2014 – Chinese hackers break into the NVIDIA customer portal through an SAP NetWeaver vulnerability; the related SAP Security Note had been available since 2011
• 2015 – Chinese hackers break into USIS, the largest US DHS contractor, and steal thousands of sensitive personal records by leveraging a vulnerability of a poorly managed SAP system (probably a standard password). USIS’s controlling company filed for bankruptcy after this
• 2016 – 1st DHS US-CERT Alert for SAP Business Applications (36 multinationals breached by leveraging the SAP J2EE invoker servlet vulnerability, fixed by SAP in 2010)
• 2018 – 2nd DHS US-CERT Alert for SAP Business Applications (warning of increased interest in SAP exploitation techniques)
• 2019 – 10KBLAZE: 3rd US-CERT Alert for SAP Business Applications (Gateway/Message Server misconfiguration vulnerability)

Page 18

Agenda

• Modern SAP Landscape
• Past SAP Security breaches/exposures
• 10KBLAZE
  ▪ You can always insecurely manage a security-by-design product
• Keep calm and…
• How can we help you…?
• Q&A

Page 19

Onapsis’ 10KBLAZE: Gateway/Message Server combined vulnerability

“In April 2019, several new exploits targeting two technical components of SAP® applications were released after being presented in a session at the OPCDE Security Conference. These exploits, dubbed 10KBLAZE, can lead to full compromise of SAP applications, including deletion of all business application data” – quote from the introduction of Onapsis’ 10KBLAZE Threat Report

Yes, it is as scary as it sounds… a PC with a Python interpreter inside your network (...you don’t expose your gateway nor message server directly to the public internet, do you?!?) and the attacker can take complete control of your production SAP system: exfiltrate/change/delete/create data, create administrative users, shut down application servers…

10KBLAZE is also a perfect example to explain the need for Secure Configuration of an SAP system. If you’re vulnerable to 10KBLAZE, this is due to a system misconfiguration, not to a defect in SAP software.

(If you found the question about exposing GW/MS to the internet offending… YES, there are SAP systems directly exposed to public networks.)

Page 20

Onapsis’ 10KBLAZE: what we are dealing with (demo)

USE THE FOLLOWING LINKS TO VIEW THE VIDEOS

• 10KBLAZE demo 1
• 10KBLAZE demo 2
• 10KBLAZE demo 3

Page 21

10KBLAZE demo 1

Page 22

10KBLAZE demo 2

Page 23

10KBLAZE demo 3

Page 24

Onapsis’ 10KBLAZE: history and remediations

10KBLAZE is based on SAP Message Server and SAP Gateway vulnerabilities.

• The Message Server vulnerability is dealt with in SAP Note 821875 – Security settings in the message server – first released March 8th, 2005. Further details are in SAP Note 1421005 – Secure configuration of the message server – first released July 23rd, 2010.
• The Gateway vulnerability is dealt with in SAP Note 1408081 – Basic settings for reg_info and sec_info – first released December 4th, 2009.
• On May 9th, 2019, as further help to customers dealing with the 10KBLAZE publication, SAP released the Security Spotlight News “Securely Configuring SAP Gateway and SAP Message Server” – https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html#section_1090235729
• SAP Note 2795681 – Securing SAP RFC Gateway and SAP Message Server – first released on May 30th, 2019, can be used as a starting point with all needed links to detailed configuration guides to securely configure both SAP Gateway and SAP Message Server
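As an added example (not part of the deck, and not SAP's or Onapsis' tooling), the following Python audit reads an SAP instance profile together with the Gateway reg_info/sec_info ACL files and flags the weak settings that the notes above address, for both the Gateway and the Message Server side. The parameter names follow SAP Notes 821875, 1421005, 1408081 and 2795681; the exact values treated as "weak" (for instance, anything other than 255 for gw/reg_no_conn_info) and all profile and ACL contents are constructed assumptions, so adapt them to the configuration guides linked from the notes.

```python
"""Audit an SAP instance profile and Gateway ACL files for the misconfigurations
10KBLAZE relies on.  Example code added to this transcript, not SAP's or
Onapsis' own tooling; the sample profile/ACL contents below are constructed."""
import re

# Constructed instance profile excerpt with weak settings (assumed values).
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
gw/acl_mode = 0
gw/reg_no_conn_info = 0
ms/monitor = 1
"""

# Constructed hardened profile excerpt (assumed values per the SAP Notes).
HARDENED_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
gw/acl_mode = 1
gw/reg_no_conn_info = 255
gw/sec_info = $(DIR_DATA)/sec_info
gw/reg_info = $(DIR_DATA)/reg_info
ms/acl_info = $(DIR_DATA)/ms_acl_info
ms/monitor = 0
rdisp/msserv_internal = 3900
"""

# Constructed reg_info: wildcard registration of any program from any host
# (weak) versus one explicit program from internal hosts and a final deny-all.
WEAK_REG_INFO = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
HARDENED_REG_INFO = ("#VERSION=2\n"
                     "P TP=sapxpg HOST=internal ACCESS=internal CANCEL=internal\n"
                     "D TP=* HOST=* ACCESS=* CANCEL=*\n")

# Constructed sec_info: anyone anywhere may start any program (weak) versus
# internal hosts only, followed by a deny-all.
WEAK_SEC_INFO = "#VERSION=2\nP TP=* USER=* HOST=* USER-HOST=*\n"
HARDENED_SEC_INFO = ("#VERSION=2\n"
                     "P TP=* USER=* HOST=internal USER-HOST=internal\n"
                     "D TP=* USER=* HOST=* USER-HOST=*\n")

PROFILE_LINE = re.compile(r"^\s*([A-Za-z0-9_/.-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROFILE_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def parse_acl(text):
    """Parse reg_info/sec_info VERSION=2 lines: 'P' permits, 'D' denies,
    the remaining tokens are KEY=VALUE pairs (HOST, TP, USER, ...)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        rules.append({"action": action.upper(), **fields})
    return rules


def is_wild(value):
    # '*' matches everything; a key that is absent from a rule is treated as '*'.
    return value is None or value.strip() == "*"


def audit_profile(params):
    findings = []
    if params.get("gw/acl_mode", "0") != "1":
        findings.append("gw/acl_mode != 1: missing ACL files fall back to permissive defaults")
    if params.get("gw/reg_no_conn_info", "0") != "255":  # assumption: all bits set
        findings.append("gw/reg_no_conn_info != 255: registration hardening bits not all set")
    for p in ("gw/sec_info", "gw/reg_info"):
        if p not in params:
            findings.append(f"{p} not set: no explicit gateway ACL file configured")
    if "ms/acl_info" not in params:
        findings.append("ms/acl_info not set: no ACL restricts which hosts may log on to the message server as application servers")
    if params.get("ms/monitor", "0") != "0":
        findings.append("ms/monitor != 0: external message server monitoring enabled")
    if "rdisp/msserv_internal" not in params:
        findings.append("rdisp/msserv_internal not set: internal and external message server ports not separated")
    return findings


def audit_reg_info(rules):
    return ["reg_info permits any host to register any program (TP=* HOST=*)"
            for r in rules if r["action"] == "P" and is_wild(r.get("TP")) and is_wild(r.get("HOST"))]


def audit_sec_info(rules):
    return ["sec_info permits any user on any host to start any program"
            for r in rules if r["action"] == "P" and is_wild(r.get("TP"))
            and is_wild(r.get("USER")) and is_wild(r.get("HOST"))]


def audit(profile_text, reg_info_text, sec_info_text):
    """Combine profile, reg_info and sec_info checks into one findings list."""
    params = parse_profile(profile_text)
    return (audit_profile(params)
            + audit_reg_info(parse_acl(reg_info_text))
            + audit_sec_info(parse_acl(sec_info_text)))


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_PROFILE, WEAK_REG_INFO, WEAK_SEC_INFO)),
                        ("hardened", (HARDENED_PROFILE, HARDENED_REG_INFO, HARDENED_SEC_INFO))):
        findings = audit(*args)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```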

Page 25

Agenda

• Modern SAP Landscape
• Past SAP Security breaches/exposures
• 10KBLAZE
• Keep calm and…
  ▪ Define a reaction strategy
  ▪ Become aware of your attack surface
  ▪ Design a hardening roadmap
  ▪ Define a patch strategy
• How can we help you…?
• Q&A

Page 26

What if you suffer a major security breach… tonight?!?

Page 27

Define a reaction strategy

WHAT IF you suffer a major security breach TONIGHT?!?

That’s bad… but it’s even worse if you have no idea what to do next.

• Understand the risk: know your SAP systems and assign each a criticality score – take into account the Economic, Compliance (e.g. GDPR) and Reputation impact caused by an outage, data leak or sabotage
• Identify all involved actors: internal key responsibles, business partners, customers, cloud providers…
• Prepare a reaction/remediation plan:
  • Save all information that could be used for forensic analysis
  • Execute what is needed to be operative again, e.g. trigger system restore or disaster recovery (time to review backup/DR policies?)
  • Inform authorities/customers/business partners
  • Start working on legal and/or reputational consequences
  • Document all findings and start a preemptive plan to avoid it happening again

This what-if simulation is the first step to really understand what you’re dealing with.

Page 28

Become aware of your attack surface

Know your SAP Landscape: interfaces with third parties, cloud connectors, internet-facing systems…

Collect all needed information from third parties/contractors (roles/responsibilities, compliance, technical security measures in place)

Bring the Security and SAP Basis teams to the same table – too often SAP systems are a «black box» to security teams: specific knowledge is needed to understand their vulnerabilities

Create a «Heat Map»: likelihood vs. severity of the risks identified, mapped on the relevant SAP system

Report on your findings to the CIO/CISO and get proper attention for the SAP security topic – you need empowerment to be able to create/enhance an SAP Security governance team

Heat map scores (Likelihood × Severity, each rated 1 to 5):

Likelihood \ Severity    1    2    3    4    5
1                        1    2    3    4    5
2                        2    4    6    8   10
3                        3    6    9   12   15
4                        4    8   12   16   20
5                        5   10   15   20   25

Page 29

Design a hardening roadmap

• Start with the hottest SAP systems in your heat map
• Assess security status with the Security and SAP Basis teams and prioritize remediations – don’t forget to leverage SAP Solution Manager to accomplish this (SOS, System Recommendations…)
• Assess the logging/auditing status of SAP systems and their interfaced systems
• Define a security test phase and benchmark results (planning an external audit and/or penetration testing can help in this)
• Execute remediations and match results against defined security KPIs
• Document security test results, report to internal stakeholders, and start back with the assessment part – be aware that hardening any infrastructure is an iterative process!
• Don’t miss leveraging existing transformation projects! Including major security measures in an already planned change will save you both time and money during the testing phase!
• Include a security review as a basic part of any future landscape evolution: security planning/development/realization always costs less than security remediation (and guess what… it’s less risky)

Page 30

Define a patching strategy

SAP releases more and more security notes, in line with increased technology complexity and the evolution of the threat landscape.

SAP Security Patch Day – 2nd Tuesday of every month: https://launchpad.support.sap.com/#/securitynotes

Review the relevant patches for your systems and be sure to apply HotNews timely.

Take care that your SP level is sufficient to allow HotNews to be installed! Consider the 18-months rule!!! https://blogs.sap.com/2012/03/27/security-patch-process-faq/#jive_content_id_40

BE AWARE: patching alone is no security guarantee – carefully review the needed post-patching manual actions/configurations (10KBLAZE docet)

(Image: first presentation on SAP Security at Black Hat)

Page 31

Agenda

• Modern SAP Landscape
• Past SAP Security breaches/exposures
• 10KBLAZE
• Keep calm and…
• How can we help you…?
  ▪ Security-enabling SAP products
  ▪ SAP Services
• Q&A

Page 32

Security-enabling SAP products

UI Logging: enables logging of any data access performed at UI level while keeping data accessible
• Much richer detail than the standard SAL
• Reporting enabled to identify & prove irregular data access
• Prevents illegitimate data access and theft by inducing compliant behavior

UI Masking: enables concealing specific data (values in fields/columns) unless required for business tasks
• Unmasking based on specific access rights on top of the existing roles/authorization setup

Enterprise Threat Detection
• Provides insight into suspicious activities in your SAP software-centric landscape, enabling you to identify security breaches in real time
• SAP’s own internal solution to protect SAP
• Central collector of all your security logs
• Leverages HANA’s AI/ML capabilities to identify activity correlations/patterns that could lead to a security violation

Page 33

SAP Services: Your Journey to the Intelligent Enterprise… and How We Help You Succeed

Project Success | Premium Success | Continuous Success

• Premium Success Engagements: SAP MaxAttention, SAP ActiveAttention
• Support, Adoption, and Optimization: SAP Preferred Success, SAP Enterprise Support, Value Adoption
• Managed Services: SAP HANA Enterprise Cloud, SAP Cloud Application Services
• Innovation and Advisory: SAP Advisory Services, SAP Innovation Services, SAP Innovative Business Solutions
• Implementation and Deployment: SAP Value Assurance, SAP Advanced Deployment
• Technology: Platform Services, Cloud and Integration, Data Services
• Training Services: Learning and Enablement Products

SAP Model Company; Training and Enablement; Lifetime Customer and Ecosystem Success

Page 34

SAP Security recommendations

10 focus areas for customers (for details, visit www.sap.com/security)

As SAP continues to secure its internal operations, we have captured our best-practice approach to share with our customers.

Emergency concept
▪ Define emergency, backup, and disaster recovery concepts to ensure business continuity
▪ Consider preparation of complete fallback systems for business-critical processes and applications

Users and authorizations
▪ Security awareness
▪ User authorizations clearly defined and managed

Custom code security
▪ Establish custom code lifecycle management processes
▪ Use security source code scan tools to identify vulnerabilities in your custom coding

Secure configuration
▪ Password security
▪ Authentication
▪ Encryption of data and communication

Secure maintenance of SAP software code
▪ Regularly update all SAP software
▪ Review common vulnerabilities and exposures (CVE) disclosures monthly to assess risks to your SAP software landscape

OS and database security
▪ Implement dedicated security requirements for all operating systems
▪ Implement restrictive database access mechanisms

Network security
▪ Define a network concept with clearly structured different zones
▪ Separate high-security areas
▪ Determine concepts for dedicated servers and administrative roles

Front-end security
▪ Deploy security configuration for both clients and mobile endpoints
▪ Distribute and activate administrator rules
▪ Activate access control lists (ACLs)

Security audit log
▪ Monitor all systems
▪ Activate the security audit log (SAL)
▪ Activate filters for critical users

Communication security
▪ Use encrypted communication: Secure Sockets Layer (SSL), Transport Layer Security (TLS), or Secure Network Communications (SNC)
▪ Secure all remote function call (RFC) connections

Page 35

SAP Services: Cybersecurity & Compliance Services Offering Areas

Strategy and architecture, Continual improvement, Transparency and mitigation, Awareness

Securing a landscape is a continuous, iterative process.

Take advantage of SAP Services to:

• Gain awareness of the current situation
• Identify top-priority remediations
• Learn how to make the most of tools you already have
• Improve your competence in securely running your SAP landscape
• Safeguard your investments by including security in your next implementation projects
• Define/refine a hardening roadmap for your landscape
• Plan how to deal with your Digital Transformation with a security-compliant methodology

Page 36

SAP Services: Cybersecurity & Compliance Services Offering Portfolio

SAP Roles & Authorizations
• Roles & Authorizations Concept Workshop
• Roles & Authorizations Review

SAP Access Control
• Ruleset Review
• Solution Design Review
• Solution Design & Implementation
• SuccessFactors Integration PoC
• SuccessFactors HR Automation PoC

SAP Identity Management
• Overview Infosession
• Solution Design Assessment
• Solution Design & PoC Implementation
• System Health Check
• Sizing Check

Core Empowerment
• Security Planning
• S/4HANA Roles & Authorizations Migration Planning
• SAP Identity & Access Management Planning
• SAP Access Control Custom Solution Discovery
• SAP Cloud Platform Security Planning
• GDPR Discovery

Security in Cloud & Hybrid Landscapes
• Cloud Authentication & Provisioning Workshop
• Securing the Cloud Connector

Communication Channel Security
• Communication Channel Security Workshop
• Securing the RFC Gateway

Authentication & Single Sign-On
• SSO Evaluation Workshop
• Single Sign-On Workshop

Technical & Custom Code Security
• Configuration Validation Workshop
• Patch Management Workshop
• Custom Code Security Infosession

Awareness
• Security Pulse Check

Data Privacy & Protection
• UI Logging & UI Masking Empowering Session
• GDPR Technical Basic Check

Security Review & Monitoring
• Logging & Forensic Analysis Infosession
• SAP Enterprise Threat Detection Infosession
• SAP Enterprise Threat Detection Pilot To Production
• SAP Enterprise Threat Detection Health Check

Security Architect
• Dedicated Security Architect (fTQM)

Page 37

Awareness: Security Pulse Check

Objectives
• SAP obtains an overview of the customer’s situation regarding SAP security by reviewing the current solution landscape and previously executed Service Reports (EWA, SOS)
• Identify needs, options and next steps to improve the security of the customer’s SAP environments, summarized in a customized Action Plan

Activities
• Remote analysis of the systems in scope (directly and leveraging Solution Manager tools)
• Onsite workshop to share the analysis findings and assess the customer's scenario with both the BASIS and Security customer teams
• Drawing up of the final report and Action Plan
• Onsite workshop to discuss the Action Plan and define the next steps

Outcomes
• Wrap-up report, containing the remote analysis and onsite workshop findings
• Action Plan containing action items and the recommended course of action to resolve gaps, as discussed and aligned during the onsite workshop

Prerequisites and constraints
• Maximum 3 systems in scope
• Systems in scope already configured in Solution Manager (the customer can ask for SAP support if this is still to be done)
• Remote access provided to SAP consultants to the systems in scope and to Solution Manager

Page 38

Further Info

Suggested openSAP courses:
▪ Information Security Management in a Nutshell
▪ Cybersecurity – The Essential Challenge for Digital Transformation

Useful information available on SAP web sites:
▪ Security guides – https://help.sap.com: provides security guide documentation
▪ Security on sap.com – https://sap.com/security: provides information on security at SAP and on security products from SAP
▪ SAP Security Notes – https://launchpad.support.sap.com/#/securitynotes: provides information on SAP Security Notes
▪ Security optimization services landing page – https://support.sap.com/sos: provides information on tools and services in the context of your maintenance contract
▪ SAP Cloud Trust Center site – https://sap.com/cloud-trust-center: provides information on cloud security and security certifications at SAP
▪ Security community – https://www.sap.com/community/topic/security.html: gives access to the security community at SAP with information, blogs, and forums

Page 39

Agenda

• Modern SAP Landscape
• Past SAP Security breaches/exposures
• 10KBLAZE
• Keep calm and…
• How can we help you…?
• Q&A

Page 40

Q&A

(Comic: source xkcd.com)

Page 41

Enable the Intelligent Enterprise with SAP Services
https://webinars.sap.com/it/sap-Services-italy-for-intelligent-enterprise/it/home

Contact information:

Sandro Coco
Principal Technology Architect
[email protected]
+393357749886

Thank you.