© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Security Monitoring for your SAP Landscape - Challenge accepted!
Thomas Meindl // Senior Consultant IT-Security
10.09.2014 © iT-CUBE SYSTEMS GmbH 2014 2
10 years of strong IT-Security focus
60+ realized SIEM integrations
8 years accredited HP ArcSight Partner & Training Center
Deep knowledge in SAP Security & Development
Revolutionary 360° SAP Security Solution
COMPANY OVERVIEW
Agenda
Motivation
SIEM Evolution
The Solution - agileSI 360°
Use Cases
Recap & Benefits
Questions and Answers
Protect your SAP® data…
SAP RISK
Essential Business Processes
Critical, sensitive data: HR, FI, CRM, SRM, PP, PLM
Intellectual property: product data, bill of material, CAD data
…"big" data! big risk!
SAP® tools bypass SAP® security
SAP INHERENT SECURITY & VULNERABILITIES
SAP® GRC
SAP® Solution Manager
SAP® IDM
SAP® STMS
SAP® Gateway
SAP® JCo
SAP® OSS
SAP® RFC
Debugging
OS Commands
Transports
Log management / Compliance
SIEM EVOLUTION
(figure: SIEM Evolution; axes: Log Device Diversity vs. System Maturity / Sophistication of Use Cases. Labels: AV / FW; OS / DB; Application Logs; VA / IDM / IAM / Reputation Based Data; Threat Detection; Insider Threat Detection; Identity View, APT, Botnet Detection; Fraud, DLP)
SAP®/SIEM Integration
360° SAP SECURITY MONITORING
Network devices
Security devices
Identity management
Endpoint servers
Databases
Email/Web gateways
Physical Access
The blind spot:
Business Application Runtime
SIEM: (r)evolution in SAP Security Monitoring
(figure; axes: Level of automation vs. Scope of inspection. Labels: Reports; Manual checks; SAP Security Intelligence; remediation process)
THE SOLUTION
SOLUTION ARCHITECTURE
SAP® Security Sources: Security Audit Log, System Log, System Parameters, Tables, Transport Log, Gateway Config & Log, Change Documents (SCDO + UMR), Table Change Logging, Access Control (SoD), Security Patches, Transaction Codes
agileSI™ components: data extraction, CEF format mapping, SIEM visualization
HP ArcSight: SAP® Security Analytics
HP ArcSight specific content package: 100+ detection use cases derived from
− DSAG Audit Guidelines
− SAP Security Recommendations
− iT-CUBE SAP Security Specialists (define content package with practically proven knowledge)
agileSI™'s wider range of visibility
360° SAP SECURITY MONITORING
Ticketing system intf., Management, SAP Department, SOC, Audit
SoD Conflicts & Access Control
SAP Standard Accounts
Authorization Changes
Security Audit Logs & Settings
System & Client Changes
Table Change Logging
STMS/Transports
OS Command Exec.
Changes to User Master Records
Debugging Activities
Export to Excel Detection
Logon of virus infected client
RFC connections
Application Brute Force attack
Critical transactions, programs, …
From raw event to signal – separating the noise
ARCSIGHT IMPLEMENTATION
Case Manager
agileSI™ SAP Security Intelligence
SAP® related devices
SAP® related security incidents…
ARCSIGHT IMPLEMENTATION
1 … by agileSI™ HP ArcSight content package
2 … by HP ArcSight standard content [ agileSI™ talks SIEM ]
3 … by HP ArcSight standard content [ agileSI™ Asset/Network Model ]
SAP® failed login → HP ArcSight auth. failure
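The "CEF format mapping" step of the solution architecture and the failed-login-to-auth-failure mapping above, as an added Python example that is not agileSI™'s or the page's own code: it renders a constructed SAP Security Audit Log record as a CEF line with correct header and extension escaping. The vendor/product strings, the field choices and the assumption that message id AU2 means "logon failed" are the author's, not the page's.

```python
from dataclasses import dataclass


@dataclass
class SapAuditRecord:
    """One constructed SAP Security Audit Log entry (not a real capture)."""
    sid: str       # SAP system id, e.g. ECP
    client: str    # SAP client
    msg_id: str    # Security Audit Log message id; AU2 = logon failed is an assumption
    user: str      # SAP user name
    terminal: str  # terminal / workstation name
    text: str      # free-text message


def _esc_header(value: str) -> str:
    """CEF header fields must escape backslash and the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    """CEF extension values must escape backslash, '=' and line breaks; '|' is legal here."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


# Assumed mapping: SAL message id -> (event name, CEF severity 0-10,
# deviceEventCategory, outcome). AU2 carries the page's "failed login ->
# auth failure" mapping; unknown ids fall back to a neutral entry.
SAL_MAP = {
    "AU1": ("Logon successful", 1, "/Authentication/Verify", "success"),
    "AU2": ("Logon failed", 5, "/Authentication/Verify", "failure"),
}


def to_cef(rec: SapAuditRecord) -> str:
    """Render the record as one CEF:0 line (vendor/product strings are placeholders)."""
    name, sev, cat, outcome = SAL_MAP.get(rec.msg_id, (rec.msg_id, 3, "/Other", "unknown"))
    # Header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity
    header = "|".join(["CEF:0", "ExampleVendor", "SAPConnector", "1.0",
                       _esc_header(rec.msg_id), _esc_header(name), str(sev)])
    # Extension: standard CEF keys; the SAP client rides in a labelled custom string
    ext = {"dvchost": rec.sid, "cs1Label": "SAPClient", "cs1": rec.client,
           "duser": rec.user, "shost": rec.terminal, "cat": cat,
           "outcome": outcome, "msg": rec.text}
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def is_auth_failure(cef_line: str) -> bool:
    """What a SIEM rule should key on: category and outcome, not the free text."""
    return "cat=/Authentication/Verify" in cef_line and "outcome=failure" in cef_line
```

A correlation rule that matches on the category and outcome keys keeps working when the free-text message wording changes between SAP releases.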
ARCSIGHT IMPLEMENTATION
agileSI™ for HP ArcSight
agileSI™ light [SAP remote connector with limited security sources] … for quick wins / proof of value
agileSI™ Extended … for a maximum in security
3. Powerful HP ArcSight Content Pack
agileSI™ SAP Security Intelligence package for 360° SAP Security Monitoring in HP ArcSight SIEM
Use Cases
USE CASE EXAMPLES - EXTENDED
agileSI™ will help…
• Monitoring of special accounts
• Changes to critical data
• Logon of virus infected clients
• Detect anomalies in workflows
• What if critical data is leaving SAP?
… and many more
STMS Transport Management
• SoD conflicts in STMS
• Critical objects imported, like assignment of authorization objects
• STMS parameter checks
• Transport at unusual time frame
RFC transparency
• Actually used RFC connections & transparency map (NON-SAP to SAP; NON-PROD. to PROD.)
• RFC settings like SNC, RFC trace, trusted relationships
• RFC user monitoring (accounts and user type used)
Security Logs and Settings
• Control of SAP Security Audit Log and other critical logs like table change logs
• Control of log settings (activation, trace level)
SoD conflicts and Access Control
• All DSAG (>115!) checks implemented and covered by agileSI™ (SAP & ArcSight)
• Checks are maintainable, customizable, extendable
Continuous! Automated! Complete and holistic! In SIEM!
Coming soon… Read Access Logging (free version of SAP UI Logger)
READ ACCESS LOGGING
Customers use agileSI™ for…
WHAT THE CUSTOMER SAYS…
Automated compliance & security monitoring
• Automation of compliance checks and reports with agileSI™
• Extension of given compliance checks with security use cases
• Complete system landscape monitoring
• Transfer of agileSI™ findings into ticketing system
Access controls and transaction monitoring
• Internationally operating organization
• Monitoring of international users accessing national-classified data (invoices, CAD, project owners)
• Ad-hoc monitoring & forensics
• RFC transparency in SAP landscapes (SAP-to-SAP; NonSAP-to-SAP)
• Implementation of SAP UI Logger
Control of production process
• Usage of precious metal in production
• Control of production process via custom applications
• Transfer output of these applications into SIEM
• Continuous control!
• Management reports
LICENSE
License: # SID (System Id, database Id)
SID: ECP [ECC/ERP] central instance
SID: PLP [PLM] central instance
SID: CRP [CRM] (central instance)
(figure labels: App. Server instances)
License # SID = 3
Compliance issues at a glance (e.g. Profile Parameter / System Configuration)
Security findings at a glance (Event based, e.g. Security Audit Log and others)
Compliance – Reports (e.g. Profile Parameter / System Configuration)
Key benefits
SUMMARY
Continuous, daily audit
Automated compliance & security monitoring (ready-to-use)
Complete SAP system landscape centrally monitored
Lower the number of auditor's findings
Reduce compliance and audit costs through automation
Improve your SAP® Security & Risk Management
Session TB4092 Speaker Thomas Meindl
Thank you
SOLUTION DESIGN
(figure: AGENT / CORE pairs per SAP system; functions: Data Collection, Administration, Analysis; roles: Admin, Management, SAP, SOC, Audit)
ARCSIGHT IMPLEMENTATION
Asset Categorization – Information is available in SAP
ARCSIGHT IMPLEMENTATION
Asset Categorization - Benefits
… enhances correlation … helps prioritize … adds layer
APPLICATION SECURITY: SIEM THREAT RESPONSE
SIEM adaptive monitoring; SIEM automated Threat Response
in case of strong suspicion…
User Audit Trail
User Lock
User Log out
TCP Session termination
THE FRONTEND
(figure: the same AGENT / CORE design as Solution Design, with SIEM; functions: Data Collection, Administration, Analysis; roles: Admin, Management, SAP, SOC, Audit)