Transcription
Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
[Slide 2] Security Monitoring for your SAP Landscape - Challenge accepted!
Thomas Meindl, Senior Consultant IT-Security
10.09.2014 iT-CUBE SYSTEMS GmbH 2014

[Slide 3] COMPANY OVERVIEW
- 10 years of strong IT-Security focus
- 60 realized SIEM integrations
- 8 years accredited HP ArcSight Partner & Training Center
- Deep knowledge in SAP Security & Development
- Revolutionary 360 SAP Security Solution

[Slide 4] Agenda
- Motivation
- SIEM Evolution
- The Solution - agileSI 360
- Use Cases
- Recap & Benefits
- Questions and Answers

[Slide 5] Motivation: SAP Security Status Quo

[Slide 6] SAP RISK - Protect your SAP data
- Essential business processes
- Critical, sensitive data: HR, FI, CRM, SRM, PP, PLM
- Intellectual property: product data, bill of material, CAD data
- "big" data! big risk!

[Slide 7] SAP INHERENT SECURITY & VULNERABILITIES
SAP tools bypass SAP security:
- SAP RFC
- SAP Solution Manager
- SAP GRC
- SAP IDM
- SAP Gateway
- SAP JCo
- SAP OSS
- SAP STMS
- Debugging
- OS Commands
- Transports

[Slide 8] SIEM Evolution

[Slide 9] SIEM EVOLUTION - Log Device Diversity
(Diagram: System Maturity plotted against Sophistication of Use Cases.)
Log sources, in order of increasing maturity: OS / DB, AV / FW, VA / IDM / IAM, Application Logs, Reputation Based Data.
Use cases, in order of increasing sophistication: Log management / Compliance, Threat Detection, Insider Threat Detection, Identity View, APT / Botnet Detection, Fraud, DLP.

[Slide 10] 360 SAP SECURITY MONITORING - SAP / SIEM Integration
Sources already feeding the SIEM: Security devices, Identity management, Endpoint servers, Databases, Email/Web gateways, Network devices, Physical Access.
The blind spot: Business Application Runtime.

[Slide 11] THE SOLUTION - SIEM: (r)evolution in SAP Security Monitoring
(Diagram: Scope of inspection plotted against Level of automation.)
Stages: Manual checks -> Reports -> Remediation process -> SAP Security Intelligence.

[Slide 12] The Solution - agileSI 360

[Slide 13] SOLUTION ARCHITECTURE
agileSI components: data extraction (SAP) -> CEF format mapping -> SIEM visualization (HP ArcSight).
SAP Security Sources:
- Security Audit Log
- System Log
- System Parameters
- Tables
- Transport Log
- Gateway Config & Log
- Change Documents (SCDO UMR)
- Table Change Logging
- Access Control (SoD)
- Security Patches
- Transaction Codes
SAP Security Analytics: HP ArcSight specific content package with 100 detection use cases derived from:
- DSAG Audit Guidelines
- SAP Security Recommendations
- iT-CUBE SAP Security Specialists (define content package with practical proven knowledge)
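The "CEF format mapping" step in the architecture above is the part a SIEM engineer would want to see concretely: SAP Security Audit Log records have to be turned into ArcSight CEF lines with the right header fields, extension keys and escaping before any standard content can correlate them. The following is an added example in Python, written for this transcription; it is not agileSI or ArcSight code. The record layout, field names and sample values are constructed; AU1/AU2/AU3 are the Security Audit Log message IDs for successful logon, failed logon and transaction start, and the escaping follows the CEF rules (pipes and backslashes in the header, equals signs, backslashes and line breaks in the extension).

```python
# Added example (not agileSI or ArcSight code): map SAP Security Audit Log
# records to ArcSight CEF events. Record layout and values are constructed.
from datetime import datetime, timezone

SAMPLE_RECORDS = [  # constructed sample input, not real audit data
    {"ts": "2014-09-10T08:15:02Z", "sid": "ECP", "client": "100", "user": "JDOE",
     "terminal": "10.1.2.3", "msgid": "AU2",
     "text": "Logon failed (reason = 1, type = A)"},
    {"ts": "2014-09-10T08:16:40Z", "sid": "ECP", "client": "100", "user": "BASIS1",
     "terminal": "10.1.2.9", "msgid": "AU3",
     "text": "Transaction SE38 started | debug=on"},
]

# SAL message ID -> (CEF signature id, event name, severity 0-10).
# Unknown IDs fall back to a generic medium-severity event so nothing is dropped.
MSG_MAP = {
    "AU1": ("AU1", "Logon successful", 2),
    "AU2": ("AU2", "Logon failed", 5),
    "AU3": ("AU3", "Transaction started", 3),
}


def epoch_ms(ts):
    """ISO-8601 UTC timestamp -> milliseconds since the epoch (CEF key 'rt')."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def esc_header(value):
    """CEF header fields: backslash and the pipe separator must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    """CEF extension values: backslash, '=' and line breaks must be escaped;
    pipes are legal here and stay as they are."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec):
    """One SAL record -> one CEF line: CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext."""
    sig, name, sev = MSG_MAP.get(rec["msgid"], (rec["msgid"], "SAP audit event", 3))
    header = "|".join(esc_header(f) for f in
                      ("CEF:0", "SAP", "SecurityAuditLog", "1.0", sig, name, sev))
    ext = {
        "rt": epoch_ms(rec["ts"]),      # receipt time
        "suser": rec["user"],           # source user
        "src": rec["terminal"],         # client address
        "cs1Label": "SID", "cs1": rec["sid"],        # custom string: system id
        "cs2Label": "Client", "cs2": rec["client"],  # custom string: SAP client
        "msg": rec["text"],
    }
    return header + "|" + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())


def map_all(records):
    return [to_cef(r) for r in records]


if __name__ == "__main__":
    for line in map_all(SAMPLE_RECORDS):
        print(line)
```

Keeping SID and client in labelled custom strings rather than in `msg` is what lets standard ArcSight content later filter or group by system, and unknown message IDs are mapped to a generic event instead of being silently discarded.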
[Slide 14] 360 SAP SECURITY MONITORING - agileSI's wider range of visibility
Stakeholders: Audit, SOC, SAP Department, Management.
Visibility into:
- Logon of virus infected client
- SAP Standard Accounts
- Changes to User Master Records
- System & Client Changes
- STMS / Transports
- Table Change Logging
- SoD Conflicts & Access Control
- Authorization Changes
- Security Audit Logs & Settings
- Ticketing system interface
- Export to Excel detection
- Debugging Activities
- RFC connections
- OS Command Execution
- Critical transactions, programs
- Application Brute Force attack

[Slide 15] Implementation in ArcSight

[Slide 16] ARCSIGHT IMPLEMENTATION - From raw event to signal: separating the noise
SAP Security Intelligence -> agileSI Case Manager

[Slide 17] ARCSIGHT IMPLEMENTATION - SAP related security incidents
1. by agileSI HP ArcSight content package
2. by HP ArcSight standard content [agileSI talks SIEM] (diagram: SAP "failed login" -> ArcSight "auth. failure")
3. by HP ArcSight standard content [agileSI Asset/Network Model] (diagram: SAP related devices)

[Slide 18] ARCSIGHT IMPLEMENTATION - 3. Powerful HP ArcSight Content Pack

[Slide 19] agileSI for HP ArcSight
agileSI SAP Security Intelligence package for 360 SAP Security Monitoring in HP ArcSight SIEM:
- agileSI light [SAP remote connector with limited security sources]: for quick wins / proof of value
- agileSI Extended: for a maximum in security

[Slide 20] Use Cases

[Slide 21] USE CASE EXAMPLES - EXTENDED
SoD conflicts and Access Control:
- All DSAG (115!) checks implemented and covered by agileSI (SAP & ArcSight)
- Checks are maintainable, customizable, extendable
Security Logs and Settings:
- Control of SAP Security Audit Log and other critical logs like table change logs
- Control of log settings (activation, trace level)
RFC transparency:
- Actually used RFC connections & transparency map (NON-SAP to SAP; NON-PROD. to PROD.)
- RFC settings like SNC, RFC trace, trusted relationships
- RFC user monitoring (accounts and user type used)
STMS Transport Management:
- SoD conflicts in STMS
- Critical objects imported, like assignment of authorization objects
- STMS parameter checks
- Transport at unusual time frame
and many more:
- Monitoring of special accounts
- Changes to critical data
- Logon of virus infected clients
- Detect anomalies in workflows
- What if critical data is leaving SAP? agileSI will help
Continuous! Automated! Complete and holistic! In SIEM!
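Three of the use cases named on the slides above ("Application Brute Force attack" and "Logon of virus infected client" on slide 14, "Transport at unusual time frame" on slide 21) are easiest to understand as correlation rules over already-normalized events, which is what the "agileSI talks SIEM" slide describes. The following is an added example in Python, written for this transcription and not agileSI or ArcSight content: every event, threshold and time window is constructed, AU1/AU2 are the Security Audit Log message IDs for successful and failed logon, and the transport request names follow the SID + K + number convention.

```python
# Added example (not agileSI content): three SAP use cases as plain
# correlation rules over constructed, normalized events.
from collections import defaultdict, deque
from datetime import datetime, timedelta, time


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


EVENTS = [  # constructed sample stream, as it would look after CEF mapping
    # five failed logons for JDOE inside one minute -> brute force
    *({"t": ts(f"2014-09-10 03:10:{i:02d}"), "src": "sap_sal", "sid": "ECP",
       "msgid": "AU2", "user": "JDOE", "ip": "10.1.2.3"} for i in (0, 20, 40, 55, 59)),
    # antivirus detection on a workstation, then a successful SAP logon from it
    {"t": ts("2014-09-10 09:00:00"), "src": "antivirus", "ip": "10.1.2.77",
     "action": "malware_found"},
    {"t": ts("2014-09-10 09:30:00"), "src": "sap_sal", "sid": "ECP",
     "msgid": "AU1", "user": "MSMITH", "ip": "10.1.2.77"},
    # a logon from a clean workstation: must not alert
    {"t": ts("2014-09-10 09:31:00"), "src": "sap_sal", "sid": "ECP",
     "msgid": "AU1", "user": "AKING", "ip": "10.1.2.80"},
    # two transport imports: one late at night, one in business hours
    {"t": ts("2014-09-10 23:40:00"), "src": "sap_stms", "sid": "ECP",
     "transport": "ECPK900123", "user": "BASIS1"},
    {"t": ts("2014-09-10 14:05:00"), "src": "sap_stms", "sid": "ECP",
     "transport": "ECPK900124", "user": "BASIS1"},
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Application brute force: >= threshold AU2 events for one SID/user inside window.
    Sliding window per (sid, user); one alert per burst."""
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["src"] != "sap_sal" or e.get("msgid") != "AU2":
            continue
        q = recent[(e["sid"], e["user"])]
        q.append(e["t"])
        while e["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "brute_force", "sid": e["sid"], "user": e["user"],
                           "count": len(q), "last": e["t"]})
            q.clear()
    return alerts


def detect_infected_logon(events, window=timedelta(hours=24)):
    """Logon of a virus infected client: an AV detection followed, within window,
    by a successful SAP logon (AU1) from the same client address."""
    last_hit = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["src"] == "antivirus":
            last_hit[e["ip"]] = e["t"]
        elif e["src"] == "sap_sal" and e.get("msgid") == "AU1":
            hit = last_hit.get(e["ip"])
            if hit is not None and e["t"] - hit <= window:
                alerts.append({"rule": "infected_client_logon", "user": e["user"],
                               "ip": e["ip"], "av_time": hit, "logon_time": e["t"]})
    return alerts


def detect_offhours_transport(events, start=time(7, 0), end=time(19, 0)):
    """Transport at unusual time frame: STMS events outside the agreed window
    (assumed 07:00-19:00 on weekdays; constructed policy)."""
    alerts = []
    for e in events:
        if e["src"] != "sap_stms":
            continue
        weekend = e["t"].weekday() >= 5
        if weekend or not (start <= e["t"].time() < end):
            alerts.append({"rule": "offhours_transport", "transport": e["transport"],
                           "user": e["user"], "time": e["t"]})
    return alerts


def run_all(events):
    return (detect_brute_force(events) + detect_infected_logon(events)
            + detect_offhours_transport(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The point of the second rule is the one the "agileSI talks SIEM" slide makes: the antivirus event and the SAP logon come from different sources and can only be joined because both carry the same normalized client address, which is exactly what the CEF mapping has to preserve.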
[Slide 22] READ ACCESS LOGGING - Coming soon
Read Access Logging (free version of SAP UI Logger)

[Slide 23] WHAT THE CUSTOMER SAYS - Customers use agileSI for
- Automated compliance & security monitoring
- Automation of compliance checks and reports with agileSI
- Extension of given compliance checks with security use cases
- Complete system landscape monitoring
- Transfer of agileSI findings into ticketing system
- Control of production process
- Access controls and transaction monitoring
- Usage of precious metal in production
- International operating organization
- Control of production process via custom applications
- Monitoring of international users accessing national-classified data (invoices, CAD, project owners)
- Transfer output of these applications into SIEM
- Continuous control!
- Management reports
- Ad hoc monitoring & forensics
- RFC transparency in SAP landscapes (SAP-to-SAP; NonSAP-to-SAP)
- Implementation of SAP UI Logger

[Slide 24] License

[Slide 25] LICENSE
License: # SID (System Id, database Id). Example landscape with License # SID = 3:
- SID ECP [ECC/ERP]: central instance + App. Server instances
- SID PLP [PLM]: central instance + App. Server instances
- SID CRP [CRM]: (central instance)

[Slide 26] Recap & Key benefits

[Slide 27] Compliance issues at a glance (e.g. Profile Parameter / System Configuration)

[Slide 28] Security findings at a glance (event based, e.g. Security Audit Log and others)

[Slide 29] Monitor special accounts

[Slide 30] Compliance - Reports (e.g. Profile Parameter / System Configuration)

[Slide 31] SUMMARY - Key benefits
- Continuous, daily audit
- Automated compliance & security monitoring (ready-to-use)
- Complete SAP system landscape centrally monitored
- Lower the number of auditor's findings
- Reduce compliance and audit costs through automation
- Improve your SAP Security & Risk Management

[Slide 32] Questions and Answers

[Slide 33] Please give me your feedback
Session TB4092, Speaker Thomas Meindl
Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.

[Slide 34] Tonight's party @ Newseum
Enjoy food, drinks, company, and a private concert by Counting Crows.
Time: 7:00 - 10:00 pm. Shuttles run between the hotel's Porte Cochere (Terrace Level, by registration) and the Newseum from 6:30 - 10:00 pm.
Questions? Please visit the Info Desk by registration.

[Slide 35] Thank you

[Slide 36] Optional

[Slide 37] SOLUTION
(Diagram: Collection Agent, Analysis, Audit; stakeholders SOC, SAP Management, Admin.)

[Slide 38] ARCSIGHT IMPLEMENTATION - Asset Categorization: information is available in SAP

[Slide 39] ARCSIGHT IMPLEMENTATION - Asset Categorization: benefits
- enhances correlation
- helps prioritize
- adds layer

[Slide 40] APPLICATION SECURITY: SIEM THREAT RESPONSE
SIEM automated threat response in case of strong suspicion:
- User audit trail
- User log out
- Adaptive monitoring
- User lock
- TCP session termination

[Slide 41] THE ...
(Diagram: Collection Agent, SIEM, Analysis, Audit; stakeholders SOC, SAP Management, Admin.)