How to prevent SAP security incidents? - ERPScan...• SAP Security and Risk Management 2nd Edition...


Agenda 3


Introduction

Case for SAP Cybersecurity Framework


Current state 5

Diagram (recovered labels): CISO and CIO at the top; four teams, each with a single SAP security activity:

• SAP BASIS: patching SAP systems
• SAP Security: segregation of duties
• IT Operations: monitoring SAP systems
• Enterprise Security: vulnerability management

Problems shown: no effective oversight, no visibility, complexity, poor integration, issues slipped through the cracks.


Future state 6

Diagram (recovered labels): CISO, CIO and CRO; each team's activity is extended:

• Enterprise Security: Vulnerability Management + Asset Management + Risk Management + Secure Development
• SAP BASIS: Patching SAP systems + Incident Response + Mitigation + Improvements
• SAP Security: Segregation of Duties + Data Security + Secure Architecture + Secure (label truncated on the page)
• IT Operations: Monitoring SAP systems + Threat Detection + User Behavior + Data Leakage


History 7

Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks

Source: https://www.gartner.com/doc/2665515/

EAS-SEC


Process Description 9

Category PREDICT

Process Secure Development

Purpose To ensure security during SAP systems development and acquisition

Outcomes
• Security Requirements
• Development Standards and Processes
• Security Plans

Implementation tiers

1. Develop basic security requirements for configuration of servers, networks, SAP applications and client stations

2. Create secure development standards and processes

3. Automate secure development processes


Implementation Tiers 10

Chart (recovered values):
• Tier 1: 50%, 3-6 months
• Tier 2: 80%, 6-12 months
• Tier 3: 99%, 12 months


PREVENT: Reduce the surface area of attack


Prevent SAP Security Incidents 12

• Access Control: to limit user privileges and prevent unauthorized use of SAP systems

• Awareness and Training: to ensure personnel and contractors have the necessary cybersecurity knowledge to perform their duties and responsibilities

• Data Security: to enforce confidentiality, integrity and availability requirements on the data layer

• Secure Architecture: to ensure security throughout all SAP components, connections, infrastructure facilities and enterprise security controls


Access Control 13

Purpose: to limit user privileges and prevent unauthorized use of SAP systems

Outcomes:
• Access Rules
• Access Mechanisms
• Access Control Reports

Implementation:
1. Secure the network, servers and endpoint devices
2. Implement role-based access control to SAP functionality
3. Enforce Segregation of Duties controls according to business process rules


Access Control. How to Create a User? 14

Ways to create a user in an SAP system:
1. Transaction SU01
2. Database table USR02
3. RFC function BAPI_USER_CREATE
4. Web exploit using the InvokerServlet feature and the CTC servlet

Number of objects:
1. More than 300 000 transactions
2. More than 500 000 tables
3. More than 40 000 RFC functions
4. 500 known web exploits


Common SOD issues 15

How to analyze SOD rules without interviews?

1. Authorization objects with * field values (e.g. S_TABU_DIS)

2. Distribution of users by roles

3. Profiling of user access (transaction traces)

Chart: % of users with given roles (axis 0% to 40%; labelled bars 37% and 31%). Roles shown: SAP_RCF_INTERNAL_CANDIDATE, ZRCFUIX_WEB_SERVICES_INT_CND, IDESUS_HR_ESS_MENU, VS::FI_DISPLAY_LINE_ITEMS, VS::OM_DISPLAY, SAP_DAL_ADMIN, SAP_LO_EMPLOYEE, VS_MM_IM_DISPLAY, IDES_XRPM_ADMINISTRATOR, VS_FI_GE_GLDISPLAY, /0CUST/WELCOME_NWBC30, SAP_RCF_MANAGER, VS_HR_PA20_REPORTS, ZIDES_PLMWUI_DISCRETE_MENU, VS::SD_SALES_DISPLAY.
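The three interview-free checks above, as an added example that is not part of the ERPScan deck: it runs over constructed extracts of the SAP tables AGR_1251 (authorization values per role), AGR_USERS (role assignments) and AGR_TCODES (transactions in role menus) plus constructed transaction-trace observations; the role names, users and values are made up.

```python
from collections import Counter

# Constructed extract of AGR_1251 (authorization values per role):
# (role, authorization object, field, low value)
AGR_1251 = [
    ("Z_FI_DISPLAY", "S_TABU_DIS", "ACTVT", "03"),
    ("Z_FI_DISPLAY", "S_TABU_DIS", "DICBERCLS", "FC31"),
    ("Z_BASIS_ALL", "S_TABU_DIS", "ACTVT", "*"),
    ("Z_BASIS_ALL", "S_TABU_DIS", "DICBERCLS", "*"),
    ("Z_HR_ADMIN", "P_ORGIN", "AUTHC", "*"),
    ("Z_HR_ADMIN", "P_ORGIN", "PERSA", "1000"),
]
# Constructed extract of AGR_USERS (role assignments): (role, user)
AGR_USERS = [
    ("Z_FI_DISPLAY", "ALICE"), ("Z_FI_DISPLAY", "BOB"), ("Z_FI_DISPLAY", "CAROL"),
    ("Z_BASIS_ALL", "BOB"), ("Z_HR_ADMIN", "DAVE"),
]
# Constructed extract of AGR_TCODES (transactions in role menus): (role, tcode),
# and constructed transaction-trace observations: (user, tcode)
AGR_TCODES = [("Z_FI_DISPLAY", "FB03"), ("Z_BASIS_ALL", "SE16"), ("Z_BASIS_ALL", "SU01")]
TRACE = [("BOB", "FB03"), ("BOB", "SE16"), ("ALICE", "FB03")]

def wildcard_authorizations(rows, obj=None):
    """Check 1: (role, object, field) granted with a '*' value, optionally
    limited to one authorization object such as S_TABU_DIS."""
    return sorted({(r, o, f) for r, o, f, low in rows
                   if low == "*" and (obj is None or o == obj)})

def role_distribution(assignments):
    """Check 2: share of all users holding each role, in percent
    (the deck's '% of users with given roles' chart)."""
    users = {u for _, u in assignments}
    per_role = Counter(r for r, _ in assignments)
    return {r: round(100.0 * n / len(users), 1) for r, n in per_role.items()}

def users_with_wildcard(rows, assignments, obj):
    """Join checks 1 and 2: users who inherit a '*' on the given object."""
    risky_roles = {r for r, _, _ in wildcard_authorizations(rows, obj)}
    return sorted({u for r, u in assignments if r in risky_roles})

def unused_transactions(tcodes, assignments, trace):
    """Check 3: transactions granted via roles that the trace never shows
    the user running; candidates for removal from the role."""
    granted = {(u, t) for r, u in assignments for r2, t in tcodes if r == r2}
    return sorted(granted - set(trace))
```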


Awareness and Training 16

Purpose: to ensure personnel and contractors have the necessary cybersecurity knowledge to perform their duties and responsibilities

Outcomes:
• Training Materials
• Training Records
• Knowledge Assessment Reports

Implementation:
1. Enlist commitment of Board and C-level executives
2. Provide SAP security trainings for BASIS and security teams
3. Provide awareness training to SAP users


Board Commitment 17

Dissatisfaction + Vision + First Steps > Resistance to Change

• SAP security project news
• SAP security articles
• Board interviews

• Establish security team activities
• Hire staff
• Purchase tools
• Provide trainings
• Conduct audits and assessments


Top SAP Security Websites 18

• darkreading.com

• sapsecuritypages.com

• websmp108.sap-ag.de/public/security

• erpscan.com/press-center/blog/what-is-sap-security-2/

• cert-devoteam.fr/publications/en/category/securite-sap-en/

• resources.infosecinstitute.com/sap-security-for-beginners-part-4-sap-risks-espionage/

• udemy.com/sap-cyber-security-training/

• SAP Security and Risk Management 2nd Edition by Mario Linkies, Horst Karin


SAP Security for Users 19

Consequences

• blocked data (ransomware)

• compromised reports

• spread of infection

Attack Vectors


Data Security 20

Purpose: to enforce confidentiality, integrity and availability requirements on the data layer

Outcomes:
• Data Inventory
• Data Flows
• Data Security Reports

Implementation:
1. Classify data assets according to their value to the organization
2. Protect data-in-transit using SNC and SSL/TLS
3. Protect data-at-rest by encryption, secure storage location and tokenization
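Step 2 (data-in-transit: SNC and SSL/TLS) as an added example that is not from the deck: a small checker over an SAP instance profile that reports SNC and plain-HTTP weaknesses, shown with a weak profile and its corrected form. The profile contents are constructed; the parameter names (snc/enable, snc/accept_insecure_gui, snc/accept_insecure_rfc, snc/accept_insecure_cpic, snc/data_protection/min, icm/server_port_N) are real SAP parameters, and treating a missing parameter as its weakest setting is this example's own choice.

```python
import re

# Constructed instance profile with the weak settings (not from a real system)
PROFILE_WEAK = """
SAPSYSTEMNAME = DEV
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8443
"""

# The same profile after the fix: SNC on, unprotected DIAG/RFC/CPIC fallbacks
# refused, privacy (encryption) required, plain-HTTP listener removed
PROFILE_FIXED = """
SAPSYSTEMNAME = DEV
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/data_protection/min = 3
icm/server_port_0 = PROT=HTTPS,PORT=8443
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, ignoring # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def transit_findings(params):
    """Data-in-transit weaknesses in a parsed profile; an absent parameter is
    treated as its weakest setting (a choice of this example, not an SAP default)."""
    findings = []
    if params.get("snc/enable", "0") != "1":
        findings.append("snc/enable != 1: DIAG and RFC traffic is unencrypted")
    else:
        for p in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                  "snc/accept_insecure_cpic"):
            if params.get(p, "1") != "0":
                findings.append(f"{p} != 0: unprotected connections still accepted")
        if int(params.get("snc/data_protection/min", "1")) < 3:
            findings.append("snc/data_protection/min < 3: encryption not enforced")
    for key, value in params.items():
        prot = re.search(r"PROT=(\w+)", value.upper())
        if key.startswith("icm/server_port_") and prot and prot.group(1) == "HTTP":
            findings.append(f"{key}: plain HTTP listener ({value})")
    return findings
```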


Data Security. Data Inventory 21

Information Asset | Data Asset | Type | Location | Protection Requirements | Current Level of Protection: At Rest (description) | Current Level of Protection: In Transit (description)
Payment Cards Details | Payments Table | Oracle DB Table | DataSource=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MyHost)(PORT=MyPort))(CONNECT_DATA=(SERVICE_NAME=MyOracleSID))); | GDPR, PCI DSS | - | 
Payment Cards Details | Payments Transaction | SAP Transaction | TR12 | GDPR, PCI DSS | SAP Authorizations | Could be exported to NAS
Payment Reports | Reports .XLSX | Electronic sheets, files on NAS | nas:\\finance\reports | PCI DSS | Stored on NAS, protected by AD policies | -


GDPR Security Tasks 22

• Identify data items
• Find users having access to personal data
• Evaluate security controls
• Assess risks to data subjects

• Restrict access to personal data
• Implement and describe security controls to demonstrate compliance
• Manage personal data lifecycle

• Monitor personal data access
• Detect SAP security threats
• Implement SAP incident response capabilities

GDPR Explained: What are the security requirements? Source: erpscan.com/press-center/blog/gdpr-explained-security-requirements/


SAP HANA Encryption 23


Secure Architecture 24

Purpose: to ensure security throughout all SAP components, connections, infrastructure facilities and enterprise security controls

Outcomes:
• SAP Security Architecture
• SAP Security Controls
• SAP Technical Solutions

Implementation:
1. Protect SAP perimeter
2. Secure SAP communications
3. Integrate SAP security and enterprise security


Secure Architecture. System Schema 25


Secure Communications 26


Secure Architecture 27


Further Actions

How to use SAP Cybersecurity Framework?


For Industry 29

How secure are we? Do we meet GDPR requirements? Carry out an SAP security audit!

How to get budget and implement security processes? Assess your SAP security capabilities and make a business case for an SAP security initiative!

How to ensure business systems follow business rules? Profile and enhance SoD rules!


For Consulting 30

1. Include SAP systems in the scope of your existing services
   • GDPR audit
   • ISMS implementation for SAP systems in scope
   • Threat detection and SAP – SIEM integration

2. Prove your selling proposition is unique with ROI of SAP security

3. Create a 360-degree image of an SAP security provider


Professional Services 32

Predict SAP data breach

SAP Penetration Testing

SAP Security Audit

SAP Vulnerability Management as a Service


Thank you

Join our group: linkedin.com/groups/13543110

Join our webinars: erpscan.com/category/press-center/events/

Subscribe to our newsletter: eepurl.com/bef7h1

USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, Phone 650.798.5255

EU: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam, Phone +31 20 8932892

[email protected]

Parmesh Pillai, Senior Manager at Commercial [email protected]

Michael Rakutko, Head of Professional [email protected]