EAS-SEC SAP CYBERSECURITY FRAMEWORK

Posted on 22-Mar-2020

Page 1: EAS-SEC SAP CYBERSECURITY FRAMEWORK - Cloudinary · EAS-SEC SAP Cybersecurity Framework is intended to systemize all the necessary activities to secure business applications such

Contents

Introduction

PREDICT
  Asset Management
  Business Environment
  Governance
  Vulnerability Management
  Risk Management
  Secure Development

PREVENT
  Access Control
  Awareness and Training
  Data Security
  Secure Architecture

DETECT
  Event Management
  Threat Detection
  User Behavior
  Data Leakage

RESPOND
  Incident Response
  Clear Communications
  Continuous Analysis
  Mitigation
  Improvements

About EAS-SEC
About ERPScan

Introduction

EAS-SEC SAP Cybersecurity Framework is intended to systemize all the necessary activities to secure business applications such as ERP systems from cyberattacks, espionage, sabotage and fraud.

The growing number of incidents against ERP systems and the constant flow of newly disclosed weaknesses demand a change in approach to security. Tackling myriad cybersecurity challenges in a piecemeal manner exposes organizations to significant security risk. An enterprise security team without C-level guidance, working with a disintegrated security solution stack, cloud applications and eroding system boundaries, cannot keep up with the growing number of attacks.

Security managers need to solve the problem of disintegrated security and create the strategic options and environment to ensure the security of business applications.

They should shift from over-reliance on the blocking and preventing mechanisms of access control and Segregation of Duties to integrative approaches. Security managers should assume that preventive mechanisms can and do fail, so ERP systems require continuous monitoring and remediation.

Security managers should ensure that protection of business applications combines predictive, preventive, detective and responsive capabilities and integrates seamlessly with enterprise security processes such as incident, risk and compliance management.

We created the SAP Cybersecurity Framework to form a conceptual bridge between an integrated adaptive security architecture and concrete actions. The framework articulates critical areas of action for establishing the security of ERP systems, describes desired outcomes and provides a three-step approach to succeed in each area.

SAP Cybersecurity Framework implements the EAS-SEC approach, which combines completeness of coverage with priority of implementation. The framework gives guidance on how to achieve results in all protection areas with minimum effort for maximum effect.

SAP Cybersecurity Framework applies Gartner's adaptive security architecture to the area of ERP security and describes four categories of ERP protection processes: predictive, preventive, detective and responsive.

Each category describes specific protection processes, such as asset management, incident management or threat intelligence. All the processes are in line with industry-recognized frameworks and approaches from NIST, SANS, ISO and CIS, but reflect the specifics of ERP systems.

SAP Cybersecurity Framework provides a three-step roadmap towards the realization of each ERP security process:

• The first step is the minimum that sets up the basis for protection and solves the most critical issues.

• The second step provides a sufficient level of security and requires a medium level of effort.

• The third step includes advanced capabilities such as automation, forensics and collaboration that provide cutting-edge security.

Regardless of the degree of effort you are ready to put in, the framework articulates the outcomes you are expected to achieve: be it an Inventory of Assets, SAP Continuity Plans, an SAP Risk Register or SAP Security Metrics. The difference is in the extent of detail.

We encourage you to start small and implement the first step for each of the processes: choose a category, implement the first step for one of its processes, then switch to another category and process. This gradually lets you cover all of the processes at a basic level. After that you will be ready to take ERP security to the next level by executing the second steps and finally the third steps. At every stage of this building process you have the capabilities you need to effectively secure enterprise systems.

We believe the security of ERP systems should no longer be the poor cousin of enterprise security; it should receive due attention and strategic management, as it ensures the resiliency of core enterprise operations.

SAP Cybersecurity Framework is developed under the EAS-SEC initiative. Security professionals are welcome to participate in developing a common, agreed and efficient standard for ERP security operations.

PREDICT

To understand the SAP system's environment, proactively prioritize and address system exposures.

PREDICT

ASSET MANAGEMENT

PURPOSE

To communicate information about assets in SAP systems, the security category of the assets, rules of acceptable use and protection requirements.

OUTCOMES

• Inventory of Assets. The SAP systems, servers, applications, information assets, personnel and devices, related information systems and information flows are identified and updated on a regular basis.

• Criticality Assessments. Assets are prioritized according to their importance to the business.

• Acceptable Use Requirements. Rules, responsibilities and requirements for the acceptable use of the SAP systems are developed.

IMPLEMENTATION STEPS

1. Create an Inventory of Assets:

• Develop a classification schema and templates to describe the different types of SAP assets: systems, servers, applications, services, information assets and devices.

• Establish procedures for creating and updating the Inventory of Assets during procurement, use and retention of the assets.

• Inventory assets and identify the stakeholders of the assets: administrators, owners, users and third parties.

2. Assess criticality of the assets:

• Elicit and document contractual, regulatory and internal requirements for information assets inside the SAP systems.

• Develop an approach and procedure to assign and review the criticality level of assets.

• Mark assets according to their criticality level.

• Document requirements for acceptable use of assets of different types and criticalities during the lifecycle of the assets.

• Develop guidelines and controls for protecting assets according to their criticality level.

3. Develop a complete specification of the SAP systems:

• Inventory all modules, services and software on assets.

• Determine connections and information flows between assets, internal and external information systems and data providers for each SAP system.

• Establish requirements for third parties, vendors, contracts and contractors regarding the security of SAP systems.

REFERENCES

• NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

• NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.

• NIST SP 800-53 Rev. 4, CM-8.

PREDICT

BUSINESS ENVIRONMENT

PURPOSE

To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships.

OUTCOMES

• Business Context. The organization's business processes, activities, stakeholders and resilience requirements for SAP systems are identified and prioritized.

• SAP Continuity Plans. SAP cybersecurity continuity requirements are identified and addressed by cybersecurity continuity controls.

• Supplier Catalogue. Suppliers and associated contracts are identified; cybersecurity requirements for suppliers are established and monitored in contracts and service deliveries.

IMPLEMENTATION STEPS

1. Identify Business Context:

• Identify the organization's activities and business processes (procure to pay, order to cash and so on), the corresponding SAP systems, and the external information systems and services required to achieve the organization's purposes.

• Identify the stakeholders of business processes.

• Gather resilience requirements for the SAP systems that support the organization's activities.

• Inform the assessment of asset criticality by performing a criticality analysis of the corresponding business functions.

2. Prepare SAP Continuity Plans:

• Develop requirements for cybersecurity of SAP systems in adverse situations, e.g. under attack or during recovery.

• Document plans, response and recovery procedures for maintaining cybersecurity of SAP systems in case of a disruptive event.

• Integrate cybersecurity continuity controls with the organization's business continuity or disaster recovery activities.

3. Maintain Supplier Catalogue:

• Identify and mandate cybersecurity controls and requirements (notification, incident management, screening, audit, compliance and so on) in contracts, to specifically address supplier access to the organization's SAP systems.

• Establish and agree cybersecurity requirements with each supplier that may access SAP systems. Review the requirements on changes to supplier agreements and on development of any new application or system.

• Monitor, review and audit supplier adherence to agreements regarding SAP cybersecurity. Implement a monitoring process for managing supplier audit trails, records of security events, operational problems, failures and disruptions related to the service delivered.

REFERENCES

• ISO/IEC 27001:2013 15.1, 15.2, 17.

• NIST SP 800-53 Rev. 4 CP-2, PM-8, SA-12, PM-11, SA-14.

• NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems.

PREDICT

GOVERNANCE

PURPOSE

To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes.

OUTCOMES

• SAP Cybersecurity Policy. The organizational information security policy addresses SAP cybersecurity objectives, threat environment and controls.

• SAP Security Processes. Cybersecurity processes and procedures, roles and responsibilities are established and aligned with internal roles and external partners.

• SAP Control Procedures. Legal, regulatory and operational requirements regarding cybersecurity of SAP systems are identified, enforced and controlled in SAP systems.

IMPLEMENTATION STEPS

1. Establish SAP Cybersecurity Policy:

• Define SAP cybersecurity objectives and guiding principles, assign general responsibilities for SAP cybersecurity and communicate them to employees and relevant external parties.

• Establish an approach to communicate and address risks associated with the operation and use of SAP applications in the context of organizational operational risk management.

• Demonstrate top management leadership and commitment with respect to SAP cybersecurity.

2. Develop SAP security processes:

• Develop descriptions for all SAP security processes relevant to the organization.

• Define SAP cybersecurity roles and responsibilities. Assign them to internal roles, organizational positions and external parties.

• Implement SAP cybersecurity review in all management phases of SAP projects: project objectives should include cybersecurity goals, the necessary security controls are identified, and security assessment is part of the acceptance and testing of SAP systems.

3. Implement control procedures:

• Document and keep up to date all legislative, statutory, regulatory and contractual requirements relevant to SAP systems.

• Develop specific controls and individual responsibilities to meet the relevant compliance requirements.

• Prepare questionnaires and technical procedures to evaluate the compliance of SAP security controls and processes.

REFERENCES

• ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements. International Organization for Standardization.

• NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014.

• MacDonald, N. and Firstbrook, P. (2017). Designing an Adaptive Security Architecture for Protection From Advanced Attacks. Gartner. Available at: https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection

PREDICT

VULNERABILITY MANAGEMENT

PURPOSE

To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors.

OUTCOMES

• Scan Plans. Security testing covers all SAP systems.

• Scan Profiles. Relevant SAP risks, compliance and technical policies are translated into scan profiles and technical checks.

• Remediation Plans. The organization develops and implements remediation plans to address vulnerabilities in SAP systems.

IMPLEMENTATION STEPS

1. Regularly perform SAP security audits and penetration tests:

• Develop an annual scan plan to ensure gradual coverage of all SAP systems.

• Conduct vulnerability assessments and security audits for SAP systems in use, before acceptance and in development.

• Systematically assess SAP security controls through internal and external penetration tests.

• Communicate security assessment results in terms of security breach, fraud and compliance risks.

2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations:

• Prepare and maintain scan profiles for assets according to applicable compliance requirements, security policies and protection guidelines.

• Prioritize remediation activities according to asset criticality, vulnerability risk and estimated effort.

• Develop remediation plans to address security issues in SAP applications, security controls and infrastructure.

• Maintain a remediation knowledge base with descriptions of executed corrections, applied patches, secure configurations and context considerations.

3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds:

• Monitor information about SAP vulnerabilities, new remediations and threats on vendor and third-party web sites, mailing lists, newsgroups and other notification services.

• Collect threat intelligence feeds and review them with regard to ERP security threats.

• Stay up to date with the latest research publications and security events.

REFERENCES

• NIST SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program, November 2005.

• NIST IR 7435, The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems.

• The SAP NetWeaver ABAP platform vulnerability assessment guide, 2014.

PREDICT

RISK MANAGEMENT

PURPOSE

To make decisions on addressing possible adverse impacts from the operation and use of SAP systems.

OUTCOMES

• Threat Model. The organizational approach to SAP cybersecurity risks is established.

• Risk Register. Risks from the operation and use of SAP systems are identified, prioritized and estimated.

• Risk Responses. Appropriate courses of action to accept, avoid, mitigate or transfer SAP cybersecurity risk are identified, evaluated and implemented.

IMPLEMENTATION STEPS

1. Create a threat model for SAP systems:

• Identify the scope (organizational entities, SAP systems, etc.) of SAP cybersecurity risk management activities and align it with enterprise risk management.

• Create a threat model for SAP systems: document and approve the risk assessment methodology covering threat sources, vulnerabilities, attack scenarios and impacts.

• Develop risk assessment and response guidance.

2. Assess likelihoods and estimate business impacts of cybersecurity risks:

• Identify threats to and vulnerabilities in SAP systems and infrastructure.

• Analyze the likelihood of cybersecurity risks using vulnerability assessment results, surveys of subject matter experts and business impact analysis.

• Determine the risk to organizational operations if identified threats exploit identified vulnerabilities.

3. Automate risk management and develop risk response plans:

• Automate risk management by integrating Vulnerability Management, GRC platforms and Incident Response solutions.

• Identify and implement alternative courses of action to respond to the SAP cybersecurity risks determined during the risk assessment.

• Create plans for monitoring the effectiveness of risk response measures and define risk monitoring triggers.

REFERENCES

• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.

• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, September 2012.

• COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02.

PREDICT

SECURE DEVELOPMENT

PURPOSE

To ensure security during SAP systems development and acquisition.

OUTCOMES

• SAP Security Requirements. Cybersecurity requirements for the SAP systems in development are identified and addressed by security controls.

• Development Standards and Processes. SAP system development occurs through standard processes that consider secure practices and are documented and repeatable.

• Security Plans. All SAP systems have security plans in place describing the implemented security controls and solutions.

IMPLEMENTATION STEPS

1. Develop basic security requirements for the configuration of servers, networks, SAP applications and endpoints:

• Separate development, testing and production environments.

• Develop secure transport procedures.

• Assign and control the access rights of developers (developer access keys and developer authorizations).

2. Create secure development standards and processes:

• Prepare development and coding standards, which include checking developed systems for SAP vulnerabilities (code issues, obsolete statements, missing authorization checks, etc.).

• Provide security training for the development team.

• Ensure quality assurance plans address SAP security requirements: adherence to standards, passing of security assessments, proper documentation.

3. Automate secure development processes:

• Automate the secure development process in ITSM. Integrate code scanning tools into the automated development workflow.

• Use virtual patching for code issues which cannot be quickly fixed due to resource constraints. Document these issues, the applied remediations and future considerations.

• Require developers and contractors to prepare security plans for each SAP system and authorize the use of SAP systems on the basis of risk management and security control assessment results.

REFERENCES

• NIST SP 800-64 Rev. 2, Security Considerations in the System Development Life Cycle, October 2008.

• NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010.

• NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

PREVENT

To reduce attack surface area and block attackers before they impact the company.

Processes: Access Control, Awareness and Training, Data Security, Secure Architecture.

PREVENT

ACCESS CONTROL

PURPOSE

To limit the rights of authorized users and prevent unauthorized use of an SAP system.

OUTCOMES

• Access Rules. User and application access to SAP systems is based on need, is documented, and implements the principles of least privilege and segregation of duties.

• Access Mechanisms. Procedures for granting, changing and revoking access to SAP systems are established throughout the network, OS, DBMS and application layers.

• Access Control Reports. Access control mechanisms are continuously tested and comply with the access rules.

IMPLEMENTATION STEPS

1. Secure the network, servers and endpoint devices:

• Establish procedures and baseline security requirements for users and applications when granting access to SAP system services and endpoint devices.

• Implement two-factor authentication.

• Restrict access to administrative SAP services and anonymous access to critical web services.

2. Implement role-based access control to SAP functionality:

• Define user and administrative roles for interacting with SAP systems. Establish the organizational subjects that may occupy each role and the objects and actions available to it. Document the privileges that may be granted to the defined roles.

• Restrict admin profiles such as SAP_ALL to administrators.

• Restrict unauthorized access to critical transactions, programs, remote function calls, database tables, web services and other entities.

3. Enforce Segregation of Duties controls according to business process rules:

• Create an SoD matrix according to business process rules and best practices.

• Enforce SoD controls in SAP systems.

• Audit overrides of access control mechanisms: SoD conflicts, role-based access conflicts.

REFERENCES

• NIST Interagency Report 7316, Assessment of Access Control Systems, September 2006.

• SAP NetWeaver Security Guide, Network and Communication Security.

• Wagener, M. (2008). Practical Guide for SAP Security.
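The script below is an added example for steps 2 and 3 of this process (restricting SAP_ALL to named administrators and checking an SoD matrix); it is not part of the EAS-SEC framework and not ERPScan code. It runs offline on constructed, semicolon-separated dumps in the shape of the SAP tables UST04 (user to profile) and AGR_USERS (user to role), the kind of export you get from SE16 or SUIM. The role-to-transaction map, the approved-admin list and the two SoD rules are illustrative assumptions and must be replaced by the organization's own role design and SoD matrix.

```python
"""Access-control checks over exported SAP user data.

Added example for the Access Control process (not part of the EAS-SEC
framework text). Inputs are constructed semicolon-separated dumps in the
shape of table UST04 (user -> profile) and AGR_USERS (user -> role); the
role -> transaction map, the approved-admin list and the SoD rules are
illustrative assumptions.
"""
from __future__ import annotations

# Constructed sample: user-to-profile assignments (shape of table UST04).
UST04 = """\
MANDT;BNAME;PROFILE
100;BASIS01;SAP_ALL
100;BASIS01;SAP_NEW
100;JDOE;Z_FI_AP_CLERK
100;BATCH_FI;SAP_ALL
100;MSMITH;Z_FI_AP_CLERK
"""

# Constructed sample: user-to-role assignments (shape of table AGR_USERS).
AGR_USERS = """\
MANDT;AGR_NAME;UNAME
100;Z_FI_VENDOR_MAINT;JDOE
100;Z_FI_AP_PAYMENTS;JDOE
100;Z_FI_AP_PAYMENTS;MSMITH
100;Z_BASIS_ADMIN;BASIS01
"""

# Hypothetical role -> transaction map (in practice derived from the role
# menu or the S_TCODE values in AGR_1251).
ROLE_TCODES = {
    "Z_FI_VENDOR_MAINT": {"XK01", "XK02", "FK02"},
    "Z_FI_AP_PAYMENTS": {"F110", "FB60"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM59"},
}

# Constructed SoD matrix: a user must not hold a transaction from both
# sides of any rule (e.g. maintain vendor master AND run the payment run).
SOD_MATRIX = [
    ("Create/change vendor", {"XK01", "XK02", "FK02"}, "Run payment program", {"F110"}),
    ("Maintain users", {"SU01"}, "Maintain roles", {"PFCG"}),
]

# Profiles that grant (nearly) everything and belong only to named admins.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse a semicolon-separated SE16-style export into one dict per row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    return [dict(zip(header, ln.split(";"))) for ln in lines[1:]]


def critical_profile_holders(ust04_text: str, approved_admins: set[str]) -> list[tuple[str, str]]:
    """(user, profile) pairs holding SAP_ALL/SAP_NEW outside the approved admin list."""
    rows = parse_export(ust04_text)
    return sorted(
        (r["BNAME"], r["PROFILE"])
        for r in rows
        if r["PROFILE"] in CRITICAL_PROFILES and r["BNAME"] not in approved_admins
    )


def user_tcodes(agr_users_text: str) -> dict[str, set[str]]:
    """Resolve each user's effective transactions through the assigned roles."""
    tcodes: dict[str, set[str]] = {}
    for r in parse_export(agr_users_text):
        tcodes.setdefault(r["UNAME"], set()).update(ROLE_TCODES.get(r["AGR_NAME"], set()))
    return tcodes


def sod_conflicts(agr_users_text: str) -> list[tuple[str, str, str]]:
    """(user, function A, function B) for every SoD rule a user violates."""
    conflicts = []
    for user, held in sorted(user_tcodes(agr_users_text).items()):
        for name_a, set_a, name_b, set_b in SOD_MATRIX:
            if held & set_a and held & set_b:
                conflicts.append((user, name_a, name_b))
    return conflicts


if __name__ == "__main__":
    for user, profile in critical_profile_holders(UST04, approved_admins={"BASIS01"}):
        print(f"critical profile outside admin list: {user} has {profile}")
    for user, a, b in sod_conflicts(AGR_USERS):
        print(f"SoD conflict: {user} can both '{a}' and '{b}'")
```

On the constructed data the first check flags the technical user BATCH_FI holding SAP_ALL, and the second flags JDOE (vendor maintenance plus payment run) and BASIS01 (user plus role administration). Both checks are the kind of query step 3 calls "audit overrides": run them on every export, not once, because role assignments drift.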

PREVENT

AWARENESS AND TRAINING

PURPOSE

To provide personnel and contractors with the cybersecurity awareness education and training needed to perform their duties and responsibilities.

OUTCOMES

• Training Materials. Training goals are identified for each category of SAP system stakeholders and adequately addressed by awareness training and education materials.

• Training Records. Education and training are tracked and provided on a regular basis and in case of SAP system changes.

• Knowledge Assessment Reports. The level of cybersecurity awareness is identified and managed for SAP stakeholders.

IMPLEMENTATION STEPS

1. Enlist commitment of the Board and C-level executives:

• Choose an SAP security education provider and organize an SAP security awareness workshop.

• Maintain the cybersecurity awareness of managers and senior executives with a regular digest of recent news.

• Demonstrate the commitment of senior executives to secure operation of SAP systems by personal example and budget allocation.

2. Provide SAP security training for BASIS and security teams:

• Identify education goals and provide role-based security training and practical exercises to the BASIS team.

• Identify education goals and provide role-based security training and practical exercises to the security team.

• Test the security awareness of the BASIS and security teams by periodic assessments and simulation of anomalous SAP system behavior.

3. Provide awareness training to SAP users:

• Prepare training materials, choose courses and third-party education providers.

• Provide basic and refresher security awareness training to SAP system users and contractors.

• Monitor the awareness of SAP users by regular tests, simulating insider threats and anomalous SAP system behavior.

REFERENCES

• NIST SP 800-50, Building an Information Technology Security Awareness and Training Program.

• NIST SP 800-16 (DRAFT), A Role-Based Model for Federal Information Technology/Cybersecurity Training, March 2014.

PREVENT

DATA SECURITY

PURPOSE

To enforce requirements for confidentiality, integrity and availability of information in SAP systems at the data layer.

OUTCOMES

• Data Inventory. Data assets are identified and linked to the relevant organizational information assets.

• Data Flows. Data flows between SAP systems and external systems are identified along with the requirements for protection of the represented information.

• Data Security Reports. The organization receives assurance that data in SAP systems, at rest and in transit, is protected in accordance with the value of the represented information.

IMPLEMENTATION STEPS

1. Classify data assets according to their value to the organization:

• Identify the data representing information assets in SAP systems, its location and the related contractual, regulatory and legal requirements influencing the security of the data.

• Establish an approach to label the security attributes of data in SAP systems: metadata, visual marking, handling rules, etc.

• Develop data handling rules and procedures for enforcing data security during acquisition, modification, removal, transfer and disposition of SAP system assets.

2. Protect data in transit using SNC and SSL/TLS:

• Document data flows between SAP systems and external systems along with the security requirements for the connections.

• Implement cryptographic mechanisms to prevent unauthorized disclosure and detect changes to data.

• Authenticate connected parties using certificates and PKI services, network controls and additional safeguards.

3. Protect data at rest by encryption, secure storage location and tokenization:

• Employ cryptographic mechanisms to prevent unauthorized disclosure and detect changes in stored data and system configuration.

• Remove defined data assets from online storage and store them offline in a secure location.

• Conduct regular audits of SAP configuration, data security controls and handling procedures.

REFERENCES

• ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3.

• COBIT 5 APO01.06, DSS06.06.

• NIST SP 800-154 (DRAFT), Guide to Data-Centric System Threat Modeling, March 2016.
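An added example for step 2 of this process (protect data in transit with SNC and SSL/TLS), not part of the EAS-SEC framework or ERPScan code: a Python audit of an SAP instance profile for the parameters that decide whether DIAG, RFC and HTTP traffic is actually encrypted. Both profiles are constructed. The parameter names snc/enable, snc/data_protection/min, snc/accept_insecure_gui/rfc/cpic and icm/server_port_<n> are real SAP profile parameters; the required values (SNC protection level 3, no non-SNC connections accepted, no plain-HTTP ICM listener) are this example's policy and should be adapted to the documented connection requirements.

```python
"""Audit an SAP instance profile for data-in-transit settings.

Added example for Data Security step 2 (not part of the EAS-SEC text).
The profiles are constructed. snc/* and icm/server_port_<n> are real SAP
profile parameters; the required values are this example's policy.
"""
from __future__ import annotations

import re

# Constructed profile with the weak settings an audit should catch.
WEAK_PROFILE = """\
# constructed instance profile
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
"""

# The same profile with every finding corrected.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; '#' lines are comments, later lines override earlier ones."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def parse_icm_port(value: str) -> dict[str, str]:
    """Split an icm/server_port value such as 'PROT=HTTP,PORT=8000' into options."""
    return {k.strip().upper(): v.strip()
            for k, v in (item.split("=", 1) for item in value.split(",") if "=" in item)}


def audit_transit(params: dict[str, str]) -> list[str]:
    """One finding per weak data-in-transit setting; an empty list means clean."""
    findings: list[str] = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is off, DIAG and RFC traffic is unencrypted")
    # SNC protection levels: 1 = authentication only, 2 = integrity, 3 = privacy.
    if int(params.get("snc/data_protection/min", "1")) < 3:
        findings.append("snc/data_protection/min: clients may negotiate SNC without encryption")
    for kind in ("gui", "rfc", "cpic"):
        name = f"snc/accept_insecure_{kind}"
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: not set, kernel default applies; set it to 0 explicitly")
        elif value != "0":
            findings.append(f"{name}: non-SNC {kind.upper()} connections are still accepted")
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            opts = parse_icm_port(value)
            if opts.get("PROT", "").upper() == "HTTP":
                findings.append(f"{name}: plain HTTP listener on port {opts.get('PORT', '?')}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_transit(parse_profile(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak profile is the common half-done SNC rollout: SNC is enabled, but the minimum protection level still allows authentication-only sessions and non-SNC GUI and RFC logons are still accepted, so an attacker on the network path sees the same cleartext as before. The check treats a missing snc/accept_insecure_* parameter as a finding on purpose: relying on a kernel default is not a documented control.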

PREVENT

SECURE ARCHITECTURE

PURPOSE

To ensure the security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls.

OUTCOMES

• SAP Security Architecture. SAP system components and their interdependencies are identified and documented.

• SAP Security Controls. Common security services and specific SAP security controls are documented.

• SAP Technical Solutions. Technical solutions for SAP security controls are selected.

IMPLEMENTATION STEPS

1. Protect SAP perimeter:

• Protect and configure SAP Router. Use SAP Web Dispatcher for external connections.

• Secure connections between SAP systems and external systems (OT/ICS): proxy, SSO, etc.

• Choose an approach to document the architecture of SAP systems: users, data, connections, security domains, security controls and services, technical solutions.

2. Secure SAP communications:

• Create an SAP communication schema.

• Ensure that SAP RFC connections are documented and secured (access is limited and connection credentials are stored securely).

• Review that other connections to SAP systems (database, XI, SOAP, J2EE, HANA, etc.) are justified by need and securely configured.

3. Integrate SAP security and enterprise security:

• Categorize SAP systems and identify boundaries between SAP systems and other enterprise subsystems.

• Allocate and implement in SAP systems the common security controls required by enterprise security policy.

• Examine all SAP connections, interfaces and security-relevant dependencies among subsystems, and select security controls for the interconnections.

REFERENCES

• Sherwood Applied Business Security Architecture

• Security Architecture Design Process for Health Information Exchanges (HIEs)

• NIST SP 800-53 Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, December 2014

DETECT

TO RECOGNIZE THREATS, CONDITIONS AND POSSIBLE SIGNS OF COMPROMISE

PROCESS

EVENT MANAGEMENT

THREAT DETECTION

USER BEHAVIOR

DATA LEAKAGE

DETECT

EVENT MANAGEMENT

PURPOSE

To collect information on SAP security-related events.

OUTCOMES

• Audit Events. The list of events to monitor is identified.

• Event Databases. Event data is collected in data stores.

• Event Collecting Procedures. Procedures for collecting the required set of events are established for all source systems.

IMPLEMENTATION STEPS

1. Configure SAP security audit log:

• Identify the set of events to monitor inside SAP systems.

• Configure SAP systems to store data related to the identified set of security events.

• Regularly review security events and disseminate findings among interested parties.

2. Collect SAP security-related events:

• Document auditable events, processing rules and event sources.

• Create an event database, store data from diverse event sources and enrich it with context information.

• Protect security-related data: encrypt event records, move data to a separate location or third-party storage provider, ensure non-repudiation and long-term preservation of event records.

3. Monitor SAP-related network, systems, personnel and external service provider activities:

• Aggregate data related to a specific event from different sources (SAP logs, HTTP and Gateway logs, and connected systems).

• Convert event records to a standardized format.

• Establish thresholds and alert rules for specific combinations of events.

REFERENCES

• NIST SP 800-184, Guide for Cybersecurity Event Recovery, December 2016

• NIST SP 800-92, Guide to Computer Security Log Management, September 2006

DETECT

THREAT DETECTION

PURPOSE

To detect attacks and possible threats to SAP systems.

OUTCOMES

• Threat Catalogue. The list of possible threats and attacks is identified.

• Threat Data Sources. For each threat, data collection rules are documented and implemented.

• Threat Detection Rules. For each threat, detection rules are created.

IMPLEMENTATION STEPS

1. Configure IDS/IPS systems to detect SAP attack signatures:

• Acquire and maintain an updated attack signature database for the IDS/IPS system.

• Subscribe to threat feeds from vendors and research teams for 0-day attack signatures.

• Ensure the traffic of all SAP systems is monitored by IDS/IPS solutions.

2. Manually review SAP security events:

• Select threats to monitor inside SAP and identify data sources for them.

• Review SAP logs, traces and special reports to detect attacks.

• Use information about security attacks to assess SAP cybersecurity risks.

3. Monitor potential attacks, security event combinations and anomalies:

• Document detection rules for discovering attacks and potential threats to information assets inside SAP systems and infrastructure components.

• Automate continuous gathering of threat data, application of detection rules and generation of threat notifications.

• Integrate threat detection capabilities with the incident response process and automate the creation of incidents.

REFERENCES

• NIST SP 800-154 (DRAFT), Guide to Data-Centric System Threat Modeling, March 2016

DETECT

USER BEHAVIOR

PURPOSE

To detect deviations of user behavior from the typical in SAP systems.

OUTCOMES

• Critical Actions Reports. Information on the actions with critical SAP system objects is collected.

• Baseline Behavior Profiles. Normal behavior profiles of SAP users are determined.

• Anomaly Detection Rules. Signs of suspicious behavior are identified.

IMPLEMENTATION STEPS

1. Review privileged account activities:

• Identify privileged accounts and critical actions to monitor in SAP systems: account and role operations, creation of data connections, modifying transactions, etc.

• Create a list of reports and logs to monitor privileged account actions.

• Configure automated notification of the critical events.

2. Establish profiles for SAP user behavior and detect anomalies:

• Baseline behavior profiles for SAP users and roles.

• Establish anomaly behavior thresholds and notification rules.

• Report anomalous SAP user behavior to responsible personnel or roles.

3. Monitor SAP business activities and SOD conflicts in real time:

• Implement an automated process of anomalous behavior detection and notification.

• Audit overrides of access control mechanisms (SOD conflicts, role-based access conflicts) in real time.

• Augment anomaly detection rules with business context from external sources: HR data, DLP, IAM, endpoint solutions and physical access control systems.

REFERENCES

• Litan, A. and Phillips, T. (2017). Market Guide for User and Entity Behavior Analytics. [online] Gartner.com. Available at: https://www.gartner.com/doc/3538217/market-guide-user-entity-behavior
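Two of the detection mechanisms the framework leaves at the process level are the Event Management step "establish thresholds and alert rules for specific combinations of events" and the User Behavior step "baseline behavior profiles and establish anomaly thresholds". The Python below is an added illustration, not part of the EAS-SEC framework or any vendor product: the pipe-separated record layout, user names and daily counts are constructed for the example, and the message IDs follow the Security Audit Log convention (AU1 logon successful, AU2 logon failed, AU7 user created).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample records (pipe-separated layout invented for this example); message IDs
# follow the Security Audit Log convention: AU1 logon successful, AU2 logon failed, AU7 user created.
SAMPLE_LOG = """\
2024-03-01T09:00:30|JSMITH|AU1|WS-101
2024-03-01T09:00:00|ADMIN|AU2|WS-077
2024-03-01T09:01:00|ADMIN|AU2|WS-077
2024-03-01T09:02:00|ADMIN|AU2|WS-077
2024-03-01T09:03:00|ADMIN|AU2|WS-077
2024-03-01T09:04:00|ADMIN|AU2|WS-077
2024-03-01T09:05:00|ADMIN|AU1|WS-077
2024-03-01T09:06:00|ADMIN|AU7|WS-077
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    msg_id: str
    terminal: str

def parse_log(text):
    """Parse the constructed records into Events sorted by timestamp."""
    rows = (line.split("|") for line in text.splitlines() if line.strip())
    return sorted((Event(datetime.fromisoformat(t), u, m, term) for t, u, m, term in rows),
                  key=lambda e: e.ts)

def correlate_failed_logons_then_user_creation(events, max_failures=5,
                                               window=timedelta(minutes=10)):
    """Alert rule for a combination of events: at least max_failures failed logons for one
    account inside window, then a successful logon and a user creation from the same terminal."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.msg_id != "AU1":
                continue
            fails = [f for f in evs[:i] if f.msg_id == "AU2" and e.ts - f.ts <= window]
            created = [c for c in evs[i + 1:] if c.msg_id == "AU7"
                       and c.terminal == e.terminal and c.ts - e.ts <= window]
            if len(fails) >= max_failures and created:
                alerts.append((user, e.terminal, len(fails)))
    return alerts

def build_baseline(history):
    """history: {user: [daily activity counts]} -> {user: (mean, population stdev)}."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in history.items()}

def detect_anomalies(profiles, today, z_threshold=3.0, min_sigma=1.0):
    """Flag users whose activity deviates from their baseline by more than z_threshold sigmas.
    A flat history (sigma 0) is floored at min_sigma; users with no baseline are reported, not scored."""
    findings = []
    for user, count in sorted(today.items()):
        if user not in profiles:
            findings.append((user, "no baseline"))
            continue
        mu, sigma = profiles[user]
        z = (count - mu) / max(sigma, min_sigma)
        if abs(z) > z_threshold:
            findings.append((user, f"z={z:.1f}"))
    return findings

HISTORY = {"JSMITH": [40, 42, 38, 41, 39], "BACKUP_SVC": [0, 0, 0, 0, 0]}  # constructed
TODAY = {"JSMITH": 44, "BACKUP_SVC": 120, "NEWGUY": 5}  # constructed
```

A service account with a flat history of zero activity is the edge case worth noticing: without the sigma floor, any activity at all would divide by zero, and a naive rule would either crash or flag nothing.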

DETECT

DATA LEAKAGE

PURPOSE

To detect data leakages in SAP systems.

OUTCOMES

• Data Marking Practice. The order of marking exported data reports and data flows is defined.

• Leakage Conditions. The configuration settings that create conditions for data leakage are defined.

• Leakage Detection Rules. Signs of possible data leakage are identified and configured.

IMPLEMENTATION STEPS

1. Identify data leakage conditions in custom code and configuration:

• Identify configuration settings of an SAP system or its services that predispose it to data leakage.

• Review custom-developed code for possible data leakage conditions.

• Implement visual marking of reports exported from SAP systems.

2. Analyze security events to detect possible data leakage:

• Develop an approach to trace security attributes of data records in logs.

• Define leakage detection rules on the basis of collected security events.

• Regularly review reports and event records to discover data leakage.

3. Monitor data flows and devices to detect data leakage in real time:

• Monitor data flows on the network level.

• Monitor endpoint devices and servers for the presence of sensitive data exported from SAP systems.

• Automate detection and notification of possible data leakage event combinations.

REFERENCES

• NIST SP 800-94 Rev. 1 (DRAFT), Guide to Intrusion Detection and Prevention Systems (IDPS), July 2012

RESPOND

TO INVESTIGATE ISSUES, DESIGN AND IMPLEMENT CHANGES TO SECURITY CONTROLS, AND LEARN FROM EXTERNAL ENVIRONMENT

PROCESS

INCIDENT RESPONSE

CLEAR COMMUNICATIONS

CONTINUOUS ANALYSIS

MITIGATION

IMPROVEMENTS

RESPOND

INCIDENT RESPONSE

PURPOSE

To systematically respond to violations or threats of violation of SAP security policies and practices.

OUTCOMES

• Incident Definitions. Possible SAP security incidents are identified, categorized, and have assigned data sources and correlation rules.

• Incident Cases. Information on the detection of and response to security incidents is stored and tracked.

• Incident Response Plans. Plans of action to respond to the most significant and common incidents are prepared.

IMPLEMENTATION STEPS

1. Develop SAP security event correlation rules and incident alert thresholds:

• Define possible attack vectors, select related signs of an incident and their sources: alerts, logs, publicly available information and people.

• Establish an incident response team and staff it with people with appropriate skills. Provide them with ways and means of communication, proper hardware and software.

• Profile networks and SAP systems, understand normal behavior and perform event correlation.

2. Develop SAP incident response and recovery plans:

• Define factors for prioritizing incidents: functional impact, security impact and recoverability.

• Develop incident response procedures for various kinds of SAP cybersecurity incidents: containment, eradication, recovery and investigation.

• Establish rules for notification of different parties: C-level executives, system owners, system and network administrators, other incident response teams, legal department (if appropriate).

3. Automate SAP incident response procedures:

• Implement an automated incident response process: security event analysis, incident identification, response and investigation.

• Regularly review effectiveness, analyze and improve incident response procedures and correlation rules.

• Prepare to consult with external resources: CERTs, peer organizations, contractors with SAP incident response and forensic expertise.

REFERENCES

• NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, August 2012

• NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006

RESPOND

CLEAR COMMUNICATIONS

PURPOSE

To establish a structure for SAP security responsibility in a business and provide means for clear communications between its members.

OUTCOMES

• Security Responsibilities. Responsibilities for secure operation of SAP systems are identified and assigned.

• Security Roles Delineation. Security roles and responsibilities of BASIS, the security team and other parties are delineated.

• Cyber Threat Information. Information about cyber security threats is shared with external parties.

IMPLEMENTATION STEPS

1. Assign responsibilities for ensuring SAP security:

• Assign general and specific responsibilities for SAP security to C-level executives.

• Define business security responsibilities at the business unit level and establish SAP asset owners.

• Describe personnel responsibility regarding access to and use of SAP systems.

2. Establish communications between security teams and other parties:

• Delineate SAP security responsibilities between Security and other parties (BASIS team, Audit, Network, etc.).

• Assign specific tasks to Security and BASIS teams.

• Establish ways and means of communication between all parties and establish conflict resolution procedures.

3. Establish communications with 3rd party companies and threat intelligence providers:

• Identify existing internal sources of cyber threat information and establish information sharing rules.

• Join and participate in information sharing efforts with vendors, peer organizations and research centers.

• Use secure, automated workflows to publish, consume, analyze, and act upon cyber threat information.

REFERENCES

• ISO 27002:2013 5.1, Management direction for information security

• NIST SP 800-150, Guide to Cyber Threat Information Sharing, October 2016

RESPOND

CONTINUOUS ANALYSIS

PURPOSE

To provide insights into the state of SAP security.

OUTCOMES

• SAP Security Metrics. Metrics for SAP security controls and processes are identified.

• SAP Security Dashboards. Security data is analyzed and presented in dashboards.

• Forensic Procedures. Guidelines on gathering evidence from SAP systems are prepared.

IMPLEMENTATION STEPS

1. Develop SAP security metrics:

• Identify stakeholders of security measures and goals of measurement.

• Document security metrics: goals, formulas, targets, implementation evidence, frequencies, responsible parties, data sources, etc.

• Report on a regular basis on the state of SAP security to stakeholders using security metrics.

2. Automate tracking of SAP security metrics and analyze trends:

• Implement an automated process of collecting, calculating and tracing SAP security trends.

• Create SAP security dashboards and notifications for various parties.

• Use security metrics to manage SAP security processes: connect metrics to process goals, collect data and analyze results, identify and apply corrective actions, set new target levels for metrics.

3. Develop SAP forensic investigation procedures:

• Prepare SAP systems for data collection: perform regular backups, enable auditing, forward critical event records to centralized log servers, maintain baseline system configurations.

• Identify forensic goals and create guidelines for carrying out common forensic procedures: acquiring data from SAP systems, preserving the integrity of evidence, examining and analyzing SAP data, case reporting.

• Build and maintain the skills of the forensic team by ongoing training, education and hands-on exercises.

REFERENCES

• NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security, July 2008

• NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006

RESPOND

MITIGATION

PURPOSE

To design, model and make changes to the security of SAP systems.

OUTCOMES

• Knowledge Base. Information on SAP security controls and best practices is collected, stored and provided to all stakeholders.

• Security CMDB. Changes to SAP security configuration are managed consistently.

• Security Workarounds. Security workarounds and their implications are identified.

IMPLEMENTATION STEPS

1. Develop SAP security controls knowledge base:

• Compile SAP security guidelines, recommendations and standards for SAP developers, administrators and users.

• Create a collaborative environment for sharing experience and knowledge management on SAP security and administrative topics (company portal, forum, Wikipedia, etc.).

• Encourage personnel to share knowledge and learn SAP security topics.

2. Implement task and change management practices for SAP systems:

• Baseline SAP system configurations and maintain versions of the configuration.

• Implement formal change management for SAP configuration and track change requests and approvals.

• Detect unapproved changes in configuration and investigate the reasons for them.

3. Deploy virtual patching and automatic correction tools for SAP security issues:

• Document security issues that cannot be resolved at the time.

• Develop workarounds: virtual patching, network filtering, event detection controls, etc.

• Automate mitigation of detected issues with corrective controls.

REFERENCES

• Linkies, M. and Off, F. (2006). SAP Security and Authorizations. 1st ed. Fort Lee (NJ): Galileo Press.

RESPOND

IMPROVEMENTS

PURPOSE

To learn from external events and improve SAP security processes.

OUTCOMES

• Improvement Suggestions. Suggestions on improvement of SAP security controls based on security events and news.

• Controls Assessments. Results of assessment of the efficiency of SAP security controls.

IMPLEMENTATION STEPS

1. Continuously analyze SAP security updates and threats:

• Analyze SAP security updates and disseminate security notifications and security alerts to members of the Security and BASIS teams.

• Study announcements about successful attacks and threats to SAP systems and redistribute them across the organization.

• Monitor security bulletin boards, hacker forums and the hacker underground (P2P networks, community forums and social networks).

2. Attend SAP security events and trainings:

• Join SAP security communities and follow security vendors, research centers and the most recognized security professionals.

• Participate in security conferences, online events and meetups.

• Attend trainings and courses, choose certification tracks for key security staff.

3. Assess effectiveness of SAP security controls:

• Prepare questionnaires, tools and guidelines to assess SAP security controls and the effectiveness and efficiency of security processes.

• Map automatic technical checks to SAP security controls and use automated tools to obtain assessment results.

• Use security controls assessment results to improve SAP system security plans and carry out corrective actions.

REFERENCES

• support.sap.com. (2017). Support Portal. [online] Available at: https://support.sap.com/securitynotes

• NIST SP 800-53 Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, December 2014


About EAS-SEC

The EAS-SEC (Enterprise Application Systems Security) is an international organization established to develop and implement security enabling practices for acquiring, operating, and maintaining enterprise business applications.

EAS-SEC has several ongoing projects:

• Enterprise Application Security: Development Issues

• Enterprise Application Security: Vulnerability Assessment

• Enterprise Application Security: Awareness

EAS-SEC is an open community of security professionals and organizations willing to ensure the security of their business applications. EAS-SEC provides the following forms of participation for EAS-SEC members:

• developing guidelines, tools and reports;

• providing professional expertise;

• conducting implementation case-studies.

The framework provides you with guidance on how to achieve maximum protection in all security areas with minimum effort. Research results are distributed freely to the wider community. Members of EAS-SEC benefit from collaborative sharing of experience and voluntary consulting during case studies.

eas-sec.org

[email protected]


ABOUT ERPScan

ERPScan is the most respected and credible Business Application Security provider. Named as an ‘Emerging vendor’ in Security by CRN and distinguished by more than 40 other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan’s primary mission is to close the gap between technical and business security, and to provide solutions to evaluate and secure ERP systems and business-critical applications from both cyber-attacks and internal fraud. We use the ‘follow the sun’ principle and function in two hubs, located in the Netherlands and the US, to operate local offices and a partner network spanning 20+ countries around the globe.


erpscan.com

[email protected]