
SenSage Solution for SAP Detailed Solution Description

February 2010


Table of Contents

Executive Summary
The Need for SAP Monitoring
    Security Threat and Fraud Detection
    Compliance
    Controls Testing and Compensating Controls
    Forensics and Investigations
Challenges of Comprehensive SAP Monitoring
    Massive Data Volume
    Heterogeneous Data
    Complex Analysis
The SenSage Security Intelligence Solution
SAP Integration
    SAP-Focused Analytics
Conclusion
About SenSage, Inc.


Executive Summary

Organizations rely on SAP to run their most critical business processes, from managing manufacturing and purchasing to processing sales transactions, collecting payments, and preparing financial statements. Thousands of SAP users across an organization use the system to perform their duties and keep the business functioning. Given the breadth of users, roles and activities across the SAP environment, the potential for costly errors, misuse, fraud, and compliance violations is vast. SAP offers many capabilities to limit and prevent potential security and business threats, including setting policies, restricting access, reviewing sensitive transactions, and flagging conflicting roles. Even with these measures, the ability for users to misuse the system, create errors, and even inflict malicious damage is not eliminated.

Organizations are concerned with addressing three critical areas:

Security threats – Analyzing and correlating user and transaction activity from start to finish, discovering potential security risks, and performing forensics and investigations when needed.

Monitoring business risks – Analyzing transactions and processes within the SAP environment to identify potential business risks.

Regulatory compliance – Meeting the requirement to demonstrate that the organization’s SAP system is being monitored appropriately for regulatory compliance purposes.

To mitigate these risks and to satisfy compliance requirements, organizations require comprehensive, granular monitoring of all SAP activity. This monitoring capability must also correlate disparate events to identify threats that otherwise could not be detected. With this capability, organizations can address a host of critical questions such as:

• Are there expired roles within my SAP environment? If so, are they active?
• Are users accessing sensitive data from foreign locations?
• Are users accessing SAP from potentially compromised workstations?
• Are users sharing login credentials? If so, what transactions are they performing?
• Is the same user involved in multiple approvals for the same transaction?
• Are basis administrators creating accounts? If so, what have those accounts done?
• Are database administrators (DBAs) modifying SAP tables, creating users, or inserting/deleting records?
• Which users are creating and paying vendors?
• What are the high-severity events in my SAP environment and what actions need to be taken on them?

Achieving this level of SAP visibility is challenging. First, given the number of users, transactions, and system events across the SAP environment, the volume of activity data can quickly reach terabytes. Most organizations need to retain all of this information for one year or even longer to satisfy compliance reporting requirements, run trend analysis, and perform forensics and investigations.


Second, comprehensive SAP monitoring must not only extract user and transaction data from myriad SAP modules but also incorporate the broader IT infrastructure. Transactions can originate outside of SAP, and threats to the SAP environment can emerge from external sources such as compromised workstations and careless or malicious DBAs. Third, the user, transaction, and system activity can be extremely difficult to understand and analyze. Organizations need a flexible, intelligent solution that can collect and interpret the data from all sources – millions of individual records – and can analyze that data to provide meaningful intelligence that can be used to make informed decisions. The Continuous Monitoring and Auditing for ERP solution from SenSage provides organizations with comprehensive monitoring and analysis capabilities and full visibility into all SAP activity and the surrounding IT infrastructure. The SenSage engine gathers the key activity and transaction information from SAP and from the IT systems and stores all of this information in a powerful event data warehouse, making it possible to retain years’ worth of information in a highly compressed format. This SenSage solution is SAP-certified. It integrates directly with the SAP environment and extracts and analyzes the data with no impact on the production system. This innovative solution allows organizations to address critical requirements, enabling them to detect security and business risks, automate SAP activity reporting, and satisfy compliance requirements.


The Need for SAP Monitoring

Organizations rely on SAP to run their most critical business processes. Employees, partners, consultants and others must be allowed access and trusted with certain permissions, rights and privileges within the SAP environment in order to complete specific tasks and ensure that operations run smoothly. With this access comes increased vulnerability. In addition, today’s increased reliance on IT, networked systems, and web and email communication also opens up new security vulnerabilities and the potential for fraud.

Security Threat and Fraud Detection

Enterprises must provide users with IDs and passwords to access SAP and must assign roles and authorizations to allow those users to execute specific actions within SAP. These users have email accounts that can be used to communicate internally and externally, and they often have full Internet access as well. The tools employees are provided with to do their jobs can also be used to perpetrate fraud, harvest intellectual property, or sabotage operations. The damage may not be intentional. Well-meaning users can unintentionally misuse their privileges while trying to achieve a seemingly valid goal. For example, while trying to address a payroll issue, an HR representative may access that employee’s information, download protected information, and forward it to the IT department via email for troubleshooting. Or a manager on vacation may log in via the VPN from a foreign country to address an HR issue with an employee. Without realizing it, that manager may violate corporate policy and federal regulations.

These brief examples highlight the need to monitor user activity within SAP. However, comprehensive security and fraud detection requires a much broader view as well. To function properly, the SAP environment relies on databases, application servers, workstations, switches, firewalls, VPNs, email, the Internet, proxy servers, and many other IT systems. Security threats may not be visible by auditing SAP alone. For example, an SAP user’s workstation may be compromised due to unfiltered web surfing, dictionary password attacks, malware, poor password management, or other endpoint attack vectors. If that workstation has access to SAP, the potential vulnerability to SAP will never be detected by monitoring SAP in isolation. To identify the threat one would need to have detected the compromise at the workstation level first.

Another example relates to the database systems supporting SAP. DBAs are entrusted with extremely powerful privileges to enable them to ensure the SAP system runs efficiently and effectively. However, these privileges also enable DBAs to make direct SAP table manipulations with no evidence of the modification captured within SAP. For example, a DBA can change financial posting tables directly while bypassing SAP business logic and security. This type of activity also must be monitored outside of SAP.

Compliance

Beyond the need to mitigate security and fraud risks, enterprises also face regulatory compliance and audit drivers that mandate in-depth monitoring of the full SAP environment. Sarbanes-Oxley requires CFOs and CEOs to personally attest to the integrity of financial statements. PCI establishes credit card user and data protection standards and imposes significant financial and business penalties for failure to satisfy all requirements.

During the first phase of compliance, companies tended to focus on securing and monitoring the outer layers of their networks, such as firewalls and intrusion detection systems, to address compliance requirements. The primary goal of this focus was to protect against external threats. However, auditors are increasingly focusing attention on core internal applications and business processes. These systems often contain the most valuable corporate assets, and they are accessed daily by insiders (employees, partners, consultants) for legitimate purposes. The measures taken to address external threats, such as firewalling and authentication, cannot be used to mitigate insider threats. Again, comprehensive and sophisticated monitoring of user activity is needed to ensure proper use of SAP and to address audit and regulatory compliance requirements. Auditors also look to see that monitoring of all critical IT systems is a routine daily process. It is not sufficient to have the ability to manually sift through terabytes of user activity data when needed. Monitoring must be part of daily business operations so that threats can be detected and remediated proactively. Many organizations have resorted to highly manual processes to satisfy initial compliance audits, but they quickly realize the ROI of investing in more capable, automated monitoring solutions.

Controls Testing and Compensating Controls

SAP implementations can be highly complex, comprising thousands of users and roles, myriad processes spanning the entire enterprise, and massive infrastructure requirements. Organizations create and deploy various controls to ensure that their SAP environment functions as intended. For example, controls can:

• Prevent the same user from creating a vendor and paying that vendor
• Ensure that basis administrators do not create users or modify permissions
• Review user privileges and ensure that only needed rights are authorized

Organizations must not only implement these types of controls but also test the controls for their effectiveness. In some cases the control can be automated. For example, with products like SAP Access Control an organization can flag any user that can both create a vendor and also pay that vendor, a common segregation-of-duties (SoD) conflict. Other controls can be harder to automate. For example, basis administrators, by definition, have elevated privileges and can add, modify and delete users. However, standard segregation-of-duties policies indicate that basis administrators should not create or modify user accounts. In this case, organizations need a means to monitor the basis user activity to identify violations of this policy.

Compensating controls allow organizations to remain protected in cases where the control cannot be enforced, or when enforcement requires an additional process to achieve the goal. For example, organizations often must temporarily assign roles to users, and these temporary roles may violate the SoD control. This may be necessitated by a limited staff situation; for example, an employee on vacation may leave insufficient staff to separate roles among different users. In these cases the organization may elect to override the control in order to meet a necessary business objective, such as continuing to both create and pay vendors. To compensate for this potential vulnerability it now becomes necessary to monitor that user’s activity for potential abuse of the exceptional but intended temporary role assignment.


Forensics and Investigations

Organizations often need to investigate past activity to understand the scope of an incident, retrace the steps of an event, and uncover other potential threats. Compliance regulations recognize this and often mandate that all user and system activity data for up to five years or even longer be retained. This data often totals a terabyte or more and must be maintained in a repository that allows flexible querying. An incident may require retrieving all activity performed by a specific user, or related to a set of transactions, or coming from a specific set of IP addresses. It may require more complex correlation analysis as well, such as identifying any user who accessed a specific sensitive record and then emailed that information through a private account.


Challenges of Comprehensive SAP Monitoring

These examples highlight the need for comprehensive, 360-degree monitoring of SAP and the supporting IT environment. However, this comprehensive monitoring creates a new set of challenges including processing huge volumes of data, analyzing heterogeneous data, and extracting meaningful information that guides the necessary response.

Massive Data Volume

At its core, comprehensive SAP monitoring requires capturing all user and transaction activity within SAP, pulling this information into an analytics engine, and then applying intelligence to analyze the data. Considering the number of users accessing SAP, the number of transactions processed, and the number of SAP application interactions necessary to process each transaction, this is a daunting challenge. For true 360-degree visibility, organizations must also examine activity in core databases, the SAP application servers and even the users’ workstations. The total volume of event data that must be gathered and analyzed on a daily basis can easily run between 10 and 100 gigabytes per day, and can be substantially more. This data is often the single fastest growing data source in the enterprise.

It is also necessary to retain all this information in its raw, original form for years in order to satisfy forensics and investigations demands as well as compliance requirements. When stored for a year or more, the total data volume runs into tens or hundreds of terabytes. The data cannot be processed once and thrown away, or aggregated and summarized. Event data represents historical records of activity and one cannot know in advance which records will be needed at a later date. Further, this data may be necessary in legal proceedings and must therefore be kept unaltered, with all the original detail maintained, and protected from tampering.

Heterogeneous Data

Depending on what system, application or device is being monitored, the event data produced has different information, fields, formats and forms. SAP itself has thousands of different event types, each containing a distinct set of relevant information. To begin with, you need visibility into key SAP business processes such as Order-to-Cash and Procure-to-Pay. But you also need to be able to see the core SAP logging facilities such as Change Documents (the CDHDR/CDPOS tables) and the Security Audit Log. Each of these sources contains critical user and transaction activity information that, when analyzed properly, can alert you to suspicious transactions, potential fraud, and other threats. Within SAP, your monitoring program should cover, at minimum, the following modules:

• Sales and Distribution
• Materials Management
• Financial and Accounting
• Change Document
• Security Audit Log
• User Access


As discussed earlier, it is also necessary to monitor SAP in the context of its surrounding IT infrastructure. This means collecting event data or log data from numerous systems, including:

• Databases
• Operating systems
• Networking equipment (e.g., routers, switches)
• Security devices (e.g., firewalls, intrusion detection and prevention systems)
• Email and web activity (e.g., Exchange, proxy servers)
• Other corporate applications

This data heterogeneity presents serious analysis challenges. The first challenge is simply collecting the event data from the appropriate sources. Some systems stream this data in real time over standard protocols like syslog. Others log the data to a flat file or write the events to a database. Some applications do not write events at all; their activity must be queried directly from tables or accessed via proprietary APIs. The next challenge is to interpret the highly variant data. Each individual data source has its own format and “schema,” and each field must be parsed and understood by the analytics engine.

Complex Analysis

Once the data has been collected and parsed, the next challenge is to turn terabytes of this raw data into meaningful business information that can be used to make informed decisions. The type of information being sought can vary, and that dictates the event data analysis requirements.

Correlations

Events in SAP may involve many disparate individual actions which, taken together, identify the full scope of the event. For example, a change in a vendor’s bank information followed by a change back may not be especially noteworthy. Nor would a single payment to that vendor. However, the fact that a change was made, immediately followed by a payment (even by a different user), may indicate something more serious. This type of analysis, known as event correlation, is a critical capability for identifying and preventing serious threats as quickly as possible.

Summaries and trends

Given the millions of user, system, and transaction events occurring daily, a key reporting requirement is to condense this information into useful daily/weekly/monthly metrics and summaries. These reports can be simple counts of specific events (such as the number of failed logins) or complex analysis spanning multiple sources (such as the number of logins from users authenticating through VPN from foreign locations, executing specific sensitive transactions). To identify growing sources of risk, analysts will need to see the trend line of these metrics over long periods of time. For example, a 25% increase in Severity 9 events in SAP may signal a deeper issue that requires senior management involvement.

Forensics, investigations, and drill-downs

Based on the information in the daily summaries, or from an event correlation alert, there will often be a need to investigate further. Organizations may need to retrace all the actions of a particular user over a period of time, or look at all the events associated with a particular transaction, or investigate all the information downloaded from SAP and compare this with the user’s workstation activity (such as USB downloads or emails to private accounts or FTP uploads to external servers).

Given these significant data collection, management, and analysis challenges, new technical approaches are needed. Traditional security information and event management (SIEM) and data warehousing products are ill-suited to address these requirements given the massive volumes of data to be managed, the complex data warehouse tuning required, and the high total cost to implement and manage them.
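The forensic drill-downs described in this section (a segregation-of-duties check for users who both create and pay a vendor, a cross-source correlation of an SAP download followed by an email to a private account, and a per-user timeline) are the kind of queries an analyst would run against a long-term event store over standard SQL. The following is an added example, not code from the SenSage product or from this paper: it stands up an in-memory SQLite database as a stand-in for the event warehouse, loads a handful of constructed SAP and mail-server records, and runs those three queries. The table layout, the event names and the sample users are assumptions made for the example; the transaction codes XK01 (create vendor), F-53 (post outgoing payment) and PA20 (display HR master data) are real SAP codes.

```python
import sqlite3

# Constructed sample records standing in for extracted SAP and mail-server events
# (illustrative only; not real adapter output). Timestamps are ISO-8601 strings so
# that SQLite's julianday() can do the time arithmetic. Event names are assumptions.
SAP_EVENTS = [
    # ts, user_id, tcode, event, object_id
    ("2010-02-01T09:00:00", "jdoe",   "XK01", "VENDOR_CREATE", "V1001"),
    ("2010-02-01T09:20:00", "jdoe",   "F-53", "VENDOR_PAY",    "V1001"),
    ("2010-02-01T10:00:00", "asmith", "XK01", "VENDOR_CREATE", "V1002"),
    ("2010-02-01T11:00:00", "bjones", "F-53", "VENDOR_PAY",    "V1002"),
    ("2010-02-01T13:05:00", "hrrep",  "PA20", "FILE_DOWNLOAD", "emp_4711.xls"),
    ("2010-02-01T14:30:00", "asmith", "PA20", "FILE_DOWNLOAD", "emp_0815.xls"),
]
EMAIL_EVENTS = [
    # ts, user_id, recipient, attachment
    ("2010-02-01T13:17:00", "hrrep",  "hrrep@webmail.example",    "emp_4711.xls"),
    ("2010-02-01T16:10:00", "asmith", "it-helpdesk@corp.example", "emp_0815.xls"),
]
CORPORATE_DOMAIN = "corp.example"   # assumption: any other domain counts as a private account

SCHEMA = """
CREATE TABLE sap_events   (ts TEXT, user_id TEXT, tcode TEXT, event TEXT, object_id TEXT);
CREATE TABLE email_events (ts TEXT, user_id TEXT, recipient TEXT, attachment TEXT);
"""


def load_warehouse():
    """Build an in-memory stand-in for the event store and load the sample records."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sap_events VALUES (?,?,?,?,?)", SAP_EVENTS)
    con.executemany("INSERT INTO email_events VALUES (?,?,?,?)", EMAIL_EVENTS)
    con.commit()
    return con


def sod_violations(con):
    """Users who both created a vendor and paid that same vendor (an SoD conflict)."""
    return con.execute("""
        SELECT DISTINCT c.user_id, c.object_id AS vendor
        FROM sap_events c
        JOIN sap_events p ON p.object_id = c.object_id AND p.user_id = c.user_id
        WHERE c.event = 'VENDOR_CREATE' AND p.event = 'VENDOR_PAY'
        ORDER BY c.user_id, vendor
    """).fetchall()


def download_then_external_email(con, window_minutes=60):
    """Cross-source correlation: a file downloaded from SAP and then mailed by the same
    user to an address outside the corporate domain within the window."""
    return con.execute("""
        SELECT d.user_id, d.object_id, e.recipient,
               ROUND((julianday(e.ts) - julianday(d.ts)) * 1440) AS minutes_later
        FROM sap_events d
        JOIN email_events e ON e.user_id = d.user_id AND e.attachment = d.object_id
        WHERE d.event = 'FILE_DOWNLOAD'
          AND e.recipient NOT LIKE '%@' || ?
          AND (julianday(e.ts) - julianday(d.ts)) * 1440 BETWEEN 0 AND ?
        ORDER BY d.ts
    """, (CORPORATE_DOMAIN, window_minutes)).fetchall()


def user_timeline(con, user_id):
    """Forensic drill-down: every SAP and email event for one user, in time order."""
    return con.execute("""
        SELECT ts, 'sap' AS source, tcode || ' ' || event || ' ' || object_id AS detail
        FROM sap_events WHERE user_id = ?
        UNION ALL
        SELECT ts, 'email', 'mail to ' || recipient || ' (' || attachment || ')'
        FROM email_events WHERE user_id = ?
        ORDER BY ts
    """, (user_id, user_id)).fetchall()


if __name__ == "__main__":
    con = load_warehouse()
    print("SoD conflicts:", sod_violations(con))
    print("Download then external email:", download_then_external_email(con))
    for row in user_timeline(con, "hrrep"):
        print(row)
```

On the constructed data the SoD query flags only jdoe (asmith created V1002 but bjones paid it), and the download-then-email query flags only hrrep: asmith's download was mailed to the corporate helpdesk, and outside the one-hour window anyway. The same queries run unchanged against any SQL-accessible store that holds both sources, which is the point of keeping the raw events together rather than summarizing them away.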


The SenSage Security Intelligence Solution

The SenSage Continuous Monitoring and Auditing for ERP solution provides unequalled visibility into user, system, and transaction activity within SAP as well as into the entire IT infrastructure. This solution, built on the patented SenSage event data warehouse architecture, is fully SAP-certified, powered by NetWeaver, and offers out-of-the-box reports and analytics targeted to SAP users, auditors, and risk managers.

The SenSage SAP solution is part of a platform of Security Intelligence solutions from SenSage. These solutions provide organizations with enterprise-wide, essential decision support for security, risk management, and compliance operations. SenSage Security Intelligence delivers strong real-time threat detection combined with a patented event data warehouse that provides superior long-term analysis and retention – all accessible through an easy-to-use dynamic user interface. The SenSage Security Intelligence solutions enable organizations to gain higher benefits from the vast amount of data they must save, to protect their valuable and sensitive data, and to respond more easily and fully to compliance and audit requirements.

All SenSage Security Intelligence solutions have three primary components: the Interactive Analytics, the underlying Event Data Warehouse and the Administration Console. These SenSage components can be deployed in the form of software, hardware appliance and/or virtual machine, and each may support a variety of storage technologies including on-board storage, storage area network (SAN), network attached storage (NAS) and content addressable storage (CAS). Together, these SenSage and third-party components comprise a Security Intelligence solution (see Figure 1).

Figure 1. SenSage Security Intelligence Solution Architecture.


Interactive Analytics

The Interactive Analytics component is an analytics environment that can be completely customized. It performs three operations: real-time monitoring, contextual investigation and reporting. Real-time monitoring is done using supplied and customized dashboards tailored to the specific Security Intelligence solution. For example, the SenSage Continuous Monitoring and Auditing for SAP product includes supplied analytics for fraud monitoring in the order-to-cash process (among many others) that can be edited or supplemented with custom analytics and dashboards built by the customer or by SenSage Professional Services.

Contextual investigation is enabled by a query wizard embedded with all of the organization’s collected event data elements or accessed through contextual links from any dashboard, report or prior query result. The reporting capability includes supplied reports, ad hoc reporting and compliance reporting. Supplied reports are available for many of the popular SenSage uses (e.g., SAP Monitoring and Auditing, Database Activity Monitoring, Windows). Ad hoc reporting is aided by a report-generating wizard and allows a range of formatting options for any custom query. Compliance reporting formats the event data and associated summaries into specific regulatory compliance formats such as ISO 17799, PCI, HIPAA, Sarbanes-Oxley, FISMA, DCID 6/3 and NISPOM.

System wizards enable nontechnical users to create new reports, dashboards, and ad hoc queries in seconds using a drag-and-drop interface. Exact-match querying across any data column enables users to easily create data aggregation, trending, business and technical reports through bar, line and tabular charts. Unlike solutions that use “Google-style” searches, only exact matches are returned.

Technical users can use underlying SQL code to further fine-tune reports and queries. SenSage IntelliSchema provides cross-source and cross-vendor reporting capabilities, and new data sources can be easily added with no SQL changes. IntelliSchema was designed to give customers the ability to expand their solution capabilities on the fly, adding new sources, new reports and analyses without changing their data schema. IntelliSchema easily incorporates custom data sources in both the collection and reporting processes. Organizations can adapt to new threats and new regulations without major upgrades or service engagements, and there is no need to involve DBAs.

Event Data Warehouse

The SenSage Event Data Warehouse comprises a collector, real-time monitor and columnar database. The collector performs the externally facing data acquisition functions typically referred to as “extract, transform, load (ETL)” in the data warehouse sector. The extract step is performed by SenSage log adapters, which operate agentlessly, so no agent needs to be deployed on or near the event data source. These log adapters obtain and parse data from over 250 event data sources through a variety of protocols including but not limited to syslog, syslog-ng, SNMP, FTP, SFTP, SCP, SMB, RPC, SQL*Net/RDBMS, HTTP(S) GET and PUSH. Customization is easy and many customers develop their own log adapters. Depending upon the event data source and deployment preferences, SenSage log adapters may operate in streaming or scheduled-batch mode.

The transform and load steps involve two different processes to support the multiple operations modes noted above. As each new event data set arrives through the log adapters, one copy is delivered to the real-time monitor for dynamic parsing, normalization, filtering, analysis and alerting. A second copy is delivered to the columnar database for tamper-resistant storage in its native/raw format. This unique data forking approach bridges real-time and historic analysis while maintaining the complete event log for forensic evidence. Further, this approach supports instant replay visualization; events may be replayed graphically to review their sequence and interdependency.

The real-time monitor is a highly scalable correlation engine that supports threshold- and scenario-based rules built from logical operations on event data and displayed in dashboards in the Interactive Analytics. The scenario-based real-time correlation engine uses a state machine paradigm to correlate events from multiple sources over a sliding time window. This methodology enables real-time threat detection that goes beyond attack pattern recognition and enables analysis of true threat behavior. Furthermore, the SenSage real-time correlation engine is fully integrated with SenSage historical event analysis. As such, it allows the operator to easily look for historical occurrences of similar events to fine-tune future real-time correlation effectiveness, resulting in a virtuous cycle of better security. The real-time engine is scalable and may be distributed across multiple processes (and nodes) for large deployments.
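A state machine correlating events over a sliding time window, as described in the paragraph above, is the natural way to catch the vendor-payment scenario from the Complex Analysis section: a change to a vendor's bank details, a payment to that vendor shortly afterwards (possibly by a different user), and then a change back. The following is an added example written for this page, not SenSage's engine or any code from the paper. It keeps one state per vendor (IDLE, or CHANGED with the triggering change event), expires that state once the window has passed, raises an alert when a payment arrives while the vendor is in CHANGED, and upgrades the alert when a later change restores the original account. The event types, field names, window length and sample events are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed event shape for the example (not real SAP change-document or payment
# records). kind is BANK_CHANGE (vendor master bank details changed) or PAYMENT.
@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    vendor: str
    old_account: str = ""
    new_account: str = ""
    amount: float = 0.0


class VendorPaymentCorrelator:
    """Per-vendor state machine over a sliding time window.

    IDLE    --BANK_CHANGE-----------------> CHANGED (remember the change event)
    CHANGED --PAYMENT inside the window---> raise alert, stay CHANGED
    CHANGED --window elapsed--------------> IDLE
    A later BANK_CHANGE that restores the pre-change account marks the open alert
    as reverted and raises its severity: change, pay, change back is the classic pattern.
    """

    def __init__(self, window=timedelta(hours=24)):
        self.window = window
        self.changed = {}   # vendor -> most recent BANK_CHANGE still inside the window
        self.alerts = []

    def _expire(self, now):
        stale = [v for v, ev in self.changed.items() if now - ev.ts > self.window]
        for v in stale:
            del self.changed[v]

    def feed(self, ev):
        """Consume one event (events must arrive in time order); return alerts it raised."""
        self._expire(ev.ts)
        raised = []
        if ev.kind == "BANK_CHANGE":
            for a in self.alerts:
                if (a["vendor"] == ev.vendor and not a["reverted"]
                        and ev.new_account == a["original_account"]):
                    a["reverted"] = True
                    a["severity"] = "high"
            self.changed[ev.vendor] = ev
        elif ev.kind == "PAYMENT" and ev.vendor in self.changed:
            chg = self.changed[ev.vendor]
            alert = {
                "vendor": ev.vendor,
                "changed_by": chg.user,
                "paid_by": ev.user,
                "same_user": chg.user == ev.user,
                "original_account": chg.old_account,
                "paid_to_account": chg.new_account,
                "amount": ev.amount,
                "delay": ev.ts - chg.ts,
                "reverted": False,
                "severity": "medium",
            }
            self.alerts.append(alert)
            raised.append(alert)
        return raised


def correlate(events, window=timedelta(hours=24)):
    """Run the correlator over a batch of events (sorted by time) and return all alerts."""
    c = VendorPaymentCorrelator(window)
    for ev in sorted(events, key=lambda e: e.ts):
        c.feed(ev)
    return c.alerts


def t(s):
    return datetime.fromisoformat(s)


# Constructed sample stream: V1001 is the change / pay / change-back pattern, V1002 is a
# change followed by a payment two days later (outside the window), V1003 is a plain payment.
SAMPLE_EVENTS = [
    Event(t("2010-02-01T09:00:00"), "jdoe",   "BANK_CHANGE", "V1001", "DE11 0001", "DE99 0042"),
    Event(t("2010-02-01T09:30:00"), "bjones", "PAYMENT",     "V1001", amount=48500.0),
    Event(t("2010-02-01T10:00:00"), "jdoe",   "BANK_CHANGE", "V1001", "DE99 0042", "DE11 0001"),
    Event(t("2010-02-01T08:00:00"), "asmith", "BANK_CHANGE", "V1002", "FR00 0001", "FR00 0002"),
    Event(t("2010-02-03T08:00:00"), "bjones", "PAYMENT",     "V1002", amount=1200.0),
    Event(t("2010-02-01T11:00:00"), "bjones", "PAYMENT",     "V1003", amount=300.0),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only V1001 produces an alert: the payment lands thirty minutes after the bank change, by a different user, and the subsequent change back lifts it to high severity. V1002 is silent because the payment falls outside the 24-hour window, which is exactly the false positive a window is there to suppress; an analyst who wants to see it anyway widens the window or runs the equivalent historical query over the warehouse.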

The SenSage Columnar Database incorporates patented technology optimized for event data warehousing applications. Unlike traditional relational database management systems that use a row format, data is organized by column in a single, centralized data repository. While the difference may sound minor, the performance gains are dramatic. Indexes are unnecessary in this configuration, thus reducing storage and maintenance requirements. Data is compressed at a 10:1 advantage over relational databases (and up to 40:1 in practice when you consider the average number of indexes needed by traditional row-wise databases) and is stored in a time-based hierarchical series of folders and flat files. Alternatively, data may reside on a shared storage device such as a SAN, NAS or CAS.

The SenSage Columnar Database supports third-party business intelligence tools through an ODBC/JDBC interface. This enables users to leverage familiar tools and standard SQL to query and report on the event data.

The Event Data Warehouse features a massively parallel processing architecture that scales up or down depending on the number of nodes present in the system. This parallel architecture enables record insertion rates of hundreds of thousands of records per second. Moreover, each node in the parallel architecture may take advantage of advanced hardware features such as multicore processors and faster disk drives, and mixed environments may be configured to leverage nodes of varying power. To maintain constant availability, backup copies of each node’s data are stored on another node for data redundancy and automatic failover.

Administration Console

GUI-based administrative screens enable easy management of users, privileges, schedules, and reports. SenSage Security Intelligence solutions offer robust and secure authentication, administration and access control with multiple security levels down to a highly granular degree of control. Authorized users are assigned roles with specific permissions that determine which features, functions, reports and data each user may access. Role-based filters support granular permissions where users only see data with specific values (e.g., users only see data related to systems they own). Users can install SenSage clients in any geographic location, and the connection between client and server is secure and encrypted.


SAP Integration The SenSage ERP solution has been fully integrated with SAP to provide in-depth visibility and monitoring of key SAP activities and processes. The integration is designed to provide the smallest possible footprint in the SAP environment, extract the activity data, and allow it to be analyzed outside of SAP. Integration with SAP is accomplished through SenSage-developed modules that query and extract relevant activity data from various SAP systems. The SAP integration has been tested, evaluated and certified by SAP. Figure 2 below shows the architecture of this integrated solution. Security Audit Log Within SAP, system administrators (typically basis administrators) first enable logging by running the SM-19 process. In this process, administrators can specify which user IDs and which transactions should be filtered during normal processing. Normally SAP administrators would use the SM-20 process to view the content of the logs across all application servers and would run another process to purge the older security audit logs. However with the SenSage solution, these log files are automatically picked up and purged from each of the application servers. Once picked up, the SenSage engine stores the data permanently in its immutable database and allows you to generate all the reports you need, including summary and detailed reports, ad hoc queries, and forensics investigations. The content in the Security Audit Log includes:

• logons/logoffs, unsuccessful logon attempts
• locking out a user due to unsuccessful logon attempts; removal of account lock
• successful/unsuccessful RFC/CPIC logons
• transaction started and failed transaction starts
• transaction locked or unlocked
• successful/failed report starts
• successful/unsuccessful RFC calls
• user deleted, locked, or unlocked
• user master or authorizations changed
• authorization or profile created, changed, or deleted
• configuration of the security audit log changed
• application server started or stopped
• files downloaded
• digital signature called
• test messages

The fields in most log entries include the transaction code, the user ID, and the terminal ID from which the transaction was initiated. That makes the Security Audit Log one of the best sources for determining who actually performed a transaction: because the entries are written by the SAP kernel rather than by application code, custom ABAP programs cannot avoid generating them.


Figure 2. SAP and SenSage Integration Architecture

SAP-Focused Analytics

The SenSage engine gathers the key activity and transaction information from SAP as well as from the IT systems and stores all of this data in a powerful data warehouse, making it possible to retain years’ worth of information in a highly compressed format. It also provides the ability to rapidly perform analytics without requiring that the user have any specialized SQL skills or that the user be a DBA. The powerful analytics capabilities of the SenSage solution transform millions of records of raw data into useful, meaningful business intelligence information. To facilitate the use of this information, the SenSage solution provides an easy-to-use user interface and includes an integrated suite of out-of-the-box reports and analytics tailored to meet the security, controls, and compliance requirements for SAP monitoring. In addition, the SenSage interface enables users to easily customize reports themselves and to create new reports in order to meet their organization’s unique analysis requirements. The built-in query wizard allows even users unfamiliar with SQL to create custom reports with point-and-click ease.


The following screenshots provide examples of SAP monitoring and auditing dashboards:

Figure 3. SenSage Console – Order Change Dashboard


Figure 4. SenSage Console – Expired User Roles Dashboard


SenSage Use Case: High-Severity SAP Events and User Activity Investigation

SAP records system events in the Security Audit Log and categorizes each record by severity, from 0 (low) to 9 (high). The Security Audit Log can quickly grow to very large volumes, and as a result most organizations are unable to monitor this data for sensitive or suspicious activities. The SenSage solution allows organizations to extract this data efficiently from SAP and to store and analyze the information within the SenSage event data warehouse. The SenSage solution also provides an intuitive utility to configure which specific events are recorded in the Security Audit Log, as shown in Figure 5.

Figure 5. SenSage – Security Audit Log Configuration Utility


The High Severity SAP Events dashboard in Figure 6 demonstrates the value of collecting and analyzing the SAP Security Audit Log. It provides a graphical summary of the number of low-, medium- and high-severity SAP events over time.

Figure 6. SenSage Console – High Severity SAP Events Dashboard

It is easy to see in this example that the number of Severity 9 (the highest severity) events has suddenly increased and, further, that this occurred on Saturday. The top half of the dashboard shows all the raw data behind the summary graph below. The console indicates that over 500,000 records of Security Audit Log events are summarized in the chart. Having seen the sudden increase in Severity 9 events, you can now use the detailed, tabular view to instantly access events of interest.


First you will use the filtering capability to look for Severity 9 events and “locked” events only. This immediately reduces the number of records to 16, and you can quickly see a number of account lockout events (see Figure 7).

Figure 7. Using filters to isolate lockout events

The next step in the investigation is to understand what other activity these locked out users may have performed within SAP. By simply right-clicking the username of interest, the SenSage engine presents a menu of additional associated reports. In this case you want to see all the User Activity Details (see Figure 8).

Figure 8. Drilling down into a specific user’s activity details


Selecting this report opens a query wizard that is prepopulated with the user information (see Figure 9). You simply select the time range of interest and any other additional criteria (e.g., action type or client ID) and then click “Run.”

Figure 9. SenSage Query Wizard prepopulated with user activity detail


Within seconds, the SenSage engine returns a full report of all of this user's activity in SAP (see Figure 10). In this case the report shows a number of failed logon attempts, followed by a successful logon, a password change, and finally a number of transactions. Of particular interest are the PA30 (Maintain HR Master Data) and PA40 (Personnel Actions, which include hiring) transactions, since they change employee records.

Figure 10. Full report of user’s SAP activity details

With this information, you could then expand the investigation to look outside of SAP, perhaps to email, web surfing or instant message logs, to see if sensitive data may have been leaked from the organization. What this use case demonstrates is the ability to review high-level dashboard information and seamlessly drill down into granular user activity with a few mouse clicks. No special analysis skills such as SQL are required.
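The investigation above (summarize by severity, filter to the highest-severity lock events, drill into one user, and look for the failed-logon, successful-logon, password-change, HR-transaction sequence) can be expressed as plain detection logic over the warehouse records. The Python below is an added example written for this page; it is not SenSage's or SAP's code. The record layout, the event names (LOGON_FAIL, USER_LOCKED and so on), the low/medium/high severity thresholds and the list of sensitive transaction codes are all constructed or assumed for illustration: real SM20 output has a different format and carries SAP message IDs rather than these labels.

```python
"""Triage of SAP Security Audit Log records (added example, constructed data).

Simplified record layout, assumed for this example:
    timestamp|client|user|terminal|severity|event|tcode
Real SM20 output and SAP message IDs differ from the labels used here.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed list of HR transactions worth flagging (page names PA30 and PA40).
SENSITIVE_TCODES = {"PA30", "PA40"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    client: str
    user: str
    terminal: str
    severity: int   # 0 (low) .. 9 (high), as the dashboard categorizes them
    event: str      # simplified event type (constructed, not an SAP message ID)
    tcode: str = ""  # transaction code for TX_START events, else empty


# Constructed sample warehouse contents for a Saturday (2010-02-13); not real data.
# Note: in real records an unlock is attributed to the administrator who performed
# it, with the affected account in the message text; this sample simplifies by
# keying every record on the affected user.
RAW = """\
2010-02-13T09:58:10|100|JSMITH|WKS-0417|2|LOGON_OK|
2010-02-13T10:02:40|100|JSMITH|WKS-0417|3|TX_START|VA01
2010-02-13T22:14:03|100|ADMIN2|WKS-0911|5|LOGON_FAIL|
2010-02-13T22:14:21|100|ADMIN2|WKS-0911|5|LOGON_FAIL|
2010-02-13T22:14:39|100|ADMIN2|WKS-0911|5|LOGON_FAIL|
2010-02-13T22:14:40|100|ADMIN2|WKS-0911|9|USER_LOCKED|
2010-02-13T22:31:05|100|ADMIN2|WKS-0911|9|USER_UNLOCKED|
2010-02-13T22:31:50|100|ADMIN2|WKS-0911|2|LOGON_OK|
2010-02-13T22:32:15|100|ADMIN2|WKS-0911|4|PASSWORD_CHANGED|
2010-02-13T22:35:02|100|ADMIN2|WKS-0911|3|TX_START|PA30
2010-02-13T22:41:47|100|ADMIN2|WKS-0911|3|TX_START|PA40
2010-02-13T23:02:11|100|BATCH01|SRV-02|9|APPSERVER_STOPPED|
"""


def parse(text: str) -> list:
    """Parse the constructed pipe-delimited records into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, sev, event, tcode = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), client, user,
                                 terminal, int(sev), event, tcode))
    return sorted(events, key=lambda e: e.ts)


def severity_by_day(events) -> dict:
    """Counts per (date, bucket) behind the low/medium/high summary chart.
    Bucket thresholds (>=7 high, >=4 medium) are assumed for this example."""
    def bucket(s: int) -> str:
        return "high" if s >= 7 else "medium" if s >= 4 else "low"
    return dict(Counter((e.ts.date().isoformat(), bucket(e.severity)) for e in events))


def lockout_events(events, min_severity: int = 9) -> list:
    """The Figure 7 filter: top-severity records whose event type involves a lock."""
    return [e for e in events if e.severity >= min_severity and "LOCK" in e.event]


def user_activity(events, user: str, start: Optional[datetime] = None,
                  end: Optional[datetime] = None) -> list:
    """The Figure 9/10 drill-down: everything one user did inside a time window."""
    return [e for e in events if e.user == user
            and (start is None or e.ts >= start) and (end is None or e.ts <= end)]


def lockout_followup(events, user: str) -> dict:
    """Reconstruct what happened around a lockout: how many failures preceded it,
    and whether an unlock, a logon, a password change and sensitive transactions
    followed. Returns {} if the user was never locked."""
    acts = user_activity(events, user)
    lock_idx = next((i for i, e in enumerate(acts) if e.event == "USER_LOCKED"), None)
    if lock_idx is None:
        return {}
    before, after = acts[:lock_idx], acts[lock_idx + 1:]
    return {
        "failed_logons_before_lock": sum(e.event == "LOGON_FAIL" for e in before),
        "unlocked": any(e.event == "USER_UNLOCKED" for e in after),
        "logon_after_lock": any(e.event == "LOGON_OK" for e in after),
        "password_changed": any(e.event == "PASSWORD_CHANGED" for e in after),
        "sensitive_tcodes": sorted({e.tcode for e in after
                                    if e.event == "TX_START" and e.tcode in SENSITIVE_TCODES}),
        "terminals": sorted({e.terminal for e in after}),
    }


def triage(text: str) -> dict:
    """Full pass: parse, isolate lock events, and follow up every locked user."""
    events = parse(text)
    locked_users = {e.user for e in lockout_events(events) if e.event == "USER_LOCKED"}
    return {u: lockout_followup(events, u) for u in sorted(locked_users)}


if __name__ == "__main__":
    evs = parse(RAW)
    for key, n in sorted(severity_by_day(evs).items()):
        print(key, n)
    for user, finding in triage(RAW).items():
        print(user, finding)
```

The terminal set in the result is the check a practitioner would add to the page's walkthrough: a lockout followed by a successful logon and password change from a different terminal than the failures points at a reset by someone else, while the same terminal throughout suggests the original operator simply kept guessing. In a production pipeline the "lock" filter would key on the actual SM20 message IDs rather than a substring, and the bucket thresholds would follow whatever severity mapping the warehouse applies.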


SenSage and SAP GRC

SenSage has worked closely with the SAP Governance, Risk and Compliance business unit to ensure that the SenSage solution integrates with and extends the value of the SAP GRC suite of products. SenSage is the first SAP partner to leverage the GRC products' Web Services APIs to deliver high-value alerts and key risk indicators (KRIs) into the SAP GRC suite. The SAP GRC suite comprises three products: Access Control, Process Control and Risk Management. The SenSage Continuous Monitoring and Auditing for ERP solution provides unique value for each product.

Access Control

SAP Access Control automates the process of searching for and alerting organizations to SoD conflicts. Its Firefighter component adds the ability for selected SAP users to elevate their privileges in emergency situations, while adding fine-grained tracking of Firefighter ID activity. The SenSage SAP solution provides critical additional monitoring and compensating controls to complement the capabilities of Access Control. For example, the SenSage solution provides the ability to monitor any user activity, not only Firefighter IDs. Many organizations find it necessary to override SoD conflicts to address staffing shortages or for other reasons. The SenSage solution allows organizations to monitor these situations and confirm that the potential conflict is not an actual violation. It also provides a long-term forensic capability that allows organizations to see not only who had which role in the past but also all the activity the user engaged in over months or years. Last, the SenSage solution adds visibility to non-SAP activity outside the scope of Access Control. The SenSage engine can alert SAP administrators to potential threats that can only be detected outside of SAP, for example shared network IDs or compromised workstations.

Process Control

SAP Process Control provides alerting, workflow and remediation capabilities to the SAP GRC suite. Process Control allows organizations to standardize and automate procedures to address security, compliance, or other risks as they arise. SenSage is the first SAP partner to integrate with SAP Process Control to deliver alerts from the SenSage engine into Process Control. This allows Process Control to take advantage of the full breadth of visibility that the SenSage solution offers, both within and outside of SAP. Any risk or threat identified by the SenSage engine can instantly be fed into the Process Control console and can have associated workflows and remediation steps identified and executed (see Figure 11). In addition, the SenSage solution allows analysts to investigate the threat quickly by providing immediate access to all relevant user and transaction activity, not only today's data but all historical data as well.


Figure 11. SenSage and SAP Process Control Integration

Risk Management

SAP's Risk Management product provides an aggregated view of key risk indicators (KRIs) to allow senior staff to identify and respond to developing issues. Again, SenSage is the first SAP partner to integrate with Risk Management, leveraging the product's APIs to publish additional KRIs into Risk Management. Because of the breadth of visibility provided by the SenSage solution and its analytics capability, the SenSage SAP solution dramatically extends the reach of SAP Risk Management by delivering IT GRC KRIs into the console. These KRIs span both SAP-centric risks and risk indicators from the broader IT environment. The massive scalability of the SenSage solution enables historical and trend-based KRIs to be computed and published to the Risk Management console (see Figure 12).


Figure 12. SenSage and SAP Risk Management Integration


Conclusion

The demands on organizations to secure and control their IT systems continue to grow, with increased focus on ensuring the integrity of the SAP environment. With these new requirements come new challenges in terms of collecting and storing massive volumes of user activity and transaction data, as well as analyzing and interpreting confusing log formats from myriad sources. Not only is it necessary to monitor this activity for compliance purposes, it is also critical for ensuring that operations run efficiently and securely. This paper highlights numerous threats that cannot be mitigated with traditional approaches such as role-based access control and segregation-of-duties alerting. While these solutions provide a measure of much-needed security and control, they do not prevent all sources of fraud, human error, social engineering, and other threats. SenSage developed the Continuous Monitoring and Auditing Solution for ERP to address the need for greater and more flexible visibility into SAP activity. The solution provides organizations with a complete, end-to-end solution for monitoring the SAP environment, and it includes:

• Collection capability to pull logs and event data from SAP
• Secure, tamper-proof data warehouse
• Complete analysis interface for reporting, alerting, querying, and investigations
• Out-of-the-box dashboards and reports tailored for SAP monitoring and compliance requirements


About SenSage, Inc.

SenSage®, Inc. delivers Security Intelligence solutions that provide essential decision support to cyber-security, risk management and compliance operations. These solutions enable the necessary convergence of security information and event management (SIEM), log management and continuous controls monitoring through a single console and data management architecture. Over 450 organizations and government agencies around the world rely upon SenSage to combine these functions in support of more holistic IT oversight, real-time alerting and investigation, incident response and compliance reporting. Combining a patented event data warehouse platform and interactive analytics environment, SenSage Security Intelligence solutions are more scalable, flexible and affordable than traditional SIEM, log management and data warehouse point products. SenSage goes to market with numerous industry-leading OEMs and strategic alliance partners including Cerner, Cisco, EMC, HP, McAfee and SAP. Visit www.SenSage.com for more information.

SenSage, Inc.
www.SenSage.com

Corporate Headquarters
SenSage, Inc.
55 Hawthorne Street, Suite 700
San Francisco, CA 94105 USA
Phone: +1.415.808.5900
Fax: +1.415.371.1385
Email: [email protected]

EMEA Headquarters
SenSage, Inc.
Venture House, Arlington Square, Downshire Way, Bracknell, RG12 1WA United Kingdom
Phone: +44 1344 741 053
Fax: +44 1344 741 001
Email: [email protected]

© Copyright 2010 SenSage, Inc. All rights reserved. SenSage is a trademark of SenSage, Inc. in the United States.