SAP solutions for cybersecurity and data protection: UI Masking, UI Logging, and Enterprise Threat Detection, Dec 3rd, 2019


PUBLIC © 2019 SAP SE or an SAP affiliate company. All rights reserved.

The Insider Threat: underestimated & difficult to tackle

Embed GRC and security in SAP S/4HANA: UI data protection and SAP Enterprise Threat Detection

Enterprise risk and compliance

Access governance

International trade

Cybersecurity and data protection

✓ UI masking for SAP [ECC; SAP S/4HANA]*

✓ UI logging for SAP [ECC; SAP S/4HANA]*

✓ SAP Enterprise Threat Detection*

✓ SAP Fortify by Micro Focus

✓ SAP Data Privacy Governance

✓ SAP Data Custodian

✓ SAP NetWeaver AS, add-on for code vulnerability analysis

*IBSO security suite

Tackling the insider threat: three step approach

Reality and Vision: Protecting the Intelligent Enterprise: A Data Protection “Suite”

1) Mask/obfuscate what can be masked: with UI Masking

2) Log what can NOT be masked: with UI Logging

3) Automatically correlate and analyze the log with Enterprise Threat Detection

High Level Solution Architecture

[Architecture diagram. Labels: SAP UI (user); SAP Backend System with Dynpro Processor, Business Logic and Database Layer; Request; Response; UI Masking: validate authorization & apply masking rules; original data; masked data; UI Logging; alerting; Log Analyzer; SAP Enterprise Threat Detection.]

Key solution capabilities

UI Masking

UI Masking: configurable data protection in SAP UIs

• configurable scope of data to be protected

• configurable way in which protection is applied (security actions)

• configurable additional authorizations for “clear” access

▫ roles

▫ attributes and rules (“policies”)

→ configurations evaluated at runtime

→ security actions applied to the UI layer only

“Attribute based” access control

Use case Attribute Based Access Control (1): Context dependent access: organizational splits

Use case Attribute Based Access Control (2): Legal restrictions for moving data “offshore”: IT support from outside of EU

“Attribute based” access control in UI Masking: examples (2)

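A conceptual sketch of the runtime evaluation described on the UI Masking slides and in the two use cases above (organizational split, IT support from outside the EU). It is an added illustration, not SAP's implementation or configuration format; the field names, role names, the `region` and `org` attributes, and the `mask`/`hide` action names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    region: str   # attribute: where the user works from
    org: str      # attribute: organizational unit

@dataclass(frozen=True)
class Rule:
    field: str                             # protected field in the UI
    action: str                            # assumed security actions: "mask" or "hide"
    clear_roles: frozenset                 # roles that may qualify for clear access
    policy: Callable[[User, dict], bool]   # attribute rule, evaluated per request

def mask_value(value, keep_last=4):
    s = str(value)
    if len(s) <= keep_last:                # short values would otherwise leak whole
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]

def render(record, user, rules):
    """Build the UI view of a record; the stored record itself is never changed."""
    view = dict(record)
    for rule in rules:
        if rule.field not in view:
            continue
        if rule.clear_roles & user.roles and rule.policy(user, record):
            continue                       # role AND policy grant clear access
        view[rule.field] = mask_value(view[rule.field]) if rule.action == "mask" else ""
    return view

def same_org_in_eu(user, record):
    """Constructed policy covering both use cases: org split and non-EU access."""
    return user.region == "EU" and user.org == record["org"]

RULES = [Rule("iban", "mask", frozenset({"PAYROLL"}), same_org_in_eu),
         Rule("salary", "hide", frozenset({"PAYROLL"}), same_org_in_eu)]
# Constructed sample record and users.
RECORD = {"org": "DE01", "employee": "M. Muster",
          "iban": "DE89370400440532013000", "salary": 5200}
CLERK = User("clerk", frozenset({"PAYROLL"}), "EU", "DE01")
OTHER_ORG = User("clerk2", frozenset({"PAYROLL"}), "EU", "FR01")
SUPPORT = User("support", frozenset({"PAYROLL", "IT_SUPPORT"}), "IN", "DE01")
```

The role alone is not sufficient here: `SUPPORT` and `OTHER_ORG` both hold the role but fail the attribute policy, so they receive the masked view while the stored record stays unchanged.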

Reveal on Demand

Look & Feel: “Reveal on Demand”

[Screenshots: SAP GUI; Fiori app]

UI Logging

UI Logging: configurable logging of data access in SAP UIs

• configurable scope of data to be protected on transaction/application/service level

• configurable list of users subjected to logging

• configurable alerts on specific (critical) data accesses

• configurable log reasons and retention time

• Log Analyser UI for researching the log file

• Integration with SAP Enterprise Threat Detection

UI Logging: Log access, get notified, take action

1. Log data access

2. Automatic alert

3. In-depth analysis

4. Aggregate & detect (SAP ETD)

UI Logging Analysis Apps

DPO Cockpit: Fiori Applications

UI Logging users (e.g., security office, data protection officer) leverage Fiori apps for keeping an overview, conducting deep dive analysis into data usage, and managing lists of users whose data access they have identified as noteworthy.

UI Log Status and Statistics

UI Logging users can get an overview of system status as well as statistics concerning data usage (top n logged users, top n accessed critical data fields (data types), top n triggered actions, and more).

Analysis of UI Logs

Manage user lists

TagAnalyzing

LogAnalyzing

The most detailed view on a roundtrip is possible through the LogAnalyzer, which allows filtering the UI log by header meta information, tags, and UI specific identifiers down to the UI field level and value.

In the result overview screen, the relevant round trips and header information are displayed in the left section. Additional distinctions (e.g. by views) are reflected in the top right section, and the actual logged fields are shown in the bottom right area.

Per roundtrip, a more readable report can be accessed.

Business Benefits

Key business needs addressed by UI Masking and UI Logging

1. Reliable control over who gets sensitive information displayed in SAP transactions and applications, in a quick and low-effort fashion

2. Introduce a dynamic determination of data access authorizations based on the context, at runtime

3. Increase protection of sensitive data against theft and abuse where access must be provided to privileged insiders

4. Detect potentially problematic access to sensitive data rapidly (in near-real time), and conduct a meaningful analysis in order to take the right actions

5. Better comply with business or legal requirements for tracking who accessed sensitive data (PII, BOMs, prices, customer information)

SAP Enterprise Threat Detection

Customer Feedback

• “SAP systems are seen as a ‘Black Box’ when it comes to security aspects and suspicious behavior in SAP systems”

• There were critical incidents at customers that could have been avoided if the preparation phase had been discovered (see below)

SAP decided to create the product SAP Enterprise Threat Detection.

SAP ETD is a real-time Security Event Management and Monitoring solution giving insights into SAP systems.

It supports the customer in detecting, analyzing and neutralizing cyber attacks as they are happening, and before serious damage occurs.

It provides very high performance, analyzing thousands of log entries in real time using an SAP HANA in-memory database.

Preventing Fraud from a Multi Vector Attack

[Diagram. Log sources: STAD, HTTP log, change documents, system log, read access log, user change log.

SAP Enterprise Threat Detection: structured, standardized security data across the landscape; patterns and correlation engine; alerts and forensic lab.

Attack path labels: Debugging DEV System (se80, sm59, get access); Discover SM59 connections config (DEV, PROD); RFC to change passwd (DEV, PROD); Account Manager controlling (RFC change passwd); Change vendor (PROD, FK02); Outgoing payments (PROD, F-53).]

How does SAP Enterprise Threat Detection work

• Atomization of log reading to collect event and context information

• Normalization, enrichment and pseudonymization of log entries

• Correlation of any log data – end to end analysis

• Visualization of data in suitable charts

• User/system behavioral analysis

• Automated attack detection

• Anomaly detection

• Forensic analysis, modelling of attack detection patterns, dashboards

• Ready to use content and up to date regular content delivery

• Leverage machine learning to refine anomaly detection

• Drill down into subsets of events, alerts, configuration checks and health checks

Benefits of SAP Enterprise Threat Detection

Intellectual Property; Reputation; Sensitive Data; Partner; Severe Penalties; Business Future

• Proactive Threat Monitoring, Early Interception of Threats

• Real Time Threat Visibility in Complex SAP Scenarios

• Centrally Audited SAP Security Controls

• Real Time Correlation of SAP, Non-SAP Logs w/ Log Learning

• High Manipulation Safety of SAP Systems

• SAP system transparency with respect to security and compliance

Reference Use Case: SAP Enterprise Threat Detection @ SAP IT

SAP Cyber Defense and Response Center – Security Event Management

SAP Enterprise Threat Detection used by SAP IT for Security Event Management

– Monitors, collects and correlates security events, generated within the SAP IT infrastructure, SAP cloud platforms and if applicable within the application layers, to detect security incidents and threats for all SAP lines of business

Global deployments of Log Collectors to cover all SAP data centers

24x7 Security Operating Center

Current Figures

– 9.2 billion events per day

– ~120.000 events/sec

– ~200.000 events/sec (peak)

– 160 billion events (total)

– 7.7TB in-memory data

Use cases included with SAP Enterprise Threat Detection

Authorization Management: Make sure that assignments of critical roles or profiles to users conform to policies

System Configurations: Make sure that system security settings are not changed

Data Manipulation: Make sure that the content of critical database tables is not changed/deleted

Information Disclosure: Make sure that no extraction of confidential information takes place

Login Attempts: Make sure that no logins of expired, deleted or locked users take place and that there is no misuse of standard users

Access to Critical Resources: Make sure that forbidden/blacklisted transactions, reports or function modules are not executed

Remote calls of a productive System: Make sure that communication from non-productive to productive systems does not take place

Debugging and Error-Analysis: Make sure that no misuse of debuggers (e.g. change values at runtime to change application flow) takes place in productive systems

Denial of Service: Make sure that denial of service attacks are recognized in a timely manner to avoid complete system outages or unresponsiveness of a system

Web-APIs: Make sure that no misuse of web-APIs takes place

Passwords and Administrative Roles: Make sure that passwords of administrative users are not being manipulated

SQL Functions: Make sure that suspicious SQL function calls are recognized

User Behaviour: Make sure that unusual behaviour of technical and dialog users is recognized

Special Patterns related to attacks related to SAP Security Notes

Read Access Logging as additional source for specialized Patterns: Ensure that your Intellectual Property is not stolen/downloaded/viewed

SAP Enterprise Threat Detection — Architecture

[Architecture diagram. Sources: SAP Landscape (SAP NW JAVA, SAP NW ABAP, SAP HANA) in SAP Data Centers; Non-SAP log data (IT Network Devices) in Non SAP Data Centers; each feeding a Log Collector. SAP Enterprise Threat Detection: SAP HANA Streaming Analytics; SAP HANA (threat situation, lab forensic, patterns, log learning, …). Captions: Systems provide log data and context information; Normalize and pseudonymize; Evaluation in real time only with ETD; Analysis tool of log data.]

Demo: SAP Enterprise Threat Detection

ETD Standard Monitoring Page


Monitoring Page for Malicious Calls


RealTime Security: SAP Enterprise Threat Detection

Product Scope

• Real-Time Alerting based on predelivered and custom built Attack Detection Patterns

• Near-Real-Time Transfer of log data out of SAP Systems and high manipulation safety

• Real-Time ingestion of non-SAP log data

• High Performance Ad-Hoc Analysis

• On-the-fly Real-Time User Pseudonymization

• Real-Time Current State Monitoring Pages

• Alert Publishing and Integration with SIEM systems

• …

Demo: Adjust Data in SAP Enterprise Threat Detection

Real Time Analysis

SAP ETD Exclusive Kernel API: No Time Delay when getting data from AS ABAP!

Triggered Pattern Execution by single Events or Alerts

Creation of PDF-Records from Investigations for auditing reasons

Fits to Report Generation

Saving of Evidences for Attacks

All Administration within one Tool: HANA Admin Cockpit (Built-In)

Data Correlation over all Log Sources

Example: Brute Force Attack Pattern

Alerts based on failed logons from last month plus successful logon last hour

Correlation over different Sources:

• Log Types (HANA, ABAP Logs)

• Events (Log On, Failed Logon, Failed Logon due to incorrect PW)

• Alerts (‘Brute Force Attack’)
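The correlation described on this slide, written out as an added Python example; it is not SAP ETD pattern content or the product's query language. The record layout, the 30-day reading of "last month", the threshold of five failed logons and the case-folding of user names across log types are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = {"Failed Logon", "Failed Logon due to incorrect PW"}
SUCCESS = "Log On"

# Constructed sample records: (log type, timestamp, user, event). Not real log lines.
SAMPLE = [
    ("ABAP", "2019-10-01T09:00:00", "JDOE", "Failed Logon"),  # older than a month
    ("ABAP", "2019-11-20T08:00:00", "JDOE", "Failed Logon due to incorrect PW"),
    ("ABAP", "2019-11-25T08:05:00", "JDOE", "Failed Logon due to incorrect PW"),
    ("ABAP", "2019-12-01T23:10:00", "JDOE", "Failed Logon"),
    ("HANA", "2019-12-02T02:00:00", "jdoe", "Failed Logon"),
    ("HANA", "2019-12-03T11:00:00", "jdoe", "Failed Logon"),
    ("ABAP", "2019-12-03T11:30:00", "JDOE", "Log On"),
    ("ABAP", "2019-12-03T11:45:00", "JDOE", "Failed Logon"),  # after the success
    ("ABAP", "2019-12-03T11:50:00", "BLEE", "Log On"),        # no failures: benign
] + [("HANA", f"2019-12-02T10:0{i}:00", "ASMITH", "Failed Logon") for i in range(6)]

def normalize(raw):
    """Map per-source records onto one schema so HANA and ABAP events correlate."""
    for log_type, ts, user, event in raw:
        yield {"log_type": log_type, "ts": datetime.fromisoformat(ts),
               "user": user.upper(), "event": event}

def brute_force_alerts(raw, now, min_failed=5,
                       lookback=timedelta(days=30), recent=timedelta(hours=1)):
    """Alert when a logon in the last hour follows >= min_failed failures in 30 days."""
    failed, success = defaultdict(list), {}
    for ev in normalize(raw):
        if not ((now - lookback) <= ev["ts"] <= now):
            continue
        if ev["event"] in FAILED:
            failed[ev["user"]].append(ev)
        elif ev["event"] == SUCCESS and ev["ts"] >= now - recent:
            prev = success.get(ev["user"])
            if prev is None or ev["ts"] > prev["ts"]:
                success[ev["user"]] = ev  # keep the latest successful logon
    alerts = []
    for user, ok in sorted(success.items()):
        prior = [f for f in failed[user] if f["ts"] < ok["ts"]]
        if len(prior) >= min_failed:
            alerts.append({"alert": "Brute Force Attack", "user": user,
                           "failed_count": len(prior), "success_at": ok["ts"],
                           "log_types": sorted({f["log_type"] for f in prior})})
    return alerts

NOW = datetime(2019, 12, 3, 12, 0, 0)
```

On the sample, only JDOE alerts: five failures across both log types precede the logon, while ASMITH (failures only) and BLEE (logon only) stay quiet.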


Manual Forensic Analysis

Reference Filtering

Path1 to Path2


Manual Forensic Analysis: Available filled Attributes

ETD Fields of Attention

• Graphical visualization of correlations

• Analysis of events on a time line

• Classify Events as relevant

Thank you.

Questions

UI Data Protection Masking/Logging: Further information

Introduction movie/use cases [4:30min]: https://www.sap.com/assetdetail/2017/01/a4d972a3-a37c-0010-82c7-eda71af511fa.html

Public presentation: https://www.sap.com/documents/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.html

UI Masking overview blog (product team): https://blogs.sap.com/2019/05/06/general-information-ui-masking-solution/

UI Logging introduction (partner blog): https://xiting.us/blog/introduction-to-sap-ui-data-security/

UI Masking - SAP Help Portal: https://help.sap.com/viewer/p/UI_MASKING

UI Logging - SAP Help Portal: https://help.sap.com/viewer/product/UI_LOGGING

UI Masking official roadmap: https://www.sap.com/germany/products/roadmaps/finder-products.html#pdf-asset=8699fa20-1f7d-0010-87a3-c30de2ffd8ff&page=1

UIM + UIL partner introduction (more content forthcoming): https://winterhawk.com/sap-grc/ui-logging-masking/

Special scenario: Context based masking in ECC scenarios: https://blogs.sap.com/2018/10/31/context-based-masking-scenarios-for-field-masking-for-sap-gui/

SAP Enterprise Threat Detection: Further Information

• Product Description: https://www.sap.com/products/enterprise-threat-detection.html

• Help SAP: https://help.sap.com/viewer/p/SAP_ENTERPRISE_THREAT_DETECTION

• Enterprise Threat Detection Community Topic Page: https://www.sap.com/community/topics/enterprise-threat-detection.html

• YouTube, e.g. https://www.youtube.com/watch?v=EiypEITiIgY