SAP solutions for cybersecurity and data protection:
UI Masking, UI Logging, and Enterprise Threat Detection
Dec 3rd, 2019
2PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ
The Insider Threat: underestimated & difficult to tackle
Embed GRC and security in SAP S/4HANA: UI data protection and SAP Enterprise Threat Detection
GRC and security areas: Enterprise risk and compliance; Access governance; International trade; Cybersecurity and data protection
Cybersecurity and data protection portfolio:
✓ UI masking for SAP [ECC; SAP S/4HANA]*
✓ UI logging for SAP [ECC; SAP S/4HANA]*
✓ SAP Enterprise Threat Detection*
✓ SAP Fortify by Micro Focus
✓ SAP Data Privacy Governance
✓ SAP Data Custodian
✓ SAP NetWeaver AS, add-on for code vulnerability analysis
*IBSO security suite
Reality and Vision: Protecting the Intelligent Enterprise: A Data Protection “Suite”
1) Mask/obfuscate what can be masked: with UI Masking
2) Log what can NOT be masked: with UI Logging
3) Automatically correlate and analyze the log: with Enterprise Threat Detection
High Level Solution Architecture
[Diagram] The SAP UI (user) sends a request to the SAP Backend System (Dynpro Processor, Business Logic, Database Layer), and the response carries the original data back towards the UI. UI Masking sits in the response path: it validates authorization and applies the masking rules, so the UI receives masked data instead of the original data. UI Logging records the data access and feeds alerting, the Log Analyzer and SAP Enterprise Threat Detection.
UI Masking: configurable data protection in SAP UIs
• configurable scope of data to be protected
• configurable way in which protection is applied (security actions)
• configurable additional authorizations for “clear” access
▫ roles
▫ attributes and rules (“policies”)
→ configurations evaluated at runtime
→ security actions applied to the UI layer only
Use case Attribute Based Access Control (1): Context dependent access: organizational splits
Use case Attribute Based Access Control (2): Legal restrictions for moving data “offshore”: IT support from outside of the EU
“Attribute based” access control in UI Masking: examples (2)
Look & Feel: “Reveal on Demand” (SAP GUI and Fiori app screenshots)
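An added example, not code from the slides or from SAP's product, of how the configuration described above (clear-access roles, attribute policies evaluated at runtime, masking as a UI-layer security action) can be modelled for the two use cases, organizational split and offshore support; all user, role, field and attribute names are constructed:

```python
# Added example, not SAP's code: attribute-based masking modelled on the slides (roles plus
# attribute policies evaluated at runtime, masking applied in the UI layer only). Constructed names.
from dataclasses import dataclass
from typing import Callable, Dict, Set

Attrs = Dict[str, str]

@dataclass
class UserContext:
    user: str
    roles: Set[str]
    attributes: Attrs            # runtime context, e.g. org_unit, location

@dataclass
class MaskingRule:
    clear_roles: Set[str]        # roles allowed to see the field in clear ...
    policy: Callable[[Attrs, Attrs], bool] = lambda user, record: True  # ... if this holds too
    keep_tail: int = 0           # security action: trailing characters left visible

def mask_value(value: str, keep_tail: int) -> str:
    """Masks only what is displayed; the stored value is never changed."""
    if keep_tail <= 0:
        return "*" * len(value)
    return "*" * max(len(value) - keep_tail, 0) + value[-keep_tail:]

def has_clear_access(ctx: UserContext, rule: MaskingRule, record: Attrs) -> bool:
    """Evaluated per request: a clear-access role is required AND the policy must hold."""
    return bool(ctx.roles & rule.clear_roles) and rule.policy(ctx.attributes, record)

EU = {"DE", "FR", "NL", "IE"}    # constructed subset used by the offshore policy
RULES = {
    # use case (1), organizational split: payroll sees bank data of its own org unit only
    "BANK_ACCOUNT": MaskingRule({"HR_PAYROLL"}, keep_tail=4,
                                policy=lambda u, r: u.get("org_unit") == r.get("org_unit")),
    # use case (2), offshore restriction: support outside the EU never sees the ID in clear
    "NATIONAL_ID": MaskingRule({"IT_SUPPORT", "DPO"}, policy=lambda u, r: u.get("location") in EU),
}

def render_record(ctx: UserContext, record: Attrs) -> Attrs:
    """Apply every configured rule to a record on its way to the UI."""
    shown = dict(record)
    for field, rule in RULES.items():
        if field in shown and not has_clear_access(ctx, rule, record):
            shown[field] = mask_value(shown[field], rule.keep_tail)
    return shown

# Constructed sample data: one employee record and two users requesting it
EMPLOYEE = {"org_unit": "HR-DE", "BANK_ACCOUNT": "DE89370400440532013000", "NATIONAL_ID": "X1234567"}
HR_DE = UserContext("anna", {"HR_PAYROLL"}, {"org_unit": "HR-DE", "location": "DE"})
SUPPORT_IN = UserContext("raj", {"IT_SUPPORT"}, {"org_unit": "IT", "location": "IN"})
```

A "reveal on demand" would be a second request with an additional clear-access role, which is where UI Logging records the access.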
UI Logging: configurable logging of data access in SAP UIs
• configurable scope of data to be protected on transaction/application/service level
• configurable list of users subjected to logging
• configurable alerts on specific (critical) data accesses
• configurable log reasons and retention time
• Log Analyser UI for researching the log file
• Integration with SAP Enterprise Threat Detection
UI Logging: Log access, get notified, take action
1. Log data access
2. Automatic alert
3. In-depth analysis
4. Aggregate & detect (SAP ETD)
DPO Cockpit: Fiori Applications
UI Logging users (e.g., security office, data protection officer) use Fiori apps to keep an overview, conduct deep-dive analysis of data usage, and manage lists of users whose data access they have identified as noteworthy.
UI Log Status and Statistics
UI Logging users can get an overview of the system status as well as statistics concerning data usage (top n logged users, top n accessed critical data fields (data types), top n triggered actions, and more) …
Analysis of UI Logs
Manage user lists
LogAnalyzing
The most detailed view of a roundtrip is possible through the LogAnalyzer, which allows filtering the UI log by header meta information, tags, and UI-specific identifiers down to the UI field level and value.
In the result overview screen, the relevant round trips and header information are displayed in the left section. Additional distinctions (e.g. by views) are reflected in the top right section, and the actual logged fields are shown in the bottom right area.
Per roundtrip, a more readable report can be accessed.
Key business needs addressed by UI Masking and UI Logging
1. Reliably control who gets sensitive information displayed in SAP transactions and applications, in a quick and low-effort fashion
2. Introduce a dynamic determination of data access authorizations based on the context, at runtime
3. Increase protection of sensitive data against theft and abuse where access must be provided to privileged insiders
4. Detect potentially problematic access to sensitive data rapidly (in near-real time), and conduct a meaningful analysis in order to take the right actions
5. Better comply with business or legal requirements for tracking who accessed sensitive data (PII, BOMs, prices, customer information)
SAP Enterprise Threat Detection
Customer feedback:
• “SAP systems are seen as a ‘black box’ when it comes to security aspects and suspicious behavior in SAP systems”
• There were critical incidents at customers that could have been avoided if the preparation phase had been discovered (see below)
SAP decided to create the product SAP Enterprise Threat Detection.
SAP ETD is a real-time Security Event Management and Monitoring solution giving insights into SAP systems. It supports the customer in detecting, analyzing and neutralizing cyber attacks as they are happening, and before serious damage occurs. It provides very high performance, analyzing thousands of log entries in real time using the SAP HANA in-memory database.
Preventing Fraud from a Multi Vector Attack
[Diagram] The attack chain shown on the slide, each step leaving traces in a different log:
1. Debugging in the DEV system (SE80, SM59) to get access
2. Discover the SM59 connection configuration from DEV to PROD
3. RFC call from DEV to PROD to change the password of a controlling manager's account
4. Change vendor in PROD (FK02)
5. Outgoing payments in PROD (F-53)
Log sources fed into SAP Enterprise Threat Detection: STAD, HTTP log, change documents, system log, read access log, user change log.
SAP Enterprise Threat Detection: structured, standardized security data across the landscape; patterns and correlation engine; alerts and forensic lab.
How does SAP Enterprise Threat Detection work
• Atomization of log reading to collect event and context information
• Normalization, enrichment and pseudonymization of log entries
• Correlation of any log data – end to end analysis
• Visualization of data in suitable charts
• User/system behavioral analysis
• Automated attack detection
• Anomaly detection
• Forensic analysis, modelling of attack detection patterns, dashboards
• Drill down into subsets of events, alerts, configuration checks and health checks
• Ready to use content and up to date regular content delivery
• Leverage machine learning to refine anomaly detection
Benefits of SAP Enterprise Threat Detection
What is at stake: Intellectual Property, Reputation, Sensitive Data, Partner, Severe Penalties, Business Future
• Proactive Threat Monitoring, Early Interception of Threats
• Real Time Threat Visibility in Complex SAP Scenarios
• Centrally Audited SAP Security Controls
• Real Time Correlation of SAP and Non-SAP Logs with Log Learning
• High Manipulation Safety of SAP Systems
• SAP system transparency with respect to security and compliance
Reference Use Case: SAP Enterprise Threat Detection @ SAP IT
SAP Cyber Defense and Response Center – Security Event Management
• SAP Enterprise Threat Detection is used by SAP IT for Security Event Management
– It monitors, collects and correlates security events generated within the SAP IT infrastructure, SAP cloud platforms and, if applicable, within the application layers, to detect security incidents and threats for all SAP lines of business
• Global deployments of Log Collectors to cover all SAP data centers
• 24x7 Security Operating Center
Current figures:
– 9.2 billion events per day
– ~120,000 events/sec
– ~200,000 events/sec (peak)
– 160 billion events (total)
– 7.7 TB in-memory data
Use cases included with SAP Enterprise Threat Detection
• Authorization Management: make sure that assignments of critical roles or profiles to users conform to policies
• System Configurations: make sure that system security settings are not changed
• Data Manipulation: make sure that the content of critical database tables is not changed/deleted
• Information Disclosure: make sure that no extraction of confidential information takes place
• Login Attempts: make sure that no logins of expired, deleted or locked users take place and that there is no misuse of standard users
• Access to Critical Resources: make sure that forbidden/blacklisted transactions, reports or function modules are not executed
• Remote calls of a productive system: make sure that communication from non-productive to productive systems does not take place
• Debugging and Error Analysis: make sure that no misuse of debuggers (e.g. changing values at runtime to change the application flow) takes place in productive systems
• Denial of Service: make sure that denial of service attacks are recognized in time to avoid complete system outages or unresponsiveness of a system
• Web APIs: make sure that no misuse of web APIs takes place
• Passwords and Administrative Roles: make sure that passwords of administrative users are not being manipulated
• SQL Functions: make sure that suspicious SQL function calls are recognized
• User Behaviour: make sure that unusual behaviour of technical and dialog users is recognized
• Special Patterns: patterns related to attacks addressed by SAP Security Notes
• Read Access Logging as additional source for specialized patterns: ensure that your intellectual property is not stolen/downloaded/viewed
SAP Enterprise Threat Detection — Architecture
[Diagram] SAP Enterprise Threat Detection runs on SAP HANA with SAP HANA Streaming Analytics; its analysis tools cover the threat situation, forensic lab, patterns, log learning, and more. Log Collectors in SAP data centers and non-SAP data centers gather log data and context information from the SAP landscape (SAP NW ABAP, SAP NW JAVA, SAP HANA) and from non-SAP sources such as IT network devices. Systems provide log data and context information; the log data is normalized and pseudonymized before analysis. Evaluation in real time only with ETD.
ETD Standard Monitoring Page
Monitoring Page for Malicious Calls
RealTime Security: SAP Enterprise Threat Detection
Product Scope
• Real-Time Alerting based on predelivered and custom-built Attack Detection Patterns
• Near-Real-Time Transfer of log data out of SAP Systems and high manipulation safety
• Real-Time ingestion of non-SAP log data
• High Performance Ad-Hoc Analysis
• On-the-fly Real-Time User Pseudonymization
• Real-Time Current State Monitoring Pages
• Alert Publishing and Integration with SIEM systems
• …
Demo: Adjust Data in SAP Enterprise Threat Detection
Real Time Analysis
• SAP ETD exclusive Kernel API: no time delay when getting data from AS ABAP
• Triggered pattern execution by single events or alerts
• Creation of PDF records from investigations for auditing reasons
• Fits to report generation
• Saving of evidence for attacks
All Administration within one Tool: HANA Admin Cockpit (Built-In)
Data Correlation over all Log Sources
Example: Brute Force Attack Pattern
Alerts based on failed logons from the last month plus a successful logon in the last hour
Correlation over different sources:
• Log types (HANA, ABAP logs)
• Events (logon, failed logon, failed logon due to incorrect password)
• Alerts (‘Brute Force Attack’)
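The correlation described above, as an added example that is not SAP's code: constructed ABAP and HANA logon entries are normalized onto one schema, users are pseudonymized, and the pattern alerts when an actor's failed logons over the last month and a successful logon within the last hour coincide; the thresholds, salt, timestamps and sample entries are assumptions.

```python
# Added example, not SAP's code: a brute-force detection pattern run over constructed
# ABAP and HANA logon events after normalization and user pseudonymization.
import hashlib
from datetime import datetime, timedelta
NOW = datetime(2019, 12, 3, 10, 0, 0)     # constructed time of the pattern run
FAILED_WINDOW = timedelta(days=30)        # "failed logons from last month"
SUCCESS_WINDOW = timedelta(hours=1)       # "successful logon last hour"
FAILED_THRESHOLD = 5                      # assumed threshold
# Constructed raw entries from two log types: (source, timestamp, user, outcome)
RAW = [
    ("ABAP", "2019-11-12T08:00:00", "JDOE", "FAILED_PW"),
    ("ABAP", "2019-11-12T08:00:20", "JDOE", "FAILED_PW"),
    ("HANA", "2019-11-25T22:10:00", "JDOE", "FAILED_PW"),
    ("HANA", "2019-11-25T22:10:30", "JDOE", "FAILED_PW"),
    ("HANA", "2019-11-25T22:11:00", "JDOE", "FAILED_PW"),
    ("ABAP", "2019-12-03T09:40:00", "JDOE", "OK"),          # success inside the last hour
    ("ABAP", "2019-10-01T08:00:00", "JDOE", "FAILED_PW"),   # older than a month, ignored
    ("ABAP", "2019-12-02T09:00:00", "MSMITH", "FAILED_PW"),
    ("ABAP", "2019-12-03T09:50:00", "MSMITH", "OK"),        # one typo, below threshold
]

def pseudonymize(user: str, salt: str = "constructed-salt") -> str:
    """On-the-fly pseudonymization: analysts work with a stable token, not the user ID."""
    return hashlib.sha256((salt + user).encode()).hexdigest()[:12]

def normalize(raw):
    """Map both source formats onto one event schema (normalization and enrichment)."""
    return [{
        "source": src,
        "ts": datetime.fromisoformat(ts),
        "actor": pseudonymize(user),
        "event": "LOGON_OK" if outcome == "OK" else "LOGON_FAILED",
        "reason": "INCORRECT_PASSWORD" if outcome == "FAILED_PW" else None,
    } for src, ts, user, outcome in raw]

def brute_force_pattern(events, now=NOW):
    """Alert per actor: >= FAILED_THRESHOLD failed logons in the last month across all
    log types, plus at least one successful logon within the last hour."""
    failed, success = {}, {}
    for e in events:
        age = now - e["ts"]
        if e["event"] == "LOGON_FAILED" and timedelta(0) <= age <= FAILED_WINDOW:
            failed.setdefault(e["actor"], []).append(e)
        elif e["event"] == "LOGON_OK" and timedelta(0) <= age <= SUCCESS_WINDOW:
            success.setdefault(e["actor"], []).append(e)
    alerts = {}
    for actor, fails in failed.items():
        if len(fails) >= FAILED_THRESHOLD and actor in success:
            alerts[actor] = {"pattern": "Brute Force Attack", "failed": len(fails),
                             "sources": sorted({e["source"] for e in fails + success[actor]})}
    return alerts
```

The alert keeps the pseudonym and the contributing sources so that the forensic lab can drill into the events without exposing the user ID.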
Manual Forensic Analysis
[Screenshot] Reference filtering: Path1 to Path2
Manual Forensic Analysis: Available filled Attributes
ETD Fields of Attention
• Graphical visualization of correlations
• Analysis of events on a time line
• Classify events as relevant
UI Data Protection Masking/Logging: Further information
• Introduction movie/use cases [4:30 min]: https://www.sap.com/assetdetail/2017/01/a4d972a3-a37c-0010-82c7-eda71af511fa.html
• Public presentation: https://www.sap.com/documents/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.html
• UI Masking overview blog (product team): https://blogs.sap.com/2019/05/06/general-information-ui-masking-solution/
• UI Logging introduction (partner blog): https://xiting.us/blog/introduction-to-sap-ui-data-security/
• UI Masking - SAP Help Portal: https://help.sap.com/viewer/p/UI_MASKING
• UI Logging - SAP Help Portal: https://help.sap.com/viewer/product/UI_LOGGING
• UI Masking official roadmap: https://www.sap.com/germany/products/roadmaps/finder-products.html#pdf-asset=8699fa20-1f7d-0010-87a3-c30de2ffd8ff&page=1
• UIM + UIL partner introduction (more content forthcoming): https://winterhawk.com/sap-grc/ui-logging-masking/
• Special scenario: Context based masking in ECC scenarios: https://blogs.sap.com/2018/10/31/context-based-masking-scenarios-for-field-masking-for-sap-gui/
SAP Enterprise Threat Detection: Further Information
• Product Description: https://www.sap.com/products/enterprise-threat-detection.html
• SAP Help: https://help.sap.com/viewer/p/SAP_ENTERPRISE_THREAT_DETECTION
• Enterprise Threat Detection Community Topic Page: https://www.sap.com/community/topics/enterprise-threat-detection.html
• YouTube, e.g. https://www.youtube.com/watch?v=EiypEITiIgY