agileSI™ Whitepaper, www.agilesi.net, iT-CUBE SYSTEMS GmbH, ITCS062013

SAP® Security Monitoring with agileSI. Business Whitepaper: Securing SAP® Landscapes



    How to Protect Exposed Business-Critical Applications?


    The Problem: A Dangerous Status Quo

    In organizations that run business processes on SAP, employees, external consultants, providers, suppliers and others receive accounts with permissions, rights and privileges within the SAP landscape to perform specific tasks and keep the business running. Segregation of Duties (SoD), applied to prevent fraud in SAP systems, is achieved by distributing the tasks and associated privileges of a business process among multiple users. Yet access to SAP systems, combined with the other tools available to users, can also be used to perpetrate fraud, harvest intellectual property, or sabotage operations.

    While focusing on SoD controls, which are doubtlessly very important, the audit and security industries have overlooked many other threats involving a much higher level of risk: exploitable attack vectors caused by vulnerabilities in the business runtimes and misconfigurations.

    The spectrum of examples is wide: SAP web servers that run services without authentication, the SOAP-based RFC service that allows calling ABAP function modules, debugging rights on production systems that allow data manipulation without authentication, privilege escalation from low-risk to high-risk SAP systems, OS command execution from the application level, or SAP Gateway weaknesses which grant unlimited access to external programs. These technical weaknesses can have a tremendous impact on the business, as they provide an entry point for espionage, sabotage and fraud.

    Figure 2: SAP, the forgotten world. IT silos causing blind spots in security monitoring.

    Today SAP business solutions are the first choice for many organizations to run their most critical business processes, from managing manufacturing to processing payments and preparing financial statements. Any information attackers seek is stored in the company's SAP landscapes, e.g. financial data, HR data, corporate secrets, supplier tenders, and customer contacts. Given the criticality and the attack vectors in SAP landscapes, it seems strange that most enterprises rely on Segregation of Duties checks performed as snapshot audits only a few times a year, whereas strong security policies, patch management, intrusion prevention, security event correlation and other defenses apply to all other areas of IT. Beyond the fact that software in general has vulnerabilities, ERP solutions have more security issues due to customization, complexity, criticality and uncertainty, simply because their security gaps have been analyzed less often.

    Although ERP systems are highly critical to businesses, the security industry has so far hardly put any effort into covering them. SAP and other business applications do not interwork seamlessly with the centralized Security Information & Event Management (SIEM) systems enterprises rely on to manage their security incidents. Traditionally those systems focus on network-centric security aspects to protect against external and internal threats. This is one of the major reasons for the severe information gap when integrating SAP systems with SIEM solutions: the SAP-SIEM gap.

    Closing this gap requires three major steps:

    1. Knowing, accessing and extracting all relevant data from a myriad of SAP sources,

    2. Processing data and correlating disparate individual events,

    3. Turning gigabytes of raw data into meaningful interpretable information.

    However, comprehensive security and business risk management requires the monitoring of event data from core business applications such as SAP correlated with those from the supporting infrastructure such as databases, application servers, workstations, firewalls, proxies, remote access gateways, and other IT systems.

    CIOs and CISOs across all industries have realized that transparency is fundamental for applied risk management. Anticipating cross-IT-silo politicking, they want to get the big picture, knowing that security event management must integrate with all silos. They raise skeptical questions such as: "Why don't we get ahead of the auditors confronting us with their findings?" and "Why do we pay for the manual work of costly SAP experts instead of automating our SAP security monitoring?"

    Figure 2 (diagram content). Security monitoring layers: Network Security, Interfaces, Physical, O/S, Database, Applications, Networks. Blind spots called out in the diagram:

    Security Silos: applications have versatile security models, interfaces, formats...
    Manual Handling: audits are snapshots and expensive as they are done manually.
    Multiple IDs: administrators, technical users, account sharing, UIDs in Windows, applications...
    Network Exposure: applications and threats pass network barriers.
    After-The-Fact: only real-time monitoring and alerting allows counter-actions.
    Incomplete, undetected: transactional data is the blind spot of IT security.

    | Weakness / attack vector | Check (data source) |
    |---|---|
    | SAP Web Server leaks information in HTTP headers and error messages | Configuration secure? (Table Data) |
    | SAP Web Server runs services without authentication | Services deactivated? (Table Data); Standard users secured? (Table Data, Profile Parameters) |
    | SOAP RFC Service allows calling ABAP function modules | Execution deactivated? (Table Data) |
    | Debugging mode allows data manipulation without authentication | Debugging enabled? (System Log) |

    Figure 3: SAP ABAP attack vectors. Who is in charge of protecting the SAP landscape? Examples of weaknesses and vulnerabilities.

    iT-CUBE SYSTEMS has developed a SAP-certified solution that closes the SAP-SIEM gap. It is named agileSI and turns SAP security data into insight, action, and competitive advantage. It is the industry's first automated solution that continuously scans SAP landscapes and detects weak system configurations, excessive user access rights, SoD violations and potential threats through attacks, and it can be used to monitor critical transactions or privileged user activity.

    agileSI stands for Agility plus Security Intelligence. It goes far beyond regular SoD checks performed on a few selected systems. With its certified ABAP-based extractor framework it integrates seamlessly with SAP landscapes.

    Figure 1: From the study "The State of Risk-Based Security Management" by Ponemon Institute LLC, 2012. Bar chart comparing allocated spending with the perceived security risk per infrastructure layer (Network, Data, Human, Application, Host, Physical); it highlights the gap between allocated spending and perceived security risk for the application layer.

    Centrally managed and precisely configured extractors offer unlimited access to the various sources within an SAP R/3 system and all its modules. The solution integrates with many SIEM products such as HP ArcSight, QRadar (Q1Labs/IBM), LogRhythm, LogPoint and Splunk, eliminating the blind spot in SAP security monitoring.

    agileSI is the answer to fundamental questions: "How can we discover compliance violations in hundreds of our SAP systems before auditors do, and how can we protect our most critical applications while reducing effort?" With agileSI you are just a few clicks away. agileSI automates the work of expensive consultants and extends visibility to almost 100%. The solution helps you lower the number and criticality of auditors' findings, lets you transform risk into remediation and supports the fulfillment of compliance requirements.

    Figure 3 (continued):

    | Weakness / attack vector | Check (data source) |
    |---|---|
    | Brute force attacks | Configuration secure? (SAL + Table Data) |
    | Privilege escalation from low-risk to high-risk SAP systems (RFC, SSO) | Intrinsic relationships hardened? (Table Data + Cross Device Correlation) |
    | Backdoor implementation (program/role changes through transports) | Suspicious transports detected? Deactivated? (Transport Log) |
    | OS command execution | Execution discovered? (System Log + Cross Device Correlation) |
    | Password sniffing in unencrypted server-server / client-server communication | Configuration secure? (Profile Parameters) |
    | Program code vulnerabilities in add-ons | Code scanned for vulnerabilities? (Code Profiler + Table Data) |
    | SAP Gateway weaknesses (unlimited access for external programs) | Weak configs detected? (Gateway Cfg. + Log) |
    | Changes of critical data | Changes discovered? (Table Log) |

    These scenarios lead to the big questions:

    1. How do you make sure your SAP systems are secure?
    2. How can you measure their exposure and risk level?
    3. How do you get ahead and provide proof to the auditor?


    agileSI: a Holistic Approach for 360° SAP Security Monitoring

    SAP Business Suite customers have several tools available for monitoring their security, but often find that these tools are point solutions that only deal with a single aspect of security monitoring (for instance, authorizations/roles while neglecting system configuration and other

    Figure 4: agileSI covers a wide range of SAP security monitoring requirements. Extracting and processing security data from various sources in SAP systems, it helps in analyzing and presenting the data in one central spot, increasing transparency. It is applied security intelligence for the complete landscape and all aspects of SAP security.

    Secure Code!

    Many measures must be taken to secure the different SAP landscapes. It starts with secure code. SAP solutions are standard software but always modified. Vulnerabilities in the code can lead to loss of data integrity/confidentiality or an attacker taking control over business processes.

    Manual code reviews can be replaced with automated ABAP code scanners that analyze the software using security, performance and code quality checks, finding security vulnerabilities in custom code and partner products.

    Besides increasing security and providing clear scan reports that increase transparency and support audits, there is a proven return on investment in performing code scans:

    According to a NIST survey, after an application is released into production, code changes cost 30x more than during design.

    Avoiding manual code reviews saves time, and developers can focus on their primary job: writing great software.

    Developers can scan their source code while writing software, and the tool provides feedback on findings that helps developers become more efficient as they learn to avoid security vulnerabilities.

    Figure 5 (diagram content): Embed security into the SDLC development process. Code sources: in-house, outsourced, commercial, open source. Step 1: leverage a security gate to validate the resiliency of internal or external code before production. Step 2: monitor and protect software running in production. Step 3: improved SDLC policies. Diagram label: "This is application security".

    Targeting SAP Systems on the Internet!

    MYTH: SAP systems are inaccessible from the Internet, so SAP vulnerabilities can only be exploited by insiders.

    TRUTH: Business processes are changing and call for remote and mobile access via web portals.

    PROOF: Increasing numbers of SAP systems are exposed to the Internet, including Dispatcher, Message Server, HostControl, Web Services, Solution Manager, etc.

    STATS: Searches performed using well-known Google search requests or Shodanhq result in hundreds of SAP servers accessible from the Internet.

    Espionage!

    The most critical data likely to be targeted by industrial spies, competitors or corrupt employees is stored in SAP modules such as:

    Financial data and planning (FI)
    Corporate secrets (PLM)
    Customer lists (CRM)
    Supplier tenders (SRM)
    HR data, contact details (HR)

    Attackers just need to gain access to one of the above systems to successfully steal critical information.

    Sabotage!

    ERP applications often have interfaces to each other and are connected with other IT systems such as domain controllers, databases, web servers and eventually with more critical systems like SCADA (Supervisory Control and Data Acquisition). In the real world it is common to directly link ERP systems and SCADA systems to the same RDBMS backend. This creates intrinsic trust relationships which can be added, manipulated or simply used. More simply, the need to back up, replicate or synchronize databases leads administrators to connect corporate databases directly, provisioning sysadmin accounts with hardcoded passwords. Access to an unprivileged user in such a database enables attackers to hop to another database with sysadmin rights or to gain access at OS level.

    Fraud and Insider Threat!

    There are various scenarios for fraudulent activities in SAP landscapes. Critical business processes are often controlled by workflows ensuring Segregation of Duties between different employees or departments. Insiders will try to work around these controls. The spectrum ranges from attempts to manipulate travel expenses, create and approve fake payments, or create fake clients and transfer money, up to installing robot applications performing penny scraping. Privileged users in particular, administrators or service users, require special activity monitoring, since most cases of successful attacks where companies lose money or intellectual property are performed by insiders.

    | Application server type | Search string | Number based on Shodan search |
    |---|---|---|
    | SAP NetWeaver J2EE (Enterprise Portal) | inurl:/irj/portal | 834 |
    | SAP BusinessObjects (SAP ITS) | inurl:infoviewap | 20 |
    | SAP NetWeaver ABAP | inurl:/sap/bc/bsp | 113 |

    Figure 5: ABAP code scanning must be part of the system development life cycle (SDLC)

    issues). These tools are not integrated with each other, focus on single systems rather than landscapes, are just not flexible enough to cover specific requirements, and are very expensive compared to the functionality they provide. Besides that, essential customer requirements are missing and cannot be met with the available tools, forcing time-intensive manual inspections to fill the gap.

    agileSI covers and automates all these aspects of SAP Security Monitoring, can integrate other audit/monitoring solutions as data providers or replace them, and increases transparency in SAP security monitoring. agileSI either integrates directly with a SIEM system or comes as a standalone solution with an integrated frontend.


    New security vulnerabilities are detected daily, and SAP makes great efforts to correct them and to provide Support Packages for these issues. Security is a priority for SAP, resulting in an increased number of security notes in recent years.

    SAP also recommends performing configuration checks of systems at least once per month. A correctly configured and patched system leaves little room for attackers, as fewer vulnerabilities mean fewer successful attacks.

    Nobody wants to, or can, do this manually on a regular basis: checking hundreds of system parameters and system/client settings. There are several tools to support this activity, but they are limited in many respects. They fail to extract the data needed, cover single systems only, provide just snapshots and cannot be customized or extended:

    The system check tools often work for one system only, leaving the customer with an extensive report (e.g. 100 pages in a PDF file) for each system in the landscape. The trouble is obvious: browsing through many long reports is not much easier than performing the checks. SAP's Security Optimization Service is an example of this problem.

    SAP's Security Optimization Service is also a good example of another weakness of some tools: they are not flexible enough to cover all requirements. The SAP service (or self-service), for instance, cannot be changed to reflect the customer's security policies.

    agileSI is powerful when it comes to extracting data, flexibility and ease of configuration. Configuration does not start from scratch, as many use cases are built into the solution, based on SAP's recommendations, other generally accepted best practices and insights from penetration testing.

    With agileSI, customers can continuously scan their SAP landscape and cover the audit recommendations as defined by the German-speaking SAP User Group (DSAG), for instance.

    In SAP implementation projects and running solutions, designing and maintaining roles to control access to data and processes takes an important place in security concepts. Quite often organizations struggle with demonstrating the effectiveness of those controls during audits, since it can be hard to automate them. Compensating controls allow organizations to remain protected in cases where a control cannot be enforced, or when enforcement requires an additional process to achieve the goal. The firefighter scenario is a good example of the organizational need to temporarily assign roles to users that violate their SoD controls. To compensate for this risk, it becomes necessary to monitor the firefighter's activities for potential abuse of the exceptional but intended temporary role assignment.

    There is some tool support for designing roles, and tools that help in monitoring the authorizations/roles users have in the SAP systems and determining whether there are users that accumulated critical authorizations, possibly violating SoD requirements for instance. SAP Business Objects GRC Access Control can be used for this task as it has other functions as well.

    Secure Systems!

    Figure 6: Number of SAP Security Notes per year, 2001 to 2012 (total > 2400). The number of SAP security notes has increased drastically over the last 3 years.

    | Criterion | SAP BO GRC Access Control | agileSI 1.1 / HP ArcSight ESM |
    |---|---|---|
    | Target systems | SAP, Oracle, JD Edwards, PeopleSoft | SAP (ABAP) |
    | Cross-client correlation | yes | yes |
    | Cross-system correlation | yes | yes |
    | Check critical authorizations, SoD | yes | yes |
    | Check of authorization approval workflows | yes, + enterprise role management | no (only w/ customizing) |
    | Check technical system configuration | no | yes |
    | Check on attacks (system, intra-/internet) | no | yes |
    | Transaction and workflow monitoring | no | yes |
    | Security audit log | no | yes |
    | System log | no | yes |
    | System parameters | no | yes |
    | Gateway log | no | yes |
    | DB/OS settings and events | no | yes (HP ArcSight ESM) |
    | Content of tables | no | yes |
    | Table logging | no | yes |
    | Check ABAP source code | no | integration with CodeProfiler |
    | Transport log | no | 1.2 |
    | Change documents for users, roles | reporting on all authorization/role changes | 1.2 |
    | Firefighter / SPM logging | yes | yes |
    | Automated control | no (can be enabled) | yes |
    | Event notifications | periodic/event based (immediate) | periodic/event based (immediate) |
    | Integrated w/ central monitoring | no | yes |
    | Reporting | manual for specific purpose (authorization checks); own format | automated in central monitoring (ArcSight ESM) |
    | Standard checks out of the box | SoD checks | SoD checks, DSAG audit guide, attacks |
    | Customer adjustments | complex | simple |
    | Installation and deployment | 10+ days | 1 day |
    | Training | 5+ days | 1 day |
    | Updates | SAP standard (service packs) | Add-On |
    | Support | yes | yes |
    | License model | company revenue | per installation |

    Table 1: Usability of SAP GRC for security monitoring

    agileSI not only covers SoD monitoring continuously, it also provides reporting that integrates many of the checks defined in the DSAG audit guidelines.

    There are certain intrinsic weaknesses in SAP applications that must be controlled very closely through correct configuration and activity monitoring.

    The SAP Gateway is one example. The Gateway controls all communication between an SAP system and external programs (other SAP systems but also third-party products). If not properly configured, external programs can execute arbitrary code on the SAP application server, giving an attacker full control of the SAP system. This is a likely exploit path, and SAP strongly recommends monitoring the Gateway, as it allows detection of potential attacks. The data for monitoring the SAP Gateway is located in a dedicated log file and can be accessed by only very few monitoring products, including agileSI. There are many more critical activities that can be detected, such as the execution of operating system commands by SAP users or development activities in a productive system.
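The configuration checks this section calls for (password policy parameters, SAP Gateway access control, SNC) can be written as a declarative rule set run over a parameter extract. The following Python is an added example, not code from the whitepaper or from agileSI; the parameter names are SAP profile parameters, while the thresholds, severities and both sample profiles are constructed for illustration.

```python
"""Profile-parameter compliance check for an SAP ABAP instance.

Added example; not code from the agileSI whitepaper or product. The
parameter names are SAP profile parameters. The target values and
severities are a constructed example policy: the page says such checks are
built from DSAG audit guidelines and SAP recommendations but lists no
values, so adjust them to your own baseline. Input is a name -> value
mapping, as you would build from an instance profile file or a parameter
extract from the monitored system.
"""


def _int(value):
    """Profile values arrive as strings; reject anything non-numeric."""
    return int(str(value).strip())


# (parameter, predicate on the raw value, expectation text, severity, why)
RULES = [
    ("login/min_password_lng", lambda v: _int(v) >= 8, ">= 8",
     "high", "minimum password length"),
    ("login/fails_to_user_lock", lambda v: 1 <= _int(v) <= 5, "1..5",
     "medium", "lock the user after a small number of failed logons"),
    ("login/password_expiration_time", lambda v: 1 <= _int(v) <= 90, "1..90",
     "medium", "force periodic password changes (0 = never expires)"),
    ("login/no_automatic_user_sapstar", lambda v: _int(v) == 1, "1",
     "high", "no automatic SAP* user when its master record is deleted"),
    ("gw/acl_mode", lambda v: _int(v) == 1, "1",
     "high", "gateway enforces secinfo/reginfo access control lists"),
    ("gw/sec_info", lambda v: bool(str(v).strip()), "path set",
     "high", "secinfo file (which programs may be started) is configured"),
    ("gw/reg_info", lambda v: bool(str(v).strip()), "path set",
     "high", "reginfo file (which servers may register) is configured"),
    ("snc/enable", lambda v: _int(v) == 1, "1",
     "medium", "SNC encryption of SAP GUI and RFC traffic"),
]


def evaluate(params):
    """Return one finding per rule that is not satisfied.

    A missing parameter is reported as 'unset' rather than guessed: kernel
    defaults differ between releases, so the effective value has to be
    confirmed on the system (e.g. in transaction RZ11) instead of assumed.
    """
    findings = []
    for param, check, expected, severity, why in RULES:
        if param not in params:
            status, value = "unset", None
        else:
            value = params[param]
            try:
                status = "ok" if check(value) else "fail"
            except ValueError:
                status = "invalid"
        if status != "ok":
            findings.append({"param": param, "value": value, "expected": expected,
                             "severity": severity, "status": status, "why": why})
    return findings


def summarize(findings):
    """Count open findings per severity, e.g. for a dashboard key indicator."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed profiles. WEAK_PROFILE shows values typical of systems that
# were never hardened; HARDENED_PROFILE satisfies the example policy.
WEAK_PROFILE = {
    "login/min_password_lng": "6",
    "login/fails_to_user_lock": "12",
    "login/password_expiration_time": "0",
    "gw/acl_mode": "0",
    "gw/sec_info": "",
    "snc/enable": "0",
    # login/no_automatic_user_sapstar and gw/reg_info deliberately absent
}

HARDENED_PROFILE = {
    "login/min_password_lng": "10",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "90",
    "login/no_automatic_user_sapstar": "1",
    "gw/acl_mode": "1",
    "gw/sec_info": "$(DIR_DATA)$(DIR_SEP)secinfo",
    "gw/reg_info": "$(DIR_DATA)$(DIR_SEP)reginfo",
    "snc/enable": "1",
}

if __name__ == "__main__":
    for f in evaluate(WEAK_PROFILE):
        print(f"[{f['severity']:6}] {f['param']}={f['value']!r} "
              f"({f['status']}, expected {f['expected']}): {f['why']}")
```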

    Detecting Attacks!

    Since SAP systems store and process business-critical data, downtime can cause significant losses to the business. Therefore patches and changes must be well understood and intensively tested before being implemented. SAP Basis administrators often struggle with these risks, with the result that vulnerable software remains in enterprises for many years.

    Changes via Transport Management to the productive environment can be critical from a security perspective in many ways: critical objects such as users or modified roles can be transported, and transports at unusual times, outside the defined maintenance windows, are either emergency repairs or must be considered suspicious. There are tools that improve the standard SAP change management technology and processes. But these tools are not integrated with any security monitoring solution, and security teams usually have no insight into what changes occur on SAP systems.

    agileSI can monitor patch level, changes/transports and enables the IT security organization to review changes and act if necessary.

    Secure Applications!


    Transaction and Privileged User Monitoring!

    In their enterprise-wide risk assessments, organizations should not underestimate the threat posed by insiders to the organization's critical assets: people, technology, and information. Many enterprises identify and prioritize assets and determine who has, or should have, authorized access. But privileges tend to accumulate over time as employees change departments and job responsibilities, and organizations often fail in their change management, leaving employees with authorized access to critical assets beyond what their job responsibilities require. Continuous access control monitoring is essential, and managers should not allow this control to degrade over time, as it opens doors for fraudulent activities such as modification of financial information, tampering with sales and purchase orders, or creation of new vendors or bank account numbers.

    Dedicated activity monitoring is mandatory for privileged users, administrators and service users, as lapses in control can be costly. Most successful attacks in which companies lose money or intellectual property come from insiders. Organizations must consider that fraud by managers and administrators differs substantially from fraud by non-managers in damage and duration.

    Transaction monitoring is an important part of SAP security monitoring. agileSI's data extraction technology can be used to gather all relevant information and then process, visualize and report on it.

    Technical Use Cases & Detection Scenarios for SAP

    Standard user accounts: account status (locked, initial passwords); standard user activity.
    Data integrity / non-changeability: debugging activity per system; system enablement and authorizations.
    OS commands: list of authorizations; alert on execution.
    Changes to critical data: SAL is not enough (SAL does not provide sufficient information).
    SAL transaction monitoring.
    Administrator privilege use: high-privileged accounts, special accounts (e.g. Firefighter usage); changes to user master records by SAP*, DDIC*.
    Change documents: user master records; authorization assignment (roles, profiles); changes to user master records (validity, password reset, ...).
    System access: active user accounts vs. corporate directory; SOAP service in use, configuration settings.
    Access control violations: large number of DSAG security checks preinstalled.
    Failed logins: technical users with password typo.
    Check transport imports: critical transports of authorizations and access rights; transports changing authorization assignments; check transports at unusual time windows; scan objects by given list and check target client.

    Use Cases for Business Transaction Monitoring with SAP

    Major invoices being made without purchase orders.
    Deviation between purchase order value and invoice value at equal quantity of goods.
    Invoice receipt and payment before the date of goods receipt.
    Control of critical application data within the customer namespace (e.g. applications in the production process).

    SIEM Integration: the Big Picture in High Resolution

    Because SAP applications run in networked environments connected to email, cloud services and even the Internet, it is inevitable to monitor SAP in the context of its surrounding IT infrastructure. Thus it is a must to collect event data from numerous systems, including:

    Networking equipment (e.g., routers, switches, load balancers),

    Security devices (e.g., firewalls, IPS, content filters, proxies),

    Operating systems,

    Databases and application servers,

    Client systems (e.g., workstations, notebooks, smartphones),

    Communication activity (e.g. Exchange, chat, Peer-to-Peer, cloud services),

    Other corporate applications.

    Today, leading-edge SIEM solutions collect, aggregate, parse, normalize and categorize security data from a wide range of sources and provide sophisticated methods to analyze event data. The list of supported sources often contains more than 200 products from all categories mentioned above. SIEMs have powerful, highly scalable correlation engines that support in-memory, statistical and historical correlation based on threshold- and scenario-based rules. Various methods enable the intelligent escalation of events as they grow in threat level, using events prioritized by the level of risk to the organization. The results are presented via a robust graphical engine in the most common formats, and can be adapted to technical, business, audit or executive users.

    But a SIEM is as smart as the information it receives. Missing data, in particular security events and configuration information from SAP systems, and manual data handling are problems that customers face:

    1. It is neither sufficient nor practical to manually sift through gigabytes of system and user activity data when needed. Thus automation is the key to monitoring SAP as part of daily business operations so that threats can be detected and remediated proactively.

    2. Events in SAP may involve many disparate individual actions which, taken together, should make a correlation rule fire and trigger other actions. As long as the data is not available in the SIEM system, there is no correlation of coherent events from a single or multiple SAP systems, nor with data from the surrounding IT infrastructure.

    3. Auditors and security analysts often need to investigate past activity to understand the scope of an incident, retrace the steps of fraud events, and uncover other advanced persistent threats (APT). Security events and status information from SAP must no longer sit isolated from the SIEM.

    Therefore we have designed agileSI to interoperate with SIEM systems from the very beginning. As a result, agileSI integrates with many SIEM products, which are widely accepted as the central spot for security monitoring. agileSI supports solutions such as HP ArcSight, QRadar (Q1Labs/IBM), LogRhythm, LogPoint and Splunk.

    Figure 7: Continuous Auditing & Monitoring (diagram content).

    Continuous data collection & preprocessing into the SIEM from: SAP modules (FICO, AA), network devices, security devices, email/web gateways, identity management systems, physical access, endpoints/servers, database, application runtime.

    SAP-SIEM integration: automated, continuous, complete, in one spot.

    SAP security sources: Security Audit Log, System Log, System Parameters, Tables, Transport Log, Gateway Config & Log, Change Documents, Table Change Logging, Access Control, Security Notes.

    SAP security analytics: content & use cases derived from DSAG audit guidelines, SAP security recommendations and pentesting practices; dashboards, reports, notifications; SAP-specific categorization for SIEM; data monitors, active lists, rules; cross-event & device correlation.


    Through its combination of unprecedented depth of visibility and the deep, built-in knowledge of how to best utilize that visibility, the new agileSI solution is a real game-changer in monitoring SAP systems for critical security events.

    agileSI is based on a three-layer architectural model with a collection, an administration and an analysis layer (Figure 8).

    The main task performed at the collection layer is the extraction of data by the agileSI agents running on the monitored SAP systems. The agents are developed in ABAP and integrate closely with SAP systems. They are delivered as Add-Ons or SAP transports, with their own namespace registered with SAP. The agents and the central component, called the core, form a powerful and versatile extractor framework: the backend of agileSI.

    The main component of the admin layer is the agileSI core, the central instance for setting up, configuring and monitoring the solution, which also receives and preprocesses all security monitoring data extracted by the agents. The agileSI core is an Add-On as well, and can be installed on one of the agent systems along with an agent, or separately on a dedicated SAP NetWeaver Application Server ABAP.

    The central pillar of the analysis layer is the agileSI frontend, which can be either a SIEM solution that may already exist in the customer's IT infrastructure or a standalone version using an embedded frontend.

    The agileSI agents have several data extractors to access data stored in log files, tables, change documents, etc. Table 2 lists all extractors and the data available through agileSI.


    Figure 8: agileSI, the industry's first automated and SAP-certified solution in SAP security monitoring

    agileSI Extractors

    | Information source | Events/Data | Example use cases |
    |---|---|---|
    | Security audit log | Subset of security events in SAP systems, such as (failed) logins, transaction starts, etc. | Brute force login; user created / deleted / locked / unlocked; password changes; execution of reports |
    | System log | SAP basis log for availability, error tracking, security, ... | Debugging; execution of OS commands; table logging in program disabled by user |
    | System parameters | SAP system configuration | Password policy checks; SAP gateway check; SNC encryption status |
    | Tables | Data stored in tables | System and client change settings; single sign-on / logon tickets; RFC configuration; any data stored in any table |
    | Ping | Monitor availability | Check availability of SAP systems |
    | Transport log | Change management through transports with code, customizing; updates to roles | Transports of critical objects, at unusual times |
    | Gateway configuration & log | Communication with external programs | Monitor 'denied' external calls |
    | Change documents | Changes to business objects | Roles, profiles; user master data |
    | Table change logging | Changes to data stored in tables | Monitor critical tables (master data, conditions of purchase) |
    | Access controls | Checks against critical combinations of authorization objects | SoD conflicts; backdoor implementation via transports |
    | Security notes | SAP RSECNOTE implementation status | Security notes missing in system landscape |

The core is agileSI's central component at the administration layer. It provides a native web interface based on SAP's Web Dynpro ABAP technology for centrally configuring and monitoring the backend part of the solution.

The agileSI security analytics pack provides a comprehensive set of predefined correlation rules, meaningful dashboards, and adaptable reports for security-relevant key indicators. The rule sets are applied to check for compliance and to identify violations, suspicious patterns, anomalies and security-related events. To present this information, agileSI provides real-time dashboards with a highly intuitive and customizable layout for each of the SIEM systems to be integrated.

    Table 2: agileSI extractors and example use cases

    Figure 9: agileSI SIEM Frontend

The predefined reports, based on generally accepted audit guidelines and SAP security recommendations, help customers include the findings in a remediation cycle and take action to improve system security or respond to security incidents. The solution delivers results out of the box but is highly customizable, allowing adaptation to special requirements and customers' security policies.
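The extractor table above lists "password policy checks", "SAP gateway check" and "SNC encryption status" as use cases for the system parameter extractor, and the analytics pack paragraph describes rule sets that check for compliance and flag suspicious patterns such as brute-force logins. The following Python sketch is an added example of those two rule types, written for this page and not code from agileSI or iT-CUBE. The profile parameter names are real SAP parameters; the thresholds, the audit record layout, the use of "AU2" as the failed-logon event id, and the sample data are constructed assumptions for illustration.

```python
# Added example, not agileSI code: a compliance rule over SAP profile
# parameters and a brute-force correlation rule over audit log events.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- 1. Compliance check on system parameters -------------------------------
# parameter -> (predicate on the string value, finding text). Thresholds are
# illustrative assumptions, not SAP defaults or vendor recommendations.
PARAMETER_RULES = {
    "login/min_password_lng": (lambda v: int(v) >= 8, "minimum password length below 8"),
    "login/fails_to_user_lock": (lambda v: 1 <= int(v) <= 5, "lock threshold not in 1..5"),
    "login/password_expiration_time": (lambda v: 0 < int(v) <= 90, "password expiry disabled or > 90 days"),
    "gw/acl_mode": (lambda v: v == "1", "gateway ACL mode not restrictive"),
    "snc/enable": (lambda v: v == "1", "SNC not enabled"),
}


def check_parameters(params):
    """Return a sorted list of (parameter, finding) for non-compliant values.
    A parameter absent from the profile is itself reported as a finding."""
    findings = []
    for name, (ok, message) in PARAMETER_RULES.items():
        value = params.get(name)
        if value is None:
            findings.append((name, "parameter not set"))
        elif not ok(value):
            findings.append((name, message))
    return sorted(findings)


# Constructed profiles: a weak one and its corrected counterpart.
WEAK_PROFILE = {
    "login/min_password_lng": "6",
    "login/fails_to_user_lock": "99",
    "login/password_expiration_time": "0",
    "gw/acl_mode": "0",
    # "snc/enable" deliberately missing
}
HARDENED_PROFILE = {
    "login/min_password_lng": "12",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "90",
    "gw/acl_mode": "1",
    "snc/enable": "1",
}

# --- 2. Brute-force correlation rule over audit log events ------------------
# Constructed records as (timestamp, event_id, user, terminal). "AU2" is
# assumed here to denote a failed logon; "AU1" a successful one.
AUDIT_EVENTS = [
    ("2013-06-03 08:00:01", "AU2", "JDOE", "WS-0815"),    # one typo, then success
    ("2013-06-03 08:00:09", "AU1", "JDOE", "WS-0815"),
    ("2013-06-03 08:10:00", "AU2", "DDIC", "10.0.0.77"),  # rapid burst: 6 failures
    ("2013-06-03 08:10:03", "AU2", "DDIC", "10.0.0.77"),  # in 14 seconds
    ("2013-06-03 08:10:05", "AU2", "DDIC", "10.0.0.77"),
    ("2013-06-03 08:10:08", "AU2", "DDIC", "10.0.0.77"),
    ("2013-06-03 08:10:11", "AU2", "DDIC", "10.0.0.77"),
    ("2013-06-03 08:10:14", "AU2", "DDIC", "10.0.0.77"),
    ("2013-06-03 09:00:00", "AU2", "MSMITH", "WS-0042"),  # 5 failures spread over
    ("2013-06-03 09:05:00", "AU2", "MSMITH", "WS-0042"),  # 20 minutes: never 5
    ("2013-06-03 09:10:00", "AU2", "MSMITH", "WS-0042"),  # inside a 2-minute window
    ("2013-06-03 09:15:00", "AU2", "MSMITH", "WS-0042"),
    ("2013-06-03 09:20:00", "AU2", "MSMITH", "WS-0042"),
]


def detect_brute_force(events, failed_id="AU2", threshold=5, window=timedelta(minutes=2)):
    """Sliding-window rule: alert when `threshold` failed logons for the same
    (user, terminal) fall within `window`. Returns (user, terminal, timestamp)
    per alert; the window is reset after an alert so one burst yields one alert."""
    recent = defaultdict(deque)
    alerts = []
    for ts, event_id, user, terminal in sorted(events):
        if event_id != failed_id:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[(user, terminal)]
        q.append(t)
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, terminal, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for name, finding in check_parameters(WEAK_PROFILE):
        print(f"FINDING {name}: {finding}")
    for user, terminal, ts in detect_brute_force(AUDIT_EVENTS):
        print(f"ALERT brute-force logon against {user} from {terminal} at {ts}")
```

Against the constructed data the parameter rule reports five findings for the weak profile and none for the hardened one, and the correlation rule raises a single alert for the DDIC burst while leaving the slow, spread-out failures from MSMITH alone. A real deployment would read the parameter values and audit records from the extractors rather than from inline constants.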

Thinking Ahead: SAP Security Monitoring for Preempting Business Risk

Integrating application security events into SIEM systems can quickly become a parody of its promise: inefficient, expensive and time-intensive. agileSI helps security teams and business process owners take direct, timely action and operate proactively and efficiently when handling security incidents. Automation, continuous data extraction and smart correlation are the three key factors in saving money, protecting transaction integrity and reducing staff workload.

Eliminate the blind spot in SAP Security Monitoring

  • Continuously monitor your critical system conditions and events,
  • Automate collection, correlation, visualization & reporting,
  • Reduce your audit costs & efforts and save on costly SAP consultants,
  • Utilize standard checks and SAP-specific threat vector detection,
  • Enable your SOC team to interpret SAP security events and act.

Major SIEM vendors have evaluated agileSI and entered into technology partnerships and joint development programs to enhance the detection capabilities of their SIEM products by bridging the SAP-SIEM gap.

Global corporations and government agencies have tested agileSI to drive smarter, faster decisions in security risk management that contribute directly to the bottom line of IT operations.

    To read more about how to protect your most critical business application while reducing costs visit: www.agilesi.net

agileSI - A CISO's Weapon for Passing Audits and Minimizing Risks

Regain control with Security Intelligence for SAP

  • Improve your SAP Security & Risk Management,
  • Lower the number and criticality of auditors' findings,
  • Transform your risks into remediation,
  • Fulfill compliance requirements for your SAP landscapes,
  • Consolidate the SAP tool zoo into one holistic approach.

www.it-cube.net

Published by

iT-CUBE SYSTEMS GmbH
Paul Gerhardt-Allee 24, 81245 München
Handelsregister: HRB 164 145, USt-ID: DE814759132
Managing Director: Dipl.-Ing. Andreas Mertz
T: +49-89 2000 148 00, F: +49-89 2000 148 29, E: [email protected]

About iT-CUBE SYSTEMS GmbH

    iT-CUBE SYSTEMS is a full-service provider focused on IT security. We develop needs-oriented IT security solutions for your company, because your core business depends on the trustworthiness and availability of the IT infrastructure.

    As a full-service provider, we supervise your IT project with practical knowledge gained in projects and daily operation over the entire period from planning to implementation to live operation.

    Moreover, iT-CUBE SYSTEMS has consistently developed into a manufacturer, successfully positioning its own solutions on the market. Apart from the NAGIOS-based IT monitoring we offer agileSI, an SAP security intelligence solution for the continuous monitoring of security-relevant events and parameters of SAP landscapes.

    iT-CUBE SYSTEMS is a contact partner for the entire bandwidth of IT security. You can avoid unnecessary communication errors, save time and costs, and can concentrate on your core business.

iT-CUBE SYSTEMS is headquartered in Munich, Germany, and is active throughout southern Germany and around the globe. Our customers include renowned large corporations as well as medium-sized enterprises in various sectors, such as the aerospace, automotive, financial, insurance, telecommunications, and chemical industries.

    For more information about agileSI, please visit our Website at www.agilesi.net, email us at [email protected] or call us at +49 89 2000 148 0.

    Copyright 2013 iT-CUBE SYSTEMS GmbH

All Rights Reserved. All information is subject to change without further notice. iT-CUBE accepts no liability for the information provided here and does not guarantee that it is up to date, correct, complete or sound. Liability claims against the author based on material or non-material damages caused by the use or non-use of the information provided here are generally excluded, except in proven cases of gross negligence or intentional wrongdoing on the part of the author. The author explicitly reserves the right to modify, complete or delete sections of the web pages or the entire offer without further notice, or to cease publishing this content temporarily or permanently.

    agileSI as well as the respective logo is a trademark or registered trademark of iT-CUBE SYSTEMS GmbH in Germany and other countries. SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. HP ArcSight ESM is a trademark of ArcSight, an HP company. All other product and service names mentioned are the trademarks of their respective companies.

Legal notice: cover photo: fotolia.com // photo page 12: "blind date", photographer: birdy's, source: photocase.com

    Copyrights and trademarks