SAP Enterprise Threat Detection Overview & Roadmap Martin Plummer, SAP SE November 2016



© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2 Customer

Disclaimer

The information in this document is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This document is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Introduction


Trends

Business landscape: interconnected systems
Cyber crime: sophisticated attacks
Security strategy: risk-based security measures


The threat landscape is changing. And your security measures?

Increase:
• Denial of service
• Standard malicious mails
• Standard malware
• Cost of insider attacks
• Business applications as a target
• Identity theft
• Targeted attacks against employees
• Cost of espionage
• Standard encryption reducing the effectiveness of network-based security solutions

Solutions are available on the infrastructure layer, but with limited insight into the business systems: the weak point of most enterprises.


Risk-based security investments: do you protect your data or only the underlying infrastructure?

What data is critical to you?
• Customer data
• Employee data
• Processes
• Contract data
• Financial data
• Leads
• Marketing activities
• Production process
• Product lifecycle
• Vendor information
• Specifications
• Logistics

Where is that data mainly stored?
• SAP systems
• Mails
• Cloud drives
• Files
• Devices
• Infrastructure

SAP system: security measures on the infrastructure level are mandatory. But for most companies an SAP system is a black box with respect to security, and that black box often contains the most critical data.


Security for business systems: the missing piece

Security from an SAP department perspective (SAP landscape):
• Patch management
• Secure development
• Secure configuration
• Strong authentication
• Identity management
• Detection: the missing piece


Detect attacks against your business systems

What kind of attacks are you able to identify in your SAP business landscape in real time?
• Brute force attack (SAP RFC, web services, …)
• Identity theft (SAP user)
• Misuse of administrative rights within SAP
• Misuse of development rights within SAP
• SAP user anomaly detection
• System anomaly detection
• Data breach in an SAP system

What kind of transparency do you have into your system landscape in real time?
• Threat situation in the last 24 hours?
• SAP system patch status?
• Forensic tools to examine a suspicion?
• Who read confidential information in the SAP system?
• Historical security data of your SAP system landscape?
• Technical events versus semantic events?
• Real-time correlation of large amounts of security data?


Customer scenarios

3rd-party employee working with firefighter rights creates a backdoor user (Banking)
• Risk: the system can be accessed by an unauthorized user

Employee downloads unusual amounts of technical drawings (Manufacturing)
• Risk: exfiltration of intellectual property

Admins log on to a high-security system from a potentially unsafe network (Public Sector)
• Risk: administrator credentials get compromised

SAP servers communicate with known malware hosts (SAP IT)
• Risk: further spread of malware within the IT network, exfiltration of sensitive data


The application level needs to be addressed

Layers of the stack: Application, Database, Operating System, Network

Product Overview


Protect your business: effectively identify and analyze threats

• Efficiently analyze and correlate logs
• Perform forensic investigations and discover new patterns
• Integrate custom log providers
• Find threats focused on SAP software
• Leverage the power of the real-time data platform
• Automatically evaluate attack detection patterns


SAP Enterprise Threat Detection: main use cases

Real-time security monitoring
• Gather events from the landscape
• Evaluate attack detection patterns
• React to critical alerts
• Gain an overview of the threat situation

Ad hoc analysis
• Analyze existing suspicions
• Perform forensic investigation
• Support compliance processes


SAP Enterprise Threat Detection - Architecture

• Log sources: the SAP landscape (any database) and non-SAP log data deliver distributed system log data.
• SAP HANA Smart Data Streaming: normalize, pseudonymize and enrich the log data.
• SAP HANA: persistence, analysis, alert generation.
• SAP Enterprise Threat Detection application (ABAP and HANA): threat situation, forensic lab, patterns, log learning, …


Integration with SIEM and other external processes

Alert publishing (ETD to SIEM, as JSON)
• Pushing via email
• Pushing as JSON
• Pulling as JSON

Alerts, notifications and events as input (SIEM and specialized detectors to ETD)
• Log learning
• Custom adapters on ESP


Log management (archiving): for long-term storage and retrieval

• The ESP (Event Stream Processor) writes events to files in two forms: original data (for auditing) and normalized data (the same as sent to HANA).
• Both sets of files are kept in the archive.
• Normalized events are read back from the archive files into HANA to retrieve old events for forensic analysis.


Example scenario: assignment of SAP_ALL and following actions

Assign SAP_ALL → Log on → Debug and divert money

The authorization of a user account is increased. Someone now uses the enhanced user account to debug a financial report to divert money to his account. Automated attack detection patterns would alert the security operations center at several stages and determine:
• Users
• Terminals
• Key events
• Values that were altered
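The following is an added example, not SAP code, of how a detection pattern for this scenario can be expressed: it correlates a critical profile assignment with the logon and debug activity that the same user performs afterwards, reports the stage reached, and collects the users, terminals, key events and altered values the slide says an alert should determine. The event layout, user and terminal names, report names and the 24-hour correlation window are constructed assumptions.

```python
"""Correlating a critical profile assignment with the actions that follow it.

Added example, not SAP code: a small detector over constructed, already
normalized audit events that mirrors the slide's scenario. An account is given
SAP_ALL, someone logs on with it, a debug session is started in a financial
report and a value is changed. All users, terminals, report names, event types
and the 24-hour window are constructed assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event type, user, terminal, detail)
EVENTS = [
    ("2016-11-02T08:00:00", "PROFILE_ASSIGNED", "JDOE", "WS-ADMIN-01", "SAP_ALL"),
    ("2016-11-02T08:01:10", "LOGON", "JDOE", "WS-0472", "dialog"),
    ("2016-11-02T08:05:42", "DEBUG_START", "JDOE", "WS-0472", "ZFI_PAYMENT_RUN"),
    ("2016-11-02T08:06:03", "FIELD_CHANGED", "JDOE", "WS-0472", "BANKN 12345->99999"),
    ("2016-11-02T09:00:00", "PROFILE_ASSIGNED", "MMUELLER", "WS-ADMIN-01", "SAP_ALL"),
    ("2016-11-02T09:30:00", "LOGON", "MMUELLER", "WS-0311", "dialog"),
    ("2016-11-03T11:00:00", "LOGON", "ASMITH", "WS-0100", "dialog"),
    ("2016-11-03T11:02:00", "DEBUG_START", "ASMITH", "WS-0100", "ZREPORT"),
]

CRITICAL_PROFILES = {"SAP_ALL"}
WINDOW = timedelta(hours=24)   # how long after the grant follow-up actions are correlated


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=WINDOW):
    """Return one alert per critical profile grant, with the escalation stage
    reached by the same user inside the window:
      stage 1: the grant alone
      stage 2: grant followed by a logon
      stage 3: grant, logon and a debug session (the slide's full chain)
    Each alert lists the terminals, key events and altered values involved."""
    per_user = defaultdict(list)
    for ts, kind, user, terminal, detail in sorted(events):
        per_user[user].append((parse_ts(ts), kind, terminal, detail))

    alerts = []
    for user, evs in per_user.items():
        for grant_ts, kind, grant_term, profile in evs:
            if kind != "PROFILE_ASSIGNED" or profile not in CRITICAL_PROFILES:
                continue
            # everything this user did after the grant, inside the window
            follow = [e for e in evs if grant_ts < e[0] <= grant_ts + window]
            kinds = {e[1] for e in follow}
            stage = 1
            if "LOGON" in kinds:
                stage = 3 if "DEBUG_START" in kinds else 2
            alerts.append({
                "user": user,
                "profile": profile,
                "stage": stage,
                "terminals": sorted({grant_term} | {e[2] for e in follow}),
                "key_events": ["PROFILE_ASSIGNED"] + [e[1] for e in follow],
                "altered_values": [e[3] for e in follow if e[1] == "FIELD_CHANGED"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed input, JDOE reaches stage 3 with both the admin terminal and the workstation listed and the changed bank account number captured, MMUELLER stops at stage 2, and ASMITH (debugging without a prior grant) produces no alert from this pattern. Keying the correlation on the user rather than on the terminal is what lets the pattern catch a grant made from one machine and used from another.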


Working with SAP Enterprise Threat Detection: Monitoring and Forensic Lab

Monitoring (initial analysis) → Alerts → Forensic Lab (further analysis, deriving new patterns)


Example of analyzing events in the forensic lab

• An existing workspace has filter paths showing critical authorization assignment and logons.
• There are 2 events where a logon has taken place with an account that has received a critical authorization.
• A path is added to look into what the corresponding users have been up to.
• Filters are added to the path and finally the raw data is examined.


Graphical and statistical analysis: looking at the bigger picture

Anomaly and outlier detection compare observed feature values against a historic baseline.

The threat situation shows a network of patterns, involved systems, users and terminals. The resulting diagram allows identification of hotspots of potentially malicious activities.


Anomaly Detection Lab: detect deviations from normal behavior

Normal: over the course of 12 weeks, systems A, B, and C only communicate with system D.
Abnormal: suddenly, system A communicates with system B.
Is this suspicious?
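As an added example, not SAP code, the baseline-versus-observation idea behind this slide in a few lines: a learning period establishes which system pairs normally talk to each other, and a later observation is checked against it. Record layout, dates and the "seen on at least N distinct days" threshold are constructed assumptions.

```python
"""Baseline-versus-observation check for system-to-system communication.

Added example, not SAP code. It reproduces the slide's case with constructed
connection records: during a 12-week learning period systems A, B and C only
talk to D; afterwards a connection from A to B appears, is absent from the
baseline and is flagged for the analyst. Record layout, dates and the
"seen on at least N days" threshold are assumptions for this illustration.
"""
from datetime import date, timedelta


def build_history(weeks=12, start=date(2016, 8, 1)):
    """Constructed learning data: every day, A, B and C each connect to D."""
    records = []
    for day in range(weeks * 7):
        d = start + timedelta(days=day)
        for src in ("A", "B", "C"):
            records.append((d, src, "D"))
    return records


def learn_baseline(records):
    """Map each (source, target) pair to the number of distinct days it was seen.
    Counting days rather than connections keeps one noisy day from
    establishing a pair as normal."""
    days_seen = {}
    for d, src, dst in records:
        days_seen.setdefault((src, dst), set()).add(d)
    return {pair: len(days) for pair, days in days_seen.items()}


def score(baseline, observed, min_days=7):
    """Flag observed pairs that the baseline never saw ("new") or saw on fewer
    than min_days distinct days ("rare"); pairs seen often enough pass."""
    findings = []
    for src, dst in observed:
        seen = baseline.get((src, dst), 0)
        if seen < min_days:
            findings.append({"pair": f"{src}->{dst}",
                             "days_in_baseline": seen,
                             "verdict": "new" if seen == 0 else "rare"})
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(build_history())
    today = [("A", "D"), ("B", "D"), ("A", "B")]   # constructed: A suddenly talks to B
    for finding in score(baseline, today):
        print(finding)
```

The answer to "is this suspicious?" is that the A to B pair has zero days of history behind it, which is exactly what the check surfaces; whether it is malicious is for the analyst, which is why the finding carries the baseline count rather than a verdict alone.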


Pseudonymization

Example: a user in system XYZ, client 000, appears in the analysis as the pseudonym GZVRR-8076 (XYZ/000 ↔ GZVRR-8076).
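The following added example, not the product's code, shows the three streaming steps named on the architecture slide (normalize, pseudonymize, enrich) applied to one raw record, with a pseudonym mapping of the shape shown on this slide (XYZ/000 ↔ GZVRR-8076). The raw line layout, field names, subnet table and key are constructed; pseudonyms are derived with HMAC-SHA256 under a secret key, a design choice made here rather than anything the deck states.

```python
"""Normalize, pseudonymize and enrich one raw log record.

Added example, not the product's code. The raw line layout, field names, subnet
table and key are constructed for this illustration. Pseudonyms are derived with
HMAC-SHA256 under a secret key, so the same user in the same system and client
always gets the same pseudonym, while the clear name is only recoverable through
the mapping table that the pseudonymization step keeps.
"""
import hashlib
import hmac
import ipaddress
import json

SECRET_KEY = b"constructed-demo-key"   # constructed; a deployment loads this from a key store
SUBNETS = {"10.1.0.0/16": "office", "10.9.0.0/16": "partner-vpn"}   # constructed context data

# Constructed raw line: system|client|user|terminal|ip|event type
RAW = "XYZ|000|JDOE|WS-0472|10.9.3.17|LOGON"


def pseudonym(system, client, user, key=SECRET_KEY):
    """Deterministic keyed pseudonym in the same LLLLL-DDDD shape as the slide's example."""
    digest = hmac.new(key, f"{system}/{client}/{user}".encode(), hashlib.sha256).digest()
    letters = "".join(chr(ord("A") + b % 26) for b in digest[:5])
    digits = int.from_bytes(digest[5:7], "big") % 10000
    return f"{letters}-{digits:04d}"


def normalize(raw):
    """Split the raw line into named fields."""
    system, client, user, terminal, ip, event = raw.split("|")
    return {"system": system, "client": client, "user": user,
            "terminal": terminal, "ip": ip, "event": event}


def pseudonymize(event, table):
    """Replace the user name by its pseudonym and record the mapping in `table`,
    which stays with the pseudonymization step rather than with the analysts."""
    p = pseudonym(event["system"], event["client"], event["user"])
    table[p] = (event["system"], event["client"], event["user"])
    return {**event, "user": p}


def enrich(event, subnets=SUBNETS):
    """Add subnet context so analysts see 'partner-vpn' instead of a bare address."""
    addr = ipaddress.ip_address(event["ip"])
    network = next((name for cidr, name in subnets.items()
                    if addr in ipaddress.ip_network(cidr)), "unknown")
    return {**event, "network": network}


def process(raw, table):
    """The full pipeline: the record that would be persisted and analyzed."""
    return enrich(pseudonymize(normalize(raw), table))


def resolve(pseudo, table):
    """Controlled re-identification: return (system, client, user) or None."""
    return table.get(pseudo)


if __name__ == "__main__":
    mapping = {}
    print(json.dumps(process(RAW, mapping)))
```

The keyed construction is what makes the pseudonym stable across events (so patterns can still correlate a user's actions) without being reversible by anyone who sees only the analysis data; re-identification goes through `resolve` and the mapping table, which can be access-controlled separately.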


Security Status Monitor Systems


Security Status Monitor: Security Notes Patterns

Coverage in SP04 is of recent ABAP Security Notes dating back to September 2015 in three categories (total 53 notes):
• Missing authorization
• Removed RFC flag
• Disabled code execution

You can incorporate indicators from these into your own patterns in the forensic lab.

ETD @ SAP IT


SAP Enterprise Threat Detection inside SAP IT

Related solutions: SAP Fraud Management; UIL / UIM.
Foundational services: SAP GRC - Risk Management; SAP GRC - Process Controls.


SAP Enterprise Threat Detection: a big-data solution to a serious security challenge

Company: SAP SE
Headquarters: Walldorf, Germany
Industry: High tech
Products and services: Enterprise software and services
Employees: 74,000
Revenue: €16.82 billion
Web site: www.sap.com
Implementation partners: -

TOP BENEFITS ACHIEVED
• >80 available attack patterns
• ~250 million events per day
• 0.7% to 1.5% CPU load on monitored systems

BUSINESS TRANSFORMATION

The company's top objectives
• Add the layer of application-level security monitoring to the existing security measures at SAP
• Bring knowledge about attack patterns into an executable form, so attacks can be detected automatically and accurately
• Enable Security Operations to identify and act on attacks and malicious behavior in SAP systems in a timely manner

The resolution
• Implementation of a dedicated SAP Enterprise Threat Detection (ETD) landscape with sufficient sizing to cope with the vast amount of log data available
• Tailoring of attack patterns to the specifics of the business systems being monitored
• Continuous expansion of the pattern repository
• Close collaboration with product development teams to implement required features and integrate them into the standard product

The key benefits
• Readily and efficiently identify security lapses in SAP's business systems
• Detection of threats and attacks as they happen
• On-the-fly security analytics capabilities

"SAP Enterprise Threat Detection enables us to identify real attacks to our business systems as they are happening and analyze the threats quickly enough to neutralize them before serious damage occurs."
Maximilian Adrian, Vice President Business Application Security, SAP SE

Roadmap


This is the current state of planning and may be changed by SAP at any time.

SAP Enterprise Threat Detection product road map overview: key themes and capabilities

Today (Release 1.0 SP04)

Collect event and context information
• SAP platforms NetWeaver ABAP/Java and HANA
• User, system and subnet metadata
• Syslog protocol and log learning
• User pseudonyms

Analyze and visualize events
• Attack detection based on rules
• Anomaly detection based on user and system behavior
• Visualization of event and context data
• Support for two-tier landscapes
• Content delivered via service packs

Monitor and act on incidents
• Monitoring dashboards
• Threat situation
• System security status
• Alerts and investigations
• Integration with SIEM and ticketing systems

Operations
• Log archiving
• On premise and in HANA Enterprise Cloud

Planned Innovations

Collect event and context information
• Additional ABAP/Java logs
• SAP Solution Manager security services
• SAP GRC products
• 3rd-party products via CEF

Analyze and visualize events
• Regular content delivery
• SAP security notes and compliance checks
• Supervised machine learning for anomaly detection
• Enhanced functions for pattern definition

Monitor and act on incidents
• Integration with further SIEM systems
• Integration with SAP Solution Manager Alerting
• Visualization of threat situation

Operations
• Hot/warm data management
• SaaS

Future Direction

Collect event and context information
• SAP Cloud applications
• SAP ERP HCM, SAP SuccessFactors EC
• Threat intelligence providers

Analyze and visualize events
• Detection of new threats
• Advanced analysis & visualization

Monitor and act on incidents
• Automated reaction
• Flexible reporting / dashboards

Summary: SAP Enterprise Threat Detection

• Security monitoring for your SAP business systems
• Holistic security approach together with your existing infrastructure-based investments
• Understand the impact of an attack on your business systems
• Support your compliance/audit goals
• Protect your company and shareholder interests


© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.