SAP Enterprise Threat Detection
Overview & Roadmap
Martin Plummer, SAP SE
November 2016
Disclaimer The information in this document is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This document is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions. 2016 SAP SE or an SAP affiliate company. All rights reserved. Customer 2
Introduction
Trends
- Business landscape: interconnected systems
- Cyber crime: sophisticated attacks
- Security strategy: risk-based security measures
The threat landscape is changing. And your security measures?
(Chart, vertical axis labelled "Increase")
- Denial of service, standard malicious mails, standard malware: solutions are available on the infrastructure layer, but with limited insight into the business systems
- Cost of insider attacks
- Business applications as a target
- Identity theft
- Targeted attacks against employees
- Cost of espionage
- Standard encryption reducing the effectiveness of network-based security solutions
- The weak point of most enterprises
Risk-based security investments
Do you protect your data or only the underlying infrastructure?
What data is critical to you?
- Production process, specifications, customer data, product lifecycle, processes, employee data, marketing activities, vendor information, logistics, financial data, leads, contract data
Where is that data mainly stored?
- Mails, devices, SAP systems, cloud drives, files
Security measures on the infrastructure level are mandatory. But for most companies an SAP system is a black box with respect to security. That black box often contains the most critical data.
(Diagram: SAP system sitting on top of the infrastructure)
Security for business systems: the missing piece
Security from an SAP department perspective:
- Strong authentication
- Identity management
- Secure configuration
- Patch management
- Secure development
- Detection (the missing piece)
(Diagram: SAP landscape)
Detect attacks against your business systems
What kind of attacks are you able to identify in your SAP business landscape in real time?
- Brute force attack (SAP RFC, web services, ...)
- Identity theft (SAP user)
- Misuse of administrative rights within SAP
- Misuse of development rights within SAP
- SAP user anomaly detection
- System anomaly detection
- Data breach in an SAP system
What kind of transparency do you have into your system landscape in real time?
- Threat situation of the last 24 hours?
- SAP system patch status?
- Forensic tools to examine a suspicion?
- Who read confidential information in the SAP system?
- Historical security data of your SAP system landscape?
- Technical events versus semantic events?
- Real-time correlation of large amounts of security data?
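The first item on the list, a brute-force attack against logons, is the simplest of these detections to make concrete. The following is an added example and not SAP Enterprise Threat Detection code: it counts failed logons per terminal in a sliding time window and escalates the alert when a successful logon from the same terminal follows the burst. The pipe-separated event format, the event names FAILED_LOGON and LOGON, and the sample events are constructed for this demonstration and are not Security Audit Log message IDs.

```python
"""Brute-force logon detection over a constructed SAP-style logon event stream.

Added example, not SAP Enterprise Threat Detection code. It assumes a
pipe-separated event line (timestamp|event|user|terminal|system) constructed
for this demonstration; FAILED_LOGON and LOGON are placeholder event names,
not Security Audit Log message IDs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a burst of failed logons for several users from one
# terminal, then a successful logon from that terminal; plus normal activity.
SAMPLE_EVENTS = """\
2016-11-07T08:00:01|FAILED_LOGON|JDOE|PC-4711|ERP/100
2016-11-07T08:00:03|FAILED_LOGON|JDOE|PC-4711|ERP/100
2016-11-07T08:00:04|FAILED_LOGON|ADMIN|PC-4711|ERP/100
2016-11-07T08:00:06|FAILED_LOGON|ADMIN|PC-4711|ERP/100
2016-11-07T08:00:07|FAILED_LOGON|SAP*|PC-4711|ERP/100
2016-11-07T08:00:09|LOGON|ADMIN|PC-4711|ERP/100
2016-11-07T08:15:00|FAILED_LOGON|MSMITH|PC-0815|ERP/100
2016-11-07T09:30:00|LOGON|MSMITH|PC-0815|ERP/100
"""


def parse_events(text):
    """Turn the constructed line format into dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, terminal, system = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "terminal": terminal, "system": system})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Raise one alert per terminal that produces >= threshold failed logons
    inside a sliding time window. A later successful logon from the same
    terminal escalates that alert, because a success right after a burst of
    failures is what a successful guess looks like. Events must be sorted
    by time. Returns the list of alert dicts."""
    recent = defaultdict(deque)   # terminal -> deque of (timestamp, user)
    open_alerts = {}              # terminal -> alert already raised for it
    alerts = []
    for ev in events:
        term = ev["terminal"]
        if ev["event"] == "FAILED_LOGON":
            q = recent[term]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # expire old failures
                q.popleft()
            if len(q) >= threshold and term not in open_alerts:
                alert = {"terminal": term, "system": ev["system"],
                         "failures": len(q), "severity": "medium",
                         "users": sorted({u for _, u in q}),
                         "first": q[0][0], "last": ev["ts"]}
                open_alerts[term] = alert
                alerts.append(alert)
        elif ev["event"] == "LOGON" and term in open_alerts:
            alert = open_alerts[term]
            alert["severity"] = "high"
            alert["success_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Keying the window on the terminal rather than the user is what catches password spraying (a few attempts against many accounts), which a per-user threshold would miss; in practice you would run both variants and tune the threshold against your own logon failure rate.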
Customer scenarios
- A 3rd-party employee working with firefighter rights is creating a backdoor user. Risk: the system can be accessed by an unauthorized user.
- An employee is downloading unusual amounts of technical drawings. Risk: exfiltration of intellectual property.
- Admins log in to a high-security system from a potentially unsafe network. Risk: administrator credentials get compromised.
- SAP servers communicate with known malware hosts. Risk: further spread of malware within the IT network, exfiltration of sensitive data.
Industries shown: Banking, Manufacturing, Public Sector, SAP IT
The application level needs to be addressed
(Diagram of the layers: Application, Database, Operating System, Network)
Product Overview
Protect your business
- Effectively identify and analyze threats
- Efficiently analyze and correlate logs
- Perform forensic investigations and discover new patterns
- Automatically evaluate attack detection patterns
- Integrate custom log providers
- Find threats focused on SAP software
- Leverage the power of the real-time data platform
SAP Enterprise Threat Detection: main use cases
Real-time security monitoring:
- Gather events from the landscape
- Evaluate attack detection patterns
- React on critical alerts
- Gain an overview of the threat situation
Ad hoc analysis:
- Analyze existing suspicions
- Perform forensic investigation
- Support compliance processes
SAP Enterprise Threat Detection - Architecture
(Architecture diagram)
- SAP landscape (any database): ABAP and HANA systems deliver their logs, alongside non-SAP log data and distributed system log data
- SAP HANA Smart Data Streaming: normalize, pseudonymize, enrich log data
- SAP HANA: persistence, analysis, alert generation
- SAP Enterprise Threat Detection: threat situation, forensic lab, patterns, log learning, ...
Integration with SIEM and other external processes
Alert publishing:
- Pushing via email
- Pushing as JSON
- Pulling as JSON
Alerts, notifications, events as input:
- Log learning
- Custom adapters on ESP
(Diagram: ETD exchanges JSON with the SIEM and with specialized detectors)
Log management (archiving)
For long-term storage and retrieval:
- Write events to files: original (for auditing) and normalized (same as sent to HANA)
- Read normalized events from files: retrieve old events for forensic analysis
(Diagram: original data enters the ESP (Event Stream Processor), normalized data flows to HANA; both original and normalized data are written to the archive in numbered batches (Original Data 1-3, Normalized Data 1-3), and a normalized batch can be read back from the archive through the ESP into HANA)
Example scenario: assignment of SAP_ALL and following actions
The authorization of a user account is increased. Someone now uses the enhanced user account to debug a financial report to divert money to his account.
Stages: Assign SAP_ALL, Log on, Debug and divert money
Automated attack detection patterns would alert the security operations center at several stages and determine:
- Users
- Terminals
- Key events
- Values that were altered
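The scenario above is a multi-stage pattern: each stage on its own (a profile assignment, a logon, a debugger change) is ordinary, and the alert value comes from linking them through the account that received the critical profile. The following is an added example, not SAP Enterprise Threat Detection pattern code, showing that correlation over a constructed event stream. The event types AUTH_ASSIGN, LOGON and DEBUG_CHANGE, the key=value payload format, and all users, terminals, the program name ZFI_PAYMENT_RUN and the field BANK_ACCOUNT are constructed for this demonstration.

```python
"""Stage correlation for the SAP_ALL scenario: profile assignment, logon with
the upgraded account, then a debugger change of values in a financial report.

Added example, not SAP Enterprise Threat Detection pattern code. The event
types AUTH_ASSIGN, LOGON and DEBUG_CHANGE, the key=value payload and all
names (users, terminals, program ZFI_PAYMENT_RUN, field BANK_ACCOUNT) are
constructed for this demonstration.
"""
from datetime import datetime, timedelta

# Constructed sample stream: the three stages for TEMP_USER, plus unrelated
# activity of MSMITH that must not trigger the pattern.
SAMPLE_EVENTS = [
    "2016-11-07T10:00:00|AUTH_ASSIGN|system=ERP/100|actor=BASIS01|terminal=PC-0100|target=TEMP_USER|profile=SAP_ALL",
    "2016-11-07T10:05:00|LOGON|system=ERP/100|user=TEMP_USER|terminal=PC-9999",
    "2016-11-07T10:07:30|DEBUG_CHANGE|system=ERP/100|user=TEMP_USER|terminal=PC-9999|program=ZFI_PAYMENT_RUN|field=BANK_ACCOUNT|old=DE00111122223333|new=DE00999988887777",
    "2016-11-07T11:00:00|LOGON|system=ERP/100|user=MSMITH|terminal=PC-0815",
    "2016-11-07T11:01:00|DEBUG_CHANGE|system=ERP/100|user=MSMITH|terminal=PC-0815|program=ZTEST|field=LV_FLAG|old=X|new=",
]

# Profiles whose assignment starts the pattern; extend with your own critical ones.
CRITICAL_PROFILES = {"SAP_ALL"}


def parse(line):
    """Split the constructed format into timestamp, type and attribute dict."""
    ts, kind, *pairs = line.split("|")
    attrs = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "type": kind, "attrs": attrs, "raw": line}


def correlate(lines, window=timedelta(hours=24)):
    """Walk the events once; remember who received a critical profile and raise
    a stage alert each time such an account is seen logging on or changing
    values in the debugger within `window` after the assignment. Each alert
    carries what the slide lists: users, terminals, the key event and, for
    stage 3, the values that were altered."""
    privileged = {}   # user -> timestamp of the critical profile assignment
    alerts = []
    for ev in map(parse, lines):
        a = ev["attrs"]
        if ev["type"] == "AUTH_ASSIGN" and a.get("profile") in CRITICAL_PROFILES:
            privileged[a["target"]] = ev["ts"]
            alerts.append({"stage": 1, "pattern": "Critical profile assigned",
                           "users": [a["actor"], a["target"]],
                           "terminals": [a["terminal"]],
                           "key_event": ev["raw"], "altered_values": {}})
            continue
        user = a.get("user")
        # Only accounts upgraded inside the correlation window are followed.
        if user not in privileged or ev["ts"] - privileged[user] > window:
            continue
        if ev["type"] == "LOGON":
            alerts.append({"stage": 2, "pattern": "Logon with newly privileged account",
                           "users": [user], "terminals": [a["terminal"]],
                           "key_event": ev["raw"], "altered_values": {}})
        elif ev["type"] == "DEBUG_CHANGE":
            alerts.append({"stage": 3,
                           "pattern": "Debugger value change by newly privileged account in " + a["program"],
                           "users": [user], "terminals": [a["terminal"]],
                           "key_event": ev["raw"],
                           "altered_values": {a["field"]: (a["old"], a["new"])}})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["stage"], alert["pattern"], alert["users"], alert["terminals"],
              alert["altered_values"])
```

The window bounds how long an account stays "interesting" after the assignment; without it, every later logon of a long-lived admin account would keep firing stage 2. Stage 3 records old and new values so the investigation can see exactly what was changed.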
Working with SAP Enterprise Threat Detection
- Monitoring: alerts, initial analysis
- Forensic lab: further analysis, deriving new patterns
Example of analyzing events in the forensic lab
- An existing workspace has filter paths showing critical authorization assignment and logons
- There are 2 events where a logon has taken place with an account that has received a critical authorization
- A path is added to look into what the corresponding users have been up to
- Filters are added to the path and finally the raw data is examined
Graphical and statistical analysis: looking at the bigger picture
- Anomaly and outlier detection compare observed feature values against a historic baseline.
- The threat situation shows the network of patterns, involved systems, users and terminals.
- The resulting diagram allows identification of hotspots of potentially malicious activities.
Anomaly Detection Lab: detect deviations from normal behavior
- Over the course of 12 weeks, systems A, B, and C only communicate with system D.
- Suddenly, system A communicates with system B. Is this suspicious?
(Diagram: "Normal" shows A, B and C each connected only to D; "Abnormal" adds a connection from A to B)
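The question on the slide is answered by comparing the new connection against a learned baseline rather than against a fixed rule. The following is an added example, not the ETD Anomaly Detection Lab: it builds, per source system, the set of peers seen during the 12-week baseline window and flags a destination that was never seen for that source, while refusing to judge sources for which the baseline holds too few samples. The connection records and the scoring rule are constructed for this demonstration and are not SAP's algorithm.

```python
"""Communication-baseline check for the slide's "A suddenly talks to B" case.

Added example, not the ETD Anomaly Detection Lab. The connection records are
constructed, and the rule (flag a destination never seen for that source
during the baseline window, provided the baseline holds enough samples) is a
plain illustration of baselining, not SAP's algorithm.
"""
from collections import defaultdict
from datetime import date, timedelta


def build_baseline(records, start, end):
    """Learn, per source system, the set of peers it talked to in [start, end)
    and how many connections were observed (to judge baseline sufficiency)."""
    peers, counts = defaultdict(set), defaultdict(int)
    for day, src, dst in records:
        if start <= day < end:
            peers[src].add(dst)
            counts[src] += 1
    return {"start": start, "end": end, "peers": dict(peers), "counts": dict(counts)}


def score_connections(baseline, records, min_samples=20):
    """Classify every connection dated at or after the baseline window."""
    results = []
    for day, src, dst in records:
        if day < baseline["end"]:
            continue
        if baseline["counts"].get(src, 0) < min_samples:
            verdict = "insufficient baseline"      # cold start: do not alert yet
        elif dst in baseline["peers"].get(src, set()):
            verdict = "normal"
        else:
            verdict = "anomalous: new peer"
        results.append((day, src, dst, verdict))
    return results


def constructed_records():
    """12 weeks in which A, B and C each talk only to D, then one day with the
    usual A->D traffic, a new A->B connection and a previously unseen system E."""
    start = date(2016, 8, 1)
    recs = [(start + timedelta(days=d), s, "D") for d in range(12 * 7) for s in "ABC"]
    observation_day = start + timedelta(days=12 * 7)
    recs += [(observation_day, "A", "D"), (observation_day, "A", "B"),
             (observation_day, "E", "F")]
    return start, observation_day, recs


def run_example():
    """Baseline over the 12 weeks, then score the observation day."""
    start, end, recs = constructed_records()
    baseline = build_baseline(recs, start, end)
    return score_connections(baseline, recs)


if __name__ == "__main__":
    for day, src, dst, verdict in run_example():
        print(day, f"{src}->{dst}", verdict)
```

The "insufficient baseline" verdict is the part worth copying: a system that only just appeared in the logs has no normal to deviate from, and treating every one of its connections as an anomaly buries the real finding (A->B) in noise.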
Pseudonymization
(Screenshots: the acting user appears only as the pseudonym GZVRR-8076, system XYZ/000)
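Pseudonymization as shown on the slide has to satisfy two needs at once: the same user must always get the same pseudonym so that analysts can still correlate that user's actions, and the real identity must only be recoverable through an authorized resolve step. The following is an added example, not SAP Enterprise Threat Detection's pseudonymization: it derives a stable pseudonym from an HMAC over the user ID and keeps the re-identification table behind an authorization check. The pseudonym shape (five letters, a dash, four digits) is modelled on the GZVRR-8076 value on the slide; the derivation, the collision handling and the authorization flag are constructed here.

```python
"""Keyed, reversible pseudonymization of user IDs in log events.

Added example, not SAP Enterprise Threat Detection's pseudonymization. The
pseudonym shape (five letters, a dash, four digits) is modelled on the
GZVRR-8076 value shown on the slide; deriving it from an HMAC, the collision
handling and the authorization check are constructed for this demonstration.
"""
import hashlib
import hmac
import string


class Pseudonymizer:
    """Maps user IDs to stable pseudonyms so analysts can still correlate a
    user's actions, while the real identity is only obtainable through
    resolve(), which simulates the authorization gate a resolver needs."""

    LETTERS = string.ascii_uppercase

    def __init__(self, key: bytes):
        self._key = key
        self._forward = {}   # user -> pseudonym
        self._reverse = {}   # pseudonym -> user (the protected re-identification table)

    def _candidate(self, user, attempt):
        # Keyed derivation: without the key nobody can recompute the pseudonym
        # of a guessed user ID, which an unkeyed hash of a small ID space allows.
        msg = f"{attempt}:{user}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        letters = "".join(self.LETTERS[b % 26] for b in digest[:5])
        digits = int.from_bytes(digest[5:9], "big") % 10000
        return f"{letters}-{digits:04d}"

    def pseudonymize(self, user):
        """Return the stable pseudonym for a user, creating it on first sight."""
        user = user.upper()        # SAP user IDs are stored in upper case; normalise first
        if user in self._forward:
            return self._forward[user]
        attempt = 0
        pseudonym = self._candidate(user, attempt)
        while pseudonym in self._reverse:      # collision with another user: re-derive
            attempt += 1
            pseudonym = self._candidate(user, attempt)
        self._forward[user] = pseudonym
        self._reverse[pseudonym] = user
        return pseudonym

    def resolve(self, pseudonym, authorized):
        """Re-identify a pseudonym; `authorized` stands in for the resolver's
        own authorization check."""
        if not authorized:
            raise PermissionError("re-identification requires the resolve authorization")
        return self._reverse[pseudonym]


def pseudonymize_event(pz, event, fields=("user", "actor", "target")):
    """Return a copy of an event dict with every identity field replaced."""
    out = dict(event)
    for f in fields:
        if f in out:
            out[f] = pz.pseudonymize(out[f])
    return out


if __name__ == "__main__":
    pz = Pseudonymizer(b"constructed-demo-key")   # in practice: a managed secret
    ev = pseudonymize_event(pz, {"ts": "2016-11-07T08:00:01", "user": "JDOE",
                                 "terminal": "PC-4711", "system": "XYZ/000"})
    print(ev)
    print(pz.resolve(ev["user"], authorized=True))
```

The key, not the mapping table, is what makes the pseudonyms safe: with a plain hash an attacker who can read the pseudonymized logs could hash every plausible user ID and re-identify everyone. The table exists only so that resolve() works, and it is the artefact to lock down.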
Security Status Monitor: Systems
(Screenshot)
Security Status Monitor: Security Notes Patterns
- Coverage in SP04 is of recent ABAP Security Notes dating back to September 2015 in three categories (53 notes in total): missing authorization, removed RFC flag, disabled code execution
- You can incorporate indicators from these into your own patterns in the forensic lab
ETD @ SAP IT
SAP Enterprise Threat Detection inside SAP IT
Foundational services:
- SAP GRC - Risk Management
- SAP GRC - Process Controls
- SAP Fraud Management
- UIL / UIM
SAP Enterprise Threat Detection: a big-data solution to a serious security challenge
Company: SAP SE
Headquarters: Walldorf, Germany
Industry: High tech
Products and services: Enterprise software and services
Employees: 74,000
Revenue: 16.82 billion
Web site: www.sap.com
Implementation partners: -
Business transformation
The company's top objectives:
- Add the layer of application-level security monitoring to the existing security measures at SAP
- Bring knowledge about attack patterns into an executable form, so attacks can be detected automatically and accurately
- Enable Security Operations to identify and act on attacks and malicious behavior in SAP systems in a timely manner
The resolution:
- Implementation of a dedicated SAP Enterprise Threat Detection (ETD) landscape with sufficient sizing to cope with the vast amount of log data available
- Tailoring of attack patterns to the specifics of the business systems being monitored
- Continuous expansion of the pattern repository
- Close collaboration with product development teams to implement required features and integrate them into the standard product
The key benefits:
- Readily and efficiently identify security lapses in SAP's business systems
- Detection of threats and attacks as they happen
- On-the-fly security analytics capabilities
"SAP Enterprise Threat Detection enables us to identify real attacks to our business systems as they are happening and analyze the threats quickly enough to neutralize them before serious damage occurs." Maximilian Adrian, Vice President Business Application Security, SAP SE
Top benefits achieved:
- >80 available attack patterns
- ~250 million events per day
- 0.7% to 1.5% CPU load on monitored systems
Roadmap
SAP Enterprise Threat Detection: product road map overview, key themes and capabilities

Today
Collect event and context information:
- SAP platforms NetWeaver ABAP/Java and HANA
- User, system and subnet metadata
- Syslog protocol and log learning
- User pseudonyms
Analyze and visualize events:
- Attack detection based on rules
- Anomaly detection based on user and system behavior
- Visualization of event and context data
- Support for two-tier landscapes
- Content delivered via service packs
Monitor and act on incidents:
- Monitoring dashboards: threat situation, system security status
- Alerts and investigations
- Integration with SIEM and ticketing systems
Operations:
- Log archiving
- On premise and in HANA Enterprise Cloud (Release 1.0 SP04)

Planned innovations
Collect event and context information:
- Additional ABAP/Java logs
- SAP Solution Manager security services
- SAP GRC products
- 3rd-party products via CEF
Analyze and visualize events:
- Regular content delivery
- SAP security notes and compliance checks
- Supervised machine learning for anomaly detection
- Enhanced functions for pattern definition
Monitor and act on incidents:
- Integration with further SIEM systems
- Integration with SAP Solution Manager Alerting
- Visualization of threat situation
Operations:
- Hot/warm data management
- SaaS

Future direction
Collect event and context information:
- SAP Cloud applications: SAP ERP HCM, SAP SuccessFactors EC
- Threat intelligence providers
Analyze and visualize events:
- Detection of new threats
- Advanced analysis & visualization
Monitor and act on incidents:
- Automated reaction
- Flexible reporting / dashboards

This is the current state of planning and may be changed by SAP at any time.
Summary
Summary: SAP Enterprise Threat Detection
- Security monitoring for your SAP business systems
- Holistic security approach together with your existing infrastructure-based investments
- Understand the impact of an attack on your business systems
- Support your compliance/audit goals
- Protect your company and shareholder interests
2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.