Transcript of SAP Cybersecurityanddataprotection › resources › Documents › Cyber... · SAP Enterprise...
PUBLIC © 2019 SAP SE or an SAP affiliate company. All rights reserved.
Agenda - SAP security product portfolio
Embed GRC and security in SAP [ECC; SAP S/4HANA]
Enterprise risk and compliance
Access governance
International trade
Cybersecurity and data protection
✓ UI masking for SAP [ECC; SAP S/4HANA]*
✓ UI logging for SAP [ECC; SAP S/4HANA]*
✓ SAP Enterprise Threat Detection*
✓ SAP Fortify by Micro Focus
✓ SAP Data Privacy Governance
✓ SAP Data Custodian
✓ SAP NetWeaver AS, add-on for code vulnerability analysis
*IBSO security suite
[Figure: Security (Re-)action times: From ProActive to RealTime to ReActive]
SAP GRC solutions
Solution mapping to key themes
Enterprise risk and compliance
• SAP Process Control
• SAP Risk Management
• SAP Audit Management
• SAP Regulation Management by Greenlight
• SAP Business Integrity Screening
Access governance
• SAP Access Control
• SAP Cloud Identity Access Governance
• SAP Dynamic Authorization Management by NextLabs
• SAP Access Violation Management by Greenlight
• SAP Identity Management
• SAP Single Sign-On
Cybersecurity and data protection
• SAP Enterprise Threat Detection
• SAP Enterprise Digital Rights Management by NextLabs
• UI field masking
• UI logging
• Code vulnerability analysis
• SAP Fortify by Micro Focus
International trade management
• SAP Global Trade Services (SAP GTS), export management
• SAP GTS, import management
• SAP GTS, identity-based preference processing
• Special customs procedures
• SAP S/4HANA for international trade
• SAP Watch List Screening
The Insider Threat: underestimated & difficult to tackle
Cost of data breach report by IBM conducted by Ponemon institute
Cost of data breach report highlights
Application security is more important than ever
Majority of security breaches today are from application vulnerabilities
90% of security incidents from exploits against defects in the design or code of software. [1]
Percentage of applications containing at least one critical or high vulnerability [2]:
• 79% of mobile applications had at least one critical or high-severity issue (vs. 66% last year) [3]
• 89% of web applications had at least one critical or high severity issue (vs. 80% last year) [3]
[1] U.S. Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT)
[2] “2017 Application Security Research Update” by the HPE Software Security Research team, 2017
[3] 2018 Application Security Research Update, Micro Focus® Fortify Software Security Research Team
Security considerations for Internal only applications
Examples of attacks on internal only applications
Your Digital Enterprise: App
Are those users secure? Are those applications secure? Is the data secure?
• Attacks targeting employees, for example via a malicious email, aka: Trojan horses, Login Spoofing, Virus, Worms, DoS, Man-in-the-middle*
• Was access revoked / deactivated?
• Logic Bombs, Trap Doors*
• Temporary workers to seasonally expand workforce – potentially limited security validation, wrong access provided
• Negligent/unintentional: an employee unknowingly executes steps they are not supposed to do
Customer challenges with application security
Developers have traditionally resisted security for a reason
Attacks vs Security Spending – what are drivers for AppSec?
Security Spending
                     % of Attacks   % of Dollars
Web Applications     84%            10%
Network Servers      16%            90%
84% of All Information Technology Attacks are directed at the Web Application Layer
2/3 of All Applications Are Vulnerable
Gartner
Web Applications: Intellectual Property, Customer Data, Business Processes, Trade Secrets
*SANS Institute, 2015 State of Application Security: Closing the Gap
The approach today: expensive and reactive
1. Somebody builds bad software (In-house, Outsourced, Commercial, Open source).
2. IT deploys the bad software.
3. Breach, Pen Test or Code Scan proves our code is bad.
4. We convince and pay developers to fix it.
Ideal approach: cheap and Security built-in
1. Somebody builds SECURE software (In-house, Outsourced, Commercial, Open source).
2. IT deploys the secure software.
3. Pen test proves our code is good.
Application Security needs to be seamless to keep up with the pace of development
Ensure application security with an end-to-end solution
with SAP Fortify by Micro Focus and SAP Code Vulnerability Analysis
Dynamic application security testing: find vulnerabilities in the running application
• Manual application penetration testing
• Automated application vulnerability scanning
Static application security testing: find vulnerabilities analyzing the sources
• Automated source code analysis
• Manual source code review
SAP Fortify by Micro Focus (non-ABAP, non-SAP) and SAP NetWeaver Application Server, add-on for code vulnerability analysis (ABAP)
Management platform for monitoring, auditing, analysis, reporting
SAP Fortify integrates with CVA
Finding security issues at design time instead of in production is easier and less expensive!
SAP Security - Static Code Analysis for ABAP
SAP NetWeaver AS, add-on for code vulnerability analysis
Created by THE ABAP experts for SAP internal use
Scan efficiently
• Scanning directly from within the ABAP development environment
• Scan throughout the Development lifecycle - Governance
• Full range of predefined checks
Developer guidance
• Prioritization of found vulnerabilities
• Detailed help and explanations to all errors
• Assistance to find the right location for the fix
• Approval workflows for false positives included
Integration
• Integrated into standard ABAP check frameworks, SAP transport system and ABAP Test Cockpit (ATC)
• Zero installation required
• Check your Development to same level as SAP Core
• Integrated into SAP Fortify by Micro Focus
Demo (1:00 min)
SAP Security - Static Code Analysis for ABAP
SAP NetWeaver AS, add-on for code vulnerability analysis
SQL Injection attack
Real life example: CVA security scan result of all custom objects in a medium sized SAP enterprise customer in APJ.
Recommended Setup – Automated Source Code Review with CVA
Systems: Application Server ABAP (DEV1), Application Server ABAP (DEV2), Application Server ABAP (Consolidation)
Flow labels: Developers; Transports; Scan Transports; Q Gate; Mass/Full Scan
• Developers run static/unit/scenario tests on their objects
• Periodic check runs to validate code of DEV team
• Q-experts run mass check and distribute results
• One Quality Standard for Q Gate
Static Security Scanning – non-ABAP
SAP Fortify by Micro Focus - Static Code Analyzer (SCA)
Static analysis – find and fix security issues in your code during development
Features:
• Automate static application security testing to identify security vulnerabilities in application source code during development
• Pinpoint the root cause of vulnerabilities with line of code details and remediation guidance
• Prioritize all application vulnerabilities by severity and importance
• 3 ways to scan: in the IDE, via the command line or via Audit Workbench
SAP Fortify by Micro Focus - Static Code Analysis
Tool & Integrations
Audit Workbench
• Security auditor’s toolkit including scanning, remediation guidance, and reporting
Security Assistant
• Instantly find vulnerabilities in real-time as developers code
Developer IDE plug-ins
• Scan, view results, and manage remediation.
Scan Wizard
• Easy scan configuration and build integration.
• Scan from a cmd line (schedule scans)
Rules Editor
• Build custom scan rules.
• Customize Software Security Center to fit your SDLC.
SAP Fortify by Micro Focus - Broadest Technology Support
Static analysis supports 21 languages and growing
• ABAP (via CVA)
• ASP .NET
• C#
• C/C++
• Classic ASP
• COBOL
• Cold Fusion
• Flex
• HTML 4&5
• Java
• JavaScript/AJAX
• JSP
• Objective C
• PHP
• PL/SQL
• Python
• T-SQL
• VB.NET
• VB6
• VBScript
• XML
API Support: More than 720,000 commonly used APIs are understood and supported by SCA
Mobile application security solution covers
• Objective C
• Android
• Blackberry
• Microsoft
Vulnerabilities: Detects over 556 unique categories of vulnerabilities
S/4HANA relevant
A Mature Deployment Model
Hands-on / Automated
1. Developers: Fortify on workstations; CVA in ABAP WorkBench; scan and remediate code; code repository check-in/out
2. Scan Machine: entire app scanning; can be automated; “official” results
3. Fortify SSC Server: results uploaded
4. Agency/Dept – Security: review and triage; prioritize
5. Work with latest scan results; FIX and re-scan; repeat
6. Executive Management, CISO/PMs: view metrics; generate reports; measure and manage risk
Demo (1:00 min)
SAP Fortify by Micro Focus - Static Code Analysis
Hardcoded password
SAP Application Security Solution – Component Breakdown
End to end integrated solution
SAP Quality Center by Micro Focus
Application security benefits
Minimizing risk, driving business agility
• Reduce risk with minimal effort and operational costs
• Deliver measurable business and strategic value
• Meet government and industry compliance regulations
• Build a security culture throughout your organization
UI Data Security: two step approach to protect data from insiders
UI Masking: lock it…
conceal specific data – unless required for tasks
→ make sensitive data unavailable for data abuse
UI Logging: …or log it!
keep data accessible – and create a broad + deep log of data access
→ induce compliant behavior
→ identify & prove irregular data usage
→ Baseline for decision on actions
UI Data Security: High level solution architecture
[Architecture diagram labels]
SAP UI (user): Request / Response
SAP Backend System: Dynpro Processor, Business Logic, Database Layer
UI Masking: validate authorization & apply masking rules (original data / masked data)
UI Logging: alerting, Log Analyzer, SAP Enterprise Threat Detection
Key business needs addressed by UI Masking and UI Logging
1. Reliably control who gets sensitive information displayed in SAP transactions and applications, in a quick and low-effort fashion
2. Introduce a dynamic determination of data access authorizations based on the context, at runtime
3. Increase protection of sensitive data against theft and abuse where access must be provided to privileged insiders
4. Detect potentially problematic access to sensitive data rapidly (in near-real time), and conduct a meaningful analysis in order to take the right actions
5. Better comply with business or legal requirements for tracking who accessed sensitive data (PII, BOMs, prices, customer information)
Benefits for GDPR requirements
Data De-Personification and Reduction of Data Access
• Decrease the risk of leaking sensitive data
• De-personalize information – options for further processing of data (test scenarios, data export)
• Psychological barrier against non-task related data access
Data Access Transparency
• Identify & understand unauthorized, non-compliant or malicious activity → adequate reaction
• Supports 72h notification requirement in case of a breach involving personal information
UI Masking: configurable data protection in SAP UIs
• configurable scope of data to be protected
• configurable way how protection is required (security actions)
• configurable additional authorizations for “clear” access
  ▫ roles (RBAC)
  ▫ attributes and rules (“policies”) (ABAC)
→ configurations evaluated at runtime
→ security actions applied to the UI layer only
UI Masking: configurable data protection in various SAP UIs
UI Masking: Comparison Suite vs. S/4HANA offering
Where to use
  “classic” UI Masking solutions: ECC, classic CRM scenarios, HEC, (S/4HANA as „compatible“ solutions, potential limitations)
  S/4HANA “UI data protection masking”: S/4HANA
How to get
  “classic”: Separate installations per required UI technology
  S/4HANA: Unified technical installation
Configuration
  “classic”: Separate configurations per required UI technology
  S/4HANA: Unified config, automated with data elements; consistent application of protective actions over all supported UI technologies.
Protective actions
  “classic”: Masking of values in fields
  S/4HANA: Masking of values in fields; emptying/hiding/disabling fields/links; suppression of lines in table displays; data blocking
Authorization paradigm
  “classic”: Role based; attribute/rule based authorizations through BAdI implementation
  S/4HANA: Role based; Policy based (attributes and rules)
Additional features: Reveal on Demand (2-step authorization)
UI Masking: Data Protection applied in SAP Fiori – examples
[Screenshot labels: field masking; field reset; disabling of fields; “Reveal on Demand”]
UI Masking: Data Protection applied in SAP GUI – examples
[Screenshot labels: field masking; field reset; disabling of fields; “Reveal on Demand”; hiding of fields]
Use case Attribute Based Access Control (1)
Context dependent access: organizational splits
One organization, one IT system, one workforce…
…developing into a situation of two organizations co-existing in the same IT system – which, unless it can be physically split, must support a virtual distinction to reliably prevent access to data by users who are not entitled to see them
Use case Attribute Based Access Control (2)
Legal restrictions for moving data “offshore”: IT support from outside of EU
A multinational enterprise coming into a situation where legal requirements forbid the access to specific data (e.g. PII in HR, sales, customer relationship management) pertaining to “inlanders” by “users abroad” → it becomes necessary to distinguish between users, and ensure that “abroad” users get access to data they need for their tasks, but not to inlanders’ PII.
“Attribute based” access control in UI Masking: examples (1)
The state of the attribute “marital status” (“family status”) determines whether and how the place of birth value is treated.
The logic is configured in “policies”, which are highly versatile and enable more differentiated treatment of field values based on additional attributes – pertaining to the user (e.g. HR employee associated to the company code), the data object (e.g. employee older than 65 years), or other system-borne as well as external variables.
“Attribute based” access control in UI Masking: examples (2)
S/4HANA Masking: “Reveal on Demand”: value add
[Diagram labels: User; UI Masking; Reveal on Demand; Trace; “self service”]
Implementation options: Approval workflow; Multi factor authentication; Consent management
UI Masking introduces an intercept point for a user’s access to data, based on a determination of authorization. “Reveal on Demand” constitutes a second intercept, refining authorization and basing it on additional conditions. In an RoD scenario, data are always protected initially. A user action triggers an additional determination of authorization, including a bespoke trace of the event and result. RoD authorization could be based e.g. on approval, on additional authentication or, where the data subject of the PII has given her consent, on that consent for her data to be used under the given conditions.
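The two intercepts described above (policy-based masking as in the “attribute based” access control examples, then “Reveal on Demand” with its trace), as a minimal Python model added here. It is not SAP code: the class, field and policy names, the sample users and the consent flag are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

MASK = "*****"


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    country: str          # attribute evaluated by the policy below


@dataclass(frozen=True)
class Employee:
    emp_id: str
    country: str
    fields: dict
    consent_given: bool = False


def hr_inland_policy(user, employee):
    """Clear access needs the HR role AND a user located in the data subject's country."""
    return "HR_CLERK" in user.roles and user.country == employee.country


# Hypothetical configuration: protected field -> policy evaluated at runtime.
PROTECTED = {"place_of_birth": hr_inland_policy, "ssn": hr_inland_policy}


@dataclass
class MaskingLayer:
    reveal_on_demand: bool = False
    trace: list = field(default_factory=list)

    def render(self, user, employee):
        """First intercept: build the UI copy; the stored record is never changed."""
        shown = {}
        for name, value in employee.fields.items():
            policy = PROTECTED.get(name)
            if policy is None:
                shown[name] = value              # unprotected field
            elif self.reveal_on_demand:
                shown[name] = MASK               # RoD: always protected initially
            else:
                shown[name] = value if policy(user, employee) else MASK
        return shown

    def reveal(self, user, employee, name):
        """Second intercept: re-check the policy plus an extra condition, and trace it."""
        policy = PROTECTED.get(name)
        if policy is None:
            raise KeyError(f"{name} is not a protected field")
        if not policy(user, employee):
            allowed, reason = False, "policy denied"
        elif not employee.consent_given:
            allowed, reason = False, "no consent from data subject"
        else:
            allowed, reason = True, "policy and consent ok"
        # Every reveal attempt is traced, whether or not it succeeds.
        self.trace.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name, "employee": employee.emp_id,
            "field": name, "allowed": allowed, "reason": reason,
        })
        return employee.fields[name] if allowed else MASK


# Constructed sample data.
ALICE = User("alice", frozenset({"HR_CLERK"}), "DE")
BOB = User("bob", frozenset({"HR_CLERK"}), "IN")     # same role, located abroad
EMP = Employee("E1001", "DE",
               {"name": "J. Doe", "ssn": "123-45-6789", "place_of_birth": "Kiel"},
               consent_given=True)
EMP_NO_CONSENT = Employee("E1002", "DE",
                          {"name": "A. Roe", "ssn": "987-65-4321", "place_of_birth": "Bonn"})

if __name__ == "__main__":
    print(MaskingLayer().render(BOB, EMP))
    rod = MaskingLayer(reveal_on_demand=True)
    print(rod.render(ALICE, EMP), rod.reveal(ALICE, EMP, "ssn"))
    for entry in rod.trace:
        print(entry)
```

The denied attempts are as useful to a reviewer as the granted ones, which is why `reveal` writes the trace entry before returning.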
Look & Feel: “Reveal on Demand”
[Screenshot labels: SAP GUI; Fiori app]
UI Logging: configurable logging of data access in SAP UIs
• configurable scope of data to be protected on transaction/application/service level
• configurable list of users subjected to logging
• configurable alerts on specific (critical) data accesses
• configurable log reasons and retention time
• Log Analyser UI for researching the log file
• Integration with SAP Enterprise Threat Detection
UI Logging: Log access, get notified, take action
1. Log data access
2. Automatic alert
3. In-depth analysis
4. Aggregate & detect (SAP ETD)
UI Logging: Alerting scenario
Configurable mail notification for critical data access
[Diagram labels: data access; temporary log file; alerting definition; message definition; email alert]
UI Logging: Integration with SAP Enterprise Threat Detection
Transfer of log to ETD
[Diagram labels: UIL; ETD System; Temp. Log; Ext. Repository; Temp. Log relevant for Alerting; Ext. Repository relevant for Alerting]
Configuration (technology/UI channel specific)
Transfer Log to ETD (call standard TA SECM_LOG_2_ESP)
No Transfer to ETD
Enterprise Threat Detection plans to provide UIL-specific patterns as of SP8 (planned H1/2019, cf. official ETD Roadmap)
DPO Cockpit: Fiori Applications
UI Logging users (e.g., security office, data protection officer) leverage Fiori apps for keeping an overview, conducting deep dive analysis into data usage, and managing lists of users whose data access they have identified as noteworthy.
DPO Cockpit: UI Log Status and Statistics
UI Logging users can get an overview of system status as well as statistics concerning data usage (top n logged users, top n accessed critical data fields (data types), top n triggered actions, and more)
…
DPO Cockpit: Analysis of UI Logs
UI Logging users can conduct exploratory analysis of access to data types. They gain a comprehensive view on data usage as multiple screen fields of the same type (e.g., social security number) can be aggregated or grouped by “tags”. Additional filter criteria allow for a more granular display of accessed data objects as well as accessing users.
DPO Cockpit: Analysis of UI Logs
UI Logging users can identify users whose data access and actions are worth noting, and can add them to a list of “users of interest” which can be edited until it is “published” (for handing over to other departments who may take additional steps).
DPO Cockpit: Manage user lists
UI Logging users can edit user lists until they finish their research and decide to “publish” them, e.g. for taking further steps on the identified users.
Classic Analysis: TagAnalyzing
In addition to the Fiori based analysis apps, analysis can be conducted through the classical tools if desired. Relevant roundtrips are grouped by user sessions (Extended Passport). Per roundtrip, the relevant log data is displayed in the bottom left section, and additional data fields that may be assigned to tags are specified in the top right section.
SAP Enterprise Threat Detection
SAP Enterprise Threat Detection
Customer Feedback
• „SAP systems are seen as a ‚Black Box‘ if it comes to security aspects and suspicious behavior in SAP systems“
• There were critical incidents at customers that could have been avoided if the preparation phase had been discovered (see below)
SAP decided to create the product SAP Enterprise Threat Detection
• SAP ETD is the real-time Security Event Management and Monitoring solution giving insights into SAP Systems out of the box.
• It supports the customer in detecting, analyzing and neutralizing cyber-attacks as they are happening, and before serious damage occurs.
• It provides very high performance, analyzing thousands of log entries in real time using an SAP HANA in-memory database.
SAP Enterprise Threat Detection
More than 120 SAP customers worldwide in all industries protect their SAP landscape with SAP Enterprise Threat Detection.
Most of those companies are listed within the DAX 30, DOW 30, or come e.g. from the defense sector.
SAP Enterprise Threat Detection is supported by the world leading auditing companies.
We have implementation partners in many regions of the world.
Partners are e.g.:
• Ernst & Young
• KPMG
• Turnkey
• IBS Schreiber
• Asconsit
• PWC
• SAPNS2
• Deloitte
• Accenture
• Infosys
• Xiting…
How does SAP Enterprise Threat Detection work
• Real Time Correlation of SAP, Non-SAP Logs w/ Log Learning
• User/system behavioral analysis
• Anomaly detection
• Forensic analysis
• Ready to use content and regular content delivery & modelling of attack detection patterns
• Leverage machine learning to refine anomaly detection
• Atomization of log reading to collect event and context information
• Normalization, enrichment and pseudonymization of log entries
• Drill down into subsets of events, alerts, configuration checks and health checks
• Visualization of data in suitable charts
• Automated attack detection
Benefits of SAP Enterprise Threat Detection
Intellectual Property, Reputation, Sensitive Data, Partner, Severe Penalties, Business Future
• Proactive Threat Monitoring and Threat Hunting leads to an Early Interception of Threats
• Real Time Threat Visibility in Complex SAP Scenarios
• Centrally Audited SAP Security Controls
• High Manipulation Safety of SAP Systems
• SAP system Transparency with respect to Security- and Compliance-Events
Use cases included with SAP Enterprise Threat Detection
Manipulation of users and authorization
Critical changes to system configurations
Manipulation of critical database tables
Information disclosure: make sure that no extraction of confidential information takes place
Login attempts
Access to critical, blacklisted transactions
Remote calls of a productive System
Misuse of debugging and error-analysis
Misuse of critical reports and function modules
Manipulation of passwords
Extraction of confidential information (GDPR)
Assignment of critical authorization
Monitoring SAP security notes
File manipulation (Parameter configuration, Transports)
Suspicious user behaviour (Technical and dialog users)
Read access logging as additional data source
Special patterns related to attacks related to SAP Security Notes
What else did the user do?
Threat hunting
Forensic analysis
Account sharing
Log-in from an inappropriate network segment
Correlation of different accounts to one person
Demo (2:00 min)
SAP Enterprise Threat Detection demo – Employee data download
SAP Enterprise Threat Detection 2.1
2019 – Recent Innovations
Some of the New Features & Benefits:
• Splunk integration: Security teams can now work together in their native environments to track and eliminate bad actors.
  • Enterprise Threat Detection can now publish an event to Splunk in JSON format including all needed details.
  • The SAP alert then appears in Splunk Enterprise Security where you can drill into the evidence to determine the right action.
  • Splunk feeds alerts back to SAP ETD, e.g. a suspicious IP address identified in Splunk can be added to the details of an investigation in SAP ETD.
• Integration to other solutions: All ETD alerts can now be published in CEF, LEEF, JSON format.
• Increased Efficiency and Accuracy in Analysis incl. Artificial Intelligence
Monitoring Enhancements:
• Show number of Original Data and Unrecognized logs
Enhancements on streaming engine:
• Add support for SSL encryption of JDBC connection
• Provide HTTP endpoint on log collector for plain text messages
New Log types for more detailed analysis:
• SOAP WebServices can now be integrated via Kernel API
SAP Enterprise Threat Detection 2.1
2020 – Planned Innovations
Some of the New Features & Benefits:
• Step by step integration of SAP Cloud Solutions gaining more transparency across SAP products, e.g. SuccessFactors, Ariba, Hybris, Concur.
• Protection against known unpatched vulnerabilities.
• Security patch state gives the user transparency about actions that need to be immediately taken in order to close a security incident (e.g. patch the system).
• Graphical state of the nation report including state of compromise.
• ETD health checks e.g. log outages, system outages, errors of pattern jobs, query performance etc.
• Detection of malware spreading attacks.
• Tools for a convenient continuous delivery of content packages.
Increased efficiency and accuracy in analysis incl. artificial intelligence:
• Anomaly detection
  • Warning on activation if referenced data is too huge.
  • Visualization of the distribution of values under different settings when creating an evaluation.
  • Displaying the status of an anomaly detection if no result is available.
• Enhanced attack path: automatic enrichment of information plus semi automatic pattern creation.
New Log types for more detailed analysis:
• Support of Message Server Log
• Support of HTTP Client Log
SAP Enterprise Threat Detection 2.1
2022 – Product Vision
• Integration: Continue integration with SAP products, platforms and Cloud solutions.
• Enterprise Threat Detection on SAP HANA Cloud Platform
• Artificial Intelligence: Text analysis of threats described in the internet.
• Connection of Vulnerability Databases and automated creation of related Attack Detection Patterns.
• Automated Attack Detection Patterns creation based on results of manual analysis and of other input channels.
• SAP Enterprise Threat Detection becomes threat intelligence provider
• Advanced Persistent Threat detection.
• Machine learning for better alert qualification.
• Machine learning for easier log interpretation / log learning.
• Proactive protection based on industry-, technology-, and region-specific risks.
• Customer community providing threat signatures and attack detection patterns.
• Predictive threat notification based on publicly available information.
Reality and Vision: Protecting the Intelligent Enterprise: Unique integration Patterns – Kernel API
UI Masking: Send all masked data
UI Logging: Send all visible data displayed on screen
Enterprise Threat Detection: Send logs via Kernel API
Tamper proof Log Distribution
New UI Logging and UI masking patterns
Some of the new Patterns
• Too Many reveal on demand
• Unmasked critical fields accessed
• Critical Employee data viewed
• Lookup many employees
• Download Employee data
Reality and Vision: Protecting the Intelligent Enterprise: Unique integration Patterns – Context Sensitive Control
New UI Logging and UI masking patterns
UI Masking: Send all masked data
[Flow diagram labels, UI Masking and Enterprise Threat Detection]
• User presses Reveal button
• Request: is reveal allowed?
• Is system under surveillance?
• User Alert count + Severity?
• Response: No
• Show masked data (* * * * *)
• Response: Yes
• Error Message
Reality and Vision: Protecting the Intelligent Enterprise: Integration Patterns – Business Rule based Control
[Flow diagram labels: UI Masking; Enterprise Threat Detection; Threat patterns; Logs; Business Rules]
• User Alert count + Severity?
• Reveal: Yes
• Reveal: No
• Show masked data
• Error Message
Further information
Introduction movie/use cases [4:30min]: https://www.sap.com/assetdetail/2017/01/a4d972a3-a37c-0010-82c7-eda71af511fa.html
Public presentation: https://www.sap.com/documents/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.html
UI Masking overview blog (product team): https://blogs.sap.com/2019/05/06/general-information-ui-masking-solution/
UI Logging introduction (partner blog): https://xiting.us/blog/introduction-to-sap-ui-data-security/
UI Masking - SAP Help Portal: https://help.sap.com/viewer/p/UI_MASKING
UI Logging - SAP Help Portal: https://help.sap.com/viewer/product/UI_LOGGING
UI Masking official roadmap: https://www.sap.com/germany/products/roadmaps/finder-products.html#pdf-asset=8699fa20-1f7d-0010-87a3-c30de2ffd8ff&page=1
UIM + UIL partner introduction (more content forthcoming): https://winterhawk.com/sap-grc/ui-logging-masking/
Special scenario: Context based masking in ECC scenarios: https://blogs.sap.com/2018/10/31/context-based-masking-scenarios-for-field-masking-for-sap-gui/
Enterprise Threat Detection overview: https://www.sap.com/germany/products/enterprise-threat-detection.html
Contact us
Nanette Baber
Business Development
T +61 421891880
E [email protected]
http://www.sap.com/innovbizsolutions
SAP Innovative Business Solutions, A/NZ/PH
Amit Bajaj
Senior Consultant GRC/IDM
T +61401365501
E [email protected]
http://www.sap.com/innovbizsolutions
SAP Australia, Governance Risk and Compliance