When the auditor rings, the hacker may have already been there. How to actually protect your SAP systems.
WELCOME!
Introducing your hosts today:

TIM KRÄNZKE, CSO SAST SOLUTIONS
Tel: +49 40 88173-2735
Email: tim.kraenzke@akquinet.com
Web: sast-solutions.com

MICHAEL MÜLLNER, Head of Security & Compliance Services
Tel: +43 676 9398461
Email: michael.muellner@akquinet.at
Web: sast-solutions.com
The IT audit as a snapshot: reduce the risk of exploitation through traceability and risk detection.

What the business user brings into the SAP environment:
- SoD conflicts
- Users with extensive authorizations

What the administrator brings into the SAP environment:
- Insecure configuration
- Gaps in patching and maintenance

What the external check identifies (downstream and by random sample, i.e. too late and too slow):
- Fraud
- Misappropriation
- Vulnerabilities
- Loss of control

What is needed instead:
- Security for user management
- Testing of functions and regulations
- Secure SAP configuration
- Risk monitoring
For intelligent real-time monitoring, we combine the best of two worlds for you. How to actually protect your SAP systems!

The SAST SUITE by akquinet AG
SAST SUITE: real-time monitoring of your SAP systems.

- Common standard IT security solutions do not cover your SAP systems.
- Fastest possible response time in the event of a threat.
- Identification of critical and unusual activities in real time.
- Protection of the SAP system landscape against cyberattacks, espionage, manipulation, abuse of rights and data theft.

Attacks on SAP systems often remain undetected. SAST SUITE monitors your SAP system landscape comprehensively and in real time.
The challenge: why attacks on SAP systems are often not recognized.

Penetration test: attack using known SAP vulnerability classes
- Unprotected RFC function modules
- Open gateways
- Outdated SAProuter installations
Result: a local Windows administrator account was created and used over RDP to complete the "capture the flag" objective.

Customer security team
- Was focused on network protocols.
- Monitored Active Directory users, but no local user accounts.
Result: no suspicious event was detected in the logs.

SIEM
- Regular SIEM tools have no SAP-specific controls and are therefore usually blind to attacks on SAP systems.
- None of our simulated attacks has been detected by SIEM specialists in recent years.
Result: without SAP attack patterns, threats and attacks are not identified.

Summary: SAP is the "blind spot" of SIEM tools.
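The detection gap in the penetration test above is that the customer watched Active Directory accounts only, while the attacker created and used a local Windows account. The following is an added example for this page (not code from the deck or from SAST SUITE) that closes exactly that gap: it correlates Windows Security events per host so that the chain "local account created (4720), added to the local Administrators group (4732), RDP logon (4624 with LogonType 10)" is flagged. The event IDs and field names are the real Windows ones; the host name SAPAPP01, the domain CORP, the user names and the event list itself are constructed for the example.

```python
"""Detect creation and use of a local Windows administrator account on an SAP host.

Added example, not part of the original deck or of SAST SUITE. Input is a constructed
list of Windows Security events in the field layout of the EVTX EventData section
(event IDs 4720, 4732 and 4624 are the real Windows IDs; host, domain and user names
are assumptions).
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720           # A user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
LOGON = 4624                     # An account was successfully logged on
RDP_LOGON_TYPE = "10"            # LogonType 10 = RemoteInteractive (RDP)


def is_local_account(event):
    """A local SAM account carries the host name, not the AD domain, in TargetDomainName."""
    return event["TargetDomainName"].upper() == event["Computer"].upper()


def detect_local_admin_abuse(events, window=timedelta(hours=24)):
    """Correlate per host: local account created -> added to Administrators -> RDP logon.

    Returns one finding per created local account with the stages observed. Monitoring
    that only follows Active Directory users sees none of these events, because every
    one of them concerns a local SAM account on the SAP host.
    """
    events = sorted(events, key=lambda e: e["TimeCreated"])
    created = {}  # (host, account) -> finding under construction
    for e in events:
        host = e["Computer"].upper()
        if e["EventID"] == ACCOUNT_CREATED and is_local_account(e):
            key = (host, e["TargetUserName"].lower())
            created[key] = {"host": host, "account": e["TargetUserName"],
                            "created_by": e["SubjectUserName"],
                            "created": e["TimeCreated"], "stages": ["created"]}
        elif e["EventID"] == LOCAL_GROUP_MEMBER_ADDED:
            # In 4732 TargetUserName is the group (e.g. Administrators), MemberName the account
            member = e.get("MemberName", "-").split("\\")[-1].lower()
            key = (host, member)
            if (key in created and e["TargetUserName"].lower() == "administrators"
                    and e["TimeCreated"] - created[key]["created"] <= window):
                created[key]["stages"].append("added_to_administrators")
        elif e["EventID"] == LOGON and e.get("LogonType") == RDP_LOGON_TYPE:
            key = (host, e["TargetUserName"].lower())
            if (key in created and is_local_account(e)
                    and e["TimeCreated"] - created[key]["created"] <= window):
                created[key]["stages"].append("rdp_logon")
                created[key]["source_ip"] = e.get("IpAddress")
    findings = []
    for f in created.values():
        # A new local account alone is worth a look; the full chain is an incident
        f["severity"] = "critical" if len(f["stages"]) == 3 else "high"
        findings.append(f)
    return findings


H, AD = "SAPAPP01", "CORP"  # assumed SAP application server and AD domain
SAMPLE_EVENTS = [  # constructed for this example
    {"TimeCreated": datetime(2024, 3, 4, 10, 0, 0), "EventID": 4720, "Computer": H,
     "SubjectUserName": "sapadm", "TargetUserName": "svc_backup", "TargetDomainName": H},
    {"TimeCreated": datetime(2024, 3, 4, 10, 1, 0), "EventID": 4720, "Computer": "DC01",
     "SubjectUserName": "hr.admin", "TargetUserName": "j.doe", "TargetDomainName": AD},
    {"TimeCreated": datetime(2024, 3, 4, 10, 2, 0), "EventID": 4732, "Computer": H,
     "SubjectUserName": "sapadm", "TargetUserName": "Administrators",
     "TargetDomainName": "Builtin", "MemberName": H + "\\svc_backup"},
    {"TimeCreated": datetime(2024, 3, 4, 10, 30, 0), "EventID": 4624, "Computer": H,
     "TargetUserName": "svc_backup", "TargetDomainName": H, "LogonType": "10",
     "IpAddress": "10.20.30.40"},
    {"TimeCreated": datetime(2024, 3, 4, 10, 31, 0), "EventID": 4624, "Computer": H,
     "TargetUserName": "j.doe", "TargetDomainName": AD, "LogonType": "3",
     "IpAddress": "10.20.30.41"},
]

if __name__ == "__main__":
    for finding in detect_local_admin_abuse(SAMPLE_EVENTS):
        print(finding)
```

The domain account j.doe is deliberately part of the sample and never appears in the output: the rule keys on the host name in TargetDomainName, which is the property an AD-centred watch list misses. In a real deployment the same logic runs over events forwarded from the SAP application servers, and the 24-hour window should be tuned to how quickly legitimate local service accounts are normally provisioned.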
Real-time threat detection for SAP systems. Threat scenarios from which SAST SUITE protects you:

- Manipulation of users and authorizations
- Assignment of critical authorizations
- Misuse of critical reports and function modules
- Access to critical, blacklisted transactions
- Critical changes to the system configuration
- Manipulation of critical database tables
- Information disclosure
- File manipulation (parameter configuration, transports)
- Suspicious user behavior (technical and dialog users)
- DoS detection
- Monitoring of SAP security notes
- Critical transport content
- Extraction of confidential information (GDPR)
- Critical remote function calls
- Logon attempts on privileged accounts
- Account sharing
- Misuse of debugging and error-analysis functions
- Threat hunting
- Forensic analysis
- Correlation of different accounts to one person (Central Identity)
All-around protection for your SAP system with real-time monitoring.

Architecture overview (diagram): monitored systems (SAP ERP, SAP BI, SAP CRM, SAP SCM, ... on NetWeaver) -> extraction of all relevant log data -> SAST Security Dashboard (reports and analytics, threat intelligence, user and role management, superuser logging, download logging, SoD analyses, system configuration, vulnerability & compliance scan) -> SIEM integration (e.g. Splunk).

SAST SUITE for SAP ERP and S/4HANA.
Real-time cyber security monitoring: find the needle in the haystack with SAST SUITE (diagram: SAP events flowing to the SOC team).
Real-time monitoring of your SAP systems with SAST SUITE. Your advantages at a glance:

- Constant monitoring of configuration, authorizations, and security and change logs.
- Push-button access to the security status of the entire SAP system landscape.
- Seamless integration into existing SIEM solutions.
- Aggregated and evaluated information about security policy breaches.
- Automatic alerting for critical and complex events, including alerts that combine several events which appear uncritical when viewed individually.
- Pseudonymization of user data to ensure compliance with the data protection laws of the European Union (GDPR).
- Ongoing content updates keeping all systems up to date.
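Two of the points above deserve a concrete shape: alerting on a combination of events that are individually uncritical, and pseudonymizing user data before findings leave the SAP side. The block below is an added example for this page (not code from the deck or from SAST SUITE). It reads SAP Security Audit Log events and applies two rules from the threat list: an admin creates a user (AU7) and changes its authorizations (AUB), after which the new account logs on (AU1) within 30 minutes; and one account logging on from two different terminals within 10 minutes (account sharing). AU1, AU7 and AUB are the standard audit-log message IDs; the pipe-separated line layout, user names, terminals and the HMAC key are constructed for the example and are not the native audit-log file format.

```python
"""Correlate SAP Security Audit Log events that look harmless one by one.

Added example for this page; it is not code from the deck or from SAST SUITE.
The message IDs are the standard SAP Security Audit Log codes (AU1 logon
successful, AU7 user created, AUB authorizations for user changed). The
pipe-separated line layout, user names, terminals and the pseudonymization
key are constructed for the example and are not the native audit-log format.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

AU1, AU7, AUB = "AU1", "AU7", "AUB"  # logon successful, user created, authorizations changed


def parse(lines):
    """Parse 'timestamp|msgid|user|terminal|target' lines (constructed layout) into dicts."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, msgid, user, terminal, target = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "msgid": msgid,
                       "user": user, "terminal": terminal, "target": target})
    return sorted(events, key=lambda e: e["ts"])


def pseudonymize(user, key):
    """Keyed hash: analysts see a stable pseudonym, only the key holder can map it back (GDPR)."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]


def rule_create_grant_logon(events, window=timedelta(minutes=30)):
    """AU7 (user created) and AUB (authorizations changed) by the same admin, then the new
    account logs on (AU1) within the window. Each event is routine; the chain is not."""
    findings = []
    for i, e in enumerate(events):
        if e["msgid"] != AU7:
            continue
        admin, new_user = e["user"], e["target"]
        grant = logon = None
        for f in events[i + 1:]:
            if f["ts"] - e["ts"] > window:
                break
            if f["msgid"] == AUB and f["user"] == admin and f["target"] == new_user:
                grant = f
            elif grant and f["msgid"] == AU1 and f["user"] == new_user:
                logon = f
                break
        if grant and logon:
            findings.append({"rule": "create-grant-logon", "admin": admin, "account": new_user,
                             "logon_terminal": logon["terminal"],
                             "minutes": int((logon["ts"] - e["ts"]).total_seconds() // 60)})
    return findings


def rule_account_sharing(events, window=timedelta(minutes=10)):
    """Same account logged on (AU1) from two different terminals inside the window."""
    findings, last = [], {}  # last: user -> (ts, terminal)
    for e in events:
        if e["msgid"] != AU1:
            continue
        prev = last.get(e["user"])
        if prev and prev[1] != e["terminal"] and e["ts"] - prev[0] <= window:
            findings.append({"rule": "account-sharing", "account": e["user"],
                             "terminals": sorted({prev[1], e["terminal"]})})
        last[e["user"]] = (e["ts"], e["terminal"])
    return findings


def analyse(lines, key):
    """Run both rules and pseudonymize user identifiers before the findings go to the SIEM."""
    events = parse(lines)
    findings = rule_create_grant_logon(events) + rule_account_sharing(events)
    for f in findings:
        for k in ("admin", "account"):
            if k in f:
                f[k] = pseudonymize(f[k], key)
    return findings


SAMPLE_LOG = """\
2024-03-04T08:02:10|AU1|SAPADMIN|WS-ADMIN-01|
2024-03-04T08:05:42|AU7|SAPADMIN|WS-ADMIN-01|ZTMP_AUDIT
2024-03-04T08:06:15|AUB|SAPADMIN|WS-ADMIN-01|ZTMP_AUDIT
2024-03-04T08:21:03|AU1|ZTMP_AUDIT|PC-UNKNOWN-77|
2024-03-04T09:00:00|AU1|FIUSER01|WS-FI-12|
2024-03-04T09:04:30|AU1|FIUSER01|PC-FI-33|
2024-03-04T10:15:00|AU1|FIUSER01|WS-FI-12|
"""  # constructed sample, not real audit-log output

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines(), b"rotate-me-in-production"):
        print(finding)
```

A SIEM rule that only watches AU7 would page on every user creation, and one that only watches AU1 would see nothing unusual; the chained rule fires once, with the minutes between creation and first logon as context. The pseudonym is an HMAC rather than a plain hash so that an analyst cannot reverse it by hashing the user directory, while the compliance officer who holds the key still can.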
AKQUINET business Robots (bRobots). Our software suite at a glance: bRobots for SAP ERP or S/4HANA, in the areas SAP Authorisations, SAP Compliance and SAP Intelligence.

- aAAS – automatic Auth. Assignm. Solution
- aRCS – automatic Role Creation Solution
- aRMS – automatic Role Mapping Solution
- aUCS – automatic User Creation Solution
- aTCM – automatic Table Change Monitor
- aCW+ – automatic Compliance Workflow+
- aBPM – automatic Business Partner Mgmt
- aMDM – automatic Master Data Mgmt
- aYECP – automatic Year End Closing Procedure
AKQUINET business Robots (bRobots). Operating principle (diagram): business topics are fed into the d*BIC bRobots (Fiori App+, Decision+, Workflow+) without any need for programming knowledge; the results are knowledge automation and intelligent workflow control.
AKQUINET business Robots (bRobots). Operating principle:

Decision+: business rules, the core of every bRobot
- Represent the "drive"
- Define process-dependent decisions
- Ensure efficient and intelligent process flow

App+: input interfaces of the bRobots
- Dynamically generated in real time from the rule base
- No conventional programming necessary
- Generated context-based as Fiori interface or SAP GUI screen

Workflow+
- Relies on SAP standard workflow
- Offers the possibility to define process chains
- Collects and processes data across multiple domains
- Intelligent structure and sustainable documentation of processes
How bRobots support: bRobots in the context of security intelligence.

Initial situation, often implemented in companies:
- Downstream controls
- Expensive static release workflows
Conclusion:
- Violations are not discovered, or only with a time delay
- Huge administrative expense for controls
- Cost-intensive due to manual activities
- Control mechanisms often operate too late and do not adequately compensate for risks

With bRobots, compliance increases:
- Multi-level approval workflows are implemented as upstream (preventive) controls
- Automation of critical processes
- Documented activities in one workflow
- Transparency and traceability
- Users can see only the information that is relevant and intended for them

Repetitive, manually performed activities are error-prone and cost-intensive. CW+ reduces the project duration and the implementation effort.
Use case 1: suspicious change of a table - supplier

Flow (bRobot, compliance officer and department):
1. Start: the bRobot cyclically evaluates the change documents.
2. Critical change (e.g. a change of the supplier's bank details)? If no: end.
3. If yes: the bRobot starts a workflow and the compliance officer checks the change.
4. Change okay? If yes: the check result is documented in the workflow; end.
5. If no: the department performs a manual data correction; the check result is documented in the workflow; end.
Use case 2: recognition of conspicuous/critical price changes

- Prices may be changed by various users.
- The bRobot focuses on users with relevant SoD conflicts (the ability to change prices, invoice, and manage customer orders).
- The bRobot checks all price adjustments automatically and decision-based.
- A release workflow (check, approve/reject) is initiated in suspicious cases only.

Decision criteria: price reduction of x% in relation to material type, sales organization, stock situation, etc.

Identification of the user (consideration of SoD conflicts) and identification of exceptional price adjustments together determine the workflow relevance.
Use case 3: recognition of conspicuous/critical scrapping processes

- Focus on all SAP users who could, in principle, scrap material in the system (e.g. spare parts).
- The bRobot checks all scrapping processes decision-based.
- A release workflow (check, approve/reject) is initiated in suspicious cases only.
- Compliance Workflow+ defines the essential decision criteria.

Decision criteria for material scrapping: value of goods, stock situation, movement types, material types, etc.

Identification of the activities (consideration of critical activities) and identification of exceptional stock changes together determine the workflow relevance.

Three steps to map your use cases…
Step 1: maintaining criteria for criticalities
- Central storage of the criteria for criticalities in decision tables
- Flexible selection from a wide range of criteria
- Determine and assign actions depending on criticality
Example (screenshot of a decision table differentiating by supplier number and authorization group): lines 2 and 4 trigger a workflow for further checking; line 5 triggers an e-mail notification to the responsible person.

Step 2: dynamic creation of workflows
- Critical changes generate dynamic workflows and are automatically added to the agent's worklist
- The responsible person can be determined depending on the identified criticality
- The responsible person (e.g. the compliance officer) reviews and evaluates the incident
- Conventional SAP GUI interface or Fiori frontend

Step 3: documented compliance
- The results of the triggered workflows are stored; evaluation is possible at the operational as well as the strategic level.
- Operationally, the status of individual workflows can be viewed at any time.
- Strategic view in the Fiori Cockpit: evaluations with various filter and sorting criteria, freely composed as needed.
(Cockpit status chart: Completed, Rejected, In Progress, Not started.)
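The three steps above, and use case 1 (supplier bank details), as one added example for this page that is not code from the deck or from bRobots: a decision table classifies change documents by table, field, supplier number and authorization group (step 1), critical hits become work items for the agent responsible for that criticality while low ones only produce a notification (step 2), and the decisions are stored and summarized per status (step 3). LFBK (vendor bank details), LFA1 (vendor general data) and the change-document fields TABNAME, FNAME, LIFNR, BEGRU, VALUE_OLD and VALUE_NEW are SAP ECC names; the decision-table rows, agents, supplier numbers and change records are constructed for the example.

```python
"""Decision-table classification of SAP change documents, driving a release workflow.

Added example for this page; it is not code from the deck or from bRobots.
LFBK, LFA1 and the change-document field names are SAP ECC names; the decision
table rows, agents, supplier numbers and change records are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from itertools import count


@dataclass
class Rule:
    tabname: str      # table pattern, "*" = any
    fname: str        # field pattern
    supplier: str     # "*", a glob, or a numeric range such as "1000-1999"
    auth_group: str   # authorization group (BEGRU) pattern
    action: str       # "workflow", "email" or "none"
    criticality: str  # determines which agent is responsible


def match(pattern, value):
    """Match one decision-table cell against one change-document field."""
    if pattern == "*":
        return True
    if "-" in pattern and pattern.replace("-", "").isdigit() and value.isdigit():
        lo, hi = pattern.split("-")
        return int(lo) <= int(value) <= int(hi)
    return fnmatch(value, pattern)


# Step 1: criteria for criticalities, maintained centrally; the first matching row wins
DECISION_TABLE = [
    Rule("LFBK", "BANKN", "*",         "*",    "workflow", "high"),    # bank account changed
    Rule("LFBK", "BANKL", "*",         "*",    "workflow", "high"),    # bank key changed
    Rule("LFA1", "*",     "1000-1999", "GRP1", "workflow", "medium"),  # key suppliers, restricted group
    Rule("LFA1", "NAME1", "*",         "*",    "email",    "low"),     # name change: notify only
    Rule("*",    "*",     "*",         "*",    "none",     "info"),    # default: log only
]
AGENTS = {"high": "compliance.officer", "medium": "purchasing.lead", "low": "master.data.team"}


@dataclass
class WorkItem:
    id: int
    change: dict
    criticality: str
    agent: str
    status: str = "Not started"
    result: str = ""


class ComplianceWorkflow:
    def __init__(self, rules=DECISION_TABLE):
        self.rules, self.items, self.notifications, self._ids = rules, [], [], count(1)

    def classify(self, change):
        for r in self.rules:
            if (match(r.tabname, change["TABNAME"]) and match(r.fname, change["FNAME"])
                    and match(r.supplier, change["LIFNR"]) and match(r.auth_group, change["BEGRU"])):
                return r
        raise ValueError("decision table needs a default row")

    def evaluate(self, changes):
        """Step 2: cyclical run over change documents; critical ones become work items
        for the agent of that criticality, low ones only a notification."""
        for c in changes:
            r = self.classify(c)
            if r.action == "workflow":
                self.items.append(WorkItem(next(self._ids), c, r.criticality, AGENTS[r.criticality]))
            elif r.action == "email":
                self.notifications.append((AGENTS[r.criticality], c))
        return self.items

    def decide(self, item_id, approved, comment):
        """Agent decision; a rejected change goes back to the department for manual correction."""
        item = next(i for i in self.items if i.id == item_id)
        item.status = "Completed" if approved else "Rejected"
        item.result = comment

    def status_report(self):
        """Step 3: documented compliance, the per-status counts the cockpit chart shows."""
        report = {"Not started": 0, "In Progress": 0, "Completed": 0, "Rejected": 0}
        for i in self.items:
            report[i.status] += 1
        return report


SAMPLE_CHANGES = [  # constructed CDPOS-style records
    {"TABNAME": "LFBK", "FNAME": "BANKN", "LIFNR": "0000001234", "BEGRU": "GRP2",
     "VALUE_OLD": "DE89370400440532013000", "VALUE_NEW": "AT611904300234573201", "USERNAME": "FIUSER01"},
    {"TABNAME": "LFA1", "FNAME": "STRAS", "LIFNR": "0000001500", "BEGRU": "GRP1",
     "VALUE_OLD": "Hauptstr. 1", "VALUE_NEW": "Postfach 99", "USERNAME": "MDUSER02"},
    {"TABNAME": "LFA1", "FNAME": "NAME1", "LIFNR": "0000004711", "BEGRU": "GRP2",
     "VALUE_OLD": "Muster GmbH", "VALUE_NEW": "Muster GmbH & Co. KG", "USERNAME": "MDUSER02"},
    {"TABNAME": "LFA1", "FNAME": "TELF1", "LIFNR": "0000004711", "BEGRU": "GRP2",
     "VALUE_OLD": "+49 40 1", "VALUE_NEW": "+49 40 2", "USERNAME": "MDUSER02"},
]

if __name__ == "__main__":
    wf = ComplianceWorkflow()
    for item in wf.evaluate(SAMPLE_CHANGES):
        print(item.id, item.criticality, item.agent, item.change["TABNAME"], item.change["FNAME"])
    wf.decide(1, False, "new account not confirmed with the supplier by phone")
    print(wf.status_report())
```

Row order is the control: the default "none" row must be last, and the more specific bank-details rows must precede the broad LFA1 row, otherwise a bank account change on a key supplier would be routed to purchasing instead of the compliance officer. Keeping the criteria in a table rather than in code is what lets a compliance team, not a developer, decide that a supplier name change is an e-mail while a bank account change is a blocking workflow.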
- 27 -
Real-time monitoring of your SAP systems with bRobots. Your advantages at a glance:

- Intelligent detection of suspicious (business) activities.
- Dynamic integration of release workflows in case of critical changes.
- Free maintenance of decision criteria, without programming effort.
- Automatic alerting on critical and complex events, customized for your company.
- Continuous software updates keep your systems up to date.
QUESTIONS? WE ANSWER. FOR SURE.

MICHAEL MÜLLNER, Head of Security & Compliance Services
- Long-term experience in management and risk consulting, focusing on SAP.
- Deep knowledge in the areas of business process optimization, access & identity management, governance, risk & compliance, GDPR and IT audits.
Tel: +43 676 9398461
E-mail: michael.muellner@akquinet.at
Web: www.akquinet.at
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior
written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.
What if a hacker has already broken in when your IT auditor is at the door? How to actually protect your SAP systems. [Webinar]