Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Security Monitoring for your SAP Landscape - Challenge accepted!Thomas Meindl// Senior Consultant IT-Security10.09.2014 iT-CUBE SYSTEMS GmbH 20142

COMPANY OVERVIEW10 years of strong IT- Security focus60 realized SIEM – Integrations8 years accredited HP ArcSight Partner & Training CenterDeep Knowledge in SAP Security & DevelopmentRevolutionary 360 SAP Security Solution10.09.2014 iT-CUBE SYSTEMS GmbH 20143

AgendaMotivationSIEM EvolutionThe Solution - agileSI 360 Use CasesRecap & BenefitsQuestions and Answers10.09.2014 iT-CUBE SYSTEMS GmbH 20144

Motivation SAP Security Status Quo10.09.2014 iT-CUBE SYSTEMS GmbH 20145

SAP RISKProtect your SAP data Essential Business ProcessesCritical, sensitive dataHR, FI, CRM, SRM, PP, PLMIntellectual propertyproduct data, bill of material, CAD data “big“ data! big risk!10.09.2014 iT-CUBE SYSTEMS GmbH 20146

SAP INHERENT SECURITY & VULNERABILITIESSAP RFCSAP Solution ManagerSAP GRCSAP IDMSAP GatewaySAP JCO SAP OSSSAP tools bypass SAP securitySAP STMSDebugging10.09.2014 iT-CUBE SYSTEMS GmbH 2014OS CommandsTransports7

SIEM Evolution10.09.2014 iT-CUBE SYSTEMS GmbH 20148

Log Device DiversitySIEM EVOLUTIONSIEMEvolutionApplicationLogsVA / IDM/ IAM /Reputation BasedDataOS / DBAV / FWThreatDetectionInsiderThreatDetectionIdentity View,APT, BotnetDetectionFraud, DLPLogmanagement / Compliance10.09.2014 iT-CUBE SYSTEMS GmbH 2014System MaturitySophistication of Use Cases9

360 SAP SECURITY MONITORINGSAP /SIEM IntegrationSecurity devicesIdentity managementThe blind spot:BusinessApplication RuntimeEndpoint serversDatabasesEmail/Web gatewaysNetwork devicesPhysical Access10.09.2014 iT-CUBE SYSTEMS GmbH 201410

THE SOLUTIONSIEM: (r)evolution in SAP Security MonitoringScope of inspectionSAP Security IntelligenceReportsManual checksremediation processLevel of automation10.09.2014 iT-CUBE SYSTEMS GmbH 201411

The Solution – agileSI 360 10.09.2014 iT-CUBE SYSTEMS GmbH 201412

SOLUTION ARCHITECTUREagileSI componentsdata extractionCEF format mappingSIEM visualizationHPSAP ArcSightSAP Security Sources Security Audit Log System Log System Parameters Tables Transport Log Gateway Config &Log Change Documents(SCDO UMR) Table ChangeLogging Access Control (SoD) Security Patches Transaction Codes10.09.2014 iT-CUBE SYSTEMS GmbH 2014SAP Security Analytics HP ArcSight specific content package 100 Detection Use Cases derived from DSAG Audit Guidelines SAP Security Recommendations iT-CUBE SAP Security Specialists(define content package with practical provenknowlegde)13

360 SAP SECURITY MONITORINGagileSI ‘s wider range of visibilityAuditLogon of virus infected clientSAP Standard AccountsChanges to User Master RecordsSystem & Client ChangesSOCSTMS/TransportsTable Change Logging10.09.2014 iT-CUBE SYSTEMS GmbH 2014SAPDepartmentManagementSoDConflicts & Access ControlAuthorization ChangesSecurity Audit Logs & SettingsTicketingsystem intf.Export to Excel DetectionDebugging ActivitiesRFC connectionsOS Command Exec.Critical transactions, programs, Application Brute Force attack14

Implementation in ArcSight10.09.2014 iT-CUBE SYSTEMS GmbH 201415

ARCSIGHT IMPLEMENTATIONFrom raw event to signal – separating the noiseagileSI Case ManagerSAPSecurityIntelligence10.09.2014 iT-CUBE SYSTEMS GmbH 201416

ARCSIGHT IMPLEMENTATIONSAP related security incidents 1 by agileSI HP ArcSight content package2 by HP ArcSight standard content[ agileSI talks SIEM ]3 by HP ArcSight standard content[ agileSI Asset/Network Model ]10.09.2014 iT-CUBE SYSTEMS GmbH 2014HPSAP failedloginArcSightauth.failureSAP relateddevices17

ARCSIGHT IMPLEMENTATION3. Powerful HP ArcSight Content Pack10.09.2014 iT-CUBE SYSTEMS GmbH 201418

agileSI for HP ArcSightagileSI SAP Security Intelligence package for360 SAP Security Monitoring in HP ArcSight SIEMagileSI ExtendedagileSI light[SAP remote connector withlimited security sources] for a maximum insecurity10.09.2014 iT-CUBE SYSTEMS GmbH 2014 for quick wins /proof of value19

Use Cases10.09.2014 iT-CUBE SYSTEMS GmbH 201420

USE CASE EXAMPLES - EXTENDEDUse CasesSoD conflictsand AccessControlSecurity Logsand SettingsRFCtransparency All DSAG ( 115!)checks implementedand covered byagileSI (SAP &ArcSight) Control of SAPSecurity Audit Logand other criticallogs like tablechange logs Actually used RFCconnections &transparency map(NON-SAP to SAP;NON-PROD. toPROD.) Checks aremaintainable,customizable,extendable Control of logsettings (activation,trace level) RFC settings likeSNC, RFC trace,trusted relationships RFC user monitoring(accounts and usertype used)STMS TransportManagement and manymore SoD conflicts inSTMS Monitoring of specialaccounts Critical objectsimported likeassignment ofauthorization objects Changes to criticaldata STMS parameterchecks Transport at unusualtime frame Logon of virusinfected clients Detect anomalies inworkflows What if critical datais leaving SAP?agileSI will help Continous! Automated! Complete and holistic! In SIEM!10.09.2014 iT-CUBE SYSTEMS GmbH 201421

READ ACCESS LOGGINGComing soon Read Access Logging (free version of SAP UI Logger)10.09.2014 iT-CUBE SYSTEMS GmbH 201422

WHAT THE CUSTOMER SAYS Customers use agileSI for Automated compliance &security monitoring Automation of compliancechecks and reports withagileSI Extension of given compliancechecks with Security use cases Complete system landscapemonitoring transfer of agileSI findings intoticketing systemControl of productionprocessAccess controls andtransaction monitoring Usage of precious metal inproduction International operatingorganization Control of production processvia custom applications Monitoring of international usersaccessing national-classified data(invoices, CAD, project owners) Transfer output of theseapplications into SIEM Continuous control! Management reports Adhoc monitoring & forensics RFC transparency in SAPlandscapes (SAP-to-SAP;NonSAP-to-SAP) Implementation SAP UI Logger10.09.2014 iT-CUBE SYSTEMS GmbH 201423

License10.09.2014 iT-CUBE SYSTEMS GmbH 201424

LICENSELicense: # SID (System Id, database Id)License# SID 3SID: ECPSID: PLPSID: CR P[ECC/ERP]central instance[PLM]central instance[CRM](central instance)App. Server instancesApp. Server instances10.09.2014 iT-CUBE SYSTEMS GmbH 201425

Recap & Key benefits10.09.2014 iT-CUBE SYSTEMS GmbH 201426

Compliance issues at a glance(e.g. Profile Parameter / System Configuration)10.09.2014 iT-CUBE SYSTEMS GmbH 201427

Security findings at a glance(Event based, e.g. Security Audit Log and others)10.09.2014 iT-CUBE SYSTEMS GmbH 201428

Monitor special accounts10.09.2014 iT-CUBE SYSTEMS GmbH 201429

Compliance – Reports (e.g. Profile Parameter / SystemConfiguration)10.09.2014 iT-CUBE SYSTEMS GmbH 201430

SUMMARYKey benefits Continuous, daily Audit Automated Compliance & Security Monitoring (ready-to-use) Complete SAP system landscape centrally monitored Lower the number of auditor’s findings Reduce compliance and audit costs through automation Improve your SAP Security & Risk Management10.09.2014 iT-CUBE SYSTEMS GmbH 201431

Questions and Answers10.09.2014 iT-CUBE SYSTEMS GmbH 201432

Please give me your feedbackSession TB4092Speaker Thomas MeindlPlease fill out a survey.Hand it to the door monitor on your way out.Thank you for providing your feedback, whichhelps us enhance content for future events.33 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Tonight’s [email protected] NewseumEnjoy food, drinks, company, and aprivate concert by Counting CrowsTime7:00 – 10: 00 pmShuttles run betweenhotel’s Porte Cochere(Terrace Level, byregistration) and Newseumfrom 6:30 - 10:00 pmQuestions?Please visit the Info Desk byregistration34 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Thank you Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Optional10.09.2014 iT-CUBE SYSTEMS GmbH 201436

SOLUTION ectionAGENTAnalysisAudit10.09.2014 iT-CUBE SYSTEMS GmbH 2014SOCSAPManagementAdmin37

ARCSIGHT IMPLEMENTATIONAsset Categorization – Information is available in SAP10.09.2014 iT-CUBE SYSTEMS GmbH 201438

ARCSIGHT IMPLEMENTATIONAsset Categorization - Benefits enhances correlation helps prioritize adds layer10.09.2014 iT-CUBE SYSTEMS GmbH 201439

APPLICATION SECURITY: SIEM THREAT RESPONSESIEM automated Threat Responsein case of strong suspicion SIEMUser Audit TrailUser Log outAdaptivemonitoringUser LockTCP Sessiontermination10.09.2014 iT-CUBE SYSTEMS GmbH 201440

THE llectionAGENTSIEMAnalysisAudit10.09.2014 iT-CUBE SYSTEMS GmbH 2014SOCSAPManagementAdmin41

10.09.2014 iT-CUBE SYSTEMS GmbH 201442

Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.