Webinar Recording

Detecting the Hand Still in the Cookie Jar

Log in and watch the full video!

SAP systems contain the most precious assets of an enterprise. They can however get lost, manipulated or destroyed in less than a minute. Examples are a) theft of sensitive customer data on a large scale by simple download, b) illegitimately elevated access rights: A user creates fictive other users, carries out illegal activities and deletes these users afterwards again, c) system take over by manipulating files on the level of the operating system which gives full access to all data on the SAP system.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Well, good afternoon, ladies and gentlemen, welcome to this cooking. A cold webinar, detecting the hand still in the cookie jar, breaking SAP in 59 seconds and how to respond with real time breach detection. This webinar is supported by ANet the speakers today. My name is Matthias vain. I'm senior Analyst at Ko, a Cole, and I will be presenting the first part of this webinar. And the second part, Ralph Kemp, managing director of ANet enterprise solutions will join us before we start some housekeeping. And of course, some general information about co a Cole as an Analyst company, Cola is providing enterprise it research advisory services, decision support, and networking for it. Professionals. We do this through our research services where we provide several types of documents, including leadership documents, comparing market segments, advisory notes, looking at various topics, vendor reports, executive views, etcetera, through our advisory services where we provide advisory to end user organization and vendors.
And through our events like webinars or seminars, our main event is the EIC, the European identity and cloud conference. And the next EIC will be held just to fit few weeks away in Munich from the 10th to the 13th of May, 2016. And we think, of course it will be a must attempt event, again, with a large number of speakers and sessions in the areas of identity and access management, governance, risk management, and compliance, as well as cloud security for already the 10th time Kok will bring together exhibitors and more than 600 participants. This will include most of Europe's and the world's leading vendors and users thought leaders, visionaries, and analysts. And we really recommend having a look at the agenda, which is already online. And apart from that, we are already preparing the digital finance world in Frankfurt. This will be an event covering strategies for the developments and to changes happening in financial services currently ranging from FinTech to big data and to new business models between mobile decentralization and the blockchain.
Please consider having a look at our website for all upcoming events at the given URL, some guidelines for the webinar, you are muted centrally. So you don't have to take care of this. We are recording this webinar and the podcast recording will be available tomorrow alongside with the slides that we are using. There will be a Q and a session at the end of the webinar, and you can enter your questions right away during the presentations at any time using questions panel or forgotten, depending on your local language version on the right side of the go to webinar software. And please do so so that we can start the Q and a session right away with a good set of your questions. The agenda for today, it consists of three parts. The first part will be my part, the Analyst view from it from traditional it security approaches to realtime security intelligence and incident response then from ANet will take over and show us, shows us processes and technologies for implementing realtime breach detection and existing SAP environment.
And I'm really looking forward to his part, especially the, the 59 seconds breach of SAP. I'm really looking forward to that. And the third part as already mentioned, will be the questions and answers session. So that's it for my introduction. And let's start out with my first part. And we will first have a look at traditional cybersecurity for SAP systems, and it's not too, too long ago when traditional cybersecurity was defined in analogy to conventional security. It, it started from the assumption that cybersecurity is possible and that security breaches can be prevented with just enough efforts. It was the, the time of, of traditional parameter protection and SAP systems were traditionally traditionally installed on premises. So in your own data center, which could be protected by firewalls and through network segmentation so that the bad guys could be kept out of your real important network segments.
So at that time, we had a clearly defined attack surface, which could be easily more or less protected. And it was one attack surface at that time. But we all know that this has changed dramatically. We have changing SAP environments as well, and SAP changes just the way that traditional it changes. In general, we have distributed platforms. We are seeing moving SAP into hybrid environments. We see that even on premises, the SAP solutions are changing. We are having virtualized solution. We are seeing evolving enterprise applications with changing functionality. We have changing access to SAP systems with employees, partners, and sometimes even customers accessing SAP systems, wherever they are located, either distributed or on premises or in the cloud. We have of course the chance to have storage and computing power at an unprecedented scale and price. We have platforms which are actually from SAP. We have the SAP HANA enterprise cloud, for example, but we have lots of organizations and, and vendors which provide SAP software as a service.
And this of course changes also the aspect of security. In that context, we have, we have entered the era of mobile with different types of devices, accessing enterprise infrastructure, including systems. We have individually developed apps that access SAP enterprise applications from your mobile phones, be it iOS, or be it Android or any other platform. And we have the new trend of bring your own device where users want to stick to their own devices, but use applications to, to access your SAP systems. And of course, IOT, the internet of things already has reached SAP as well. So we have SAP environments which operate at an internet scale, not at an enterprise scale with potentially billions of devices of access of ways. And so we have to make sure that the security also meets the same quality as before. So this good old approach will not work any longer just because we are no longer just living in the traditional enterprise on premises.
So the attack service is changing. So we have different aspects joining to the traditional aspects. We have the integration of customers, dealers, other parties as mentioned, we have connected cars and things that probably most probably will change the access methods we have industry for and IOT also in manufacturing, which is an important part for SAP environments as well, of course, cloud services and outsourcing. We have all these types of processes that we see and which are under the umbrella of digital transformation and new business partners. And one aspect that cannot be under overestimated is the, the topic of professional attackers, which aim at high profile enterprise applications, which might be your SAP system as well. So we have professional attackers from organized crime and of nation state sponsored attackers with most probably unlimited financial support, at least from the point of view of the, of, of, of you wanting to protect your environment.
So once you are connected, you are under attack and there is no such thing as the enterprise perimeter anymore. So we have to adapt in an appropriate way, the traditional way, more or less traditional for some, some years now is the assume breach approach we think. And I, I think this is a, a, a valid assumption that total security is not feasible and that we have to work and live with imperfect security. So we have to make sure that we protect the right things. We have continuous threats in a constantly evolving environment. So the infrastructure changes constantly, and we have to make sure that we adapt and adopt our security appropriately. So we have to think risk orientated. We have to make the right prioritization, and we have to do our responses in real time. Some of you know, this good old picture from or bad old picture from the fifties or sixties, a book about survival under atomic attack. Let's hope we have to not protect us for this, but we need of course, a book or at least some measures that help us to survive under constant attack.
So if the focus of security is obviously changing while we had the traditional approach, which was actually prevent to prevent any breaches from happening, the new focus is a bit different. Of course, we still prevent everything that does not happen, can make no harm. But if a breach, for example happens, then it has to be detected in a timely manner. It has to be responded to in an appropriate manner. And we have to recover immediately from any results, bad results from such an event. And I think this is something that Mr. Kemp will look at later on, in more detail, this realtime detection, this realtime response. And of course, one, one arrow is missing in this picture, and this is the constant learning and improving of our processes to make sure that once we ran into an issue, ran into a breach that we can learn from that and improve our measures appropriately and prevent more, get better at that point.
If you look at this in a more bigger view than we have actually one additional step, we will not go into every detail of this slide, but this gives the big picture of how a defense and incident management system or process framework should work within an organization. And the good thing, and the important thing is that we, first of all, have to understand the risk we have to identify, which is to protect in the environment, which are your crown jewels, which need to be protected. And this is a result of traditional risk management and it based risk management and corporate risk management enterprise risk management. We have, of course, the steps of prevention as mentioned before, which can also benefit from, from best practices from outside, from vendors, from, from CTS, from sources of threat intelligence. Once the information is provided here, we have to make sure that a security operating center operations center detects in a timely manner, the probable attacks, and has an in-depth analysis already and available.
And then we have to make sure that an incident handling is maintained in an appropriate way, in the best case for the, for, for usual breaches, that there are incident handling methods already prepared that can be used as a recipe, as pre pre-canned responses. And of course, again, the improvement as an important aspect, to make sure that we have a continuous improvement of the controls and the configuration. So there are integrated processes. There are, there is realtime security intelligence, which is of course here located in the security operations center. And of course, in, in the software that Mr. Kemp will, will demonstrate later on, and we have a structured handling of incident to make sure that nothing gets lost along the way that the right people are informed. And that we have the feedback for continuous improvement.
When we look at SAP security also again, 5, 6, 7 years ago, the traditional aspect that we looked at was access governance. We looked at the role design. We looked at how access actually was assigned to individual users, how that could be recertified if no violations against the segregation of duties, rules, where there, and again, we had risk based critical privilege analysis at that point, but SAP security has dramatically changed. And there are lots of more boxes to look at when we look at a 360 degrees approach towards SAP security. For example, we have to look at privileged accounts, which is an important factor because these are the people which deal with the full set of information available, the administrators, high level business users, or firefighter access users. We have to look at platform security at the security of the machines themselves, if they, whether they are patched appropriately.
And this also has to be considered in a, in a wider scale. When we look at system landscape security, which takes a look at the, at the complete infrastructure, and to make sure that a complete SAP infrastructure is not vulnerable due to reconfiguration of, of individual components. For example, we will have to look. And this is of course the case for, for modern SAP security and governance approaches at network security, to make sure that the, the underlying network infrastructure and the components there are appropriately protected, but we, we also have to look at users and what they're doing, if they are actually doing what we expect them to do, we need to have transparency. We need to detect undesired behavior because the attacker might be inside our systems. So we have to identify something that is considered to be normal, to identify the outliers code.
Security is an important aspect with SAP because many application systems in SAP can be and are extended with individually developed code and software and components. And this has to be checked for, for coding weaknesses for, for usual fallacies at that point. And this is an aspect that has to be considered as well. Last two boxes is mobile security. As I've mentioned before, the types of devices used for accessing the systems have changed. So we have to make sure that these are secured appropriately and that authentication and authorization is done in an appropriate manner. And all of this that I set before needs to be integrated with overall approach for enterprise security. So we have to look at sea systems at realtime security intelligence systems, and maybe the SAP security monitoring will also take place within the security operations center. So these are some aspects of SAP security that are under constant attack, and that needs to be monitored closely. And with this slide, I want to hand over to Mr. Kemp from ANet, but I want to remind you first to still that you're still able to add some questions for my part, for the part of Mr. Kemp, so that we can start out with the key and a later on with good questions. So I'd like to hand over to Mr. Ke looking forward to your presentation.
Hello, good afternoon, or good morning or good evening. And gentlemen, my name is ke and I, the presenter now for the next session, showing up some practical examples, how to detect the handle in the cooking jar and some examples how can be broken in 59 seconds and how normally you will not see that this happened. And I want to show up some examples how this could be detected based on some real time and, and real life examples. If you were to advance about ANet, we are a German company headquarter in Hamburg, just three figures. We have near nearby 80 million Euro revenue per year. We are 650 employees and 18 offices located in Europe. And one of our focal areas is focusing on SAP security, governance, Compli security investigation, and also to provide security operations center capability and resources to customers having demand for such sources and resources.
We are focused with our consulting and also software development area on the complete 360 degrees, realtime monitoring of your SAP systems. On the one hand focused on the traditional part since I got already explained authorization, segregation of duties, but also checks and measurements are provided for analyzing the system configuration. And what I would show up today is the specific part, the realtime threat detection within sat system. And this is unique in the market that we provide the only program software package in the market, combining all of this aspects in combination with real proven rules, which allows you to detect such attack. And actually we have nearby 3000 different rules event types in the system, which may help to find out if somebody is already active in your system, or hopefully not. What is is about threat detection? Spread detection is about lock monitoring. First of all, that is where I will later on this, what are the locks?
But the first question is if I have locks who can monitor all the types of locks, for instance, the sub security audited lock from the tech and here, all events must be locked because sometimes there are events which could get interesting the next day or the next week when something happens. Very often only firefighters and special user are locked in the practice practical environment that change documents and table loggings, or if something has been changed in the critical system table that needs to be detected the up system lock itself. So something is written in the system lock, and that has no aggregated lock functionality, which combines security, audited, and system lock. So the system lock made also contains interesting data from this threat detection perspective. When I talk about customers very often, when we talk about threat detection SAP, they say, okay, security audit locks.
Now we have everything turned on. We monitor the lock and now we are fine. Now you aren't because you have the platform, you have the windows, the Unix operating system, you have your databases, you have the network products like Z browser gateway, reverse proxy network, access devices, and so on. So you have a lot of locks in your system and they have all different formats. And very often the normal user environment in all those long times, you have more than 1 million lines per day per system. And that's, I would say impossible for the auditor, for the security operation center to go through by hand and to check for critical activities. And, and already a little bit explained the problem is while otherizing that security locks, for instance, sub security audit lock, we have very often unclear data in this lock. For instance, one event is the authorization of the user has been changed, but in the security audit lock, you will not see which permission has been assigned.
And by whom the false classification in the standard shipment, for instance, the log of that star account is green because it was a positive log on. It's fine, but a fail log on of a normal user red in the sub security audit drug. So this is from the classification already false definition about change documents and table logging. There's a very cool performance. So if you scan the table loggings or change documents of a day, week or month, it takes minutes hours to scan through. And the more you locks you produce the poorer, your performance will get the, that system lock will be over it. After approximately 24 hours, maybe 36. What we learn from practical breaches, this breach has been detected after 14 days. So the attacker was already 14 days in the system, and there was no chance to detect the first day where the first incidents and events occurred, cause everything was already overwritten for windows.
Unit lock. Very often administrator would privileges to watch up the lock data in the tables at the normal SAP administrator should not be root or administrator because we want have segregation of duties between OS database level and system level access. And a T database ISN are locked in Oracle. They are quite well readable in Ms. SQL. I find them unreadable. I cannot understand those locks. And very often there locks on the operating system and on the database are not activated at all. So there's no chance to get any evidence from this lock. And then we have very critical parts like Zaja or reverse proxy in practical way until now I never had one customer activated ZM tool watching for the broader locks for years. And we found a lot of permission, denies and fraud scans on broader locks that nobody was able to detect it.
So this is absolutely a black box and nobody is looking for it and better design error from SAP. None SAP products provides and also box flow forwarding. So for the log monitoring team, from the security creation system, you are lost. You are unsure, you are unclear, you have data probably, but this is just a mess. And you can't find out your events, which are interesting. And the next three examples, I will show three real life examples, which also happened at customers. And I want to demonstrate a little bit what could happen and how you can detect it. And where are the pitfalls to detect it and to react on it. The first attack is very simple data breach theft of customer data. So somebody is giving your customer accounts and is selling it to the competitor from the setting. It's quite simple. You have attackers or normal users in the system with access to business, data and bio authorizations.
They can list data. So you can select all the customer datas on a list. And like in practical life, in most customer systems, you can save it to a file on PC. And then this file is sent renamed and sent out via emails to a competitor or storing it on use B device or what else. Or there are many, well, many possible ways to bring data out of a company if you really want to do it, but how can we detected and where possible tracks? First of all, if the security out block is fully enabled, you will see entry slide download, blah, blah, blah, buy to a file. Okay? So we can detect there was a download, but in real life, we have thousands of downloads per day. So that's not so not so good information. If you would send the mail from the S a T system directly, there would be an outbound mail.
So there could be a mail send lock available in the source transaction, but nobody is looking toward it in the security audited lock. You may notice specific transaction has been started. So if you would be so dumb to do it with E team, it could be possible that it could be catch, but who's using E team because you are already aware you could be tracked in our first toolbox. We do it a lot different way. We have specific order, sensitive transactions, including critical functions. That means if I just start an se 16, nothing happens. It is not critical. But if I start se 16, if I select a critical table and it suppress the display or the download button, then it gets critical. So we only fire events in the case that something severe happens with the transaction. And we have also a possibility in the software that you can scan the download while the download is performed for the size and for critical pattern in this file.
That means if something goes outside via email to a suspicious email address, which is blacklisted, or which is not your corporate address, or if a contains pattern like customer data, then it will raise another event. And there are some challenges to find such reaches. For instance, practically transaction, we see slash two is a normal business transaction, but it allows you to print out your customer list with the contact persons and to self turnover, having this information. This is very essential for your competitor because he knows your best customers. And there are a lot of downloads today from multi of the users, for which user you will look really challenging tasks, and of course, files can be mailed instead of downloading it. So there is no download event. If the guy would send out lists from SAP directly via email from the dub system, and there's no security outed locks in the security audited lock.
If a mail goes out to an external address. So there is the weakness and the SAP configuration, what will happen? The attackers you I'm logging on as a normal consultant to the system, I create a download of the sales summary per customer with all the information I download the file to my PC and I get the info nearly 30 kilobyte downloaders. This was just my demo system. It could be 30 megabytes. This is really customer system, but will you see in your security audit block in the security audit block, there will be one event, 28,979 buys written to a file with the name for a, Hmm. You can't detect which information is in this file because the file is not available for you to look into the file. It's gone, it's outside, it's on the C this person. And at the end, the question is, has critical data been downloaded unanswered?
I can't tell you now a little bit different view on the same story. We did that in the, in a lot of customer requirements using our security radar threat detection, we have a difficult, different approach. First of all, the question is what is the critical download? The normal download that the file of 30 kilobytes is downloaded. It's just the yellow, yellow marking. It has sever five it's okay. It's not critical, but it's could get critical. If you would download 1000 bites with 30 kilobytes per day, then it can, can, can, then it can get critical, but we have a specific data source as download observer. And this tool is scanning the content and doing the scan. You will see this as severity nine, even nine from 10, a very high stability critical file. Download why this information with a civil nine will be sent via email to the security operation center, watch out for a critical sign download.
Now, the question is what has been downloaded? This is quite simple. Our tool is making snapshot of download and is highlighting the keyword that has been matched. That means now the security operating center has a possibility to analyze the download, to check if this is in line with a, with a business description of functional description of the user, and they can ask him what's about this file. Where does it go? Was it encrypted? And, and, and so you have evidence in your system, you can react. And at the end, having this, you can react as a security operating center, really on such a alert. So this was a very simple example.
There's a more complex example, which also happened in real life environments and customers. We call it user morphing privilege, escalation by user morphing. What's about user morphing. First of all, the setting is as follows. Where's a guy in the system. He has the permission to change users depends on your authorizations. If you are assigned only two persons can do it. If you are not so good aligned with your authorizations, it could happen that one persons can do it. And this guy is doing a small manipulation. He's changing a system user in RRC user to type dialogue. And he knows that in the environment of central user administration, all changes on the users made by the user R C C a in our demo environment. And now he's changing the user types in the password. And he's logging in with this R C C C a user, but in dialogue, and he's creating a backdoor user for himself for later usage 1, 2, 100 backdoor users.
And we had some incidents in customer environment where it was not clear at all, how many backdoor users has been created and to how many backdoor users that guy had access to. So, and finally, the system, which is now a dialogue user is switched back to system. So he's trying to cover the activity by using another user ID, which is on the normal day basis used for this activity. And he's covering his activity and the security audit block shelves, the are a CCO user has created a normal user. It's a normal activity, and audited would raise any, any clue about it as it says, no it's normal for this user, but now the attacker can use his vector users to do malicious things, to cover it with another user. And if he has multiple users, it's get really weird. So lock and possible tracks. First of all, up security out block there, one event user data changed, but no more information you can't see at all that the type has been changed.
And the authorization has been changed is just the event user data changed. And then you will see in our audit log entry, password changed for users, but you will only see the, this entry, if he is changing the password during log on. If he is changing the password as an administrator, as that, you will not write an audit log entry. So, and at the end, there is not much information in the security audit log. What happens in our task tool? We have some, some other event types defined one event is a critical system. User has been changed. The RFC user has been changed. The type has been changed. The passport has been changed. Something is strange. Then we will see in our tool, critical system, user logs in a dialogue mode, it gets really worth now because we know the user has been changed and is now logging on.
This was really a strange situation. But over here, the challenging thing to identify those manipulation is the permanent eyes on the locks. And you need to know, as the security operated center guide, that SAP has specific user types and that there are tech possible, it just types are changed and that the users are used. And if you're using the classical, you cannot detect it because information is not in the log file. So at, at the end with the classical, there's no chance in real life environment to really detect it near, near time or real time, or even after weeks, cause you are over fluided. So how will it look nice? We will log in. We change the user and we change it now to a dialogue user. And then we created backdoor user and we call him here, step Mayer, the user hacker or backdoor could be to easy to file.
So we call him Mr. Mayer, it's a German name. And, but what we do, we give sub all, because if I want to be a hacker, I need as much commercial as possible. And then we clean up. That means we change back the formerly system user to a dial to the dial user, back to a system user. So this creates some change documents, but in fact, we utilize, nobody will analyze this. And at the end we have more the user. And now we have a vector user as Maya with full authorization, and we can use them later on to do some nice things like transferring money to somebody. And we know the password it takes with the 2 0 1 to create a user 30 seconds maximum. So what do you see in the locks in the locks? You'll see, on the left hand side, the sub security audited block, the only red event is user Maya has been created, but this event is not red because it has been created with high utilizations.
Every user creation is red. The audit will see, oh, has been created by an RRC user from the central user administration. This looks fine. The suspicious thing is if you know about security and SAP, why is there a terminal ID? If it would be an RRC call, there is no terminal ID. So this is suspicious on the left side, but you will not see it. It's not so obvious on the right hand side, we see our lock from our tool and we have other reactions with higher priorities. First of all, we have one event. Our CCR has changed on user master record because one, one idea of this quick, if you have to change it back at a given point. So if you do it with the same user, it gives a very high criticality. Then the user master, a critical system user, and the monitoring has been changed.
Severity 10, pay attention and so on. And so on. You will see sub all signs. The user has locked on, and now we have severity 10 events, something real range goes on. So everything is red. And if we have severity 10 events, SOC has to react and has to analyze at many mobile to block the users, kill from the system, and then to look up what has happened. So we see in this scenario, we have a better identification in real time. Our detection frequency is once per minute. So we scan the system once per minute, without any impact to the performance. And we will see that the security operator has chance to detect it. And with the sub security audit lock, there really no chance, even though you would forward this two events to external systems, you don't have base information, no chance to detect now, third example, getting she access.
So I want to be a really bad guy. I want to have full access to the server via below S a T and for this as a small scenario and that one central file in the environment, if I would override it with some information, I know I could disable the password check for the so-called are the end user. And this was the administrator, the super user of the Z system. After the final has been changed, I can log on without any password. And if I do it in a nice way, the other guy can still log on with our password, but you will not see that I have a bypass in his login, lock some possible text in SAP, and then Unix, no locks, absolutely no detection in our environment. You will see critical file upload tool used and critical file changed, followed in a cm tool, SSA log in from a normal IP address, which is suspicious.
And so what does the pitfall with SAP? There are no security audited locks on update because SAP sync on the downloads are critical, but from a hacker perspective, the upload is much more critical than the download because then you can override configurations and then you are in, I want to give a small live more. That's a small screen capture now running, and I will stop it at giving a certain points to explain a little bit. Now we are seeing in this box on the, in the black box, on the right hand side, that I want to log in as administrator. And I'm guessing the password because the system asks me for a passport and I don't have the password. Now I do a trick. I'm a developer, or I'm a user having at 8 38 or permissions for some SAP standard transactions. So this as an example, this works also with SAP standard transactions and I'm doing a small exploit.
I was overriding a file on the server with a key, which I own, and which identifies me as an administrator. The next in our demo is after the file upload has been performed. I go to the same put screen. I log on with the same user and you will see I'm logged in. That means I have a password last log to the machine. I am completely on database and operating system level, and I can do what I want with your machine so I can steal the complete database and so on. And as I explained, and SAP, there is no possibility to detect it. And what you will see here is a reaction. This is about the real time reaction within the one minute interval. Our tool has detected this critical event and you will see here, file checks some critical file change severity, excuse me, for the German screenshot are prepared in German, but it's also works in eight other languages up to Chinese. And you will see here. One specific file has been overwritten, and now you have to react as a security operator because this is now really critical.
Okay. This were now three small examples. We have lots of more of examples, but as you, so here, our software reacts in real time and can send out an email or give you a paycheck for, if something happens, how to protect your systems. After learning now that something really came wrong. First of all, analyze all available logs to detect threats, attacks, and scans, but you need to know the attacks and the attack patterns. And this is something where I think only external resources can provide the information, how real attacks look because otherwise we won't find the real attack by just looking locks. And this has to be established on multiple layers. SAP consists of the net back operating system database and the, that server. So we need logging all the levers because my third attack was focused on the operating system. And you need combined configuration authorization in real time, look analyzing.
That means you have to do it permanently, and you need who the new resources which can provide it. You need experts who are really trained on that security, and they must understand how this tax patterns look and what the luck and we increase means we give a lot of explanation, but at the end, it needs to be a senior level security operating center guy with that experience. And there's nothing for new buyers. Cause you need the background information and you need some technical resources. You need VM server. That means if you have multiple SFP systems that scales, it means you need central server like creator from IBM outside, log, log points, you name it. There are a lot of servers available, but there's all one problem. All the cm systems, none of VM systems has any rule set for SAP systems. That means you need a data feed, which can provide SAP log information already analyzed and giving that attack patterns and giving the VM tool, the information, be careful, something goes on.
And that's what we provide with our solution and software. And you need the adapter to extract filters the forward of the events. Actually we can read 35 different lock sources from SAP about including the broader and everything. So I think we can detect most probably not all, but most of real life examples. And at the end, it should look like this where a ZM solution, which is already in place or which can be in place, focusing on all the classical it things. And from the first security radar perspective, defeats the systems versus event data stream indicating critical events, which could be correct, could be raised by threats, attacks, or misuse of your system. And what else do you need? You need to process as already explained to Mr. Reinwarth, you need a security operating standard, which that's the investigations about possible sets. Not every event is a real attack because there are very often normal activities, batch jobs running with the false users. They can be whitelisted. So there's always the work of blacklisting, whitelist, open investigations and open security in incidents and informed customer. This is a classical process and we provide also this monitoring process as in servers, from our data center and several customers already using this service that we provide to SOC instead of the customer, because we are doing it on a daily basis. Okay. Now I'm finished with my presentation and I would ask Mr. Rebar to switch back and now we are open for our questions and hopefully we can provide answers.
Yes. Thank you very much for that great presentation. Now, moving over to the question and answer section, and again, my, my reminder for the participants that they, if there are any other questions left now is the good time, the right time to enter them into the questions panel of the go to webinar software. And yeah, let's start out with a, with a few questions. One question is this threats information, the, the, the threat landscape is constantly changing. Is this also a service that you provide that current threats information is provided to, to your customers, to users of this system so that they are informed as soon as a, a, a threat is, is detected and is, is available for, for, for analysis?
Yes, we do. We have permanent security research, ongoing. We are also providing security research information to the SAP. And as soon as we know about, and as pattern has been defined, our customers get the info tickets that the new users are available for downloads combination, with the definition that they know what's going on and how to prevent it.
Okay, great. Thank you. One question from, from your experience, how are usual companies at present tackling the, the issue of preventing data theft within an SAP system? Is the, are they doing it as, as, as you are doing it or is there, is there room for improvement?
There's a lot of room for improvement. Most customers that I know has only two, two levels of protections. One is trying to minimize, assess permissions on the data to a level which gets acceptable, but there's always a lot of headroom that, that too many users can access critical data. So also a problem that data is not classified, correct in SAP and in combination with the security out block. But at the end, what I learned from practical ways, nobody's looking for the outer blocks because you cannot detect the real critical download. So they just drive by authorizations. And I had a lot of security during the last three years, has data has been, have been performed. And then at the end, the customer asked us to prepare evidence for justification or for, for losses.
Okay. Yeah. It seems as real room for improvement. Yeah. Okay. From, from your experience, from the experience of ANet, what, what would be a best practice approach if you have a company, no matter which, which, which industry would like to feed a cm solution with SAP data, is there, do you provide best practices? Can you, can you support in, in creating such a, such a connection to a cm solution or is something that everybody has to do for themselves? Because the infrastructure is somewhat different.
This is a very complex task, because what we learned is that the ZM tools are classically located in the network department or in the operating system departments. And they have no connections to SAP and they have no knowledge about SAP. So what we provide as an integration part for the such project, as we know about all the cm solutions, we know how to configure them, how to operate them, and we know how the SAP logic works. So on, on the first step, we provide the integration that SAP event data is formated to cm systems. On the second step, we provide the information how, how the escalation and information process should be implemented. And we train also the security operating centers with regards to SAP security that they know better about the background of such events and that they can learn after a certain time, if they can blacklist whitelists or not.
And this is something classical process. And in the first phase of the project, we are very often acting as level one support to provide this information, to teach all the persons. And then after a defined time, we switch over that we stay as a second third level support in the quiz case as to see has a piece for specific questions, then they can forward the questions to ask together with the locks and we make up our mind and get the feedback if this is critical or not. So it's P lessons learned and training, but we can provide it covering all cm systems.
Okay. Thank you. But, but from, from, from the points that I made in my slide, do you, do you see a change with the changing infrastructure and the, and the move of SAP to the cloud, that this is a bit changing that the silos between it and network infrastructure security and SAP application business security are, are that the, that the dividing lines are, are going away at least a bit, or is this still the strict business versus it
In most companies, it's still very strict, even though that applications are run already outsourced or in the cloud, there is still this, this, this internal firewall between the departments. And this is a very great key success factor for having really good cm and security monitoring solutions that, that this department are connected together. And also that external systems, which are also somewhere located in the cloud are connected as vital part of this monitoring framework. So it's, it's the persons to bring the person together and to get the information about the systems and how they work and how, how they are monitored.
Okay. Okay. Thank you. Another question from, from, from the practical aspect, once an organization decides to, to introduce such a system, how long does it take on average to, to establish such a, a useful and real effective SAP, realtime monitoring solution? What, what is the typical timeframe that you see in the, in, in, in real time, real life business?
Yeah, so we have a lot project process or software can be installed within, within one day in a system. So we install it sometimes in 30 systems in, within two, three days, and we have a frequency set. And after this installation, we start the training phase operators. We start the ZM integration and we start the lessons learned period for the software. That means we have to adjust the rules always to the customer situation. And this is normally a period of four to six weeks where we adjust our rule set to customer specific event situations and where we try to teach a customer so technical, if the resources are available and we can, we can use them then an implementation of such a real life working the solution could be feasible within four to six weeks, but it always depends on the availability of persons resources and so on.
Okay. But it's also training on the job. So you're trying to get the people up to speed so that they can take over this task as well.
Yeah, absolutely favor training is training on the job directly. So we do the installations together where we do the test drive together, and then we act as, as, as, as a buddy for this person's on the job. And after a given time, when everybody thinks, okay, now, now we have it on, on track. Then we act as second level or start level support that, that everybody, and every time somebody there, which who can be asked for the specific questions, if this is requested by the customer.
Okay. Understood. And I guess you have heard the following question quite sometimes, which is the, the top three or the worst, the worst things that you encounter when you do a first installation in a, in a given SAP environment, which are the typical mistakes that you encounter at first, even, probably with not an amended rule set, but just with the standard rule set.
Yeah. With the standard rule set very often happening event, there's one specific scanner for modifications of the user authorization buffer that happens several times that some clever about developers have assigned a hidden sub to the user profile, which is not detectable via zero one. But in fact, they had some, all Pinterest and it was detected in a few minutes. First of all, we checked for inconsistencies, but then we are, we saw other events like file changes, and always, I think, 80, 85% of this detected attacks, histor attacks very often where consultants and internal persons doing some, some screening for systems and that have all of them have been attacked, like hidden permission, assignment file, money populations, segregation of duties, violation, and transport. That means importing of critical transport without aide principles. Everything is detected within the first day.
Okay, great. Thank you. I think that's it for the questions that we had. We are through all, all of our questions. So we are getting to the end of our today's webinar. I would like to thank the participants of today's webinar. And of course I want to, I would like to thank, especially you Mr. Kemp, for your expertise and experience in this area of SAP and security and compliance was real and impressive demonstration. And it was a great look into the real life aspects of, of securing essential corporate infrastructure. I would like to take the opportunity to once again, mention the upcoming EIC in Munich. And I know that Aquanet will be there as well. So if you have any other questions, you might as well get in touch with me or Mr. Ke or Aquanet in general, or you might want to meet us in Munich and have a, have a chat if possible. And of course, we're looking forward to having all the participants again in one of our upcoming next webinars as well. So that's it for today. Thank you again, Mr. Ke, thank you for being with us today and goodbye to all participants.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Effective Threat Detection for Enterprises Using SAP Applications

Determined cyber attackers will nearly always find a way into company systems and networks using tried and trusted techniques. It is therefore essential to assume breach and have the capability to identify, analyze, and neutralize cyber-attacks before they can do any serious…

Analyst Chat

Analyst Chat #111: From SIEM to Intelligent SIEM and Beyond

A comprehensive cybersecurity strategy typically includes the use of modern, intelligent Security Information and Event Management (SIEM) platforms. These go far beyond simply aggregating and analyzing log files. Alexei Balaganski outlines the latest market developments based on his…

Analyst Chat

Analyst Chat #88: What (and why) is XDR?

XDR (eXtended Detection & Response) solutions are an emerging category of security tools that are designed to consolidate and replace multiple point solutions. John Tolbert and Alexei Balaganski join Matthias and share their views on this market, the existing offerings, and how it might…

Analyst Chat

Analyst Chat #62: The SOCaaS Market Segment - A First Look

The Security Operations Center-as-a-Service (SOCaaS) market has emerged and continues to develop in response to demand for security monitoring, analysis, detection, response, and improvement recommendations either instead of or as a supplement to permanent on-premises SOCs. KuppingerCole…

Analyst Chat

Analyst Chat #14: The Alphabet Soup of Security Analytics

Matthias Reinwarth and Alexei Balaganski discuss the plethora of acronyms for security analytics solutions: from SOC and SIEM to UEBA and SOAR.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00