SAP Enterprise Threat Detection integrated into Hewlett Packard Enterprise ArcSight
Hewlett Packard Enterprise (HPE) ArcSight is widely deployed and used in Security Operations Centers (SOCs). Numerous connectors exist to collect events from networking devices, firewalls, (host) intrusion prevention systems, operating systems, antivirus solutions, web servers, databases, vulnerability scanners and many other sources.
However, its SAP monitoring capabilities are currently limited: there is only a connector for the Security Audit Log. Information from, for example, the business transaction log or the change documents log is missing.
SAP Enterprise Threat Detection (ETD), on the other hand, has a very deep view into SAP event sources but currently has very limited capabilities in other areas, such as networking devices.
Therefore SAP and HPE decided to integrate both solutions to provide holistic monitoring capabilities for the complete IT landscape of an organization, including its SAP systems.
How the Integration works
Since many companies and organizations have already tied their incident management processes to their ArcSight installation, we decided to integrate ETD into ArcSight. This way, alerts from ETD appear in ArcSight and can trigger the corresponding response processes.
The figure above shows the information flow of SAP events into ArcSight. The events are generated in the SAP landscape and collected by ETD, where they are correlated with other events and with context information available in the SAP systems. Once something suspicious is detected, an alert is generated. An ArcSight FlexConnector collects these alerts via ETD's REST API and parses them into the Common Event Format (CEF), the standard event format of ArcSight. The REST API is activated in ETD under Settings, as shown in the screenshot below. Further details can be found in chapter 8.8 of the SAP ETD implementation guide.
The mapping of ETD fields to CEF fields was developed in close cooperation between SAP and HPE so that the semantics are preserved as far as possible. The normalized alerts are then forwarded to the ArcSight Enterprise Security Monitor (ESM), the central server of an ArcSight installation, where all events are stored and correlated. Finally, the ETD alerts are displayed to the security analysts in the ArcSight Console, together with all other events from the IT landscape.
Using the ArcSight FlexConnector framework keeps the integration flexible, so we can quickly adapt to API changes on the ETD side.
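To make the CEF step concrete, here is an added example (not SAP's or HPE's FlexConnector code, and not the real SAP/HPE field mapping) that turns an ETD-style alert into one CEF line. The alert field names, the score-to-severity mapping and the sample alert are all assumptions constructed for illustration; the CEF header layout and escaping rules are the standard ones.

```python
# Added example, not SAP's or HPE's FlexConnector code: turn an ETD-style alert
# into one ArcSight CEF line. Alert field names and the mapping are ASSUMED.
from datetime import datetime, timezone

def cef_escape_header(value):
    """Escape backslash and pipe, the special characters in CEF header fields."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_escape_ext(value):
    """Escape backslash, '=' and line breaks, the special characters in extensions."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

FIELD_MAP = {  # hypothetical ETD alert field -> CEF extension key
    "SystemId": "dhost",      # SAP system on which the pattern fired
    "Client": "cs1",          # ABAP client, carried in a custom string field
    "UserName": "suser",      # acting SAP user
    "Terminal": "shost",      # terminal the user worked from
    "Transaction": "act",     # transaction code, e.g. SU01
}

def etd_to_cef(alert):
    """Build a CEF:0 line: header fields separated by '|', then key=value extensions."""
    # Assumed: ETD scores range 0..100, CEF severity is 0..10.
    severity = min(10, max(0, int(alert.get("Score", 0)) // 10))
    header = "|".join([
        "CEF:0",
        "SAP",                                     # device vendor
        "Enterprise Threat Detection",             # device product
        cef_escape_header(alert.get("EtdVersion", "unknown")),
        cef_escape_header(alert["PatternId"]),     # CEF signature id
        cef_escape_header(alert["PatternName"]),   # CEF name
        str(severity),
    ])
    ts = datetime.fromisoformat(alert["Timestamp"]).astimezone(timezone.utc)
    ext = ["rt=%d" % int(ts.timestamp() * 1000)]  # receipt time in epoch ms
    for src, dst in FIELD_MAP.items():
        if src in alert:
            ext.append("%s=%s" % (dst, cef_escape_ext(alert[src])))
    ext.append("cs1Label=SAPClient")
    return header + "|" + " ".join(ext)

# Constructed sample alert, shaped like a REST poll result might look.
SAMPLE_ALERT = {
    "PatternId": "P-0042", "PatternName": "Firefighter usage|unauthorized",
    "Score": 75, "EtdVersion": "1.0", "Timestamp": "2016-03-01T10:15:00+01:00",
    "SystemId": "EC6", "Client": "020", "UserName": "FF_SAPETD",
    "Terminal": "WS-ADMIN-01", "Transaction": "SU01",
}
```

The pipe in the constructed pattern name is escaped in the header, so the ESM parser still sees exactly seven header fields.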
The figure below shows the detailed information flow in our demo setup, from the source systems via ETD and the ArcSight connectors to the ArcSight ESM. Straight lines are currently implemented, dotted lines are planned for the near future. DC is the domain controller; EH6 and EC6 are two ABAP systems. More systems will be connected to ETD in the near future, which will let us see Java logs and more.
SAP logs are sent to ETD, and only the resulting alerts are collected by the FlexConnector. Windows event logs and database logs (for example Oracle), on the other hand, are collected directly by ArcSight connectors. Since this is a demo environment, we installed all these connectors on the same machine. For the same reason we do not see any network layer logs yet; in the mid-term a firewall is planned for the showroom, so that we may get logs from there.
A typical setup has all connectors on premise while the ArcSight ESM is installed in one of our Security Operations Centers (SOC), where the security analysts monitor all alerts via the ArcSight Console. Such a presentation is shown in the picture below: a dashboard giving an overview of the current security situation in our demo environment.
The left side shows the graph view, where red squares are sources, white squares are targets and blue circles are the events, or, in the case of ETD, the alerts. An analyst can easily spot highly active users and systems here. For example, one can quickly see that the user FF_SAPETD is very active on EC6 in client 020. The main issue is that this user executes a lot of monitored transactions, so a further investigation would be appropriate here.
The upper right corner shows the number of events by severity for the last few hours. There were no heavy spikes, so either the situation is normal or the time frame is too small to show a peak.
In the lower right corner, first the top 10 target systems are shown. EC6/020 is number one here, which corresponds to the findings in the graph view. Second, the distribution of the alerts is displayed: more than half of the alerts are due to unauthorized firefighter usage. In a productive environment this could be a hint that there is a problem with the firefighter process.
Use case Examples
Based on the additional information made available by the integration of SAP ETD into HPE ArcSight in our current demo environment, we developed two exemplary use cases. The first one shows how business-related alerts from ETD can help to prioritize an incident response. The second one detects deviations from the DSAG Prüfleitfaden in near real-time.
Targeted Incident Response
Imagine the following situation: an attacker tricked one of your SAP admins into opening a phishing mail containing a Trojan that allows complete control over the victim's PC. Unfortunately that admin was logged in to a business-critical system. The attacker now uses this session to establish a backdoor in the system by creating a new admin user.
The figure above shows the data flow during such an attack. The lower part shows the operational layer, where the compromised terminal accesses an SAP system. This system reports the activity to ETD, which raises an alert that is forwarded to ArcSight. Separately, the operating system log is sent to ArcSight directly.
From the OS log alone (i.e. the Windows Event Log), ArcSight can detect that there is Trojan activity on the system and will raise an alert anyway. But what if not one system is compromised but 50? Which one should be contained first? With the additional information from ETD, a security analyst can see immediately that on one system the infection is actively being used to further attack business-critical SAP systems, which makes the decision which one to address first quite easy.
For further forensic investigations one can drill down in ArcSight as well as in SAP ETD. The screenshot below shows an active channel in ArcSight displaying all events from the ArcSight connectors and the alerts from ETD for which the compromised system was either source or destination.
One can see that the firefighter user FF_SAPETD performed several actions in the system. To view more details about the activity of that user, a drill-down in SAP ETD is the best way. Such a forensic investigation can be seen in this screenshot:
The user performed several actions in the user management transaction (SU01) and some actions in the security policy transaction (SECPOL). One would now look into the event details to see exactly what happened in system EC6.
By combining alerts from ArcSight and ETD we can create less precise patterns in ETD and thereby detect more attacks. For example, we could create a pattern that triggers whenever the user management transaction (SU01) is executed. With ETD alone this would lead to a lot of false positives, since user management is a normal administrative activity. In combination with a compromised host, however, it becomes a real threat. So we only raise an alert if user management was performed from a compromised host.
Event Based Compliance Monitoring
For any IT organization, audits can be a huge burden. Furthermore, they only tell you that your systems are compliant (and, hopefully, secure as a consequence) at a certain point in time.
Event-based compliance monitoring not only makes audits easier but also shows you deviations from a compliant state in near real-time. This works as follows: first, it must be ensured that all systems are in a compliant state. From this point on we can detect changes in the system configuration and raise an alert that tells in detail which system violates which control. The responsible admin can then be informed and the issue resolved very quickly.
We decided to implement the DSAG Prüfleitfaden because it is the commonly used compliance standard for SAP systems. One has to keep in mind that not all controls from the DSAG Prüfleitfaden can be checked on a technical level, since some are of an organizational rather than technical nature. However, we try to implement as many technical controls as possible.
We found that violations of most controls can be detected in two ways: directly, by monitoring configuration changes, and indirectly, by observing activity that should not be possible in a compliant environment.
An example is control 1.3 in chapter 3.7 of the DSAG Prüfleitfaden, which requires that the user SAP* is created without any rights and locked in all clients. A direct detection of a violation would be a log entry stating, for example, that SAP* was unlocked. An indirect detection would be ETD detecting activity of SAP* on any productive system.
In an ideal world, direct detection should always be enough, but in reality many things can go wrong. Therefore we opted for this security-in-depth approach, which provides a more robust system.
The table below shows which parts of the DSAG Prüfleitfaden can be monitored by which solution. One can see that SAP ETD and HPE ArcSight are quite complementary.
The figure below shows an exemplary dashboard for DSAG Prüfleitfaden compliance. The most interesting part is the list in the lower right corner: the "To Do" list. Every compliance violation is shown there. Once the issue is resolved, the alert can be removed. An empty list therefore means that the entire SAP landscape is compliant at the moment, and whenever this changes a security analyst will be alerted. This is what we mean by "real-time compliance".
We are just at the beginning of developing joint use cases for ETD and ArcSight, but these first ideas already show the power of the integration between the two solutions. With a larger installation base, more use cases will be discovered and made available to all customers.
Another very important benefit of integrating ETD into ArcSight is that SAP monitoring capabilities can be added very easily to an existing SOC, whether it is customer-operated or delivered as a managed service.
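The two detections described above, the "user management only from a compromised host" correlation of the incident response use case and the direct and indirect checks for the SAP* control, as an added example that is not ArcSight ESM rule syntax or ETD pattern code. The event stream and all field names are constructed assumptions; the point is how the OS-log finding gates the otherwise noisy SU01 alert, and how the same control is watched both directly and indirectly.

```python
# Added example, not ArcSight ESM rule syntax: the two detections above written
# over a CONSTRUCTED, time-ordered stream of OS-log events and ETD alerts.
# All field names are assumptions; "prod" marks a productive SAP system.
EVENTS = [
    {"t": 1, "src": "winlog", "host": "WS-ADMIN-01", "type": "malware_detected"},
    {"t": 2, "src": "etd", "host": "WS-ADMIN-01", "system": "EC6",
     "user": "FF_SAPETD", "tcode": "SU01", "prod": True},
    {"t": 3, "src": "etd", "host": "WS-HR-07", "system": "EH6",
     "user": "HRADMIN", "tcode": "SU01", "prod": True},
    {"t": 4, "src": "etd", "host": "WS-ADMIN-01", "system": "EC6", "user": "ADMIN",
     "tcode": "SU01", "action": "unlock", "target_user": "SAP*", "prod": True},
    {"t": 5, "src": "etd", "host": "WS-DEV-03", "system": "ED6",
     "user": "SAP*", "tcode": "SE38", "prod": False},
    {"t": 6, "src": "etd", "host": "WS-HR-07", "system": "EH6",
     "user": "SAP*", "tcode": "SE16", "prod": True},
]

USER_MGMT_TCODES = {"SU01", "SU10"}   # user maintenance transactions

def run_rules(events):
    """Return (rule, system, user) tuples for every alert the rules raise."""
    compromised = set()   # hosts the OS log has flagged with malware
    alerts = []
    for ev in events:
        if ev["src"] == "winlog":
            if ev["type"] == "malware_detected":
                compromised.add(ev["host"])
            continue
        if ev["src"] != "etd":
            continue
        # Rule 1 (targeted incident response): user management alone is noise,
        # user management from an already compromised host is an alert.
        if ev["tcode"] in USER_MGMT_TCODES and ev["host"] in compromised:
            alerts.append(("USER_MGMT_FROM_COMPROMISED_HOST", ev["system"], ev["user"]))
        # Rule 2a (direct, DSAG control 1.3): SAP* was unlocked.
        if ev.get("action") == "unlock" and ev.get("target_user") == "SAP*":
            alerts.append(("SAPSTAR_UNLOCKED", ev["system"], ev["user"]))
        # Rule 2b (indirect, same control): SAP* active on a productive system.
        if ev["user"] == "SAP*" and ev["prod"]:
            alerts.append(("SAPSTAR_ACTIVE_ON_PROD", ev["system"], ev["user"]))
    return alerts
```

On the constructed stream, the SU01 call from the clean host WS-HR-07 stays silent, while the unlock of SAP* is caught directly and the later SAP* activity on EH6 is caught indirectly even though no unlock was logged for that system.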
Excellent article, thank you
Does SAP have reseller rights for HP ArcSight?
Excellent use case!
Good blog item! Just one addition: next to SAP ETD there are some alternatives in order to transfer SAP security events (filtered, correlated, ...) into HPE ArcSight. Out of the box there may only be an extractor for the Security Audit Log, though 3rd party vendors also offer SAP and HPE certified connectors.