SAP Enterprise Threat Detection (SAP ETD) allows early detection of critical events in the SAP environment and enables IT Security Analysts to take appropriate measures to stop a cyber attack or fraud incident. Security-critical events are determined upon evaluation of log files that are compared with known attack patterns in real-time. But what happens if an attack leaves no trace in the log file?
BY DENIS BORMOTOV, VIRTUAL FORGE
SAP ETD provides the ability of analysis and event correlation of a huge log amount. Being capable of processing different logs, SAP ETD empowers Security Analysts with an effective tool that allows to obtain security relevant information about ongoing activities or anomalies in real-time and compare them against events that happened in the past.
An average SAP system can have a vast number of logs and more than several thousand events generated per second. This number can increase during an ongoing attack. SAP ETD helps to handle and process this enormous amount of data utilizing the underlying HANA database and by comparing the incident data against known attack patterns.
Relying solely on logs, SAP ETD can still miss important security events as they leave no traces in the logs. This is where Virtual Forge SystemProfiler can reinforce and complement SAP ETD.
SystemProfiler helps Administrators to validate the status of the thousands of configuration settings and changes that happen in the entire SAP environment on a daily basis by utilizing the most advanced techniques.
Eliminating security flaws before they appear makes the SystemProfiler approach proactive and most effective. From the perspective of critical security events, SystemProfiler takes advantages of securing SAP systems beforehand. Having awareness of what types of flaws to expect allows to develop proactive approach to system security and configuration hardening.
The integration of SystemProfiler with SAP ETD let Security Analysts benefit from both approaches and leads to a comprehensive security lifecycle: From detecting vulnerabilities to mitigating activities up to sustaining a valid security state.
In the integration scenario I am going to describe, suspicious and malicious activities detected by SAP ETD are complemented by SystemProfiler findings. Moreover, SystemProfiler configured on the basis of newly found vulnerabilities responding to the threat by protecting the systems through a constant configuration validation process.
An Incident That Leaves No Trace
One example of the attacker activities recognized by the combination of both solutions is a spear phishing attack with a malicious Email attachment. The attack is simple: The sender pretends to be a colleague or a friend. A plausible reason convinces the victim to click and open the file. By doing so, a short VBA script is executed and exposes a known but unpatched vulnerability in a SAP system. In a more sophisticated scenario, this could even result in a user with extensive permissions being created directly at the database level.
This attack leaves no traces in the SAP logs because the user created cannot be seen in transaction SU01 with F4 search. But during the SystemProfiler inspection this kind of hidden user is been detected and reported to SAP ETD. The actual absence of an entry in the User Change log and as a result the alert generated by a standard ETD pattern for that type of scenario indicates that this may be a serious security incident.
As ETD detects and alerts the suspicious activity, a Security Analyst can start investigating the alert by leveraging both data repositories in the SAP ETD database: log file events and configuration scan result findings generated by SystemProfiler. The following YouTube video shows a demo of how SAP ETD and SystemProfiler can be both leveraged to detect the attack.
How To Configure SAP ETD with SystemProfiler
The configuration requires flat files integration through the SystemProfiler SIEM interface and SAP SDS projects for CEF file import. Lets start with the CEF interface.
SAP HANA SDS provides the capability of using CEF files for third party products integration into SAP ETD. This is achieved by using CEF parser projects. A good overview on CEF parser projects gives this blog post „Ingesting logs in CEF format in SAP Enterprise Threat Detection“ by Jürgen Frank.
Standard CEF header can be parsed by the project automatically. Header information contains timestamp, vendor and product name, product version, event ID, event text, and severity. CEF file extension carries all the information relevant to the event and the system event originator.
For project configuration CCX and CCR files must be deployed either in SAP HANA studio with SDS plugin installed or in the Streaming Projects tile at SAP HANA Smart Data Streaming Administration and Monitoring group in HANA Cockpit.
Make sure if you implement any changes in the CCL file to compile the project. This can be necessary in case you would like to adapt the CEF file parsing so that CEF extension containing important data will be assigned to ETD fields.
Standard CEF parser project behavior deletes the file after processing. This is necessary to avoid duplicate results in SAP ETD. Make sure you set up the correct OS permissions to the transfer folder so that it can be handled.
SystemProfiler SIEM Configuration
SystemProfiler is capable of providing the findings to other systems in the format of CEF files. The functionality called SIEM Configuration requires the configuration of test cases. SystemProfiler offers an out of the box configuration for some test cases which can be further extended.
The SystemProfiler architecture consists of a Central system as a server and Target systems as satellite systems. All configuration is performed in the Central system. This system will be the System Reporter of all the findings detected in the Target and in the Central system itself also. All the relevant to the identified threats information reported by SystemProfiler will be written in the CEF file.
The configuration requires setup of background Dispatcher runs and settings for the logical filenames and path as well as physical filename and path assignment.
By choosing the logical file one should pay close attention to the limitations SAP SDS has. SAP SDS Sandboxing security feature restricts access to the data files for projects in a cluster. The file path will look like /hana/data_streaming/<SID>/<tenant>/adapters/<workspace>/. Where <tenant> is SAP HANA database tenant name and <workspace> is workplace that you define. Only mounting this folder as a physical path at the SAP ABAP system side will allow to maintain constant file transfer. You can also create a subfolder for file transfer and this folder will be the value that you enter at the SAP SDS side.
Now the data is available in SAP ETD for exploring, building new patterns and alerting.
SAP ETD is the missing piece in SAP security: now, attacks against SAP environments can be detected in real-time. ETD is an open platform that allows to add custom content and to integrate with 3rd party solutions. By integrating other solutions, you are not only gaining the best of both worlds but also having some new unique features which are not found in the standalone products.
Using SAP ETD with SystemProfiler will allow you to make your entire SAP landscape comprehensively protected against threats utilizing the most advanced technologies of in-memory database, real-time protection and content gathered in more than ten years of SAP-related penetration tests and security projects.