If you want to secure something, you should always think holistically. It does not make much sense to position countless security cameras around a house, if the doors have no locks. The same can be applied to IT security; vulnerability assessment and the detection of unusual events cannot be separated from one another. In the SAP environment, there sadly was a huge gap between the two. Solutions for detecting potential attacks, like Enterprise Threat Detection (ETD) by SAP, and solutions for vulnerability assessments, like Virtual Forge SystemProfiler, close this gap.
But first, let’s take a step back: Until a few years ago, SAP security often was neglected. There were several reasons for that. For example, SAP systems were often managed separately from “normal” IT networks back then. Furthermore, the SAP technology varies from other IT applications, which led to the wide-spread view that SAP systems were “black boxes” – at least regarding security.
Luckily this changed, as companies now realized that SAP systems should not be just as secure as other applications, but due to the sensitive data stored in them, especially secure. For that reason, we from Virtual Forge developed SystemProfiler, which continuously and extensively inspects SAP systems for vulnerabilities, a few years ago. In turn, SAP offers Enterprise Threat Detection, which continuously and extensively detects potential threats. I purposely chose similar wording for both sentences, because the differentiation between vulnerability assessment and event detection regarding SAP security might not be entirely clear.
Yet, the explanation is quite simple, especially if an analogy is used: SystemProfiler inspects if all windows and doors are closed, while SAP ETD detects when somebody tries to break into the house. All who want security should obviously cover both aspects to really have a secure house – or to come back to the actual matter – a secure SAP system. Separated from one another, these two solutions do not offer a holistic approach. Coming back to the analogy, ETD shows me that somebody tried to break in. SystemProfiler in turn shows me that there are some vulnerabilities which might lead to a successful break-in. Both provide very important information but the connection between them is missing. Namely: Which vulnerability did the intruder take advantage of? Exactly this integration of both solution is available now, offering the possibility to view the security of a SAP system holistically for the first time. A comprehensive analysis of all vulnerabilities combined with an exhaustive analysis of events which pose potential threats.
In order to achieve this, the developers of SystemProfiler and their counterparts of SAP ETD put their heads together. The result is a direct and deepened integration of the results of SystemProfiler into the monitoring functions of SAP ETD. The advantages can be best shown with a few examples from the probably most extensive standard for SAP security: the audit guidelines set by DSAG (German SAP User Group).
Both solutions, SAP ETD and SystemProfiler, cover part of the audit guidelines. Naturally, ETD focuses on the detection of unusual events, while SystemProfiler analyses the technical inspections of the guidelines. The results of this analysis can be directly uploaded to SAP ETD due to the joint-integration. This again means that the patterns of SAP ETD can fully use this content. Only due to the interaction of SAP ETD and SystemProfiler, an extensive inspection of the DSAG guidelines is possible. Let’s take the notorious standard user SAP* as an example. Should the respective profile parameter have been set incorrectly (login/no_automatic_user_sapstar = 0) and therefore the user SAP* not exist, an attacker can log into the SAP system with SAP* and the password “PASS” without any problems. The standard patterns of ETD already detect such a problem, but can now be complemented with the results provided by SystemProfiler.
Another example shows how the standard patterns of SAP ETD can be complimented with SystemProfiler. SAP ETD primarily evaluates log files and in the newest version (SP6) also SAP security notes as well as a few important system parameters. SystemProfiler goes further with its 500 test cases and also covers other subjects. With the combination of SystemProfiler and ETD, attacks can now be detected and assessed, even if the attacks have not left a trace in the protocol files. For example, it is possible to grant extensive authorizations on the database level (e.g. the assignment of the profile SAP_ALL to a user). While SAP ETD can evaluate databank protocols, such a profile assignment would not be registered in any log within the SAP system. In contrast, SystemProfiler detects that there is an additional user with the privileges of the profile SAP_ALL and reports it to ETD. Existing patterns can be adjusted in a way so that this vulnerability cannot be used by attackers in the future. You can take a look at this example in a YouTube video: https://www.youtube.com/watch?v=rUJRj93XRCs
Back to our house analogy: If you are looking for a (reasonable) alarm system, you would know that such a system is made up of multiple components. In most cases, there are door and windows sensors, a few cameras and a command center that combines the Information of both components. In this analogy, SAP ETD represents the cameras as well as the command center. In turn, SystemProfiler represents the sensors. With the combination of SystemProfiler and ETD, such an alarm system is now available to SAP customers, regardless of complexity and size of the SAP system landscape.