FRAMEWORK
Contents
Introduction
PREDICT
  Asset Management
  Business Environment
  Governance
  Vulnerability Management
  Risk Management
  Secure Development
PREVENT
  Access Control
  Awareness and Training
  Data Security
  Secure Architecture
DETECT
  Event Management
  Threat Detection
  User Behavior
  Data Leakage
RESPOND
  Incident Response
  Clear Communications
  Continuous Analysis
  Mitigation
  Improvements
About EAS-SEC
About ERPScan
Introduction
The EAS-SEC SAP Cybersecurity Framework is intended to systemize all the activities necessary to
secure business applications such as ERP systems against cyberattacks, espionage, sabotage and fraud.
The growing number of incidents against ERP systems and the constant flow of newly discovered weaknesses
demand a change in the approach to security. Tackling myriad cybersecurity challenges in a
piecemeal manner exposes organizations to significant security risks. An enterprise security
team without C-level guidance, working with a disintegrated security solution stack, cloud
applications and eroding system boundaries, cannot keep up with the growing number of attacks.
Security managers need to solve the problem of disintegrated security and create the strategic options
and environment that ensure the security of business applications.
They should shift from overly relying on blocking and preventive mechanisms, such as access controls and
Segregation of Duties, to integrative approaches. Security managers should assume that
preventive mechanisms can and do fail, so ERP systems require continuous monitoring and
remediation.
Security managers should ensure that protection of business applications combines predictive,
preventive, detective and response capabilities and integrates seamlessly with enterprise security
processes such as incident, risk and compliance management.
We created the SAP Cybersecurity Framework to form a conceptual bridge between an integrated
adaptive security architecture and concrete actions. The framework articulates the critical areas of action for
establishing the security of ERP systems, describes the desired outcomes and provides a three-step approach to
succeed in each area.
The SAP Cybersecurity Framework implements the EAS-SEC approach, which unifies completeness of coverage
with priority of implementation. The framework gives you guidance on how to achieve results in all protection
areas with minimum effort for maximum effect.
The SAP Cybersecurity Framework applies Gartner’s adaptive security architecture approach to the area
of ERP security and describes four categories of ERP protection processes: predictive, preventive,
detective and responsive.
Each category contains specific protection processes, such as asset management, incident management
or threat intelligence. All the processes are in line with industry-recognized frameworks and
approaches from NIST, SANS, ISO and CIS, but reflect the specifics of ERP systems.
The SAP Cybersecurity Framework provides you with a three-step roadmap towards the realization of each
ERP security process:
• Implementing the first step is the minimum that lets you set up the basis for protection and
solve the most critical issues.
• The second step provides you with a sufficient level of security and requires a medium level of
effort.
• The third step includes all the advanced capabilities, such as automation, forensics and
collaboration, that provide cutting-edge security.
Regardless of the degree of effort you are ready to put in, the framework articulates the outcomes you
are expected to achieve, be it an Inventory of Assets, SAP Continuity Plans, an SAP Risk Register or SAP
Security Metrics. The difference lies in the extent of detail.
We encourage you to start small and implement the first step of each process: choose a
category, implement the first step of one of its processes, then switch to another category and process.
This gradually lets you cover all of the processes at a very basic level. After that you will be ready
to take ERP security to the next level by executing the second steps and finally the third steps. At every
moment of this building process you have all the capabilities you need to effectively secure enterprise
systems.
We believe the security of ERP systems should no longer be the poor cousin of enterprise security
and should receive due attention and strategic management, as it ensures the resiliency of core
enterprise operations.
The SAP Cybersecurity Framework is developed under the EAS-SEC initiative. Security professionals are
welcome to participate in creating a common, agreed and efficient standard for ERP security operations.
PREDICT
To understand the SAP system's environment, proactively prioritize and address system exposures
PREDICT ASSET MANAGEMENT
PREDICT BUSINESS ENVIRONMENT
PREDICT GOVERNANCE
• Establish an approach to communicate and address risks associated with the operation and
use of SAP applications in the context of the organization's operational risk management.
• Demonstrate top management leadership and commitment with respect to SAP
cybersecurity.
2. Develop SAP security processes:
• Develop descriptions for all SAP security processes relevant to the organization.
• Define SAP cybersecurity roles and responsibilities. Assign them to internal roles,
organizational positions and external parties.
• Implement SAP cybersecurity review in all management phases of SAP projects: project
objectives should include cybersecurity goals, the necessary security controls are identified, and
security assessment is part of the acceptance and testing of SAP systems.
3. Implement control procedures:
• Document and keep up to date all legislative, statutory, regulatory and contractual
requirements relevant to SAP systems.
• Develop specific controls and individual responsibilities to meet the relevant compliance
requirements.
• Prepare questionnaires and technical procedures to evaluate the compliance of SAP security
controls and processes.
PREDICT VULNERABILITY MANAGEMENT
• Conduct vulnerability assessments and security audits for SAP systems in use, before
acceptance and in development.
• Systematically assess SAP security controls through internal and external penetration tests.
• Communicate security assessments results in terms of security breach, fraud and compliance
risks.
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations:
• Prepare and maintain scan profiles for assets according to applicable compliance
requirements, security policies and protection guidelines.
• Prioritize remediation activities according to asset criticality, vulnerability risk and estimated
effort.
• Develop remediation plans to address security issues in SAP applications, security controls
and infrastructure.
• Maintain remediation knowledge database with description of executed corrections, applied
patches, secure configurations and context considerations.
3. Monitor vulnerabilities, remediations and threats online from public and private
sources and threat intelligence feeds:
• Monitor information about SAP vulnerabilities, new remediations and threats on vendor and
third-party websites, mailing lists, newsgroups and other notification services.
• Collect threat intelligence feeds and review them with regard to ERP security threats.
• Stay up to date with the latest research publications and security events.
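As an added example (not part of the EAS-SEC document): a Python scoring routine that ranks findings by the three factors the second step names, asset criticality, vulnerability risk and estimated remediation effort. The weights, the system IDs, the finding IDs and the CVSS values are constructed for illustration; a real program would take them from the asset inventory and the vulnerability scanner.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    asset: str            # SAP system ID (constructed sample values such as "PRD-ERP")
    criticality: int      # asset criticality from the inventory: 1 (low) .. 5 (business-critical)
    finding_id: str       # internal tracking id; placeholder, not a real SAP Note number
    cvss: float           # vulnerability base score 0.0 .. 10.0
    exploit_public: bool  # public exploit or active exploitation known from threat feeds
    effort: str           # estimated remediation effort: "low", "medium" or "high"


# Assumed effort divisors: a fix that costs more ranks lower at equal risk.
EFFORT_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.0}


def vulnerability_risk(f: Finding) -> float:
    """CVSS, uplifted by 50% when an exploit is public, capped at the CVSS maximum."""
    risk = f.cvss * (1.5 if f.exploit_public else 1.0)
    return min(risk, 10.0)


def priority_score(f: Finding) -> float:
    """criticality x risk / effort; input ranges are validated so bad inventory data fails loudly."""
    if not 1 <= f.criticality <= 5:
        raise ValueError(f"criticality out of range for {f.asset}: {f.criticality}")
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.finding_id}: {f.cvss}")
    if f.effort not in EFFORT_WEIGHT:
        raise ValueError(f"unknown effort class {f.effort!r}")
    return round(f.criticality * vulnerability_risk(f) / EFFORT_WEIGHT[f.effort], 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest score first; ties broken deterministically by asset and finding id."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.asset, f.finding_id))


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("PRD-ERP", 5, "VULN-001", 7.5, True, "medium"),   # production, exploit public
    Finding("PRD-ERP", 5, "VULN-002", 9.8, False, "high"),    # higher CVSS, but costly fix
    Finding("DEV-ERP", 2, "VULN-001", 7.5, True, "medium"),   # same flaw on a dev box
    Finding("QAS-HR", 3, "VULN-003", 4.3, False, "low"),      # cheap fix on a medium asset
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):6.2f}  {f.asset:8} {f.finding_id}")
```

Public exploit availability raises the risk term (capped at the CVSS maximum), so in the sample the 7.5 flaw with a known exploit on the production system outranks the 9.8 flaw that is hard to fix, and the effort divisor pulls the cheap QAS fix ahead of the same exploited flaw on the low-criticality development system.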
PREDICT RISK MANAGEMENT
PREDICT SECURE DEVELOPMENT
PREVENT ACCESS CONTROL
• Establish procedures and baseline security requirements for users and applications
that are granted access to SAP system services and endpoint devices.
• Implement two-factor authentication.
• Restrict access to administrative SAP services and anonymous access to critical web
services.
2. Implement role-based access control to SAP functionality:
• Define user and administrative roles for communicating with SAP systems. Establish
the organizational subjects that may occupy each role and the objects and actions that will be
available to it. Document the privileges that may be granted to the defined roles.
• Restrict admin profiles such as the SAP_ALL profile to administrators.
• Restrict unauthorized access to critical transactions, programs, remote function calls,
database tables, web services and other entities.
3. Enforce Segregation of Duties controls according to business process rules:
• Create an SOD matrix according to business process rules and best practices.
• Enforce SOD controls in SAP systems.
• Audit overrides of access control mechanisms: SOD conflicts and role-based access conflicts.
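As an added example (not part of the EAS-SEC framework): a small Python check that applies an SOD matrix to user-role assignments and reports conflicts, both those that arise from combining two individually clean roles and those built into a single role's design. The rule pairs, action names, role names and user IDs are constructed placeholders, not SAP authorization objects.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed SOD matrix: each pair names two actions one person must not hold together.
SOD_MATRIX: List[Tuple[str, str]] = [
    ("create_vendor", "post_vendor_payment"),
    ("create_purchase_order", "approve_purchase_order"),
    ("maintain_user", "assign_role"),
]

# Constructed role definitions: role name -> set of actions the role grants.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"create_vendor", "enter_invoice"},
    "Z_AP_PAYMENTS": {"post_vendor_payment"},
    "Z_PURCHASER": {"create_purchase_order"},
    "Z_PURCHASE_APPROVER": {"approve_purchase_order"},
    "Z_USER_ADMIN": {"maintain_user", "assign_role"},  # conflict built into one role
}

# Constructed user-to-role assignments.
USERS: Dict[str, List[str]] = {
    "AJONES": ["Z_PURCHASER"],
    "BASISADM": ["Z_USER_ADMIN"],
    "JSMITH": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],  # two clean roles, conflicting combination
}


@dataclass(frozen=True)
class SodConflict:
    user: str
    action_a: str
    action_b: str
    roles_a: Tuple[str, ...]  # roles granting action_a
    roles_b: Tuple[str, ...]  # roles granting action_b


def action_grants(user: str, users: Dict[str, List[str]],
                  roles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each action the user can perform to the roles that grant it."""
    grants: Dict[str, Set[str]] = {}
    for role in users.get(user, []):
        for action in roles.get(role, set()):
            grants.setdefault(action, set()).add(role)
    return grants


def find_sod_conflicts(users: Dict[str, List[str]], roles: Dict[str, Set[str]],
                       matrix: List[Tuple[str, str]]) -> List[SodConflict]:
    """Report every user holding both sides of a rule, naming the roles responsible."""
    conflicts: List[SodConflict] = []
    for user in sorted(users):
        grants = action_grants(user, users, roles)
        for a, b in matrix:
            if a in grants and b in grants:
                conflicts.append(SodConflict(user, a, b,
                                             tuple(sorted(grants[a])), tuple(sorted(grants[b]))))
    return conflicts


def intra_role_conflicts(roles: Dict[str, Set[str]], matrix: List[Tuple[str, str]]) -> List[str]:
    """Roles that violate a rule on their own; fixing the role removes the conflict for every holder."""
    return sorted(role for role, actions in roles.items()
                  if any(a in actions and b in actions for a, b in matrix))


if __name__ == "__main__":
    for c in find_sod_conflicts(USERS, ROLES, SOD_MATRIX):
        print(f"{c.user}: {c.action_a} via {c.roles_a} conflicts with {c.action_b} via {c.roles_b}")
    print("roles with built-in conflicts:", intra_role_conflicts(ROLES, SOD_MATRIX))
```

Reporting the granting roles alongside each conflict is what makes the audit actionable: a conflict that traces to one role (Z_USER_ADMIN here) is a role-design defect to fix once, while a conflict spread over two roles (JSMITH) is an assignment decision to revisit or to cover with a documented mitigating control.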
PREVENT AWARENESS AND TRAINING
OUTCOMES
• Training Materials. Training goals are identified for each category of SAP
system stakeholders and adequately addressed by awareness training
and education materials.
• Training Records. Education and training are tracked and provided on a
regular basis and in case of SAP system changes.
• Knowledge Assessment Reports. The level of cybersecurity awareness is
identified and managed for SAP stakeholders.
PREVENT DATA SECURITY
• Identify data representing information assets in SAP systems, their location and related
contractual, regulatory and legal requirements influencing security of the data.
• Establish an approach to label security attributes of data in SAP systems: metadata, visual
marking, handling rules, etc.
• Develop data handling rules and procedures for enforcing data security during acquiring,
modification, removal, transfers, and disposition of SAP system assets.
2. Protect data-in-transit using SNC and SSL/TLS:
• Document data flows between SAP systems and external systems along with the
security requirements for those connections.
• Implement cryptographic mechanisms to prevent unauthorized disclosure and detect
changes to data.
• Authenticate connected parties using certificates and PKI services, network controls and
additional safeguards.
3. Protect data-at-rest by encryption, secure storage location and tokenization:
• Employ cryptographic mechanisms to prevent unauthorized disclosure and detect changes
in stored data and system configuration.
• Remove defined data assets from online storage and keep them offline in a secure location.
• Conduct regular audits of SAP configuration, data security controls and handling procedures.
PREVENT SECURE ARCHITECTURE
• Secure connections between SAP systems and external systems (OT/ICS): proxy, SSO, etc.
• Choose an approach to document architecture of SAP systems: users, data, connections,
security domains, security controls and services, technical solutions.
2. Secure SAP communications:
• Create SAP communication schema.
• Ensure that SAP RFC connections are documented and secured (access is limited and
connection credentials are stored securely).
• Review that other connections to SAP systems (database, XI, SOAP, J2EE, HANA, etc.) are
justified by need and securely configured.
DETECT
To recognize threats, conditions and possible signs of compromise
Processes: Event Management, Threat Detection, User Behavior, Data Leakage
DETECT EVENT MANAGEMENT
3. Monitor SAP related network, systems, personnel and external service provider activities:
• Document auditable events, processing rules and event sources.
• Create event database, store data from diverse event sources
and enrich it by context information.
• Protect security-related data: encrypt event records, move data to a separate location
or a third-party storage provider, and ensure non-repudiation and long-term preservation
of event records.
DETECT THREAT DETECTION
• Acquire and maintain updated attack signatures database for IDS/IPS system.
• Subscribe to threat feeds from vendors and research teams for 0-day attack signatures.
• Ensure traffic of all SAP systems is monitored by IDS/IPS solutions.
2. Manually review SAP security events:
• Select threats to monitor inside SAP and identify data sources for them.
• Review SAP logs, traces and special reports to detect attacks.
• Use information about security attacks to assess SAP cybersecurity risks.
DETECT USER BEHAVIOR
• Identify privilege accounts and critical actions to monitor in SAP systems: account and role
operations, creation of data connections, modifying transactions, etc.
• Create list of reports and logs to monitor privileged account actions.
• Configure automated notification of the critical events.
REFERENCES
• Litan, A. and Phillips, T. (2017). Market Guide for User and Entity
Behavior Analytics. [online] Gartner.com. Available at:
https://www.gartner.com/doc/3538217/market-guide-user-entity-behavior
DETECT DATA LEAKAGE
OUTCOMES
• Data Marking Practice. The procedure for marking exported data reports and
data flows is defined.
• Leakage Conditions. The configuration settings that create conditions for
data leakage are defined.
• Leakage Detection Rules. Signs of possible data leakage are identified and
configured.
3. Monitor data flows and devices to detect data leakage in real time:
• Monitor data flows on a network level.
• Monitor endpoint devices and servers for presence of sensitive data exported
from SAP systems.
• Automate detection and notification of possible data leakage event combinations.
RESPOND INCIDENT RESPONSE
IMPLEMENTATION STEPS
1. Develop SAP security event correlation rules and incident alert threshold:
• Define possible attack vectors, select related signs of an incident and sources: alerts, logs,
RESPOND CLEAR COMMUNICATIONS
RESPOND CONTINUOUS ANALYSIS
OUTCOMES
• SAP Security Metrics. Metrics for SAP security controls and processes are
identified.
• SAP Security Dashboards. Security data is analyzed and presented in
dashboards.
• Forensic Procedures. Guidelines on gathering evidence from SAP systems
are prepared.
RESPOND MITIGATION
• Compile SAP security guidelines, recommendations and standards for SAP developers,
administrators and users.
• Create collaborative environment for sharing experience and knowledge management
on the SAP security and administrative topics (company portal, forum, Wikipedia, etc.)
• Encourage personnel to share knowledge and learn SAP security topics.
3. Deploy virtual patching and automatic correction tools for SAP security issues:
• Document security issues that cannot be resolved at the present time.
• Develop workarounds: virtual patching, network filtering, event detection controls, etc.
• Automate mitigation of detected issues with corrective controls.
RESPOND IMPROVEMENTS
PURPOSE: To learn from external events and improve SAP security processes
• Analyze SAP security updates and disseminate security notifications and security alerts to
members of the Security and BASIS teams.
• Study announcements about successful attacks and threats to SAP systems and distribute
them across the organization.
• Monitor security bulletin boards, hacker forums and the hacker underground (P2P networks,
community forums and social networks).
2. Attend SAP security events and trainings:
• Join SAP security communities and follow security vendors, research centers
and the most recognized security professionals.
• Participate in security conferences, online events and meetups.
• Attend trainings and courses, choose certification tracks for key security staff.
3. Assess effectiveness of SAP security controls:
• Prepare questionnaires, tools and guidelines to assess SAP security controls
and effectiveness and efficiency of security processes.
• Map automatic technical checks to SAP security controls and use automated tools to
obtain assessment results.
• Use security controls assessment results to improve SAP systems security plans and carry
out corrective actions.
About EAS-SEC
The EAS-SEC (Enterprise Application Systems Security) is an international organization established to
develop and implement security enabling practices for acquiring, operating, and maintaining
enterprise business applications.
EAS-SEC has several ongoing projects:
• Enterprise Application Security: Development Issues
• Enterprise Application Security: Vulnerability Assessment
• Enterprise Application Security: Awareness
EAS-SEC is an open community of security professionals and organizations willing to ensure the security of
their business applications. EAS-SEC provides the following forms of participation for EAS-SEC members:
• developing guidelines, tools and reports;
• providing professional expertise;
• conducting implementation case studies.
The framework provides you with guidance on how to achieve maximum protection in all security
areas with minimum effort.
Research results are distributed freely to the wider community. Members of EAS-SEC benefit from
collaborative sharing of experience and voluntary consulting during case studies.
info@eas-sac.org
eas-sec.org
ABOUT ERPScan
ERPScan is the most respected and credible Business Application Security provider. Named an
‘Emerging vendor’ in Security by CRN and distinguished by more than 40 other awards, ERPScan
is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan’s
primary mission is to close the gap between technical and business security, and to provide
solutions to evaluate and secure ERP systems and business-critical applications from both
cyber-attacks and internal fraud.
We use the ‘follow the sun’ principle and operate from two hubs, located in the Netherlands and the US,
to run local offices and a partner network spanning 20+ countries around the globe.
info@erpscan.com
erpscan.com