
EAS-SEC SAP CYBERSECURITY FRAMEWORK
Contents
Contents .... 2
Introduction .... 3
PREDICT .... 6
  Asset Management .... 7
  Business Environment .... 8
  Governance .... 9
  Vulnerability Management .... 10
  Risk Management .... 11
  Secure Development .... 12
PREVENT .... 13
  Access Control .... 14
  Awareness and Training .... 15
  Data Security .... 16
  Secure Architecture .... 17
DETECT .... 18
  Event Management .... 19
  Threat Detection .... 20
  User Behavior .... 21
  Data Leakage .... 22
RESPOND .... 23
  Incident Response .... 24
  Clear Communications .... 25
  Continuous Analysis .... 26
  Mitigation .... 27
  Improvements .... 28
About EAS-SEC .... 29
About ERPScan .... 30
Introduction
EAS-SEC SAP Cybersecurity Framework is intended to systemize all the activities necessary to secure business applications such as ERP systems from cyberattacks, espionage, sabotage and fraud.
The growing number of incidents against ERP systems and the constant flow of weaknesses demand a change in approach to security. The tendency to tackle myriad cybersecurity challenges in a piecemeal manner could expose organizations to significant security risks. An enterprise security team without C-level guidance, working with a disintegrated security solution stack, cloud applications and eroding system boundaries, cannot keep up with the growing number of attacks.
Security managers need to solve the problem of disintegrated security and create the strategic options and environment to ensure the security of business applications.
They should shift from overly relying on the blocking and preventing mechanisms of access controls and Segregation of Duties to integrative approaches. Security managers should assume that preventing mechanisms could and do fail, so ERP systems require continuous monitoring and remediation.
Security managers should ensure that protection of business applications combines predictive, preventive, detective and response capabilities and seamlessly integrates with enterprise security processes like incident, risk and compliance management.
We've created the SAP Cybersecurity Framework to form a conceptual bridge between integrated adaptive security architecture and actions. The framework articulates critical areas of action for establishing security of ERP systems, describes desired outcomes and provides a 3-step approach to succeed in each area.
SAP Cybersecurity Framework implements the EAS-SEC approach to unify completeness of coverage and priority of implementation. The framework provides you guidance on how to achieve results in all protection areas with minimum effort for maximum effect.
SAP Cybersecurity Framework implements Gartner's approach to adaptive security architecture in the area of ERP security and describes four categories for ERP protection processes: predictive, preventive, detective and responsive.
Each category describes specific protection processes, like asset management, incident management or threat intelligence. All the processes are in line with industry-recognized frameworks and approaches from NIST, SANS, ISO and CIS, but reflect the specifics of ERP systems.
SAP Cybersecurity Framework provides you a three-step roadmap towards the realization of each of the ERP security processes:

• Implementing the first step is the minimum that lets you set up the basis for protection and solve the most critical issues.
• The second step provides you with a sufficient level of security and requires a medium level of effort.
• The third step includes all the advanced things like automation, forensics, collaboration and other capabilities that provide you cutting-edge security.
Regardless of the degree of effort you are ready to put in, the framework articulates the outcomes you are expected to achieve: be it an Inventory of Assets, SAP Continuity Plans, SAP Risk Register or SAP Security Metrics. The difference is in the extent of detail.

We encourage you to start small and implement the first steps for each of the processes: choose a category, implement the first step for one of the processes, then switch to another category and process. This gradually lets you cover all of the processes at the very basic level. After that you will be ready to take ERP security to the next level by executing the second steps and finally the third steps. At every moment of this building process you have all the capabilities you need to effectively secure enterprise systems.
We believe the security of ERP systems shouldn't be the poor cousin of enterprise security any longer and should receive due attention and strategic management, as it ensures resiliency of core enterprise operations.
SAP Cybersecurity Framework is developed under the EAS-SEC initiative. Security professionals are welcome to participate to get a common, agreed and efficient standard of ERP security operations.

PREDICT
TO UNDERSTAND SAP SYSTEM'S ENVIRONMENT, PROACTIVELY PRIORITIZE AND ADDRESS SYSTEM EXPOSURES

PREDICT: ASSET MANAGEMENT

PURPOSE
To communicate information about assets in SAP systems, security category of the assets, protection requirements and rules of acceptable use.

OUTCOMES
• Inventory of Assets. The SAP systems, servers, applications, information assets, personnel and devices, related information systems and information flows are identified and updated on a regular basis.
• Criticality Assessments. Assets are prioritized according to their importance to the business.
• Acceptable Use Requirements. Rules, responsibilities and requirements for the acceptable use of the SAP systems are developed.

IMPLEMENTATION STEPS
1. Create an Inventory of Assets:
• Develop a classification schema and templates to describe different types of SAP assets: systems, servers, applications, services, information assets and devices.
• Establish procedures for creating and updating the Inventory of Assets during procurement, use and retention of the assets.
• Inventory assets and identify stakeholders of the assets: administrators, owners, users and third parties.
2. Assess criticality of the assets:
• Elicit and document contractual, regulatory and internal requirements for information assets inside the SAP systems.
• Develop an approach and procedure to assign and review the criticality level of assets.
• Mark assets according to their criticality level.
• Document requirements for acceptable use of assets of different types and criticalities during the lifecycle of the assets.
• Develop guidelines and controls for protecting assets according to their criticality level.
3. Develop a complete specification of the SAP systems:
• Inventory all modules, services and software on assets.
• Determine connections and information flows between assets, internal and external information systems and data providers for each SAP system.
• Establish requirements for third parties, vendors, contracts and contractors regarding security of SAP systems.

REFERENCES
• NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
• NIST SP 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.
• NIST SP 800-53 Rev. 4, CM-8.

PREDICT: BUSINESS ENVIRONMENT

PURPOSE
To provide SAP business context, ensure cybersecurity continuity of SAP systems and address cybersecurity in supplier relationships.

OUTCOMES
• Business Context. The organization's business processes, activities, stakeholders and resilience requirements for SAP systems are identified and prioritized.
• SAP Continuity Plans. SAP cybersecurity continuity requirements are identified and addressed by cybersecurity continuity controls.
• Supplier Catalogue. Suppliers and associated contracts are identified; cybersecurity requirements for suppliers are established and monitored in contracts and service deliveries.

IMPLEMENTATION STEPS
1. Identify Business Context:
• Identify the organization's activities and business processes (procure-to-pay, order-to-cash and so on), the corresponding SAP systems, and the external information systems and services required to achieve the organization's purposes.
• Identify stakeholders of business processes.
• Gather resilience requirements for SAP systems that support the organization's activities.
• Inform the assessment of asset criticality by performing criticality analysis of the corresponding business functions.
2. Prepare SAP Continuity Plans:
• Develop requirements for cybersecurity of SAP systems in adverse situations, e.g. under attack or during recovery.
• Document plans, response and recovery procedures for maintaining cybersecurity of SAP systems in case of a disruptive event.
• Integrate cybersecurity continuity controls with the organization's business continuity or disaster recovery activities.
3. Maintain Supplier Catalogue:
• Identify and mandate cybersecurity controls and requirements (notification, incident management, screening, audit, compliance and so on) in contracts to specifically address supplier access to the organization's SAP systems.
• Establish and agree cybersecurity requirements with each supplier that may access SAP systems. Review the requirements during changes to supplier agreements and development of any new applications and systems.
• Establish, monitor, review and audit supplier adherence to agreements regarding SAP cybersecurity. Implement a monitoring process for managing supplier audit trails, records of security events, operational problems, failures and disruptions related to the service delivered.

REFERENCES
• ISO/IEC 27001:2013, 15.1, 15.2, 17.
• NIST SP 800-53 Rev. 4, CP-2, PM-8, SA-12, PM-11, SA-14.
• NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems.

PREDICT: GOVERNANCE

PURPOSE
To develop cybersecurity policies, roles, responsibilities and procedures to ensure SAP cybersecurity is understood and integrated into the organization's operational and management processes.

OUTCOMES
• SAP Cybersecurity Policy. The organizational information security policy addresses SAP cybersecurity objectives, threat environment and controls.
• SAP Security Processes. Cybersecurity processes and procedures, roles and responsibilities are established and aligned with internal roles and external partners.
• SAP Control Procedures. Legal, regulatory and operational requirements regarding cybersecurity of SAP systems are identified, enforced and controlled in SAP systems.

IMPLEMENTATION STEPS
1. Establish SAP Cybersecurity Policy:
• Define SAP cybersecurity objectives and guiding principles, assign general responsibilities for SAP cybersecurity and communicate them to employees and relevant external parties.
• Establish an approach to communicate and address risks associated with the operation and use of SAP applications in the context of organizational operational risk management.
• Demonstrate top management leadership and commitment with respect to SAP cybersecurity.
2. Develop SAP security processes:
• Develop descriptions for all SAP Security Processes relevant to the organization.
• Define SAP cybersecurity roles and responsibilities. Assign them to internal roles, organizational positions and external parties.
• Implement SAP cybersecurity review in all management phases of SAP projects: project objectives should include cybersecurity goals, necessary security controls are identified, and security assessment is part of acceptance and testing of SAP systems.
3. Implement control procedures:
• Document and keep up to date all legislative, statutory, regulatory and contractual requirements relevant to SAP systems.
• Develop specific controls and individual responsibilities to meet relevant compliance requirements.
• Prepare questionnaires and technical procedures to evaluate compliance of SAP security controls and processes.

REFERENCES
• ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements. International Organization for Standardization.
• NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014.
• MacDonald, N. and Firstbrook, P. (2017). Designing an Adaptive Security Architecture for Protection From Advanced Attacks. [online] Gartner.com. Available at: https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection

PREDICT: VULNERABILITY MANAGEMENT

PURPOSE
To provide cybersecurity assurance in SAP systems by assessing vulnerabilities and reducing attack vectors.

OUTCOMES
• Scan Plans. Security testing covers all SAP systems.
• Scan Profiles. Relevant SAP risks, compliance and technical policies are translated into scan profiles and technical checks.
• Remediation Plans. The organization develops and implements remediation plans to address vulnerabilities in SAP systems.

IMPLEMENTATION STEPS
1. Regularly perform SAP security audits and penetration tests:
• Develop an annual scan plan to ensure gradual coverage of all SAP systems.
• Conduct vulnerability assessments and security audits for SAP systems in use, before acceptance and in development.
• Systematically assess SAP security controls through internal and external penetration tests.
• Communicate security assessment results in terms of security breach, fraud and compliance risks.
2. Repeatedly scan SAP systems for vulnerabilities, recommend and track remediations:
• Prepare and maintain scan profiles for assets according to applicable compliance requirements, security policies and protection guidelines.
• Prioritize remediation activities according to asset criticality, vulnerability risk and estimated effort.
• Develop remediation plans to address security issues in SAP applications, security controls and infrastructure.
• Maintain a remediation knowledge database with descriptions of executed corrections, applied patches, secure configurations and context considerations.
3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds:
• Monitor information about SAP vulnerabilities, new remediations and threats on vendor and third-party web sites, mailing lists, newsgroups and other notification services.
• Collect threat intelligence feeds and review them with regard to ERP security threats.
• Stay up to date with the latest research publications and security events.

REFERENCES
• NIST SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program, November 2005.
• NIST IR 7435, The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems.
• The SAP NetWeaver ABAP Platform Vulnerability Assessment Guide, 2014.

PREDICT: RISK MANAGEMENT

PURPOSE
To make decisions on addressing possible adverse impacts from the operation and use of SAP systems.

OUTCOMES
• Threat Model. The organizational approach to SAP cybersecurity risks is established.
• Risk Register. Risks from the operation and use of SAP systems are identified, prioritized and estimated.
• Risk Responses. Appropriate courses of action to accept, avoid, mitigate or transfer SAP cybersecurity risk are identified, evaluated and implemented.

IMPLEMENTATION STEPS
1. Create a threat model for SAP systems:
• Identify the scope (organizational entities, SAP systems, etc.) for SAP cybersecurity risk management activities and align them with enterprise risk management.
• Create a threat model for SAP systems: document and approve the risk assessment methodology: threat sources, vulnerabilities, attack scenarios and impacts.
• Develop risk assessment and response guidance.
2. Assess likelihoods and estimate business impacts of cybersecurity risks:
• Identify threats to and vulnerabilities in SAP systems and infrastructure.
• Analyze the likelihood of cybersecurity risks using vulnerability assessment results, surveys of subject matter experts and business impact analysis.
• Determine the risk to organizational operations if identified threats exploit identified vulnerabilities.
3. Automate risk management and develop risk response plans:
• Automate risk management by integrating Vulnerability Management, GRC platforms and Incident Response solutions.
• Identify and implement alternative courses of action to respond to SAP cybersecurity risks determined during the risk assessment.
• Create plans for monitoring the effectiveness of risk response measures and risk monitoring triggers.

REFERENCES
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.
• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, September 2012.
• COBIT 5, APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02.

PREDICT: SECURE DEVELOPMENT

PURPOSE
To ensure security during SAP systems development and acquisition.

OUTCOMES
• SAP Security Requirements. Cybersecurity requirements for the SAP systems in development are identified and addressed by security controls.
• Development Standards and Processes. SAP system development occurs within standard processes that consider secure practices and are documented and repeatable.
• Security Plans. All SAP systems have security plans in place describing the implemented security controls and solutions.

IMPLEMENTATION STEPS
1. Develop basic security requirements for the configuration of servers, networks, SAP applications and endpoints:
• Separate development, testing and production environments.
• Develop secure transport procedures.
• Assign and control access rights of developers (developer access keys and developer authorizations).
2. Create secure development standards and processes:
• Prepare development and coding standards, which include checking of developed systems for SAP vulnerabilities (code issues, obsolete statements, missing authorization checks, etc.).
• Provide security training for the development team.
• Ensure quality assurance plans address SAP security requirements: adherence to standards, passing of security assessments, proper documentation.
3. Automate secure development processes:
• Automate the secure development process in ITSM. Integrate code scanning tools into the automated development workflow.
• Use virtual patching for code issues which can't be quickly patched due to resource constraints. Document these issues, applied remediations and future considerations.
• Require developers and contractors to prepare security plans for each SAP system and authorize use of SAP systems on the basis of risk management and security control assessment results.

REFERENCES
• NIST SP 800-64 Rev. 2, Security Considerations in the System Development Life Cycle, October 2008.
• NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010.
• NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

PREVENT
TO REDUCE ATTACK SURFACE AREA AND BLOCK ATTACKERS BEFORE THEY IMPACT THE COMPANY
PROCESSES: ACCESS CONTROL, AWARENESS AND TRAINING, DATA SECURITY, SECURE ARCHITECTURE

PREVENT: ACCESS CONTROL

PURPOSE
To limit rights of authorized users and prevent unauthorized use of an SAP system.

OUTCOMES
• Access Rules. User and application access to SAP systems is based on need, documented and implements the principles of least privilege and segregation of duties.
• Access Mechanisms. Procedures for granting, changing and revoking access to SAP systems are established throughout the network, OS, DBMS and application layers.
• Access Control Reports. Access control mechanisms are continuously tested and comply with the access rules.

IMPLEMENTATION STEPS
1. Secure the network, servers and endpoint devices:
• Establish procedures and baseline security requirements for users and applications for granting access to SAP system services and endpoint devices.
• Implement two-factor authentication.
• Restrict access to administrative SAP services and anonymous access to critical web services.
2. Implement role-based access control to SAP functionality:
• Define user and administrative roles to communicate with SAP systems. Establish the organizational subjects that may occupy the role, and the objects and actions that will be available to the role. Document privileges that may be granted to the defined roles.
• Restrict access to administrative profiles such as the SAP_ALL profile to administrators.
• Restrict unauthorized access to critical transactions, programs, remote function calls, database tables, web services and other entities.
3. Enforce Segregation of Duties controls according to business process rules:
• Create an SOD matrix according to business process rules and best practices.
• Enforce SOD controls in SAP systems.
• Audit overrides of access control mechanisms: SOD conflicts, role-based access conflicts.

REFERENCES
• NIST Interagency Report 7316, Assessment of Access Control Systems, September 2006.
• SAP NetWeaver Security Guide, Network and Communication Security.
• Wagener, M. (2008). Practical Guide for SAP Security.

PREVENT: AWARENESS AND TRAINING

PURPOSE
To provide personnel and contractors with cybersecurity awareness education and training to perform their duties and responsibilities.

OUTCOMES
• Training Materials. Training goals are identified for each category of SAP system stakeholders and adequately addressed by awareness training and education materials.
• Training Records. Education and training are tracked and provided on a regular basis and in case of SAP system changes.
• Knowledge Assessment Reports. The level of cybersecurity awareness is identified and managed for SAP stakeholders.

IMPLEMENTATION STEPS
1. Enlist commitment of the Board and C-level executives:
• Choose an SAP security education provider and organize an SAP security awareness workshop.
• Maintain cybersecurity awareness of managers and senior executives by a regular digest of recent news.
• Demonstrate commitment of senior executives to secure operation of SAP systems by personal example and budget allocation.
2. Provide SAP security training for BASIS and security teams:
• Identify education goals and provide role-based security training and practical exercises to the BASIS team.
• Identify education goals and provide role-based security training and practical exercises to the security team.
• Test security awareness of the BASIS and security teams by periodic assessments and simulation of anomalous SAP system behavior.
3. Provide awareness training to SAP users:
• Prepare training materials, choose courses and third-party education providers.
• Provide basic and refresher security awareness training to SAP system users and contractors.
• Monitor awareness of SAP users by regular tests, simulating insider threats and anomalous SAP system behavior.

REFERENCES
• NIST SP 800-50, Building an Information Technology Security Awareness and Training Program.
• NIST SP 800-16 (DRAFT), A Role-Based Model for Federal Information Technology/Cybersecurity Training, March 2014.

PREVENT: DATA SECURITY

PURPOSE
To enforce requirements for confidentiality, integrity and availability of information in SAP systems on the data layer.

OUTCOMES
• Data Inventory. Data assets are identified and linked to the relevant organizational information assets.
• Data Flows. Data flows between SAP systems and external systems are identified along with requirements for protection of the represented information.
• Data Security Reports. The organization receives assurance that data in SAP systems, at rest and in transit, is protected in accordance with the value of the represented information.

IMPLEMENTATION STEPS
1. Classify data assets according to their value to the organization:
• Identify data representing information assets in SAP systems, their location and the related contractual, regulatory and legal requirements influencing security of the data.
• Establish an approach to label security attributes of data in SAP systems: metadata, visual marking, handling rules, etc.
• Develop data handling rules and procedures for enforcing data security during acquisition, modification, removal, transfer and disposition of SAP system assets.
2. Protect data in transit using SNC and SSL/TLS:
• Document data flows between SAP systems and external systems along with the security requirements for the connections.
• Implement cryptographic mechanisms to prevent unauthorized disclosure and detect changes to data.
• Authenticate connected parties using certificates and PKI services, network controls and additional safeguards.
3. Protect data at rest by encryption, secure storage location and tokenization:
• Employ cryptographic mechanisms to prevent unauthorized disclosure and detect changes in stored data and system configuration.
• Remove defined data assets from online storage and store them offline in a secure location.
• Conduct regular audits of SAP configuration, data security controls and handling procedures.

REFERENCES
• ISO/IEC 27001:2013, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3.
• COBIT 5, APO01.06, DSS06.06.
• NIST SP 800-154 (DRAFT), Guide to Data-Centric System Threat Modeling, March 2016.

PREVENT: SECURE ARCHITECTURE

PURPOSE
To ensure security of all SAP solutions throughout all SAP components, connections, infrastructure and security controls.

OUTCOMES
• SAP Security Architecture. SAP system components and interdependencies are identified and documented.
• SAP Security Controls. Common security services and specific SAP security controls are documented.
• SAP Technical Solutions. Technical solutions for SAP security controls are selected.

IMPLEMENTATION STEPS
1. Protect the SAP perimeter:
• Protect and configure SAP Router. Use SAP Web Dispatcher for external connections.
• Secure connections between SAP systems and external systems (OT/ICS): proxy, SSO, etc.
• Choose an approach to document the architecture of SAP systems: users, data, connections, security domains, security controls and services, technical solutions.
2. Secure SAP communications:
• Create an SAP communication schema.
• Ensure that SAP RFC connections are documented and secured (access is limited and connection credentials are stored securely).
• Review that other connections to SAP systems (database, XI, SOAP, J2EE, HANA, etc.) are justified by need and securely configured.
3. Integrate SAP security and enterprise security:
• Categorize SAP systems and identify boundaries between SAP systems and other enterprise subsystems.
• Allocate and implement common security controls in SAP systems according to the enterprise security policy.
• Examine all SAP connections, interfaces and security-relevant dependencies among subsystems and select security controls for the interconnections.

REFERENCES
• Sherwood Applied Business Security Architecture.
• Security Architecture Design Process for Health Information Exchanges (HIEs).
• NIST SP 800-53A Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, December 2014.

DETECT
TO RECOGNIZE THREATS, CONDITIONS AND POSSIBLE SIGNS OF COMPROMISE
PROCESSES: EVENT MANAGEMENT, THREAT DETECTION, USER BEHAVIOR, DATA LEAKAGE

DETECT: EVENT MANAGEMENT

PURPOSE
To collect information on SAP security-related events.

OUTCOMES
• Audit Events. The list of events to monitor is identified.
• Event Databases. Event data is collected in data stores.
• Event Collecting Procedures. Procedures for collecting the required set of events are established for all source systems.

IMPLEMENTATION STEPS
1. Configure the SAP Security Audit Log:
• Identify the set of events to monitor inside SAP systems.
• Configure SAP systems to store data related to the identified set of security events.
• Regularly review security events and disseminate findings among interested parties.
2. Collect SAP security-related events:
• Aggregate data related to a specific event from different sources (SAP logs, HTTP and gateway logs, and connected systems).
• Convert event records to a standardized format.
• Establish thresholds and alert rules for specific combinations of events.
3. Monitor SAP-related network, system, personnel and external service provider activities:
• Document auditable events, processing rules and event sources.
• Create an event database, store data from diverse event sources and enrich it with context information.
• Protect security-related data: encrypt event records, move data to a separate location or third-party storage provider, ensure non-repudiation and long-term preservation of event records.

REFERENCES
• NIST SP 800-184, Guide for Cybersecurity Event Recovery, December 2016
• NIST SP 800-92, Guide to Computer Security Log Management, September 2006

DETECT: THREAT DETECTION

PURPOSE
To detect attacks and possible threats to SAP systems.

OUTCOMES
• Threat Catalogue. A list of possible threats and attacks is identified.
• Threat Data Sources. For each threat, data collection rules are documented and implemented.
• Threat Detection Rules. For each threat, detection rules are created.

IMPLEMENTATION STEPS
1. Configure IDS/IPS systems to detect SAP attack signatures:
• Acquire and maintain an updated attack signature database for the IDS/IPS system.
• Subscribe to threat feeds from vendors and research teams for 0-day attack signatures.
• Ensure the traffic of all SAP systems is monitored by IDS/IPS solutions.
2. Manually review SAP security events:
• Select threats to monitor inside SAP and identify data sources for them.
• Review SAP logs, traces and special reports to detect attacks.
• Use information about security attacks to assess SAP cybersecurity risks.
3. Monitor potential attacks, security event combinations and anomalies:
• Document detection rules for discovering attacks and potential threats to information assets inside SAP systems and infrastructure components.
• Automate the continuous gathering of threat data, the application of detection rules and the generation of threat notifications.
• Integrate threat detection capabilities with the incident response process and automate the creation of incidents.
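
The detection logic called for by Event Management step 2 (standardized event format, thresholds and alert rules for combinations of events) and by step 3 above (documented detection rules applied automatically, producing notifications), as an added Python example that is not part of the framework: it normalizes constructed Security Audit Log-style records into one event format and applies a sliding-window rule that fires when repeated failed logons are followed by a successful one. The pipe-separated record layout is a simplification, not the real SAL file format, and AU2/AU1 are assumed SAL message IDs for failed and successful logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified pipe-separated layout, not the real
# Security Audit Log file format. AU2 (logon failed) and AU1 (logon successful)
# are assumed SAL message IDs; systems, users, terminals and times are made up.
RAW_SAL = """\
2024-03-01 08:00:01|PRD|AU2|JDOE|WS-0042|Logon failed
2024-03-01 08:00:09|PRD|AU2|JDOE|WS-0042|Logon failed
2024-03-01 08:00:15|PRD|AU2|JDOE|WS-0042|Logon failed
2024-03-01 08:00:21|PRD|AU2|JDOE|WS-0042|Logon failed
2024-03-01 08:00:30|PRD|AU1|JDOE|WS-0042|Logon successful
2024-03-01 09:15:00|PRD|AU2|ASMITH|WS-0099|Logon failed
2024-03-01 09:20:00|PRD|AU1|ASMITH|WS-0099|Logon successful
"""


def normalize(line):
    """Convert one raw record into the standardized event dictionary."""
    ts, system, msg_id, user, terminal, text = line.split("|", 5)
    return {"timestamp": datetime.fromisoformat(ts), "source": "SAP-SAL",
            "system": system, "event_id": msg_id, "user": user,
            "terminal": terminal, "message": text}


def parse_sal(raw):
    return [normalize(line) for line in raw.splitlines() if line.strip()]


def brute_force_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` AU2 events for one (system, user) within
    `window`, followed by an AU1 event, raises one alert. The sliding window
    drops old failures so occasional typos over a day do not accumulate."""
    alerts = []
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        key = (ev["system"], ev["user"])
        recent = [t for t in failures[key] if ev["timestamp"] - t <= window]
        if ev["event_id"] == "AU2":
            failures[key] = recent + [ev["timestamp"]]
        elif ev["event_id"] == "AU1":
            if len(recent) >= threshold:
                alerts.append({"rule": "failed-logons-then-success",
                               "system": ev["system"], "user": ev["user"],
                               "terminal": ev["terminal"],
                               "failures": len(recent), "at": ev["timestamp"]})
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(parse_sal(RAW_SAL)):
        print(alert)
```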

REFERENCES
• NIST SP 800-154 (DRAFT), Guide to Data-Centric System Threat Modeling, March 2016

DETECT: USER BEHAVIOR

PURPOSE
To detect deviations of user behavior from the typical behavior in SAP systems.

OUTCOMES
• Critical Actions Reports. Information on actions with critical SAP system objects is collected.
• Baseline Behavior Profiles. Normal behavior profiles of SAP users are determined.
• Anomaly Detection Rules. Signs of suspicious behavior are identified.

IMPLEMENTATION STEPS
1. Review privileged account activities:
• Identify privileged accounts and critical actions to monitor in SAP systems: account and role operations, creation of data connections, modification of transactions, etc.
• Create a list of reports and logs to monitor privileged account actions.
• Configure automated notification of critical events.
2. Establish profiles for SAP user behavior and detect anomalies:
• Baseline behavior profiles for SAP users and roles.
• Establish anomaly behavior thresholds and notification rules.
• Report anomalous SAP user behavior to responsible personnel or roles.
3. Monitor SAP business activities and SOD conflicts in real time:
• Implement an automated process of anomalous behavior detection and notification.
• Audit overrides of access control mechanisms (SOD conflicts, role-based access conflicts) in real time.
• Augment anomaly detection rules with business context from external sources: HR data, DLP, IAM, endpoint solutions and physical access control systems.
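
Steps 1 and 2 above (critical actions of privileged accounts, baseline profiles, anomaly thresholds) as an added Python example that is not from the framework: it builds a per-user baseline of transactions, terminals and working hours from constructed activity records and scores new activity against it, rating a critical transaction outside the baseline as high severity. The activity records, user names and terminals are constructed; the set of critical transaction codes is an assumed starting list to be replaced by the organization's own catalogue.

```python
from collections import defaultdict

# Constructed baseline activity (user, transaction code, hour of day, terminal)
# gathered during a reference period; names and terminals are made up.
BASELINE_ACTIVITY = [
    ("JDOE", "VA01", 9, "WS-0042"), ("JDOE", "VA02", 10, "WS-0042"),
    ("JDOE", "VA03", 14, "WS-0042"), ("JDOE", "VA01", 16, "WS-0042"),
    ("ASMITH", "SU01", 9, "WS-0099"), ("ASMITH", "PFCG", 11, "WS-0099"),
]
# Constructed activity to score against the profiles.
NEW_ACTIVITY = [
    ("JDOE", "VA01", 10, "WS-0042"),    # ordinary sales-order work
    ("JDOE", "SU01", 23, "WS-0777"),    # user admin at night, new terminal
    ("ASMITH", "PFCG", 10, "WS-0099"),  # routine for a role administrator
]
# Assumed list of critical transactions (user/role administration, RFC
# destinations, table browsing); tune it to the organization's own catalogue.
CRITICAL_TCODES = {"SU01", "PFCG", "SM59", "SE16"}


def build_profiles(records):
    """Baseline profile per user: transactions, terminals and active hours."""
    profiles = defaultdict(lambda: {"tcodes": set(), "terminals": set(),
                                    "hours": set()})
    for user, tcode, hour, terminal in records:
        profiles[user]["tcodes"].add(tcode)
        profiles[user]["terminals"].add(terminal)
        profiles[user]["hours"].add(hour)
    return dict(profiles)


def score_activity(profiles, records, hour_slack=1):
    """Flag records that deviate from the user's baseline. A critical
    transaction the user never ran during the baseline is rated high."""
    findings = []
    for user, tcode, hour, terminal in records:
        prof = profiles.get(user)
        reasons, severity = [], "medium"
        if prof is None:
            reasons.append("no baseline for user")
        else:
            if tcode not in prof["tcodes"]:
                if tcode in CRITICAL_TCODES:
                    reasons.append("critical transaction outside baseline")
                    severity = "high"
                else:
                    reasons.append("new transaction")
            if terminal not in prof["terminals"]:
                reasons.append("new terminal")
            if all(abs(hour - h) > hour_slack for h in prof["hours"]):
                reasons.append("outside usual hours")
        if reasons:
            findings.append({"user": user, "tcode": tcode, "hour": hour,
                             "terminal": terminal, "severity": severity,
                             "reasons": reasons})
    return findings
```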

REFERENCES
• Litan, A. and Phillips, T. (2017). Market Guide for User and Entity Behavior Analytics. [online] Gartner.com. Available at: https://www.gartner.com/doc/3538217/market-guide-user-entity-behavior

DETECT: DATA LEAKAGE

PURPOSE
To detect data leakages in SAP systems.

OUTCOMES
• Data Marking Practice. The procedure for marking exported data reports and data flows is defined.
• Leakage Conditions. The configuration settings that create conditions for data leakage are defined.
• Leakage Detection Rules. Signs of possible data leakage are identified and configured.

IMPLEMENTATION STEPS
1. Identify data leakage conditions in custom code and configuration:
• Identify configuration settings of an SAP system or its services that predispose it to data leakage.
• Review custom-developed code for possible data leakage conditions.
• Implement visual marking of reports exported from SAP systems.
2. Analyze security events to detect possible data leakage:
• Develop an approach to trace the security attributes of data records in logs.
• Define leakage detection rules on the basis of collected security events.
• Regularly review reports and event records to discover data leakage.
3. Monitor data flows and devices to detect data leakage in real time:
• Monitor data flows at the network level.
• Monitor endpoint devices and servers for the presence of sensitive data exported from SAP systems.
• Automate the detection and notification of possible data leakage event combinations.

REFERENCES
• NIST SP 800-94 Rev. 1 (DRAFT), Guide to Intrusion Detection and Prevention Systems (IDPS), July 2012

RESPOND
PROCESS TO INVESTIGATE ISSUES, DESIGN AND IMPLEMENT CHANGES TO SECURITY CONTROLS, AND LEARN FROM THE EXTERNAL ENVIRONMENT
• INCIDENT RESPONSE
• CLEAR COMMUNICATIONS
• CONTINUOUS ANALYSIS
• MITIGATION
• IMPROVEMENTS
RESPOND: INCIDENT RESPONSE

PURPOSE
To systematically respond to violations, or threats of violation, of SAP security policies and practices.

OUTCOMES
• Incident Definitions. Possible SAP security incidents are identified and categorized, and have assigned data sources and correlation rules.
• Incident Cases. Information on detecting and responding to security incidents is stored and tracked.
• Incident Response Plans. Plans of action for responding to the most significant and common incidents are prepared.

IMPLEMENTATION STEPS
1. Develop SAP security event correlation rules and incident alert thresholds:
• Define possible attack vectors, and select the related signs of an incident and their sources: alerts, logs, publicly available information and people.
• Establish an incident response team and staff it with people with appropriate skills. Provide them with ways and means of communication and with proper hardware and software.
• Profile networks and SAP systems, understand normal behavior and perform event correlation.
2. Develop SAP incident response and recovery plans:
• Define factors for prioritizing incidents: functional and security impact, and recoverability of incidents.
• Develop incident response procedures for various kinds of SAP cybersecurity incidents: containment, eradication, recovery and investigation.
• Establish rules for notifying different parties: C-level executives, system owners, system and network administrators, other incident response teams and the legal department (if appropriate).
3. Automate SAP incident response procedures:
• Implement an automated incident response process: security event analysis, incident identification, response and investigation.
• Regularly review effectiveness, and analyze and improve incident response procedures and correlation rules.
• Prepare to consult with external resources: CERTs, peer organizations, and contractors with SAP incident response and forensic expertise.

REFERENCES
• NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, August 2012
• NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006

RESPOND: CLEAR COMMUNICATIONS

PURPOSE
To establish a structure for SAP security responsibility in a business and provide means for clear communication between its members.

OUTCOMES
• Security Responsibilities. Responsibilities for the secure operation of SAP systems are identified and assigned.
• Security Roles Delineation. Security roles and responsibilities of BASIS, the security team and other parties are delineated.
• Cyber Threat Information. Information about cyber security threats is shared with external parties.

IMPLEMENTATION STEPS
1. Assign responsibilities for ensuring SAP security:
• Assign general and specific responsibilities for SAP security to C-level executives.
• Define business security responsibilities at the business unit level and establish SAP asset owners.
• Describe personnel responsibilities regarding access to and use of SAP systems.
2. Establish communications between security teams and other parties:
• Delineate SAP security responsibilities between Security and other parties (BASIS team, Audit, Network, etc.).
• Assign specific tasks to the Security and BASIS teams.
• Establish ways and means of communication between all parties and establish conflict resolution procedures.
3. Establish communications with third-party companies and threat intelligence providers:
• Identify existing internal sources of cyber threat information and establish information sharing rules.
• Join and participate in information sharing efforts with vendors, peer organizations and research centers.
• Use secure, automated workflows to publish, consume, analyze and act upon cyber threat information.

REFERENCES
• ISO 27002:2013, 5.1 Management direction for information security
• NIST SP 800-150, Guide to Cyber Threat Information Sharing, October 2016

RESPOND: CONTINUOUS ANALYSIS

PURPOSE
To provide insights into the state of SAP security.

OUTCOMES
• SAP Security Metrics. Metrics for SAP security controls and processes are identified.
• SAP Security Dashboards. Security data is analyzed and presented in dashboards.
• Forensic Procedures. Guidelines on gathering evidence from SAP systems are prepared.

IMPLEMENTATION STEPS
1. Develop SAP security metrics:
• Identify the stakeholders of security measures and the goals of measurement.
• Document security metrics: goals, formulas, targets, implementation evidence, frequencies, responsible parties, data sources, etc.
• Report regularly on the state of SAP security to stakeholders using the security metrics.
2. Automate tracking of SAP security metrics and analyze trends:
• Implement an automated process for collecting, calculating and tracking SAP security trends.
• Create SAP security dashboards and notifications for various parties.
• Use security metrics to manage SAP security processes: connect metrics to process goals, collect data and analyze results, identify and apply corrective actions, and set new target levels for metrics.
3. Develop SAP forensic investigation procedures:
• Prepare SAP systems for data collection: perform regular backups, enable auditing, forward critical event records to centralized log servers, and maintain baseline system configurations.
• Identify forensic goals and create guidelines for carrying out common forensic procedures: acquiring data from SAP systems, preserving the integrity of evidence, examining and analyzing SAP data, and case reporting.
• Build and maintain the skills of the forensic team through ongoing training, education and hands-on exercises.

REFERENCES
• NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security, July 2008
• NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006

RESPOND: MITIGATION

PURPOSE
To design, model and make changes to the security of SAP systems.

OUTCOMES
• Knowledge Base. Information on SAP security controls and best practices is collected, stored and provided to all stakeholders.
• Security CMDB. Changes to SAP security configuration are managed consistently.
• Security Workarounds. Security workarounds and their implications are identified.

IMPLEMENTATION STEPS
1. Develop an SAP security controls knowledge base:
• Compile SAP security guidelines, recommendations and standards for SAP developers, administrators and users.
• Create a collaborative environment for sharing experience and for knowledge management on SAP security and administrative topics (company portal, forum, wiki, etc.).
• Encourage personnel to share knowledge and learn about SAP security topics.
2. Implement task and change management practices for SAP systems:
• Baseline SAP system configurations and maintain versions of the configuration.
• Implement formal change management for SAP configuration and track change requests and approvals.
• Detect unapproved changes in configuration and investigate the reasons for them.
3. Deploy virtual patching and automatic correction tools for SAP security issues:
• Document security issues that cannot be resolved at the time.
• Develop workarounds: virtual patching, network filtering, event detection controls, etc.
• Automate mitigation of detected issues with corrective controls.
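
Step 2 above (baseline the configuration, manage changes formally, detect unapproved changes) as an added Python example that is not the framework's or any vendor's code: it diffs the current profile parameters against the approved baseline, marks each difference as approved only when an approved change request covers that exact value, and rolls approved differences into the next baseline version. The parameter names are real SAP profile parameters; the values and the change records are constructed.

```python
# Baseline of SAP profile parameters recorded when the configuration was last
# approved. Parameter names are real SAP profile parameters; the values and
# change records below are constructed for this example.
BASELINE_PARAMS = {
    "login/min_password_lng": "12",
    "login/fails_to_user_lock": "5",
    "rdisp/gui_auto_logout": "900",
    "auth/rfc_authority_check": "1",
}
# Values read from the system now (constructed).
CURRENT_PARAMS = {
    "login/min_password_lng": "8",                  # weakened; CR was rejected
    "login/fails_to_user_lock": "5",
    "rdisp/gui_auto_logout": "1800",                # covered by CR-1001
    "auth/rfc_authority_check": "1",
    "login/password_downwards_compatibility": "5",  # appeared without a CR
}
# Constructed change records exported from the change management process.
CHANGE_REQUESTS = [
    {"id": "CR-1001", "parameter": "rdisp/gui_auto_logout",
     "new_value": "1800", "status": "approved"},
    {"id": "CR-1002", "parameter": "login/min_password_lng",
     "new_value": "8", "status": "rejected"},
]


def detect_drift(baseline, current, change_requests):
    """Compare current parameters with the baseline; a difference counts as
    approved only if an approved change request names that exact value."""
    approved = {(c["parameter"], c["new_value"])
                for c in change_requests if c["status"] == "approved"}
    findings = []
    for param in sorted(set(baseline) | set(current)):
        old, new = baseline.get(param), current.get(param)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "changed"
        findings.append({"parameter": param, "kind": kind, "baseline": old,
                         "current": new, "approved": (param, new) in approved})
    return findings


def unapproved_changes(findings):
    """Differences that need investigation before the baseline is updated."""
    return [f for f in findings if not f["approved"]]


def apply_approved(baseline, findings):
    """Roll approved differences into a new baseline version."""
    updated = dict(baseline)
    for f in findings:
        if f["approved"] and f["current"] is None:
            updated.pop(f["parameter"], None)
        elif f["approved"]:
            updated[f["parameter"]] = f["current"]
    return updated
```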

REFERENCES
• Linkies, M. and Off, F. (2006). SAP Security and Authorizations. 1st ed. Fort Lee (NJ): Galileo Press.

RESPOND: IMPROVEMENTS

PURPOSE
To learn from external events and improve SAP security processes.

OUTCOMES
• Improvement Suggestions. Suggestions for improving SAP security controls based on security events and news.
• Controls Assessments. Results of assessing the efficiency of SAP security controls.

IMPLEMENTATION STEPS
1. Continuously analyze SAP security updates and threats:
• Analyze SAP security updates and disseminate security notifications and security alerts to members of the Security and BASIS teams.
• Study announcements about successful attacks and threats to SAP systems and redistribute them across the organization.
• Monitor security bulletin boards, hacker forums and the hacker underground (P2P networks, community forums and social networks).
2. Attend SAP security events and trainings:
• Join SAP security communities and follow security vendors, research centers and the most recognized security professionals.
• Participate in security conferences, online events and meetups.
• Attend trainings and courses, and choose certification tracks for key security staff.
3. Assess the effectiveness of SAP security controls:
• Prepare questionnaires, tools and guidelines to assess SAP security controls and the effectiveness and efficiency of security processes.
• Map automatic technical checks to SAP security controls and use automated tools to obtain assessment results.
• Use security control assessment results to improve SAP system security plans and carry out corrective actions.

REFERENCES
• support.sap.com. (2017). Support Portal. [online] Available at: https://support.sap.com/securitynotes
• NIST SP 800-53 Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, December 2014

About EAS-SEC
The EAS-SEC (Enterprise Application Systems Security) is an international organization established to
develop and implement security enabling practices for acquiring, operating, and maintaining
enterprise business applications.
EAS-SEC has several ongoing projects:
• Enterprise Application Security: Development Issues
• Enterprise Application Security: Vulnerability Assessment
• Enterprise Application Security: Awareness
EAS-SEC is an open community of security professionals and organizations willing to ensure the security of
their business applications. EAS-SEC provides the following forms of participation for EAS-SEC members:
• developing guidelines, tools and reports;
• providing professional expertise;
• conducting implementation case studies.
The framework provides you with guidance on how to achieve maximum protection in all security
areas with minimum effort.
Research results are distributed freely to the wider community. Members of EAS-SEC benefit from
collaborative sharing of experience and voluntary consulting during case studies.

info@eas-sac.org

eas-sec.org

ABOUT ERPScan
ERPScan is the most respected and credible Business Application Security provider. Named an
‘Emerging Vendor’ in Security by CRN and distinguished by more than 40 other awards, ERPScan
is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan’s
primary mission is to close the gap between technical and business security, and to provide
solutions to evaluate and secure ERP systems and business-critical applications from both
cyber-attacks and internal fraud.
We use the ‘follow the sun’ principle and operate from two hubs, located in the Netherlands and the US,
which run local offices and a partner network spanning 20+ countries around the globe.

info@erpscan.com

erpscan.com
