
Deloitte - ArcSight for SAP SE Overview

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 10 min read

Summary:

### Summary of the Document Analysis

This document discusses the role of ArcSight ESM (Enterprise Security Manager) in enhancing enterprise security by detecting threats such as backdoor accounts and misuse of privileged access. The tool is capable of inferring and adapting to risk behavior based on ongoing activity, which helps organizations take preemptive measures against potential cyber threats.

### Key Points Discussed

1. **Backdoor Accounts**: ArcSight ESM can detect the presence of a backdoor account by monitoring accounts that are locked and then unlocked from the same workstation. This is achieved through specific solutions that dynamically monitor and alert on suspicious activity related to shared or misused accounts.
2. **SAP Account Sharing**: The document highlights the risk of sharing SAP accounts, particularly when multiple individuals share one account on a production instance. Misuse of such accounts can lead to unauthorized access and security vulnerabilities.
3. **ArcSight ESM Solutions**: The tool has specific solutions for detecting use of one ID from multiple locations, RFC calls across different workstations (exempting certain portal systems), and raising awareness of at-risk users accessing SAP.
4. **HR Account Management Issues**: The document addresses a case where a former employee's account was still active in SAP despite having been disabled in Active Directory. This inconsistency highlights the need for better synchronization between HR systems and SAP to prevent unauthorized access.

### Recommendations

1. **Synchronize Account Deactivation**: To avoid problems with misused or shared accounts, ensure that any change to user status (such as disabling an account) is applied consistently across all relevant systems, including Active Directory and SAP.
2. **Monitor Activity Outside Standard Windows**: Use ArcSight ESM to monitor sensitive transactions performed outside the standard maintenance windows, to prevent misuse of privileges and unauthorized access.
3. **Raise Awareness of At-Risk Users**: Continuously assess user activity against enterprise meta-directories such as Active Directory to identify at-risk users who may retain access because of account management issues, with particular attention to contractors and new employees.

### Conclusion

The document underscores the importance of using advanced security tools such as ArcSight ESM to proactively detect and respond to threats such as backdoor accounts and misuse of privileged access. By implementing these recommendations, organizations can significantly reduce the risk of data breaches and other serious security incidents.

Details:

Deloitte has formed a strategic alliance with HP/ArcSight, focusing on enhancing security services and risk consulting for clients. As the market leader in this field, Deloitte aims to grow its revenue from security services quickly by committing to aggressive training programs, hiring professionals, and actively acquiring new partners. The partnership combines Deloitte's expertise in security and risk consulting with HP/ArcSight’s SIEM software to provide comprehensive solutions for clients facing increasing cyber threats. Through this alliance, Deloitte has committed to integrating ArcSight into its service delivery model, aiming to drive client revenue through a go-to-market program that differentiates the ESP (Enterprise Security Platform) in the market and targets dominance of the security and privacy ("S&P") market. The partnership is positioned to scale and dominate the SIEM software market, supported by significant offshore resources trained and aligned with Deloitte's strategic goals. For contact information related to this alliance, Deloitte representatives including Steve Livingston, Scott Alexander, Glen Holland, and Mark Fernandes can be reached via email.

This document discusses the integration of ArcSight with SAP GRC (Governance, Risk Management, and Compliance) solutions. It highlights how organizations can use this technology to enhance their risk management capabilities, particularly across supply chain, business intelligence, financials, risk and compliance, customer relationship management, mobile platforms, eCommerce, and human resources. The document also addresses the regulatory trends that require a more robust approach to compliance, such as increased vigor in enforcement and evolving demands from different countries.

The integration of ArcSight with SAP provides several benefits, including real-time monitoring and alerts, advanced data analysis for threat detection, improved correlation capabilities, and enhanced risk management across business functions. The document emphasizes that while there are economic drivers such as the cost implications of recession or changes in consumer behavior, there is also a growing expectation from stakeholders that companies develop compliance programs with preventive, detective, and remediation capabilities. The document includes detailed use case examples, screenshots (Appendix A), and an overview of the ArcSight SAP GRC integration (Appendix B). It concludes with a discussion of the value of SIEM in managing risk within an SAP environment, particularly in scenarios such as disgruntled IT employees or outside contractors manipulating system configuration for financial gain. The document underscores that while such events can cause significant disruption, effective use of technology such as ArcSight can mitigate potential realized-loss scenarios and improve overall risk management practices.

The article discusses the challenges SAP customers face in managing compliance and regulation, with over 90% lacking an effective application strategy. It notes that risk data is often collected and analyzed manually, providing only a snapshot of compliance rather than real-time proof. In addition, existing SIEM (Security Information and Event Management) deployments may not be able to connect to and monitor key SAP controls natively without complex integration projects. The future state envisioned for SIEM with SAP aims to address these challenges by automating manual monitoring, minimizing regulatory fines, preventing data leakage, protecting intellectual property, reducing the effort of collecting compliance assessment information, and improving network security monitoring.

The ArcSight SAP Enterprise View solution is introduced as a possible answer, consisting of four modules: Collection Layer, Analytical Layer, Correlation Layer, and Multi-Dimensional Correlation Layer. These modules include correlation rules, threat models, statistical anomaly detectors, reports, and related content that extend SIEM capabilities to SAP environments. In summary, the article outlines ArcSight SAP Enterprise View as a way to improve compliance management in SAP environments by automating processes, enhancing network monitoring, minimizing risk, and protecting sensitive information through integration modules tailored to SAP systems.

The text discusses the monitoring of privileged accounts to achieve objectives such as risk reduction and compliance, particularly in the context of ArcSight / SAP High-Risk Transactions Monitoring. It highlights the importance of managing higher-risk users (such as contractors) to protect intellectual property and personally identifiable information (PII), and to enforce segregation of duties in SAP systems. The use cases are drawn from a Deloitte library of SAP application content and directly address security risks and compliance issues related to program execution, table maintenance, remote interface functions, batch job schedules, the transport management system, user event correlation across multiple systems, and physical access correlation for sensitive users. The text also presents a scenario in which Robert Jackson, an SAP BASIS administrator with extensive system access, attempts unauthorized use of a high-risk transaction, specifically payment fraud, to demonstrate the importance of monitoring such actions in sensitive environments.

The scenario presented focuses on protecting Intellectual Property (IP) by addressing risks such as theft of sensitive information and segregation-of-duties fraud. In the first part, a former contractor named Robert was able to extract highly sensitive bill-of-material data from an SAP system after gaining physical access to the Windows directory of a disabled, inactive branch employee. This allowed him to bypass typical security measures such as the user termination process, which is prone to errors and slow because of SAP-specific requirements. The second part of the scenario emphasizes preventing Segregation of Duties (SoD) fraud by highlighting unapproved changes to critical production configuration settings, direct program execution, and direct table maintenance that can lead to unauthorized data access. These actions were performed through remote interface functions and batch job schedules that do not comply with approved procedures. In both scenarios, ArcSight logging is implied as the means of monitoring and correlating events related to these risks. By doing so, potential threats such as theft or misuse of sensitive information can be detected early, allowing more efficient prevention and response.

The summary also describes a risk scenario in which Robert Jackson uses his privileged user account to bypass the change management process in the organization's transport management system. This unauthorized use of a privileged account lets him create sales orders for a fictitious "local sports" customer and associate them with a new ship-to address that is not linked to any existing customer or location. By doing so, Robert avoids the control measures associated with existing customers and eventually sells the goods on eBay for personal gain. ArcSight, an enterprise security management product, detects these events through its system access analysis capabilities. It identifies conflicting roles (Segregation of Duties, SoD) as the primary means by which Robert Jackson executes unauthorized transactions.
The detection logic in ArcSight matches the source and destination addresses linked to RJACKSON, indicating potential fraudulent activity, which is then confirmed by reviewing SAP transaction details such as the creation of fictitious ship-to addresses and sales orders. To prevent this type of fraud, organizations are advised to follow a structured approach involving multiple stakeholders: the CIO, CFO, CISO, internal control team, and SAP security experts from Deloitte or similar partners. This integrated approach helps build a client-specific strategy to manage privileged account usage effectively and detect potential fraud by unauthorized users such as Robert Jackson.

The text discusses the integration of SAP and ArcSight, focusing on enhancing risk management through advanced analytics. Key points include:

1. Combining R&D Administrators with SAP and ArcSight groups to improve internal audit and SOC (Security Operations Center) management practices.
2. Demonstrations showcasing the capabilities of the combined systems, including visualizations such as drill-down dashboards for risk analysis and threat detection.
3. Specific examples of how ArcSight's solutions can be leveraged:

  • Using SAP Enterprise View to analyze overall SAP risk status through advanced visualizations.

  • The SAP Risk Analysis Model identifies statistical anomalies in user activity, such as transactions that exceed expected rates.

  • Pattern Discovery within the SAP environment detects transactional patterns outside normal behavior and reveals detailed interactions between high-risk users and SAP systems.

4. Integration with SAP GRC (Enterprise Governance, Risk Management) through ArcSight: this allows detailed inspection of transaction data to verify Segregation of Duty rules, monitoring of emergency access activity, and detection of anomalies in centralized emergency access.
5. The integration uses ArcSight's capabilities to improve the overall risk management framework by integrating with SAP GRC 10.0 and Access Risk Management.

Overall, this text emphasizes the benefits of combining SAP and ArcSight technologies for more effective enterprise-wide risk analysis and compliance monitoring.

This document outlines how ArcSight can integrate with Enterprise Governance, Risk and Compliance (eGRC) by monitoring for SAP user provisioning performed outside the GRC workflow and by supplying control effectiveness test results to eGRC. ArcSight is described as a complement to GRC rather than a replacement for it. The document highlights core GRC capabilities such as segregation of duties in internal controls and transaction monitoring, scheduled user access reviews, security role governance and change management, privileged user controls, fraud detection, anomaly detection, pattern discovery, and adaptive risk profile monitoring based on ongoing activity. It includes the following use case examples:

1. Former employee accessing SAP: ArcSight detects an account lockout when Susan Smith tries to access John Green's account, and adds both the user and the workstation to a watch list. Further actions are monitored automatically.
2. Ex-employee accessing SAP (continued): transactional activity from a watched workstation results in a priority alarm condition.
3. Former employee unlocking an account through a backdoor: Sam Mitchell bypasses normal user management procedures and uses a backdoor to unlock his locked account, which is detected by ArcSight ESM.
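The Robert Jackson scenario above combines two detections: a Segregation of Duties check over role assignments (one person holding both master-data maintenance and order entry), and a transaction correlation in which a ship-to address with no link to an existing customer is created and then used in a sales order by the same user. The following Python is an added example and is not ArcSight's rule content or code from the Deloitte document; the conflict matrix, role names, user IDs, event shapes, timestamps and the seven-day window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical SoD conflict matrix: capabilities one person should not hold together.
# These pairs are illustrative assumptions, not a rule set taken from the page or from SAP GRC.
SOD_CONFLICTS = {
    frozenset({"MAINTAIN_CUSTOMER_MASTER", "CREATE_SALES_ORDER"}),
    frozenset({"DEVELOP_ABAP", "IMPORT_TRANSPORT"}),
}

# Constructed role definitions and assignments (hypothetical role names). The BASIS role is
# given wide authorization, mirroring the page's description of the BASIS administrator.
ROLE_CAPABILITIES = {
    "Z_BASIS_ADMIN": {"DEVELOP_ABAP", "IMPORT_TRANSPORT", "MAINTAIN_CUSTOMER_MASTER"},
    "Z_SD_ORDER_ENTRY": {"CREATE_SALES_ORDER"},
    "Z_SD_MASTER_DATA": {"MAINTAIN_CUSTOMER_MASTER"},
}
USER_ROLES = {
    "rjackson": ["Z_BASIS_ADMIN", "Z_SD_ORDER_ENTRY"],
    "sd_clerk": ["Z_SD_ORDER_ENTRY"],
    "md_clerk": ["Z_SD_MASTER_DATA"],
}


def sod_violations(user_roles=USER_ROLES, role_caps=ROLE_CAPABILITIES, conflicts=SOD_CONFLICTS):
    """Return {user: [conflicting capability pairs]} for every user whose combined
    role assignments grant both halves of at least one conflict pair."""
    result = {}
    for user, roles in user_roles.items():
        caps = set().union(*(role_caps.get(r, set()) for r in roles))
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= caps)
        if hits:
            result[user] = hits
    return result


# Constructed SAP-style events for the scenario: a ship-to address is created with no link
# to an existing customer, then a sales order is raised against it by the same user.
# Identifiers and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01 14:05:00", "user": "rjackson", "action": "CREATE_SHIPTO",
     "object": "SHIPTO-90017", "customer": None},
    {"ts": "2025-04-01 14:20:00", "user": "rjackson", "action": "CREATE_SALES_ORDER",
     "object": "SO-4471021", "ship_to": "SHIPTO-90017"},
    {"ts": "2025-04-02 09:00:00", "user": "md_clerk", "action": "CREATE_SHIPTO",
     "object": "SHIPTO-90018", "customer": "CUST-1001"},
    {"ts": "2025-04-02 10:00:00", "user": "sd_clerk", "action": "CREATE_SALES_ORDER",
     "object": "SO-4471022", "ship_to": "SHIPTO-90018"},
]


def correlate_fictitious_shipto(events=SAMPLE_EVENTS, violators=None, window=timedelta(days=7)):
    """Flag sales orders whose ship-to address was created shortly before, by the same
    user, without a link to an existing customer. Orders placed by a user who also has a
    known SoD violation are rated HIGH, others MEDIUM."""
    violators = sod_violations() if violators is None else violators
    created = {}   # ship-to id -> (creator, creation time, linked customer or None)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        if e["action"] == "CREATE_SHIPTO":
            created[e["object"]] = (e["user"], ts, e.get("customer"))
        elif e["action"] == "CREATE_SALES_ORDER":
            rec = created.get(e["ship_to"])
            if rec is None:
                continue
            creator, created_at, customer = rec
            if creator == e["user"] and customer is None and ts - created_at <= window:
                severity = "HIGH" if e["user"] in violators else "MEDIUM"
                alerts.append({"user": e["user"], "order": e["object"],
                               "ship_to": e["ship_to"], "severity": severity})
    return alerts


if __name__ == "__main__":
    print(sod_violations())
    print(correlate_fictitious_shipto())
```

The static check alone would flag rjackson as soon as the roles are assigned, which is the GRC-side control; the event correlation is what a SIEM adds, because it fires on the actual misuse of that combination rather than on its mere existence.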
The document explains the limitations of current technology, specifically the inability to infer and adapt to risk behavior based on ongoing activity. ArcSight ESM (Enterprise Security Manager) is a security information and event management tool that helps organizations detect, investigate, and respond to security incidents. In this case, the solution detected an account being locked out and then unlocked from the same workstation, which indicated the presence of a backdoor account.

A backdoor account is a hidden or secondary user account used to gain unauthorized access to a system or network. Such accounts pose significant risk because they bypass normal security protocols and are often difficult to detect. Backdoors, kill switches, and logic bombs are types of malicious software designed to provide persistent access to an IT infrastructure even after the primary method of entry has been closed. The main reason this cannot be addressed with current technology is the inability to infer and adapt to risk behavior. Traditional security technologies may not recognize the subtle patterns or behaviors that indicate potential threats, such as misuse of privileged accounts for unauthorized purposes. This can lead to missed detections and delayed responses to real security events.

In the specific scenario described, an SAP administrator named Sam Mitchell accidentally locked his own account while attempting to use a backdoor account (ssanchez). Misuse of privilege is a common risk associated with shared or compromised accounts that are not properly managed. In this case, Mr. Mitchell unlocked his account using the backdoor account, illustrating the risks and vulnerabilities inherent in such practices.

Another related issue discussed in the summary is SAP account sharing. When multiple individuals share an account on a production SAP instance, it becomes difficult to determine which individual used the account at any given time. This practice poses significant risk because shared accounts often have weak or reused passwords known to many users, making them easy targets for attackers. To address these risks, ArcSight ESM has specific solutions to detect and prevent unauthorized access through compromised accounts. These include detecting use of one ID from multiple locations and RFC calls across different workstations, while exempting certain portal systems such as SAP Web Portal or Citrix to avoid false positives. The benefit of this approach is that it helps organizations mitigate the risk associated with shared or misused accounts by dynamically monitoring and alerting on suspicious activity.

In summary, ArcSight ESM plays a crucial role in enhancing enterprise security by proactively detecting and responding to threats such as backdoor accounts and misuse of privileged access. The tool's ability to infer and adapt to risk behavior enables organizations to take preemptive measures against potential cyber threats, thereby reducing the likelihood of data breaches and other serious security incidents.
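The three correlations described in this section (lockout adds the actor and workstation to a watch list and later activity from that workstation raises a priority alert; an account locked and then unlocked from the same workstation by a different ID points to a backdoor account; one ID logging on or making RFC calls from several workstations within a short window points to account sharing, with portal hosts exempted) can be expressed as a single pass over a sorted event stream. The Python below is an added example written for this post, not ArcSight rule content; the event fields, user and workstation names, the 30-minute window and the exempt host list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hosts exempt from the "one ID, many workstations" rule. The page names SAP Web Portal and
# Citrix as such systems; these host names are placeholders.
PORTAL_HOSTS = {"sap-webportal-01", "citrix-gw-01"}
SHARING_WINDOW = timedelta(minutes=30)   # assumed correlation window for account sharing

# Constructed events shaped loosely like SAP Security Audit Log records (not real data).
# "object" is the account being locked/unlocked, the T-code for a transaction, or the
# logging-on user for LOGON / RFC_LOGON events.
SAMPLE_EVENTS = [
    {"ts": "2025-04-05 09:00:00", "actor": "ssmith",    "host": "WS-0147", "event": "LOGON_FAILED",     "object": "jgreen"},
    {"ts": "2025-04-05 09:01:00", "actor": "ssmith",    "host": "WS-0147", "event": "ACCOUNT_LOCKED",   "object": "jgreen"},
    {"ts": "2025-04-05 09:30:00", "actor": "ssmith",    "host": "WS-0147", "event": "TRANSACTION",      "object": "SE16"},
    {"ts": "2025-04-05 10:00:00", "actor": "smitchell", "host": "WS-0203", "event": "ACCOUNT_LOCKED",   "object": "smitchell"},
    {"ts": "2025-04-05 10:02:00", "actor": "ssanchez",  "host": "WS-0203", "event": "ACCOUNT_UNLOCKED", "object": "smitchell"},
    {"ts": "2025-04-05 11:00:00", "actor": "fi_clerk",  "host": "WS-0310", "event": "LOGON",            "object": "fi_clerk"},
    {"ts": "2025-04-05 11:10:00", "actor": "fi_clerk",  "host": "WS-0455", "event": "RFC_LOGON",        "object": "fi_clerk"},
    {"ts": "2025-04-05 11:20:00", "actor": "hr_user",   "host": "WS-0501", "event": "LOGON",            "object": "hr_user"},
    {"ts": "2025-04-05 11:25:00", "actor": "hr_user",   "host": "citrix-gw-01", "event": "LOGON",       "object": "hr_user"},
]


def correlate(events=SAMPLE_EVENTS, portal_hosts=PORTAL_HOSTS, window=SHARING_WINDOW):
    """Run the three correlations over a time-ordered event list and return
    (rule, actor, host) alert tuples in the order they fire."""
    alerts = []
    watched_hosts = set()
    watched_users = set()
    pending_locks = {}   # locked account -> (workstation that caused the lock, time)
    logons = {}          # user -> [(time, workstation)] for non-portal logons
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        kind = e["event"]
        if kind == "ACCOUNT_LOCKED":
            # Use case 1: a lockout puts both the actor and the workstation on the watch list.
            watched_users.add(e["actor"])
            watched_hosts.add(e["host"])
            pending_locks[e["object"]] = (e["host"], ts)
            alerts.append(("WATCHLIST_ADD", e["actor"], e["host"]))
        elif kind == "ACCOUNT_UNLOCKED":
            # Backdoor indicator: the workstation that locked the account unlocks it again
            # under a different user ID, outside the normal user-administration path.
            lock = pending_locks.pop(e["object"], None)
            if lock and lock[0] == e["host"] and e["actor"] != e["object"]:
                alerts.append(("BACKDOOR_UNLOCK", e["actor"], e["host"]))
        elif kind == "TRANSACTION":
            # Use case 2: any transactional activity from a watched workstation is a priority alarm.
            if e["host"] in watched_hosts or e["actor"] in watched_users:
                alerts.append(("PRIORITY_WATCHED_HOST_ACTIVITY", e["actor"], e["host"]))
        elif kind in ("LOGON", "RFC_LOGON"):
            # Account sharing: same ID from a second, different, non-portal workstation inside the window.
            if e["host"] in portal_hosts:
                continue
            recent = [h for t, h in logons.get(e["actor"], [])
                      if ts - t <= window and h != e["host"]]
            if recent:
                alerts.append(("ACCOUNT_SHARING", e["actor"], e["host"]))
            logons.setdefault(e["actor"], []).append((ts, e["host"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

The exemption list is what keeps the sharing rule usable: every session through a portal or terminal server presents the same workstation address, so without it the rule would fire on ordinary users all day and the real signal would be lost in noise.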
ArcSight detects this anomaly and builds a risk model for users based on their activity checked against enterprise meta-directories such as Active Directory. This helps raise awareness of at-risk users accessing SAP, including contractors and new employees. Both scenarios highlight ArcSight's ability to monitor activity outside the standard maintenance windows and to detect misuse or unauthorized access, including by former employees. The document concludes that while other solutions may be limited in time-scale monitoring relative to maintenance T-codes, ArcSight provides a comprehensive solution for SAP transaction monitoring and risk management.

HR realized that Gary's "gsanders" account was still active in SAP, even though it had been disabled in Active Directory. This means that there were problems with how accounts were managed between the two systems. To solve this, HR should make sure that any account change, such as disabling a user, is applied in both Active Directory and SAP at the same time, to avoid such inconsistencies in the future.
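The two use cases above reduce to a time-window check on sensitive transactions and a reconciliation of SAP user status against the directory. The Python below is an added example written for this post, not ArcSight's or the document's own content; the maintenance window (Saturday 01:00 to 12:00) comes from the page, while the set of T-codes treated as sensitive, the user names, the identity-store snapshots and the timestamps are constructed assumptions.

```python
from datetime import datetime, time

# Approved maintenance window from the page: Saturday, 01:00-12:00.
# Python's weekday() numbers Monday as 0, so Saturday is 5.
MAINT_WEEKDAY, MAINT_START, MAINT_END = 5, time(1, 0), time(12, 0)

# Hypothetical set of T-codes treated as sensitive; the page does not list them.
SENSITIVE_TCODES = {"SE38", "SM59", "STMS", "SU01"}


def in_maintenance_window(ts):
    """True when the timestamp falls inside the approved Saturday window."""
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START <= ts.time() < MAINT_END


# Constructed transaction log (not real data). 2025-04-05 is a Saturday, 2025-04-07 a Monday.
SAMPLE_TRANSACTIONS = [
    {"ts": "2025-04-05 10:30:00", "user": "sapbasis", "tcode": "STMS"},   # inside the window
    {"ts": "2025-04-05 14:00:00", "user": "sapbasis", "tcode": "SE38"},   # Saturday, after the window
    {"ts": "2025-04-07 03:00:00", "user": "sapbasis", "tcode": "SM59"},   # weekday night
    {"ts": "2025-04-07 09:00:00", "user": "gsanders", "tcode": "VA03"},   # activity by an exited employee
    {"ts": "2025-04-07 09:05:00", "user": "fi_clerk", "tcode": "FB03"},   # not sensitive, ignored
]


def sensitive_outside_window(transactions=SAMPLE_TRANSACTIONS, sensitive=SENSITIVE_TCODES):
    """Use case 1: sensitive T-codes executed outside the maintenance window."""
    hits = []
    for t in transactions:
        if t["tcode"] not in sensitive:
            continue
        ts = datetime.strptime(t["ts"], "%Y-%m-%d %H:%M:%S")
        if not in_maintenance_window(ts):
            hits.append((t["user"], t["tcode"], t["ts"]))
    return hits


# Constructed snapshots of the two identity stores. HR has disabled gsanders in AD, but the
# SAP account is still unlocked; contractor7 exists only in SAP.
AD_ACCOUNTS = {"sapbasis": "enabled", "fi_clerk": "enabled", "gsanders": "disabled"}
SAP_USERS = {"sapbasis": "unlocked", "fi_clerk": "unlocked",
             "gsanders": "unlocked", "contractor7": "unlocked"}


def at_risk_users(ad=AD_ACCOUNTS, sap=SAP_USERS):
    """Use case 2: SAP users that are unlocked although AD has them disabled or unknown."""
    return sorted(u for u, status in sap.items()
                  if status == "unlocked" and ad.get(u) != "enabled")


def at_risk_activity(transactions=SAMPLE_TRANSACTIONS, ad=AD_ACCOUNTS, sap=SAP_USERS):
    """Transactions performed by at-risk users; these are the events to alert on."""
    risky = set(at_risk_users(ad, sap))
    return [(t["user"], t["tcode"], t["ts"]) for t in transactions if t["user"] in risky]


if __name__ == "__main__":
    print("outside window:", sensitive_outside_window())
    print("at-risk users:", at_risk_users())
    print("at-risk activity:", at_risk_activity())
```

Treating "unknown to AD" the same as "disabled in AD" is deliberate: the page singles out contractors and new employees as the population most likely to have SAP accounts that the HR-driven directory never governed, so a reconciliation that only looks at explicitly disabled accounts would miss them.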

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
