
SAP Security Monitoring with agileSI

  • Writer: Pavan Raja
  • Apr 9, 2025
  • 8 min read

Summary:

The article gives an overview of agileSI™, a SAP-certified security monitoring solution from iT-CUBE SYSTEMS GmbH that either feeds an existing SIEM or runs as a standalone system. Its key features are automated collection and correlation of SAP event data, visualization of critical security events, and SIEM integration that gives visibility into threats which infrastructure-only monitoring misses. The main points:

1. **Event Correlation**: agileSI™ was designed from the start to interoperate with Security Information and Event Management (SIEM) systems, so SAP events can be correlated with the rest of the enterprise in widely used SIEM products such as HP ArcSight ESM.
2. **Insider Threats**: Privileged users and administrators with direct access to critical SAP systems need continuous access-control monitoring; lapses there enable insider fraud such as manipulation of financial data, order tampering, or creation of unauthorized assets.
3. **Transaction Monitoring**: agileSI™ uses its data extraction technology to pull security-relevant information (transactions, privileged-user activity) out of the SAP systems, then processes, visualizes and reports on it to give a complete picture of critical security events.
4. **Architectural Model**: agileSI™ has three layers: collection, administration and analytics. SAP event data is correlated with event data from networking equipment, security devices, operating systems, databases, application servers, client systems, communication activity and corporate applications to give deep visibility into the SAP environment.
5. **Integration with SIEM Systems**: The solution works with existing SIEM systems such as HP ArcSight ESM for event correlation and enterprise-wide security monitoring.
6. **Data Collection**: Agents equipped with several data extractors read log files, tables and change documents inside the SAP systems; they make up the collection layer. The central component of the admin layer is the agileSI™ core, which sets up, configures and monitors the installation and preprocesses all security monitoring data.
7. **Actionable Insights**: Visualizations turn risk into clear, understandable information that feeds directly into IT operations efficiency and compliance with security regulations.
8. **Customizable Real-Time Dashboards**: Dashboards can be adapted to the SIEM each customer runs, from global corporations to government agencies, and the solution is usable without deep SAP expertise.
9. **Expertise and Experience**: iT-CUBE SYSTEMS GmbH, the developer of agileSI™, is a full-service IT security provider with more than 10 years of experience in reducing business risk and lowering long-term investment in information security, serving aerospace, automotive, financial, insurance, telecommunications and chemical companies among others. For more information on agileSI™ or other iT-CUBE SYSTEMS solutions, visit www.it-cube.net/agilesi, email sales@it-cube.net, or call +49 89 2000 148 0.

Details:

The agileSI™ Whitepaper (Version 1.1, September 2012) describes how iT-CUBE SYSTEMS built agileSI™, a SAP-certified solution, to close the gap between SAP systems and Security Information and Event Management (SIEM) products. It turns SAP security data into actionable insight by continuously and automatically scanning SAP landscapes for weak system configurations, excessive user access rights, Segregation of Duties (SoD) violations, signs of attack, and other vulnerabilities. The whitepaper stresses how critical ERP systems are to the business and how little attention their security receives in the industry, and positions agileSI™ as the answer to two questions: how to find compliance violations in SAP systems before the auditors do, and how to protect critical applications while reducing audit effort. It removes blind spots in SAP security monitoring by pulling data from the SAP R/3 system modules and handing it to HP ArcSight ESM, the SIEM used for processing and correlation. Comprehensive security and business-risk management, the whitepaper argues, needs event data from the core business applications correlated with that of the supporting infrastructure (databases, application servers, and so on); SoD controls matter, but higher-risk threats such as exploitable vulnerabilities in the business runtimes also need attention. agileSI™ is meant to lower the number and severity of audit findings, turn risk into actionable insight, and support compliance requirements.

The whitepaper then turns to SAP security event management as a defence against the weaknesses that lead to espionage, sabotage and fraud. It names technical weaknesses attackers exploit: services on SAP web servers that require no authentication, OS command execution from the application layer or through the SAP Gateway, and passwords that can be sniffed from unencrypted HTTP headers and error messages. Current practice relies on manual, siloed handling that is inefficient and leaves issues incomplete or undetected. These weaknesses are the entry point for espionage, sabotage and fraud because they give unauthorized access to the data held in SAP modules: financial data, corporate secrets, customer lists, supplier tenders and HR data. The whitepaper calls for a comprehensive approach that integrates the various sources of security data, extracts what is relevant and presents it centrally for transparency and effectiveness, and concludes that agileSI™ must cover the full range of SAP security monitoring requirements across the complete landscape and every aspect of SAP security to help prevent fraud. Securing SAP systems also means finding vulnerabilities in custom code and partner products before they ship, so the whitepaper covers code review and automated scanning: agileSI™ integrates these aspects, produces clear scan reports and supports audits, and the paper stresses embedding security in the software development lifecycle (SDLC), for example with ABAP code scanners, to avoid costly fixes after release.
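The gateway weakness named above (OS command execution through the SAP Gateway, revisited below under automated monitoring) is governed by the gateway's two ACL files: secinfo decides which clients may start which external programs, reginfo which external RFC server programs may register. The audit script below is an added example written for this page, not code from the whitepaper or from agileSI™. It assumes the version-2 file syntax (a P or D action followed by KEY=VALUE tokens, '*' as wildcard, comma-separated lists, SAP's 'local' and 'internal' keywords, first matching rule wins) and works on constructed sample files; the "weak" files deliberately carry the permit-everything rule that lets any host start or register any program, and the no-match default is an assumption because on a real gateway it depends on gw/acl_mode.

```python
"""Static audit of SAP Gateway ACL files (secinfo and reginfo).

Added example for this page, not code from the whitepaper or from agileSI.
Assumed (version-2) syntax: one rule per line, action 'P' (permit) or 'D'
(deny) followed by KEY=VALUE tokens; '*' is a wildcard, values may be comma
lists, 'local'/'internal' are SAP's keywords for the gateway host and the
system's own instances; rules are evaluated top-down and the first match wins.
"""
from fnmatch import fnmatchcase

# Keys that can carry a wildcard in each file type.
ACL_KEYS = {
    "secinfo": ("TP", "USER", "HOST", "USER-HOST"),   # who may START which program where
    "reginfo": ("TP", "HOST", "ACCESS", "CANCEL"),    # who may REGISTER which RFC server
}

# Constructed sample files. WEAK_* carry the permit-everything rule that lets
# any host start or register any program; HARDENED_SECINFO follows the usual
# pattern of local/internal permits plus an explicit terminating deny.
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
D TP=* USER=* USER-HOST=* HOST=*
"""
WEAK_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""
HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""


def parse_acl(text):
    """Parse a secinfo/reginfo file into rule dicts: {line, action, fields}."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and the #VERSION header
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: expected P or D, got {action!r}")
        fields = {}
        for token in rest.split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed token {token!r}")
            fields[key.upper()] = value
        rules.append({"line": lineno, "action": action, "fields": fields})
    return rules


def _matches(pattern, value):
    """One request value against a rule value (comma list, '*' wildcard)."""
    return any(fnmatchcase(value, alt) for alt in pattern.split(","))


def decide(rules, request, default="D"):
    """First-match evaluation of a request such as
    {'TP': '/bin/sh', 'USER': 'x', 'HOST': '10.0.0.99', 'USER-HOST': '10.0.0.99'}.
    A key missing from a rule acts as '*'. The caller maps hosts to 'local' /
    'internal' itself; `default` stands in for the no-match behaviour, which
    on a real gateway depends on gw/acl_mode (assumed deny here)."""
    for rule in rules:
        if all(_matches(rule["fields"].get(k, "*"), v) for k, v in request.items()):
            return rule["action"], rule["line"]
    return default, None


def audit(rules, kind):
    """Findings as (line or None, message) for over-permissive and dead rules."""
    findings = []
    shadowed = False
    for rule in rules:
        f = rule["fields"]
        if shadowed:
            findings.append((rule["line"], "unreachable: an earlier permit-all rule matches first"))
            continue
        if rule["action"] != "P":
            continue
        wild = [k for k in ACL_KEYS[kind] if f.get(k, "*") == "*"]
        if "TP" in wild and "HOST" in wild:
            findings.append((rule["line"],
                "any host may start any program via the gateway (remote OS command execution)"
                if kind == "secinfo" else
                "any host may register any RFC server program (registered-server hijacking)"))
            if len(wild) == len(ACL_KEYS[kind]):
                shadowed = True          # nothing after a permit-all rule is ever reached
        elif "HOST" in wild:
            findings.append((rule["line"], f"HOST unrestricted for TP={f.get('TP', '*')}"))
    last = rules[-1] if rules else None
    if last is None or last["action"] != "D" or last["fields"].get("TP", "*") != "*":
        findings.append((None, "no terminating 'D TP=*' rule; unmatched requests fall back to the gw/acl_mode default"))
    return findings


if __name__ == "__main__":
    probe = {"TP": "/bin/sh", "USER": "anyone", "HOST": "10.0.0.99", "USER-HOST": "10.0.0.99"}
    for name, text in (("weak secinfo", WEAK_SECINFO), ("hardened secinfo", HARDENED_SECINFO)):
        rules = parse_acl(text)
        print(name, "->", decide(rules, probe), audit(rules, "secinfo"))
    print("weak reginfo ->", audit(parse_acl(WEAK_REGINFO), "reginfo"))
```

Run against the real files named by the gw/sec_info and gw/reg_info profile parameters; a permit rule with both TP and HOST wildcarded is the finding to act on first, and the probe request shows concretely whether an arbitrary remote host would be allowed to start a program.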
Enterprises also struggle to keep track of the authorizations and roles their users hold, and unnoticed weaknesses of this kind can persist for years. The goal is to make sure no user accumulates critical authorizations that violate separation of duties (SoD). Tools such as SAP BusinessObjects GRC Access Control and agileSI™ 1.1 with HP ArcSight ESM monitor this and can detect changes to user roles and other objects that reach the productive environment through transport management. They monitor patch levels, changes and transports, and critical authorizations, but the existing tools have limits: they are not integrated with security monitoring, deliver only snapshots, and cannot be customized or extended. The whitepaper also notes that SAP has issued a growing number of security notes over the years and recommends monthly configuration checks to keep systems secure; supporting tools exist but are limited in data extraction and system coverage. It closes this section by stressing continuous monitoring, adjusted to the customer's security policy, as part of SAP's Security Optimization Services.

On monitoring SAP as part of daily business operations, the key points are:

1. **Automation in Monitoring**: Monitoring of SAP systems has to be automated and embedded in daily operations so threats are detected and remediated. One item that needs particular care is the configuration of the SAP Gateway, which controls communication with external programs, including other SAP systems and third-party products. Misconfigured, it lets external programs execute code on the SAP application server (remote code execution).
2. **SAP Event Monitoring**: An attack on SAP usually consists of several individual actions that only look suspicious when correlated, so monitoring rules have to combine events rather than inspect them one at a time. The data needed to monitor the SAP Gateway is held in dedicated log files that only a few monitoring products, agileSI™ among them, can read. Other activities to watch are operating system commands executed by users and development activity on productive systems, both of which can indicate a security event.
3. **Integration with SIEM Systems**: To improve event correlation, agileSI™ was designed from the start to interoperate with SIEM systems, so it works with widely accepted products such as HP ArcSight ESM for enterprise-wide security monitoring.
4. **Insider Threats**: The insider threat must not be overlooked; it is a significant risk to critical assets and information. Continuous access-control monitoring is essential for privileged users and administrators with direct access to critical systems, because lapses there lead to fraud such as financial data manipulation, order tampering, or unauthorized asset creation.
5. **Transaction Monitoring**: Transaction and privileged-user monitoring is a core part of SAP security monitoring. agileSI™'s data extraction technology gathers the relevant information from the SAP systems; it is then processed, visualized and reported on to give a complete view of critical security events.
6. **Architectural Model**: agileSI™ is built on three layers: collection, administration and analytics. SAP event data is correlated with data from networking equipment, security devices, operating systems, databases, application servers, client systems, communication activity and corporate applications, giving a depth of visibility into the SAP environment that was not available before.

In short, automated monitoring of SAP systems is necessary to prevent threats and to protect against both insiders and advanced persistent threats (APT); SIEM integration improves correlation and gives high-resolution visibility into critical security events across the enterprise IT infrastructure.

agileSI™ is SAP-certified and either integrates with the existing IT infrastructure or runs standalone. Its agents carry several data extractors that read log files, tables, change documents and other sources inside the SAP systems, and can pick up SAP security events such as brute-force logon attempts, password changes and system-parameter checks. The central component of the admin layer is the agileSI™ core, which sets up, configures and monitors the solution and preprocesses all security monitoring data. The analytics layer is served by the agileSI™ frontend, which is either an existing SIEM or the standalone version with an embedded front end. The solution automates collection, correlation, visualization and reporting, saving time and resources while strengthening security in SAP environments.
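The rule-based correlation described in point 2 (several ordinary events that together indicate an attack) and the brute-force logons, development on productive systems and OS command execution mentioned above, as an added example that is not part of the whitepaper or of agileSI™: a small correlator over constructed Security Audit Log records. The record layout (pipe-separated date/time, client, user, terminal, transaction, message ID, text) is a simplification of the columns SM20 displays, not the audit file's real format; the message IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are SAP's, while the thresholds, the list of development transactions and the choice of SM49/SM69 as OS-command transactions are assumptions made for this example.

```python
"""Correlate SAP Security Audit Log records into alerts.

Added example for this page, not agileSI code. The record layout is a
constructed, pipe-separated simplification of what SM20 displays, not the
audit file's real format. Message IDs (SAP's catalogue): AU1 logon successful,
AU2 logon failed, AU3 transaction started. Thresholds and the transaction
watch-lists are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed watch-lists: ABAP development tools that should not be used on a
# productive system, and the transactions that maintain/run external OS commands.
DEV_TRANSACTIONS = {"SE38", "SE80", "SE37", "SE24", "SE11"}
OS_CMD_TRANSACTIONS = {"SM49", "SM69"}

# Constructed sample: a password-guessing burst against FINADMIN that succeeds,
# followed by development and OS-command activity; JDOE's two mistyped
# passwords stay below the threshold and produce nothing.
SAMPLE_LOG = """\
2012-09-12 08:00:00|100|FINADMIN|WS-4711|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:00:15|100|FINADMIN|WS-4711|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:00:30|100|FINADMIN|WS-4711|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:00:45|100|FINADMIN|WS-4711|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:01:00|100|FINADMIN|WS-4711|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:01:15|100|FINADMIN|WS-4711|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:02:00|100|FINADMIN|WS-4711|-|AU1|Logon successful (type = A)
2012-09-12 08:05:10|100|FINADMIN|WS-4711|SE38|AU3|Transaction SE38 started
2012-09-12 08:06:40|100|FINADMIN|WS-4711|SM49|AU3|Transaction SM49 started
2012-09-12 08:03:00|100|JDOE|WS-0815|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:03:20|100|JDOE|WS-0815|-|AU2|Logon failed (reason = 1, type = A)
2012-09-12 08:03:40|100|JDOE|WS-0815|-|AU1|Logon successful (type = A)
2012-09-12 08:10:00|100|JDOE|WS-0815|VA01|AU3|Transaction VA01 started
"""


def parse_record(line):
    """Split one constructed record into a dict; the text field may contain '|'."""
    ts, client, user, terminal, tcode, msgid, text = line.split("|", 6)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "client": client, "user": user, "terminal": terminal,
        "tcode": tcode, "msgid": msgid, "text": text,
    }


def load_events(log_text):
    return [parse_record(line) for line in log_text.splitlines() if line.strip()]


def correlate(events, failed_threshold=5, window=timedelta(minutes=5), productive=True):
    """Return (rule, (client, user), timestamp, detail) tuples in time order."""
    alerts = []
    failures = defaultdict(deque)   # (client, user) -> timestamps of recent AU2 events
    burst_open = set()              # users whose failed-logon burst has already alerted
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["client"], ev["user"])
        if ev["msgid"] == "AU2":
            q = failures[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:      # forget failures outside the window
                q.popleft()
            if len(q) >= failed_threshold and key not in burst_open:
                burst_open.add(key)
                alerts.append(("BRUTE_FORCE", key, ev["ts"],
                               f"{len(q)} failed logons within {window}"))
        elif ev["msgid"] == "AU1":
            if key in burst_open:                # the burst ended in a successful logon
                alerts.append(("BRUTE_FORCE_SUCCESS", key, ev["ts"],
                               "logon succeeded after a failed-logon burst"))
                burst_open.discard(key)
            failures[key].clear()                # a real logon resets the counter
        elif ev["msgid"] == "AU3":
            if productive and ev["tcode"] in DEV_TRANSACTIONS:
                alerts.append(("DEV_ON_PROD", key, ev["ts"],
                               f"{ev['tcode']} started on a productive system"))
            if ev["tcode"] in OS_CMD_TRANSACTIONS:
                alerts.append(("OS_COMMAND", key, ev["ts"],
                               f"{ev['tcode']} started from terminal {ev['terminal']}"))
    return alerts


if __name__ == "__main__":
    for rule, (client, user), ts, detail in correlate(load_events(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {rule:<20} {client}/{user}: {detail}")
```

The point of the correlation is the chain: five failed logons alone are noise on a busy system, but a burst followed by a successful logon and then editor or OS-command transactions from the same terminal is the sequence a SIEM rule should escalate, which is what agileSI™ feeds to ArcSight in the architecture described above.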
It supports continuous monitoring of critical system conditions and events, automating these processes to reduce cost, protect transaction integrity and cut staff workload, and it feeds application security events into the SIEM as actionable insight for security teams and business process owners, improving SAP security and risk management while reducing audit and compliance effort. agileSI™ ships with predefined correlation rules, dashboards that visualize key indicators of SAP-specific risk, and detection of anomalies and suspicious patterns in SAP events, so that risk decisions rest on concrete findings and IT resources are used more efficiently and in line with security regulations. Real-time dashboards can be tailored to the customer's SIEM, which makes the solution usable by global corporations and government agencies alike, and it is SOC-agnostic: the security operations team does not need to become SAP experts to benefit from it. By turning risk into visual, actionable insight, agileSI™ shows what happened, who did it, why, and how to resolve it.

iT-CUBE SYSTEMS GmbH, the developer of agileSI™, is a full-service IT security provider with more than 10 years of experience in reducing business risk and lowering long-term investment in information security, with an experienced team and customers in aerospace, automotive, financial, insurance, telecommunications and chemical industries, among others. For more information on agileSI™ or other iT-CUBE SYSTEMS solutions, visit www.it-cube.net/agilesi, email sales@it-cube.net, or call +49 89 2000 148 0.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have comments or feedback, kindly leave a message and it will be responded to.
