Onapsis: The CISO Imperative Taking Control of SAP

Similar documents
Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

SAP Security anno Tim Lynen, Manager axl & trax 2017

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Endpoint Security Can Be Much More Effective and Less Costly. Here s How

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Automating the Top 20 CIS Critical Security Controls

10 FOCUS AREAS FOR BREACH PREVENTION

ForeScout Extended Module for Splunk

CyberArk Privileged Threat Analytics

Uncovering the Risk of SAP Cyber Breaches

Total Security Management PCI DSS Compliance Guide

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

IBM Security Vaš digitalni imuni sistem. Dejan Vuković Security BU Leader South East Europe IBM Security

ANATOMY OF AN ATTACK!

Transforming Security from Defense in Depth to Comprehensive Security Assurance

RSA NetWitness Suite Respond in Minutes, Not Months

SIEMLESS THREAT DETECTION FOR AWS

INTELLIGENCE DRIVEN GRC FOR SECURITY

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Building Resilience in a Digital Enterprise

Are we breached? Deloitte's Cyber Threat Hunting

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Cyber Protections: First Step, Risk Assessment

What It Takes to be a CISO in 2017

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Business continuity management and cyber resiliency

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Designing and Building a Cybersecurity Program

GDPR Update and ENISA guidelines

Combating Cyber Risk in the Supply Chain

2017 Varonis Data Risk Report. 47% of organizations have at least 1,000 sensitive files open to every employee.

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Securing Your Most Sensitive Data

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

the SWIFT Customer Security

Cyber Resilience. Think18. Felicity March IBM Corporation

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

From Managed Security Services to the next evolution of CyberSoc Services

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

Securing Office 365 with SecureCloud

Best Practices in Securing a Multicloud World

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

locuz.com SOC Services

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

Threat Centric Vulnerability Management

Cyber-Threats and Countermeasures in Financial Sector

NEN The Education Network

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Microsoft Security Management

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

2017 Annual Meeting of Members and Board of Directors Meeting

GDPR drives compliance to top of security project list for 2018

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

WHITE PAPER. 10 Principles of Database Security Program Design

CipherCloud CASB+ Connector for ServiceNow

Reinvent Your 2013 Security Management Strategy

External Supplier Control Obligations. Cyber Security

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Cybersecurity Session IIA Conference 2018

RiskSense Attack Surface Validation for IoT Systems

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Think Like an Attacker

Nebraska CERT Conference

Comprehensive Database Security

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Canada Life Cyber Security Statement 2018

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

Secure Access & SWIFT Customer Security Controls Framework

Cyber Risks in the Boardroom Conference

Teradata and Protegrity High-Value Protection for High-Value Data

Cyber Security. Our part of the journey

Information Security Controls Policy

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Security-as-a-Service: The Future of Security Management

6 KEY SECURITY REQUIREMENTS

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Top Ten IT Security Risks CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

TRUE SECURITY-AS-A-SERVICE

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Cybersecurity Today Avoid Becoming a News Headline

Transcription:

Onapsis: The CISO Imperative Taking Control of SAP Cyberattacks @onapsis 2016

Key SAP Cyber-Security Trends Over 95% of the SAP systems we have assessed, were exposed to vulnerabilities that could lead to full compromise of the company s business processes and information. Most vulnerabilities could be exploited anonymously and remotely. In most scenarios, anyone that can ping an SAP server, can break into it.

SAP Cyber Attacks are Motivated by Critical Assets SAP houses a multitude of organizational assets which span industries and motivate cyber security attacks Intellectual property High value industry data Financial reporting insights Inside financial information Sensitive customer information High volume customer data Sensitive employee information High volume employee data Business process trade secrets Competitive insights Network front door Access point to the corporate network Treasury and cash Corporate bank accounts Life blood of the business Single point of operational failure

TYPICAL SAP ENVIRONMENT SAP Systems Run the Business Mapping SAP Systems and Connections is Complex

SAP Security Breaches in the Press The Escalation of SAP Security Breaches May 2015 2014 2012 Anonymous claimed breach to Greek Ministry of Finance using SAP zero-day exploit 2013 A malware targeting SAP systems discovered in the wild - A Tsunami of SAP Attacks Coming? A Chinese hacker exploited a vulnerability in a corporate SAP NetWeaver Portal. Report: Chinese Breach of USIS targeted SAP. Went unnoticed for over six months and compromised over 48,000 employee records of DHS and OPM.

UNDERSTAND THE RISKS Economic Impact Compliance Impact Context Impact Understand the value chain that SAP systems and applications support. Also calculate the dollars that the SAP platform manages at your organization. Map Policies with an SAP security lens (i.e. SAP Security Guidelines) as well as authoritative sources (SOX, PCI) and perform assessments to identify critical compliance gaps. Prioritize risk by severity against assets (TOP-10, don t boil the ocean), likelihood and timing of the risks and the potential business impact.

What Is the Probability? Killing Some Myths MYTH We are applying SAP patches regularly Window of Exposure = 18 Months + VS Most attacks occur when patches are delivered to market 12 Months 6 Months TRUTH A Vulnerability is found and reported to SAP. B SAP delivers a patch to the market C Organization deploys patch.

What Is the Probability? Killing Some Myths MYTH VS TRUTH Our SAP platform is only accessible through internal networks Inurl:/irj/portal www.shodanhq.com/search?q=sap

What Is the Probability? Killing Some Myths MYTH We have an SAP Security Team that looks after this VS TRUTH Enforcing Segregation of Duties controls (user roles and authorizations) will not stop advanced threat vectors on SAP.

What Is the Probability? Killing Some Myths MYTH We are migrating to SAP HANA anyway, we are safe VS TRUTH Results (public): 450% increase in new security patches. In 2014: 82% high priority Evolution of SAP HANA security patches 15 10 5 0 2011 2012 2013 2014

SAP HANA, SAP S/4HANA AND SAP CLOUD SOLUTION RISKS November 2015 Onapsis discovered and helped mitigate 21 vulnerabilities: Critical risks could allow cyber attackers to steal, delete or modify corporate business information. Over 10,000 companies potentially affected. Both a TREXNET configuration issue which is unpatchable and non-deployed SAP patches. Through cutting edge research major largescale attacks potentially avoided. Customer using Onapsis Advanced Threat Detection get zero-day coverage and a virtual patch capability

SAP Attacks Evade Traditional Security Approaches Attackers are going after the crown jewels and traditional security solutions won t stop them. GRC and IAM Firewall Anti Anti Virus Virus IP Perimeter Monitoring Tools Using advanced malware to get into an SAP system - once in the attacker has full access to the business s Crown Jewels - information and processes All residing within SAP

TOP 3 ATTACK SCENARIOS 1 Pivoting between SAP systems: Pivot from a system with lower security (Development or QA system) to a critical system (Production system), to execute SAP remote function modules in the destination system. 2 3 Customer and Supplier Portal Attacks: Create users in the SAP J2EE User Management Engine using the CTC servlet, by exploiting a vulnerability through HTTP verb tampering, and obtaining access to the SAP Portal business information (and internal systems). Attack on SAP services configuration: Execute Operating System commands under the privileges of the user <sid>adm by exploiting vulnerabilities in the SAP RFC Gateway. Get and potentially modify credit card information stored in the SAP database.

ATTACK SCENARIO 1 1. Attacker compromising an initial system, typically a non-prod system (Dev/QA) 2. List of RFC destinations and its properties SM59 SE16 - RFCDES 3. Attacker goes to transaction SE37 and abuses pre-established interfaces

ATTACK SCENARIO 2 1. Vulnerable systems are also connected to Internet! 2. Attacker sending HTTP request to the CTC servlet and creating a user 3. Using the web browser, the attacker will send the user creation request to the CTC using the invoker servlet 4. Attacker repeats the process to add roles to the created user: http://192.168.0.190:50000/ctc/servlet/com.sap.ctc.util.configservlet?param=com.sap.ctc.util.userconfig;assign_role_to_user;role= <ROLE>,USERNAME=<user>;

ATTACK SCENARIO 3 By abusing of insecure configurations in the SAP systems, there are different techniques an attacker would leverage to access business data: 1. Using exploiting the SAP Gateway ( Get Business table ) Request Customers: table KNA1 Customer table is displayed

Respond GENERAL ACTION PLAN Respond to new threats, attacks, or user behavioral anomalies as indicators of compromise. Incorporate SAP into your Incident Response program. Deploy zero day signatures to systems vulnerabilities. Threat Intelligence Gain Visibility Gain insight into you SAP infrastructure, the connections between systems and the the past, current and new vulnerabilities that can impact the business. Detect Leveraging vulnerability and compliance gap analysis to determine likelihood and impact of treats, Notifications of attacks with prioritization based on businesscontext. Continuous Monitoring Prevent Continuously monitor systems for exploits. Patch systems with security notes and incorporate SAP into your risk, compliance and vulnerability management processes.

Onapsis Security Platform Solutions Vulnerability and Compliance Identify all SAP infrastructure and generate graphical topology maps along with the connections between systems and applications. Assess risks based on vulnerabilities and tie business context into remediation planning processes. Performs audits to Identify compliance gaps and report when systems don t meet requirements based on policies and industry regulations. Onapsis Security Platform Provides organizations a holistically adaptive approach to focus on the factors that matter most to their business critical applications running on SAP that house vital data and run mission-critical business processes. Delivers three solutions Detection and Response Continuous monitoring of advanced threats and anomalous user behavior on SAP infrastructure. Provides visibility into attacks, with context, to determine if the attack is likely to be successful. Leverages real-time reporting on the likelihood and impact of threats from SAP exploits. Delivers attack signatures to identify anomalous user behaviors. Detects system changes that make organizations more vulnerable to attack Advanced Threat Protection Provides protection against SAP security issues for which no SAP note has been released for Onapsis customers to eliminate the risks.. Eliminates the window of exploitability and protects customers against known but unpublished vulnerabilities. Customers who subscribe to Advanced Threat Protection receive signatures for exploitation attempts against zero day vulnerabilities.

2016 THANK YOU

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback