
An effective way to bring SAP Security Notes under control

For some time now, SAP has regularly published current security updates to the SAP Support Portal and SAP Solution Manager once a month, on what is known as patch day. This provides IT departments with information on relevant security vulnerabilities so that they can import the corresponding Security Notes into their SAP system environments in good time, before the vulnerabilities are exploited by attackers. However, there are often technical or organizational reasons why prompt importing is not possible: importing all relevant Security Notes into all affected SAP systems requires a lot of effort. In addition, many companies defer patch implementation until the next system maintenance window in order to avoid unnecessary downtime. By this time, however, the affected SAP applications face even higher risks than before – once security updates are published, a large group of people learn about the existing security vulnerabilities and could exploit them specifically. For this reason, security experts call this period the "window of exposure".

Urgency is the deciding factor

To enable IT departments to keep this window of exposure as small as possible, the real-time security solution SAP Enterprise Threat Detection (ETD) was enhanced with functions for promptly monitoring SAP Security Notes. SAP ETD immediately sends an alert if a function with a known vulnerability is executed in an SAP system that has not yet been patched. Decisions are then made based on the urgency of the pending patch installations: the more often an insecure SAP function is executed, the sooner the corresponding security update should be imported to avoid potential risks. SAP ETD does not just check the execution of critical software code points – in many cases, it also checks whether the vulnerability itself is being exploited, for example by evaluating program parameters.
By monitoring reported SAP vulnerabilities in real time, IT departments are able to import highly critical Security Notes in good time or to eliminate the risks temporarily at another level, for example by blocking an RFC module or a port that is not critical to business processes. Less critical Security Notes can continue to be imported during the scheduled maintenance window. This approach saves time and effort. The remaining vulnerabilities that have not yet been patched are monitored in real time, allowing a direct response to any further potential risks.

Essential approach for project success   

When the new ETD functions for monitoring SAP Security Notes are introduced, the success of the project depends on taking a structured and efficient approach.
In general, the following applies: the more heterogeneous the existing system landscapes and release statuses, the more effort the rollout will involve. It is also important to keep the current backlog of SAP security updates in mind. In our experience, many SAP customers do not have a security team tasked with systematically and exclusively taking care of importing the current SAP patches. As a result, a sizable backlog of security updates has built up from previous patch days and must be processed first.

The core project requirements include the following:

1. "Get clean" for the patch backlog
The first step is to "triage" the existing backlog by sorting it by urgency. This is done by analyzing the security updates as to when and in what sequence they should be imported into the SAP systems. The goal is to bring the backlog that has built up down to an acceptable starting situation for future evaluations on every patch day.
2. "Stay clean" by taking an efficient approach to Security Notes
Next, companies should evaluate the current security updates on every patch day in order to achieve permanent protection for the SAP systems. Considering the large quantities of patches and affected systems, we recommend focusing on the critical Security Notes and integrating the rest into ETD monitoring based on defined checking rules. The basis for this is how the company specifically defines what it understands as a risk.
3. Create an appropriate alert level
If ETD sent an alert every time an insecure SAP function is called, its acceptance would immediately plummet, because a flood of alerts is not manageable in day-to-day work. Thus, for the Security Notes integrated into ETD monitoring on every patch day, it must be defined which alerts are relevant for the company and at what threshold values they should be displayed.
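As an added illustration of the urgency principle and of steps 1 to 3 above (this is example code, not part of the original article and not SAP's or ETD's own logic), the following script ranks a constructed backlog of unpatched notes by patch-day priority and by how often the affected functions are actually called, and raises an alert only when a per-note, per-system call count reaches an agreed threshold. The log line format, the note IDs, the system IDs and the function names are all constructed placeholders.

```python
"""Added example: triage unpatched SAP Security Notes by execution frequency
and keep alerting manageable with a threshold. Not code from the article or from SAP."""
from collections import Counter, defaultdict

# Constructed mapping: note id -> patch-day priority and the functions it covers.
# The note ids are placeholders, not real SAP Security Note numbers.
UNPATCHED_NOTES = {
    "NOTE-A": {"priority": "HotNews", "functions": {"Z_RFC_EXPORT"}},
    "NOTE-B": {"priority": "High", "functions": {"Z_REPORT_RUN", "Z_UPLOAD"}},
    "NOTE-C": {"priority": "Medium", "functions": {"Z_LEGACY_PRINT"}},
}
PRIORITY_WEIGHT = {"HotNews": 3, "High": 2, "Medium": 1, "Low": 0}

# Constructed log lines: "<timestamp> <system> <user> CALL <function>"
SAMPLE_LOG = """\
2024-05-02T08:00:01 PRD user1 CALL Z_REPORT_RUN
2024-05-02T08:00:05 PRD user2 CALL Z_REPORT_RUN
2024-05-02T08:01:10 PRD user3 CALL Z_UPLOAD
2024-05-02T08:02:00 QAS user1 CALL Z_RFC_EXPORT
2024-05-02T08:03:00 PRD user4 CALL Z_LEGACY_PRINT
2024-05-02T08:04:00 PRD user2 CALL Z_REPORT_RUN
2024-05-02T08:05:00 PRD user5 CALL Z_OTHER
"""

def parse_log(text):
    """Yield (system, function) for each well-formed CALL line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "CALL":
            yield parts[1], parts[4]

def count_calls(text):
    """Count executions per (note, system) for functions covered by unpatched notes."""
    func_to_note = {f: n for n, meta in UNPATCHED_NOTES.items() for f in meta["functions"]}
    counts = Counter()
    for system, func in parse_log(text):
        if func in func_to_note:          # calls to unaffected functions are ignored
            counts[(func_to_note[func], system)] += 1
    return counts

def rank_backlog(counts):
    """Step 1 triage order: patch-day priority first, then total executions."""
    totals = defaultdict(int)
    for (note, _system), n in counts.items():
        totals[note] += n
    weight = lambda note: (PRIORITY_WEIGHT[UNPATCHED_NOTES[note]["priority"]], totals[note])
    return sorted(totals, key=weight, reverse=True)

def alerts(counts, threshold=2):
    """Step 3: alert only when calls per (note, system) reach the agreed threshold."""
    return sorted((note, system, n) for (note, system), n in counts.items() if n >= threshold)
```

Lowering `threshold` to 1 reproduces the alert flood the text warns about; the default of 2 keeps only the heavily used NOTE-B on the PRD system.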

Combine expertise in security and SAP

This shows that SAP customers who want to benefit from the new ETD functions must prioritize their triaging efforts. Because many companies do not have enough personnel, we recommend bringing in an external security provider, whether for one-time support during the rollout project or for ongoing services on each patch day. It is vital for the consulting partner to have the required expertise in both SAP and security: specifically, experience in implementing patches, an understanding of different SAP releases and upgrade methods, and knowledge of threat detection – both in general in terms of SIEM solutions (Security Information and Event Management) and particularly in terms of SAP ETD.

Complete with a preventative approach

One way to further boost SAP security is to round out the ETD real-time monitoring of unpatched systems with a preventative approach that identifies vulnerabilities in custom source code or in the SAP system settings before they can be exploited. A current edition of the Business Code Quality Benchmark shows just how great the risk potential is: according to it, anonymized scans at over 300 SAP customers worldwide showed that customer-specific SAP applications contain, on average, 2,000 critical security errors in internal ABAP code that make a company vulnerable to attacks.
Special SAP security software can be used to automatically identify these vulnerabilities in SAP custom code and – to the extent possible – correct them. What is more, the software also provides the option to integrate these vulnerabilities into ETD monitoring until they are fixed. A similar option is available for known vulnerabilities in third-party applications used by many SAP customers: here, too, ETD sends an alert when an insecure function is called.
