Comprehensive Security for SAP

A Trend Micro White Paper | November 2015

How Trend Micro Deep Security protects SAP systems

SAP SECURITY LANDSCAPE

SAP and other Enterprise Resource Planning (ERP) systems contain highly sensitive financial, human resources, customer, and supply-chain data that must be kept safe. Recent events have highlighted that hackers are increasingly targeting these business-critical systems because the information they access and store is very valuable. However, most SAP security discussions relate to authorization, separation of duties, and other general IT controls. Typically, the security of the underlying infrastructure has not been addressed, but that is changing as high-profile breaches increase in number and intensity.

The United States Investigation Services (USIS) breach in 2013 made headlines because, for the first time, it was publicly disclosed that an SAP vulnerability was the origin of an attack that led to theft of personal information [1]. Claims by groups such as Anonymous about hacking government organizations using zero-day vulnerabilities in SAP highlight that exploits are being developed to target SAP systems in particular [2]. In addition, a new variant of a well-known remote-access Trojan that searches infected systems for the existence of SAP applications has been discovered. From these SAP applications, an attacker could potentially read configuration files and capture passwords [3]. This information could allow attackers to steal company trade secrets, personnel information, or even money from the compromised company.

An increasing number of vulnerabilities have been discovered in SAP systems, resulting in more vendor-supplied patches [4]. However, most organizations already struggle with patch management, and the criticality of these systems has further aggravated the issue [5]. Generally, these vulnerabilities are not being secured, leaving the systems open to attack.

Reference: http://www.cvedetails.com/vendor/797/SAP.html

Many organizations are not monitoring system security adequately, which makes it unlikely they will detect security issues. In addition, inadequate maintenance of secure configurations for SAP systems often leads to improper security management. In some cases, administrators are not even aware when a new system has been added to the network. This can result in systems going completely unprotected. Factors contributing to inadequate security include lack of resources, complexity, and simply not having security that’s up to the task.

As these systems become more web-accessible through a range of devices, attackers can more readily target and exploit the vulnerabilities, misconfigurations, and mismanagement of SAP systems and of the underlying operating systems, web servers, and business applications. This has made timely patching and real-time monitoring critical. Regulatory compliance is valuable and necessary for most enterprises, but an overwhelming number of requirements makes the task of compliance difficult.

Page 2 of 7 | Trend Micro White Paper Comprehensive Security for SAP

ADDRESSING THE CHALLENGE

Helping protect these systems and the data they contain is the focus of Trend Micro’s Deep Security for SAP. With Deep Security in place, you can leverage the powerful security modules of Deep Security to protect your SAP servers and entire data center (SAP and non-SAP) with one solution. These modules include anti-malware, intrusion prevention services (IPS) such as virtual patching, integrity monitoring, firewall, log inspection, and web URL filtering.

Trend Micro Deep Security for SAP also performs antivirus and content scanning on customer data being uploaded to SAP MIME repositories and databases. This scanning is done using the native SAP NetWeaver Virus Scan Interface 2.0 (NW-VSI) to maximize performance and security. This module also protects against possible malicious script content that might be embedded or disguised inside documents.


HOW DOES DEEP SECURITY PROTECT SAP?

Trend Micro’s Deep Security for SAP module offers customers two layers of protection. The first layer of protection secures the operational infrastructure, and in this context, Deep Security protects the hosts in the SAP environment through a wide range of host-based security controls. A central management console also gives a state-of-the-environment picture with ability to drill down for details, and allows administrators to implement policies for each of the Deep Security protection modules. Users can also use role-based access control to assign administration roles for Deep Security activities.

The second layer of protection provides extensive malware and active content protection specifically for the SAP platform. It uses the SAP interface, NW-VSI, which is embedded into SAP’s NetWeaver, HANA, and FIORI platforms. Deep Security uses the NW-VSI to search and analyze all types of content and documents, including embedded images and active content (such as JavaScript), in order to identify and isolate malicious content. Details about the content type are also sent back to SAP Administration, allowing policies to be developed on authorized content types.

How Does This Interface Work?

On a default SAP system, role-based access control is used to allow access for file uploads; however, only rudimentary checks are done on those uploads. Usernames and passwords often become compromised, and basic checks are not enough to determine whether a file is safe. The main purpose of the NW-VSI is to allow third-party partners to provide more advanced protection against uploads of malicious objects and, more specifically, active content.

With Deep Security for SAP, when a file is uploaded, scanning is triggered by SAP using this NW-VSI. This sends the file to Deep Security for SAP for malware scanning, active content scanning, and MIME-type determination. The scan results are then sent back to SAP NW-VSI and the appropriate action is taken. Possible actions include denying access or allowing the file to pass through. The policy for allowed content types is defined by the SAP administrator on the SAP system.

Figure 1: Deep Security Log Entry
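
The upload decision described above, reduced to its content checks, as an added example that is not Trend Micro's or SAP's code and does not use the NW-VSI API: it determines the real type from the file's bytes, applies an administrator allow-list, and denies files that carry active content. The policy set, signature lists, sample files and function names are assumptions made for illustration; malware signature scanning is left out.

```python
import mimetypes
import re

# Content types the administrator permits for upload (hypothetical policy).
ALLOWED_TYPES = {"application/pdf", "image/png", "image/jpeg"}

# Leading-byte signatures for determining the real type (illustrative subset).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-msdownload"),
]

# Markers of active content per type (illustrative, not a full signature set).
ACTIVE = {
    "application/pdf": re.compile(rb"/(JavaScript|JS|OpenAction|Launch)\b"),
    "text/html": re.compile(rb"<script\b|javascript:|\bon\w+\s*=", re.I),
}

def detect_mime(data: bytes) -> str:
    """Determine the type from the bytes, never from the file name."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script")):
        return "text/html"
    return "application/octet-stream"

def scan_upload(filename: str, data: bytes, allowed=ALLOWED_TYPES):
    """Return (action, detected_type, reason) for one upload."""
    mime = detect_mime(data)
    if mime not in allowed:
        return ("deny", mime, "content type not permitted by policy")
    declared, _ = mimetypes.guess_type(filename)
    if declared != mime:  # unknown or mismatched extension
        return ("deny", mime, "file extension disguises the real type")
    pattern = ACTIVE.get(mime)
    if pattern and pattern.search(data):
        return ("deny", mime, "active content found")
    return ("allow", mime, "clean")

# Constructed sample uploads.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
SCRIPT_PDF = b"%PDF-1.4\n1 0 obj<</OpenAction<</S/JavaScript/JS(app.alert('hi'))>>>>endobj\n"
HTML_AS_PNG = b"<html><script>alert(1)</script></html>"
PNG_AS_PDF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

Calling `scan_upload("cv.pdf", CLEAN_PDF)` allows the file, while the other three samples are denied for active content, a type outside the policy, and a mismatched extension respectively.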


Why is Scanning Important?

The NW-VSI is provided and controlled by SAP, which has a better understanding of where and when files should be scanned. This provides an advantage over conventional malware scanning on the server. The scanning helps protect clients of an SAP system by preventing the upload of malicious content that may be downloaded and opened from an SAP application or by other users of the system. It also helps protect the SAP server by protecting against the execution of malicious scripts that may attack the server.

In the default SAP configuration, for example, an internal user accessing a malicious file containing active content, such as ABAP or JAVA code, may allow that malicious code to execute. This code could give an attacker the ability to hijack user sessions or steal credentials that allow them to gain access to confidential information. This attack method is commonly known as cross-site scripting (XSS). In the example below, an attacker uses phishing to infiltrate an organization. A file is presented to HR and that file is uploaded to the SAP database. An executive then opens the file and executes malicious code, which may result in data exfiltration.

Figure 2: Attack on SAP Server with Default Configuration

However, by using Deep Security for SAP and the NW-VSI, all files will have the content type checked before upload to ensure they meet the SAP Administrator-defined policy. Deep Security for SAP will also block the active content from running so the code cannot execute. With Deep Security for SAP in place, the file is stopped from being uploaded to the SAP database and the executive does not have the opportunity to inadvertently execute the malicious code.

Figure 3: SAP Server with Deep Security for SAP


How Does Deep Security Protect my Server Environment?

Deep Security protects SAP systems and the other servers with:

• Anti-malware with web reputation: integrated with the Trend Micro Smart Protection Network for global threat intelligence and web reputation, this control protects servers from sophisticated attacks by isolating malware from critical operating system and security components.



• Intrusion detection and prevention (IDS/IPS): for each server, examines all incoming and outgoing traffic for protocol deviations, policy violations, or content that signals an attack. This enables automated protection against known but unpatched vulnerabilities by virtually patching (shielding) against the exploit. This helps reduce the urgency of applying critical vendor patches, allowing organizations time to fully test systems and reduce the potential for system downtime. The self-learning rules and comprehensive network behavior analysis also make it possible to defend against SQL injection, cross-site scripting, and web application vulnerabilities.



• Bi-directional and host-based firewall: decreases the attack surface of physical, cloud, and virtual servers with fine-grained filtering, policies per network, and location awareness for all IP-based protocols and frame types. It provides logging of firewall events at the host, enabling compliance and audit reporting per server.



• Integrity monitoring: monitors critical operating system and application files (directories, registry keys, and values) to detect and report unexpected changes in real time. Such changes may be intentional or unintentional but may expose systems and components to vulnerabilities that could be exploited by attackers. Integrity monitoring also simplifies administration by greatly reducing the number of known good events through automatic cloud-based whitelisting from the Trend Micro Certified Safe Software Service.



• Log inspection: collects, analyzes, and reports on operating system and application logs in over 100 log file formats, identifying suspicious behavior, security events, and administrative events across SAP systems and the data center. Logs can also be sent to leading SIEMs like IBM QRadar, HP ArcSight, and Splunk.


THE DEEP SECURITY DIFFERENCE

Trend Micro’s Deep Security addresses challenging security needs while enabling regulatory compliance with PCI DSS 2.0, HIPAA, FISMA/NIST, NERC, and SSAE-16. It provides comprehensive protection, greater operational efficiency, superior platform support, and tighter integration with existing investments, including SAP. Deep Security for SAP provides extensive malware and active content protection for SAP platforms. Using the SAP NW-VSI interface that is embedded into SAP’s NetWeaver, HANA, and FIORI platforms, Deep Security can search and analyze all types of content and documents, including embedded images and active content (such as JavaScript), in order to identify and isolate malicious content.

With Trend Micro Deep Security you can have:

• Deeper protection: including stateful firewall, IPS/IDS, application-layer firewalling, file and system integrity monitoring, and log inspection—in a single solution.



• Greater operational efficiency: through quick deployment and automated task management— including the recommendation of appropriate protection to be applied to each server. You can manage security much more efficiently, with minimal impact on existing IT resources.



• Superior platform support: full functionality across more platforms, and continuous adoption of the newest virtualization platforms and operating system releases without sacrificing protection.



• Tighter integration: with IT infrastructure, including directory and virtualization platforms—as well as other security investments such as SIEM. This helps ensure effective enterprise deployment and continued vendor flexibility.

Customers also benefit from Deep Security’s seamless integration with VMware, Amazon Web Services (AWS), Microsoft Azure, and other leading cloud and virtualization providers to automate cloud and data center security without compromising performance.

Conclusion

With hackers increasingly targeting the vulnerabilities in SAP systems, enterprises using SAP must deploy adequate security or risk losing their sensitive information. Deep Security can protect physical, virtual, and cloud servers as well as SAP systems with a single solution. Centralized management saves time and resources and security policies are automatically applied to the right servers, ensuring they are always protected.

REFERENCES

[1] First Example of SAP Breach Surfaces by Ericka Chickowski (May 12, 2015). http://www.darkreading.com/attacks-breaches/first-example-ofsap-breach-surfaces/d/d-id/1320382

[2] Trojan malware steals sensitive data from SAP client apps by Lucian Constantin (November 21, 2013). http://www.computerworld.com/article/2486193/security0/trojan-malware-steals-sensitive-data-from-sap-client-apps.html

[3] Anonymous hacks Greek Ministry of Finance. Infosecurity Magazine (October 30, 2012). http://www.infosecurity-magazine.com/news/anonymous-hacks-greek-ministry-of-finance

[4] New Vulnerabilities Uncovered in SAP by Ericka Chickowski (February 26, 2015). http://www.darkreading.com/application-security/5-newvulnerabilities-uncovered--in-sap/d/d-id/1319239

[5] Patch Management – NOT A Solved Problem! by Anton Chuvakin (May 6, 2013). http://blogs.gartner.com/anton-chuvakin/2013/05/06/patch-management-not-a-solved-problem/

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.

©2015 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WP01_Comprehensive_Security_for_SAP_151101US]
