We all know how it goes – once a year, the auditor carries out an IT audit as part of the year-end audit. The idea is to flag potential threats in SAP cyber security, and in identity & access management. In terms of risk, this procedure is no solution; rather, the step is taken much too late in the process to allow for any kind of quick reaction. Hackers may have already had ample time to take advantage of the risks. Despite this fact, many companies leave it too late to close loopholes. In this webinar, we will show you a much better approach that addresses this discrepancy. Thanks to SAST SUITE, you can achieve continuous, highly efficient real-time monitoring of all critical and security-related changes to your SAP systems. This means you can act immediately. No more waiting until next year when the auditor is at your doorstep. Topics of focus: • Immediate detection of unauthorized authorization assignments • Monitoring role allocation and any evasion of the dual control principle • Proper reaction – without delay – to suspicious table change documents • Cost-benefit analysis: manual downstream controls vs. intelligent real-time monitoring ------------------------------------------------------------------------------------------------------------- Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de

1. When the auditor rings,
the hacker may have
already been there.
How to actually protect your
SAP systems.

2. WELCOME!
Introducing your host today:
TIM KRÄNZKE
CSO SAST SOLUTIONS
Tel: +49 40 88173-2735
Email: tim.kraenzke@akquinet.com
Web: sast-solutions.com
MICHAEL MÜLLNER
Head of Security & Compliance Services
Tel: +43 676 9398461
Email: michael.muellner@akquinet.at
Web: sast-solutions.com
- 2 -

3. The IT audit as a snapshot:
Reduce the risk of exploitation through traceability and risk detection.
Business User  SoD conflicts
 Users with extensive
authorizations
 Insecure Configuration
 Patching and Maintenance
SAP environment
Administrator
External check identifies errors
 Fraud
 Misappropriation
 Vulnerabilities
 Loss of control
Downstream and randomly...
too late / slow
 Security for user management
 Test functions and regulations
 Secure SAP configuration
 Risk monitoring
- 5 -

4. The IT audit as a snapshot:
- 6 -
Downstream and randomly...
too late / slow

5. For intelligent real-time
monitoring, we combine
for you the best of two
worlds!
How to actually protect your SAP systems!

6. Die SAST SUITE
by akquinet AG

7. SAST SUITE: Real-time monitoring of your SAP systems.
- 10 -
 Common standard IT security solutions do not integrate your SAP systems.
 Fastest possible response time in the event of a threat situation.
 Identification of critical and unusual activities in real time.
 Protecting the SAP system landscape against
 Cyberattacks
 Espionage
 Manipulation
 Abuse of rights
 Data theft
Attacks on SAP systems often remain undetected.
!
✓ SAST SUITE monitors your SAP system landscape comprehensively and in real time!
The challenge

8. Why attacks on SAP systems are often not recognized.
- 11 -
Penetration Tests
Attack using known SAP
vulnerabilities:
Unprotected RFC Functions
Open Gateways
Old SAP routers
Result:
A local Windows Admin account
was created to perform the
"Capture the flag" action via RDP.
Customer Security Team
Was focused on network
protocols.
Monitors Active Directory users
and no local user accounts.
Result:
No suspicious event was detected
in the logs.
Regular SIEM-tools do not have
special SAP controls and are
therefore usually blind to
attacks on SAP systems.
None of our simulated attacks
has been detected by SIEM
specialists in recent years.
Summary
SAP is the "blind spot" for SIEM tools!
!
Result:
Due to missing attack patterns,
threats and attacks are not
identified.

9. Real-time threat detection for SAP systems.
Threat scenarios from which SAST SUITE protects you:
- 12 -
Manipulation of users and
authorization
Assignment of critical authorization
Misuse of critical reports and function
modules
Access to critical, blacklisted
transactions
Critical changes to system configuration
Manipulation of critical database tables
Information disclosure
File manipulation
(parameter configuration, transports)
Suspicious user behavior
(technical and dialog users)
DoS detection
Monitoring SAP security notes
Critical transport content
Extraction of confidential information
(GDPR)
Critical remote function calls
Login attempts of privileged account
Account sharing
Misuse debugging and error-analysis
Threat hunting
Forensic analysis
Correlation of different accounts to
one person (Central Identity)

10. All-around protection for your SAP system with real time monitoring.
SAP ERP
SAP BI
SAP CRM
SAP SCM
…
NetWeaver
Reports
and
analytics
SAST Security Dashboard
Splunk
Extraction
of all relevant
log data
Threat
intelligence
User and role management
Superuser logging
Download logging
SIEM
Integration
SoD analyses
System configuration
Vulnerability & compliance scan
- 13 -
SAST SUITE for SAP ERP and S/4HANA

11. Real time cyber security monitoring:
Find the needle in the haystack with SAST SUITE.
- 14 -
SOC
TEAM

12. Real-time monitoring of your SAP systems with SAST SUITE.
Your advantages at a glance:
Constant monitoring of configuration, authorizations and security and change logs.
- 15 -
Push-button access to the security status of entire SAP system landscape.
Seamless integration into existing SIEM solutions.
Aggregated and evaluated information about security policy breaches.
Automatic alerting for critical and complex events, even by combining several events that
appear uncritical when viewed individually.
Pseudonymization of user data to ensure compliance with the data protection laws of the
European Union (GDPR).
Ongoing content updates keeping all systems up-to-date.
+
+
+
+
+
+
+

13. AKQUINET

14. AKQUINET business Robots (bRobots)
Our software suite at a glance:
bRobots for SAP ERP or S/4HANA
SAP AUTHORISATIONS SAP COMPLIANCE SAP INTELLIGENCE
aAAS – automatic Auth. Assignm. Solution
aRCS – automatic Role Creation Solution aTCM – automatic Table Change Monitor
- 17 -
aRMS – automatic Role Mapping Solution
aCW+ – automatic Compliance Workflow+
aBPM – automatic Business Partner Mgmt
aYECP – automatic Year End Closing
Procedure
aUCS – automatic User Creation Solution
aMDM – automatic Master Data Mgmt

15. AKQUINET business Robots (bRobots)
Operating principle:
- 18 -
No need for
programming
knowledge
Business
Topics
d*BIC
bRobots
Fiori App+
Decision+
Workflow+
Results
Knowledge
automation
Intelligent
workflow control

16. AKQUINET business Robots (bRobots)
Operating principle:
Decision+ App+
Business roles, the core of every bRobots
Represent the “drive”
Defines process-dependent decisions
Ensure efficient and intelligent process
flow
Input interfaces from the bRobots
Dynamically generated in real time
based on the rule base
No conventional programming
necessary
Generated context-based as Fiori
interface or SAP GUI user mask
Relies on SAP standard workflow
Offers the possibility to define
process chains
 Collects and processes data across
multiple domains
Intelligent structure and sustainable
documentation of processes
Workflow+
- 19 -

17. How bRobots support
Initial situation
bRobots in the context of security intelligence:
Often implemented in companies:
Downstream controls
Expensive static release workflows
Increase compliance:
Multi-level approval workflows are implemented as
upstream (preventive) controls
Automation of critical processes
Documented activities in one workflow
Transparency and traceability
Users can see only the information that is relevant
and intended for them
- 20 -
Conclusion:
Violations are not discovered or with a time delay
Huge administrative expenses for controls
Cost-intensive due to manual activities
Control mechanisms often operate too late and do not
adequately compensate for risks
Repetitive, manually performed activities are error-prone and more cost-intensive.
!
✓ CW+ reduces the project duration and the implementation effort!

18. Use case 1:
Suspicious change of table - supplier
bRobot
Compliance
Officer
Cyclical
evaluation of
the change
documents
Critical
change?
Checking the
change
Starting
workflow
Change
okay?
Document check result
in workflow
yes
Department
Data change
(e.g. bank details of
the supplier)
yes
Manual data
correction
no
End
Start
no
- 21 -

19. Use case 2:
Recognition of conspicuous/critical price changes
 Prices may change due to various users
 bRobot focuses on users with relevant
SoD conflicts
(Possibility to change prices, invoice and manage
customer orders)
 bRobot checks all price adjustments
automated and decision-based
 Release workflow initiated in suspicious
cases only
 Check
 Approve / reject
Price reduction of x%
in relation to
Material type
Sales organization
Stock situation
etc.
Identification of user Workflow relevance
Identification of exceptional price adjustments
Workflow
Consideration of SoD conflicts
✓ ✓
- 22 -

20. Use case 3:
Recognition of conspicuous/critical scrapping processes
 Focusing on all SAP users who could
basically scrap material in the system
(e.g. spare parts)
 bRobot checks all crapping processes
desision-based
 Release workflow initiated in
suspicious cases only
 Compliance Workflow+ defines
essential decision criteria
 Check
 Approve / reject
Material scrapping
depending on:
 Value of goods
 Stock situation
 Movement types
 Material types
 etc.
Identification of activities Workflow relevance
Identification of exceptional stock changes
Workflow
Consideration of critical activities
✓ ✓
- 23 -

21. Three steps
to map your
use cases…
✓
✓
✓

22. Central deposit of criteria for criticalities through decision tables
 Flexible selection from a wide range of criteria
 Determine and assign actions depending on criticality
Step 1: Maintaining criteria for criticalities
- 25 -
Example: Differentiation by supplier number and authorization group
Lines 2 and 4 = trigger a workflow for further checking
Zeile 5 = triggers an e-mail notification to the responsible person

23.  Critical changes generate dynamic workflows
and automatically add to the agent's worklist
 Possibility to search for responsible person depending on
the identified criticality
 Responsible person can review and evaluate the incident
(e.g., compliance officer)
 Conventional SAP GUI interface or Fiori frontend
Step 2: Dynamic creation of workflows
- 26 -

24.  The results of the triggered workflows are stored. Evaluation is possible at operational as well
as strategic level.
 Operationally, the status of individual workflows can be viewed at any time.
Strategic view in the Fiori Cockpit
 Evaluations with various filter and sorting criteria
 Free and need-based composition
Step 3: Documented compliance
Complete
d
Rejected
In Progress Not started
- 27 -

25. Real-time monitoring of your SAP systems bRobots.
Your advantages at a glance:
- 28 -
Intelligent detection of suspicious (business) activities.
Dynamic integration of release workflows in case of critical changes.
Free maintenance of decision criteria, without programming effort.
Automatic alerting of critical and complex events, customized for your company.
Continuous software updates keep your systems up to date.
+
+
+
+
+
- 28 -

26. QUESTIONS?
WE ANSWER. FOR SURE.
MICHAEL MÜLLNER
Head of Security & Compliance Services
 Long term experience in management- and risk-consulting, focussing SAP.
 Deep knowledge in the areas of Business Process Optimization, Access & Identity
Management, Governance, Risk & Compliance, GDPR and IT-Audits.
Tel: +43 676 9398461
E-mail: michael.muellner@akquinet.at
Web: www.akquinet.at
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior
written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.