Security – a Midlife Crisis 02/12/19 What Constitutes a Security Midlife Crisis? History of Technology and Threats

Security – A midlife crisis 02/12/19 What constitutes a security midlife crisis? History of technology and threats

2005 – 2006 Identify theft (phishing) 2003 – 2004 Advanced worm/Trojan (“I love you”) 2007 – 2008 2000 1995 Organized crime Malicious (data theft) 1980s Breaking code Viruses websites (Melissa) 2009 – today Sophisticated targeted attacks

Petya/ Non-Petya Meltdown/ Slammer Stuxnet Spectre

Advanced For-profit Viruses and worms persistent Targeted attacks malware threats

Mainframe Client / server Client / cloud You know the challenge – breaches are increasing World’s largest data breaches and hacks

2009 – 2014 2015 – 2019

2014 Latest

2019

2013

2018 2012

2017 2011

2016 2010

2015 2009 Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ Sept 26 – Food delivery service gets hacked • Affected users: 4.9 million • Industry or type: restaurant • Cause of breach: hack

DoorDash learned in September that an unauthorized third party was able to access its user data on May 4, 2019. Many of the food delivery app’s users were affected, totaling almost 5 million. The hack affected only those people who joined before April 5, 2018.

The hacker was able to access the following information: • Profile information • Names • Email addresses • Delivery addresses • Order history • Phone numbers • Passwords (hashed and salted) • Last four digits of payment cards (for consumers) • Last four digits of bank accounts (for Dashers and merchants) • Driver’s license numbers (for roughly 100,000 Dashers) July 30 – Largest banking data breach

• Affected users: 100 million • Industry or type: banking and finance • Cause of breach: hack Capital One, the major US banking institution, suffered possibly the largest banking data breach in history. Between March 12 – July 17, Paige A. Thompson, a former software engineer, was able to access a cloud-based Amazon server and steal the data of 100 million Capital One customers and applicants. The largest group of information came from those applicants who had applied to get Capital One credit cards between 2005-2019. After the breach was discovered on July 19, the company immediately fixed the vulnerability that allowed Thompson to access the data. The leaked data includes: • Names and addresses • Phone numbers • Email addresses • Dates of birth • Self-reported income • Social Security numbers (140,000 affected) • Bank account numbers (80,000 affected) July 20 – Russia’s FSB spies get hacked

• Affected users: unknown (7.5 TB of data) • Industry or type: government • Cause of breach: hack

Russia’s Federal Security Service (FSB), which functions as its main intelligence agency, was the target of a successful hack attempt. The hacking group under the name 0v1ru$ was able to breach a major FSB contractor, SyTech, and steal 7.5 terabytes of data. The group then passed on this stolen data to the major hacking group Digital Revolution, which then shared the files with various media publications and on Twitter.

The leaked data shows that FSB was working on: • De-anonymizing Tor browsing • Scraping social media • Helping split off the state internet from the global internet

This hack has been called “the largest data leak in the history of Russian intelligence services.” April 29 – Microsoft Cloud server breach

Security researchers discovered an unsecured database that is hosted on a Microsoft cloud server. At the moment, the owner of this data is not known. Nonetheless, the database contains the data of more than 80 million US households.

This information includes: • Names • Addresses • Age • Dates of birth • Geographic location

Other demographic information was also included. Hackers can use this information (in combination with other data stolen in various breaches) to steal money, do social hacking, or engage in other malicious activities. Past and new realities in software stacks Past Future 3rd party (no contract) or 90% from SAP SAP GUI Browser, JavaScript freeware Microservices 90% freeware >98% from SAP ERP (npm, python, Java,…)

Application server 90-100% freeware NetWeaver (Tomcat, node, ..) 95% from SAP AS Container Operating System 100% freeware 100% from Database Kubernetes, Docker, vendor, contract 100% freeware Cloud Foundry 100% from Operating vendor, contract System Operating System 100% freeware Threat Exposure – Cloud Operation with Open Source Stack

Malicious actor Open Source Community (external) High knowledge by vulnerability disclosure

Time advantage due to public disclosure High knowledge Increased Increased due to common attack surface reproducibility Development Provisioning standards

Software vendor Customer

Development Build Cloud Operation Consumption Security Challenges

• Security is not a “check the box” activity, or an afterthought ▪ Security mindset change needed to plan & integrate security into processes, new technologies, and people from day 1 ▪ All LoB’s must have a mandate for security, with the proper internal/external engagement models in place • Partnership (Bridges, not Silos) ▪ Mandatory to understand “North/South & East/West” together with a clear understanding of the current threat landscape. • Standardization & Enforcement (Enterprise Architecture & Governance) ▪ In the continuously changing and overly complex environments, all processes, services, architectures etc. must be centralized and standardized, and more importantly enforced. 15 How do you deal with a midlife crisis? Do we just give up

Blockchain, Machine Learning, IoT, Virtual Reality, Quantum Computing, 42?! Global data protection regulations are expanding Data protection regulations vary globally and are extending their reach

• Global data protection regulations impact cloud vendors and customers

Country Regulations USA Patriot Act, Stored Communications Act, EU-US Privacy Shield, USA California Consumer Privacy Act – 2020

EU Data Protection Directive replaced in 2018 by the EU General Data EU Protection Regulation (GDPR) − privacy laws in 28 countries

Germany Federal Data Protection Act (FDPA)

Brazil General Data Protection Law (LGPD) – 2020

Australia Privacy Act 1988, Australian state and territory legislation

Singapore The Personal Data Protection Act (PDPA)

Personal Information Protection Act (PIPA), Personal Information Protection and Electronic Canada Documents Act (PIPEDA), Freedom of Information and Protection of Privacy Act (FIPPA)

Russia Federal Law No. 152-FZ on Personal Data Business and reputational impact can be extensive with breaches Imagine, for example, what could have been with GDPR in effect…

Potential Fines if Fines BEFORE GDPR Occurred AFTER GDPR

The UK subsidiary of a £200K £1.6B major healthcare group Data breach April 2015 Data breach

A US global financial $27M+ $125M+ services group Data breach May 2017 Data breach

A major internet service £400K £59M provider Security failure October 2015 Security failure

Based on publicly available data – Calculated based on maximum fines companies anonymized against annual revenues Areas exposed to security risks

Applications • Critical to run every business • Breaches can involve significant disruptions and costs Data • Data is key to insights and strategy • Personally identifiable data and intellectual property must be safeguarded Bad actor People Security risk • Human element poses a significant security risk • Yet a well-informed human firewall can help confront threats Build trust in digital transformation Effectively manage cybersecurity and data protection risk

Digital transformation requires security to be smarter, automated, and embedded

Manufacturing Digital Core People & Supply Chain Engagement 1 Security role design and governance must be considered early on to minimize cross-system Customer Network & Spend Experience Management risk and insider threats

Intelligent Suite 2 Interconnected systems and applications must be monitored and maintained to minimize Intelligent Technologies vulnerabilities and protect against data loss

3 Manual controls and checks must be replaced AI/ML | IoT | Blockchain | Analytics with smarter, AI-driven controls to identify anomalies and potential issues early on

Digital Platform 4 Digital automation requires more reliable and

Data Cloud effective monitoring of transactions and processes as Management Platform human intervention is minimized Cyber Security & Compliance for the Intelligent Enterprise

Key measures: • Controls embedded in Processes • Certifications Key measures: • Consolidation & Automation: • Threat monitoring Multi-Compliance-Framework • Comprehensive Laws / Regulations Attacker Cyber Defense

Key measures: • Integration in dev. process Innovation Cycle Key measures: • Awareness training for • Enterprise Security Contractor & Employees Develop products requirements •With Quality • Security Strategy ! •With Security • Protection & Project •Enabling compliance portfolio Operate securely & compliant Mindset change Attack Surface/ • Transparency •SAP Applications •Infrastructure Secure Entry Points customer Data Ensure Compliance 5 Pillars for addressing Cybersecurity & Data Protection

SAP GRC and Security solutions are designed to protect your applications and help govern your compliance process through:

Cyber Risk and Governance

Application Security

Identity and Access Management SAP Intelligent Enterprise Data Protection and Privacy

Cloud Transparency and Control Cyber Risk and Governance Identify and manage risks, regulations and polices to minimize potential business impact

• Document and monitor security risks and regulatory compliance as part of the enterprise risk management program • Align risk management and controls with business objectives and security best practices • Establish security policies and test adherence and understanding • Document and test response and recovery plan • Audit the security program to provide independent assurance • Report and manage at the board level to ensure awareness and status

SAP GRC and Security solutions are designed to help manage risk and provide governance for your compliance processes. Application Security Protecting the applications that run your business • SAP GRC and Security solutions are designed to help secure your core applications • Monitor business applications for anomalies and attacks • Analyze business transactions for fraud and unusual activity • Correlate insights from security and business alerts • Apply security patches and updates • Focus on custom code, find and fix vulnerabilities • Continuously monitor critical security configuration

“ERP systems make an appealing target for hackers, as they run business-critical processes and house sensitive corporate information, which can be used for cyber espionage, sabotage, and fraud.”1 Identity & Access Management Optimizing digital identities across the enterprise

• Reduce cost and improve security with identity management and automated provisioning • Manage access for enterprise applications – cloud or on premise – role and/or attribute-based controls • Enable greater user productivity by eliminating excessive logins with single sign-on • Reduce audit costs by quantifying the financial impact of access risk violations • Support super user account access with monitoring and integrated log review workflow

Identity and Access Management provide the key capabilities to manage system accounts and ensure the correct authorization assignments. Data Protection and Privacy Addressing data protection and privacy concerns and regulations • Secure files and data using transportable policies and encryption • Add layers of granularity for access decisions based on a variety of attributes • Enable data masking in sensitive data fields • Manage personal and sensitive data across landscapes and geographies • In case of potential breach, use logging features to identify (and stop) sources of potential data leaks

Protect company reputation and intellectual property, and improve compliance and reporting for specific regulations. Public Cloud Transparency & Control SAP solutions are designed to deliver multi-cloud data transparency and control

• Create and enforce public-cloud data access, location, movement, and processing policies • Monitor and report on data access, storage, movement, processing, and location in the public cloud • Configure public-cloud data location, movement, processing, and access policies • Enforce geolocation controls for data access, storage, processing, and movement • Prevent unlawful transfer of business data Manage Cybersecurity & Data Protection SAP solutions for GRC and Security

Intelligent GRC and Security Across End-to-End Processes Embed controls and risk monitoring

AS AS IAM IAM CRG CRG SAP SAP Access DPP SAP Enterprise SAP Cloud Identity Violation UI data SAP Process SAP Risk Business Mgmt. Threat Detection Integrity Access Governance Mgmt. by protection CTC Control Screening Greenlight DPP logging SAP Data Custodian for SAP Enterprise AS AS IAM IAM DPP Public Cloud CRG CRG SAP Dynamic Digital Rights UI data SAP Unified SAP SAP Access Authorization SAP Audit Management protection Digital Connectivity Solution Control Management by by NextLabs Mgmt. Manager NextLabs masking Boardroom CTC AS DPP IAM IAM DPP SAP Data Custodian CRG Code Vulnerability SAP Privacy SAP Identity SAP Privacy Management by Key Management Analyzer* SAP Single System SAP Privacy Sign-on Management Governance BigID Governance

Cloud Identity and Access Cybersecurity Risk Application Security Data Protection and Privacy Transparency Management and Control and Governance

*SAP NetWeaver Application Server, add-on for code vulnerability analysis Solution

Security Risk Threat & Vulnerability Management Digitization of the Security Risk Model How can security risks be managed in a volatile, uncertain, complex and ambiguous world?

Develop a strategy to move from enterprise risk management (traditional / manual) to intelligent risk management (digitized / automated), which combines managing security risk and performance to support the strategy and its objectives.

1 As-Is 2 To-Be 3

Enterprise Risk Management Security Risk Management Transparent Source Systems Automated Integration

Strategy Near Real Time Integrated Based on Data

Analytical Predictive

Several Weeks (AI / ML / MR)

Implicit risk management Explicit risk management (SRTV) Overview – Explicit Security Risk Management

Central Database Intelligent Enterprise Security Security Risk Reporting Analytics Dimensions

▪ Cross organisation People Security Risk Catalog ▪ Key Processes

▪ Buildings Workstation Application Process Threats

Data Hub GRC ▪ Countries

▪ Legal Entities

IoT Network Controls Vulnerabilities ▪ Business Impacts (Brand, Value, Operations)

▪ Security Risk Appetite New Approach enabled by SRTV - Integration Target Picture

Infrastructure Security Source Systems ▪ Cross organisation Security Risk People ▪ Key Processes ▪ Virus scanning Catalog ▪ Network compliance ▪ Buildings ▪ BladeLogic ▪ Incident Workstation Application Process Threats Reporting ▪ Code scan. ▪ Countries Server / Mobile Devices / ▪ Product ▪ Monitoring Data Endpoints / NW Development components ▪ Mail Gateway Hub ▪ IDM ▪ Legal Entities ▪ Hana Bugzilla ▪ ETD ▪ Business Impacts (Brand, Value, Operations) IoT Network Controls Vulnerabilities ▪ Security Risk Appetite

Security Data Flow Business Translation Risk and Control Transformation Monitoring Security Landscape

▪ Reduce threats and vulnerabilities, ▪ Determining the ▪ Implement and integrate ▪ Achieve visibility into ▪ Holistic security risk and identify security risks and infrastructure framework security tools (source systems) effectiveness of security control management ineffective controls around the and business critical assets to ensure continuously programs and the protection of reporting (dashboards) by primary assets, business entities cross organisation. monitoring of assets that may the primary assets per business covering of multiple and processes. ▪ Key prerequisite a proper affect security effectiveness. entity. business dimensions. ▪ Demonstrate security risk and asset management ▪ Provide automated data to ▪ Establish SRTV data hub to ▪ Data driven dashboards control performance. system covering supply the SRTV data hub. provide data for the purpose of about key risk and ▪ Drive automation and use infrastructure of related explicit / effective security risk performance indicators analytical capabilities to identify legal entities. and control management. etc. to analyze the key risk indicators and continues security risk landscape. control monitoring. SRTV Solution - Key Components at a Glance

Integration Reporting Process Transparency Accuracy Automation New Approach enabled by SRTV - Reporting

Unit A Unit B Unit C Unit D

Risk Level BC High High High High Medium Medium Medium Medium Low Low Low Thank you.

Contact information: Chris Kerr SAP Security [email protected] +44 7966975058 Follow us

www.sap.com/contactsap

© 2018 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/copyright for additional trademark information and notices.