New job offers from SAP demonstrate the potential of HANA to secure SAP systems
HANA’s real-time analytical power provides an excellent foundation to rapidly deal with security-related issues. At this year’s Sapphire, Hasso Plattner described the importance of HANA in fighting hackers.
…the increased number of potential attack vectors open to hackers means that companies can no longer rely on perimeter defences. The chairman said enterprise-level customers need to upgrade to intelligence models powered by advanced analytics tools, like HANA.
Plattner said: “What’s on show here is a new security-monitoring application that collects all significant hardware, network and software vendors’ security messages. It takes them from people like Microsoft, HP, IBM, CISCO and Oracle. It takes all of them into a large HANA database and does multi-system security breach analysis.”
What I always found intriguing about this quote was that Hasso didn’t mention SAP systems as being involved in such HANA-based cyber-threat scenarios.
Two new job offers reveal that SAP is indeed examining the potential of HANA to deal with such issues.
The job offers
Position: Working Student: Smart analysis of SAP log data in a central HANA Database
Our department has the task to examine and prepare the development of a new product in the area of mass data analysis that deals with attacks on SAP systems. The relevant data sources to analyze are e.g. the very different logs of SAP systems, which are in general very large and grow fast within short time ranges. With SAP’s in-memory HANA Database it now becomes possible to examine and analyze such mass data in a very fast way. This new opportunity allows us to analyze the data according to SAP system hacks that occurred in the past, or that are even currently occurring. One of the challenges is to transfer the relevant data into a good SAP HANA Database readable format that allows for highly performing access via HANA-DB optimized select statements.
Some corresponding questions are:
- What does the format of the most relevant data of the different sources look like? How can relevant information be extracted from this data?
- Which features does the SAP HANA Database provide to read structured and unstructured (text) data in a fast way?
- What shall a SAP HANA Database table format (or formats) look like, into which the data out of the different sources needs to be transferred?
- What are alternatives to optimize the SAP HANA Database table format(s) in order to find the relevant data in a highly efficient way?
- What could metadata models look like to allow some kind of modeling of the highly efficient select statements?
Position: Thesis Student: Analysis and Definition of Attack Patterns for SAP systems
[first part of job description is the same as the first offer]
… One of the challenges is to determine/define valid general Attack Patterns to SAP Systems or to system landscapes with SAP systems and to transfer these patterns into technical analysis statements that are applied to the relevant mass data in a SAP HANA Database.
Some corresponding questions are:
- Which are valid attack patterns?
- Which data out of which sources is needed in order to find potential attacks according to an attack pattern?
- What do the filtering and the order of filtering of the data look like in order to find a potential attack most precisely?
- How can so called ‘false positives’ (i.e. findings of potential attacks that aren’t any) be ignored in a most reliable manner?
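As an added illustration (not code from SAP or from this post) of the three steps the two job descriptions sketch, transferring log lines into a table format, expressing an attack pattern as a select statement, and suppressing false positives, here is a small Python script. The log layout is a constructed stand-in rather than a real SAP audit log format, and SQLite stands in for the HANA database.

```python
import re
import sqlite3

# Constructed, simplified SAP-style logon audit lines (an assumed layout, not a
# real SAP audit log format): "<timestamp> <client> <user> <source> <event> <status>"
SAMPLE_LOG = """\
2012-06-01 10:00:01 100 JSMITH 10.1.1.5 LOGON FAIL
2012-06-01 10:00:03 100 DDIC 10.1.1.5 LOGON FAIL
2012-06-01 10:00:05 100 SAP* 10.1.1.5 LOGON FAIL
2012-06-01 10:00:07 100 MILLER 10.1.1.5 LOGON FAIL
2012-06-01 10:05:00 100 JSMITH 10.1.1.9 LOGON FAIL
2012-06-01 10:05:30 100 JSMITH 10.1.1.9 LOGON FAIL
2012-06-01 10:06:00 100 JSMITH 10.1.1.9 LOGON OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\d{3}) (?P<usr>\S+) "
                     r"(?P<src>\S+) (?P<event>\S+) (?P<status>OK|FAIL)$")

def parse_log(text):
    """Step 1: raw lines -> structured rows (the 'table readable format')."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # a malformed line is skipped rather than aborting the load
            rows.append(m.groups())
    return rows

def load_table(rows):
    """Step 2: load into an indexed table (SQLite here stands in for HANA)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log(ts, client, usr, src, event, status)")
    conn.executemany("INSERT INTO audit_log VALUES (?,?,?,?,?,?)", rows)
    conn.execute("CREATE INDEX ix_src_ts ON audit_log(src, ts)")
    return conn

# Step 3: the attack pattern as one analysis statement. A source failing logons
# for several *distinct* user IDs inside a short window is flagged; one user
# failing twice then succeeding (10.1.1.9) is not, which drops a common false positive.
PATTERN_SQL = """
SELECT src, COUNT(DISTINCT usr), MIN(ts), MAX(ts)
FROM audit_log
WHERE event = 'LOGON' AND status = 'FAIL'
GROUP BY src
HAVING COUNT(DISTINCT usr) >= ?
   AND (julianday(MAX(ts)) - julianday(MIN(ts))) * 1440 <= ?
"""

def find_user_enumeration(conn, min_users=3, window_minutes=5):
    return [{"src": r[0], "users_tried": r[1], "first": r[2], "last": r[3]}
            for r in conn.execute(PATTERN_SQL, (min_users, window_minutes))]
```

Running `find_user_enumeration(load_table(parse_log(SAMPLE_LOG)))` reports only the 10.1.1.5 source; the thresholds are the knobs the thesis questions about filtering order and false positives refer to.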
POV
- I know that both positions may be viewed as research-related (Working Student, Thesis Student, etc.) rather than as part of product teams, but it looks like things are more serious than just research. The description contains a reference to a new product: “Our department has the task to examine and prepare the development of a new product in the area of mass data analysis that deals with attacks to SAP systems.”
- There are other efforts from SAP employees to read logs into HANA – for example, Importing Apache Webserver Logs to SAP HANA for Web Analytics & Reporting – but these efforts focus more on monitoring and traffic analysis rather than on security concerns.
- As I read these job descriptions, I thought about the possible integrations with HANA-enhanced GRC products as well as with broader fraud management solutions.
- A recent graduate of the HANA Start-up program called “Alert Enterprise” has a HANA-based security system which “addresses the single most overlooked gap in enterprise security – the prevention, detection and fast resolution of linked IT and physical access violations across diverse enterprise systems, applications, databases and geographically distributed assets.” [SOURCE]. As I watched the JD-OD video that Dennis Howlett made last year about AlertEnterprise, I realized the broader potential value that such a SAP product would have for such security-related frameworks.
Fascinating topic, this!
Unfortunately it doesn't work too well as a defense strategy - it shares similar issues with defending against terrorism:
Attacks on IT systems are similar: if we see a single IP address trying to brute force user IDs and passwords we can counteract by blocking the IP or throttling, but then the attacker simply uses a botnet instead.
We can identify malicious input like SQL injection, but this is only useful if we have prepared for that in our server code by sanitizing user input.
Still, there is merit in this analysis; it's useful to identify changes in threat patterns or watch new attacks gain usage. It helps architecting and sizing your defense infrastructure.
For developers it puts the focus on threat modeling, and rightly so. A good security design is still the only promising effort against successful exploits.
Application developers can help the analysis effort in two ways:
I would love to see results from those efforts soon. Ideally these end up in the cloud, shared by all users of the infrastructure so that customers can share knowledge and adapt their systems accordingly.
I think what might be interesting is to look at this work in terms of the HANA Enterprise Cloud where many customers host their SAP systems. HANA might be useful in this environment. In such environments, the aggregation of data from multiple customers might quickly allow SAP developers to adapt their security design more efficiently. Such aggregation would also allow more rapid identification of threat patterns.
I always have to think about those bomb detectors they've been using in Iraq.
Some guy created so-called "bomb-detectors" which didn't work at all, but the mere idea of getting caught this way had its effect on car-bomb attempts.
Although there are no figures on how many bomb attacks have been prevented and how many still got through, the mere thought of security, provided more security.
The problem with IT security is that an attacker doesn't really get punished for a failed attack. If there were a system where a hacker got tracked by drones who stuck a cattle prod up his *** after a failed hacking attempt, then the thought of security would actually make your systems more secure.
Fear of punishment is your best security strategy.
This would actually make a great demo-jam idea 😛
Have HANA analyse the incoming requests and interactions. Identify hacking attempts. Backtrack the origin. Send in a drone with a cattle prod.
Didn't Graham Robinson make a NetWeaver-operated shuffling drone last year?
Every day I'm shuffling. Shuffling shuffling. 😛
I'd like to know if SAP employs "white hat" hackers to test SAP systems. There must be someone on staff to do penetration testing with freely available tools like Metasploit.
If not, then there should be. We have to be able to ensure that our clouds, databases and systems are secure, even from our friends in Fort Meade. What a great selling point that would be.