Hi all,

SAP Enterprise Threat Detection and SIEM systems: what is the difference? Here you can find an answer.

So what is SIEM? SIEM stands for security information and event management. Such an application collects security event information throughout an IT landscape. SIEM products have been on the market for a long time.


A personal note

Some SIEM vendors really missed the opportunity to renew their architecture (security data is a big data issue nowadays, which requires a change in the architecture and the use of new analytical tools). Some products are distributed across several servers and databases, with current data in one database and historical data in another, and you have to jump between tools for analysis and reporting. But these are vendor-specific issues and not a problem of the SIEM idea, and there are also good vendors out there! So watch out if you are selecting a SIEM solution and do not implement yesterday's technology.


So what is the difference to SAP Enterprise Threat Detection?

It is the focus on security event types. SIEM solutions traditionally use security events on the network and operating system level to detect attacks. But most solutions have no idea what happens in the applications. Nowadays sophisticated attacks cannot be detected on the lower levels alone; you have to look into the application stack! That is the starting point of SAP Enterprise Threat Detection. It collects security information on the application stack and correlates it with context information to detect cyber attacks when they happen. This only works because we are using the newest technology on the market: SAP HANA as a big data platform in combination with SAP Event Stream Processor.


Just an example: how would you find someone, internal or external, who stole credentials for an SAP system (there are many techniques; this would fill a complete blog of its own) and tries to steal confidential data with the help of those credentials? It is about the user behaviour in the system in combination with context information (region, device, HR information, IP, …) -> SAP Enterprise Threat Detection.

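
The correlation described above, sketched as an added example (not SAP Enterprise Threat Detection code or delivered content): an application-level event is rated high only when unusual behaviour coincides with context mismatches. All users, field names, thresholds and events are constructed assumptions.

```python
# Added illustration; every name, field and threshold is a constructed assumption.
# Context data: HR record, known devices and typical export size per user.
HR = {"jdoe": {"status": "active", "region": "DE"},
      "asmith": {"status": "on_leave", "region": "US"}}
KNOWN_DEVICES = {"jdoe": {"LAPTOP-0141"}, "asmith": {"LAPTOP-0277"}}
BASELINE_ROWS = {"jdoe": 500, "asmith": 300}

# Constructed application-level events (not real product log output).
EVENTS = [
    {"user": "jdoe", "action": "export", "rows": 420, "region": "DE", "device": "LAPTOP-0141"},
    {"user": "jdoe", "action": "export", "rows": 90000, "region": "DE", "device": "LAPTOP-0141"},
    {"user": "asmith", "action": "export", "rows": 12000, "region": "BR", "device": "UNKNOWN-PC"},
    {"user": "asmith", "action": "display", "rows": 1, "region": "US", "device": "LAPTOP-0277"},
]

def context_findings(event):
    """Compare one event against HR, region and device context."""
    hr = HR.get(event["user"])
    if hr is None:
        return ["no_hr_record"]
    findings = []
    if hr["status"] != "active":
        findings.append("hr_status:" + hr["status"])
    if event["region"] != hr["region"]:
        findings.append("unusual_region")
    if event["device"] not in KNOWN_DEVICES.get(event["user"], set()):
        findings.append("unknown_device")
    return findings

def behaviour_findings(event, factor=10):
    """Flag exports far above the user's usual volume."""
    limit = factor * BASELINE_ROWS.get(event["user"], 0)
    if event["action"] == "export" and event["rows"] > limit:
        return ["bulk_export"]
    return []

def detect(events):
    """Alert on unusual behaviour; raise severity when context also mismatches."""
    alerts = []
    for index, event in enumerate(events):
        behaviour, context = behaviour_findings(event), context_findings(event)
        if behaviour:  # context mismatches alone are not alerted here
            severity = "high" if context else "medium"
            alerts.append((index, event["user"], severity, behaviour + context))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
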
Does SAP Enterprise Threat Detection replace existing SIEM solutions?

No, SIEM solutions are very good on the operating system and network level. They incorporate the experience of many years. They are complementary to ETD, like other security solutions (virus scanner, IPS, IDS, …). My opinion: there will not be one solution in the market which can protect everything.

Does SAP Enterprise Threat Detection also support non-SAP data?

Yes, you can also upload your proxy data (or any other) to analyze it, and do many other things which your existing system is perhaps not able to do because of outdated technology. But the content (security patterns) delivered by SAP focuses on the SAP application level. By the way, there are many security partners planning to provide additional security patterns. So watch out for partners which provide not only implementation services but also additional content.

Why did SAP not build the ETD solution on existing SIEM solutions?

We would not have invested in SAP Enterprise Threat Detection without our SAP HANA technology. SAP HANA allows us to analyze large amounts of data, correlate it and visualize it. With the predictive, geospatial, data scaling and other functionalities we will be able to provide a completely new experience in the future. Furthermore, we do not want to lock our customers in to one SIEM solution. SAP will rather integrate with leading SIEM solutions to use the strengths of both worlds.

So the product has been available since the end of 2014 and already provides great insight. But there is also a roadmap available, and SAP will deliver innovations with each service pack.

Regards

Matthias


3 Comments


  1. Zachary Leahan

    Great post.  Thanks.  Can customers create their own “security patterns”?  Seems to be just SAP and their security partners per your article… but I just want to check.
