How SAP runs SAP Enterprise Threat Detection
Welcome to a small series about SAP Enterprise Threat Detection. This is the first of four blog posts in the SAP Runs SAP space to give you some insights about this co-innovation project and how we run this new solution to protect our business systems. Let’s start with the last topic.
SAP Security Monitoring Center
The SAP Security Monitoring Center is a dedicated team at IT Security which operates 24×7 to detect and analyse attacks, as well as to assess the threat situation and to initiate possible countermeasures.
SAP Enterprise Threat Detection is an additional tool for this team to manage this process for ABAP system logs.
We have 3 roles in the team setup, each of which corresponds to dedicated applications in the ETD solution: the Monitoring Agent, the Security Expert and the Service Manager. The standard setup shows all ETD applications in one group in the Fiori Launchpad, but you can group the applications by role.
The important applications for the Monitoring Agent are ‘Monitoring’ and ‘Alerts’.
The Monitoring application lets the agent watch the stream of incoming alerts from pattern detection, grouped by pattern, system, severity, etc. The visualisation supports various chart types and colour-coded alerting. This application allows customizing and individualization, which is needed to split monitoring tasks between individuals and to support time-zone handover. We can create an unlimited number of monitoring views.
The Alerts application allows the Monitoring Agent to rank, combine, close or escalate the system-generated alerts. If he presumes an attack, he will combine the relevant alerts in one ‘Investigation’ and hand it over to the Security Expert.
The important applications for the Security Expert are the ‘Forensic Lab’, ‘Pattern’ administration and everything around ‘Investigations’.
The Forensic Lab has a double function. It is used to analyse data sets with filters and conditions, and to create a pattern based on such an analysis. The Security Expert has the task of creating new patterns and continuously improving the quality of active patterns, e.g. to minimize the number of false positive alerts. The trigger for new patterns can be a changed internal process, the go-live of a new application, or an external threat warning.
The Security Expert has several ‘Investigations’ applications to keep an overview of the overall threat situation and to review the investigations in his queue. He is accountable for deciding whether the case needs to be escalated, or whether it is a known and minor issue, or even a false positive. But if he decides that the case is a real threat, then he will consolidate all information and initiate management information and action.
The important applications for the Service Manager are ‘Resolve User Identity’ and ‘Management Info / Action’.
The Service Manager will get the serious information from the Security Expert and will initiate a security task force with the right specialists for the case. As part of this task force's activities, the Service Manager has the authorization to undo the de-personalization and resolve the user identity. This authorisation is limited to up to three persons within the IT Security department.
The Service Manager is accountable for continuous security status reporting, senior management communication and escalation handling.
IMPORTANT: This blog post describes a team setup that the IT Security department at SAP is using to run SAP Enterprise Threat Detection. This is not the only possible way, and you may have other ideas or organizational requirements. In particular, the authorization to resolve user identity needs to follow your corporate guidelines and must be discussed with your data protection officer and works council upfront.