SAP has launched their Version 1.0 of their new Security Product “SAP Enterprise Threat Detection” (ETD) earlier this year.
It is a brand new product based on SAP HANA that adds a complete different twist to the whole security discussion.
I was lucky enough to become invited to be part of the first Partner Ramp Up Workshop in Walldorf in May 2015 to get exclusive Hands-On Training and deep insights into the new product.
There are already a couple of good blogs by SAP about ETD, so I will not make another intro here. Just a quick rundown.
It is a new security concept based on the gathering and processing of security relevant events and log files. They are collected and fed into the “Event Stream Processor” that was part of the Sybase portfolio. This Event Stream Handler takes all the streams, extract the information and inserts them as normalized column-based objects into a SAP HANA instance. I never heard of the Event Stream Processor before and was surprised to see it as a blazing.-fast processor that sits on a small footprint Linux-server in front of HANA.
(picture copyright SAP SE (c) )
The processed data can be queried by SAP HANA via Fiori interfaces. The participants, all of them seasoned SAP consultants, where surprised by the slim and fast, but very informative and effective UI. “This is the very first 1.0 release ever by SAP that has a decent UI and is absolutely usable” said one partner.
This was also the first time I have seen HANA in action outside of demos and classrooms. There was seldom a technology that is even cooler on action than on paper. If you think that log file based security is boring and slow, think different.
(picture copyright SAP SE (c) )
Once the data are in HANA, there is a set of queries that will give insights into Security events and their exceptions. You can choose out of 100 so called patterns (and they are constantly growing) that is provided by SAP and that you can use to create a cockpit that will fit your security needs.
The patterns and their events can be customized and they are your approach to your own pattern-based security. Just to pick an example that I think is very handsome is the ability to read the RAL (Read Access Logs, protocols of data access) and create patterns around usage of SAP data. This is especially useful for tracking RFC-based security patterns.
Use Case “Catch the Debugger Enemy”
One impressive hands-on example was the setup, where you were debugging in a production system on the one side with “overwrite” activities during debugging. And some moments later, on the HANA side, you can see ETD raise an alert, because the debug based overwriting was detected, with terminal, user, variable and value. A typical case of “caught in the act”. You could actually hear security rush to that desk..
Another great feature was the “log learner”, that is part of the Event Stream Processor. You can dump any kind of log file, from simple to complex, and have “ETD” learn this format. ETD will detect time field, IP-fields, variables, constants and more and give you a “learned picture” from this log file, including all import routines and schedulers to insert it constantly in HANA as normalized column based pattern. This sounds not very challenging, but the degree of intelligence that is already in this 1.0 version is incredible. This usual manual nightmare of counting character, fields, delimiter and make them fit and import to databases is fully automated. You can add a lot of resource logs other than default SAP to this system with no significant effort.
Check the price tag
Those of you who think their companies will never afford ETD because of the usage of HANA, there is good news. The license of HANA is included in the license of ETD. Just add hardware. And – ask your local dealer – it is cheaper than you think. What I will say (before all SAP Salesman are at my desk), let’s have your SAP contact made a presentation for your company and you get an idea of where this is all heading to.
Installation is a matter of some days, give or take the complexity. But definitely not month. Activating the functionality is the same. Even the powerful out of the box function is a great security jumpstart.
My Two Cents Disclaimer
This is by no means a complete review. To keep this readable, I have written about the highlights that I think makes this software tool different than any other existing security tool. To check the complete feature list, look for the official SAP blogs and documents. But as you can tell, I am excited about this product and the new possibilties that comes with the usage of HANA.
The overall impression was that this is a great complimentary tool to your overall IT security strategy. And it is probably your entry ticket to the HANA world. SAP was stressing the point that this is not meant to be another SIEM tool. It is by far different. It will “Protect Your SAP Crown jewels” (original quote) and this is what it is doing perfect. It is not your network monitor, not your SIEM radar or your overall security monitor. It is your HANA based SAP Guardian and this is done well, profound and leading towards future security developments.
Most of the partner where fine with what is in this 1.0 version. A lot is missing, but SAP has acknowledged this lack and is eager together with partner and customers to continuously fill the gap. There is a defined roadmap to 2.0 and further on and there is still enough room for customer input.
I can only give the advice, in any serious security project, to look at the product (hands on), to check the price tag and open-minded consider the usage.