Real-time attack detection made possible by SAP HANA in-memory technology, analysis of millions of events per second – the highlights of SAP’s Enterprise Threat Detection (ETD) are impressive. Unfortunately, many customers also associate this with the need to set up a Secure Operations Center (SOC) that operates 24 hours a day, 7 days a week and which of course needs to be monitored. This may be true for an SOC – SAP ETD, on the other hand, shows its full potential in much smaller scenarios – as the example of a medium-sized company from the manufacturing industry proves.
A Secure Operations Center, in my imagination, is always a building without windows, surveillance cameras everywhere, and then inside something like a “war room” as it is known from Hollywood blockbusters. And in many cases that’s exactly what an SOC is. For the limited IT budgets of a medium-sized company, an SOC unfortunately remains rather fictitious – something the bad guys don’t really appreciate. Especially medium-sized companies with their specific know-how – keyword “hidden champions” – are a worthwhile target for attackers. Our experience shows that SAP systems in particular are being attacked increasingly. A solution that recognizes and analyzes attacks on SAP systems would be a welcome response to the efforts of the hacker community, especially in medium-sized businesses.
“But ETD is far too complex” – just one of the arguments we hear in discussions with customers. The example mentioned at the beginning shows that, on the contrary, ETD is a very useful instrument for securing the SAP systems, especially for customers such as the medium-sized manufacturer.
SAP ETD is characterized by an extremely high performance in the detection and analysis of events. The so-called patterns play a central role here, but are exactly the reason why the ETD, unlike other tools, is ideally suited for medium-sized businesses. With the help of the patterns the customer can concentrate on the essential events. Let us take a concrete example to illustrate this.
The basis administrator of a customer’s SAP landscape logically knows the most important data in his system. These should of course be particularly protected. This can be HR data, customer data or PLM data. The important aspect is that via the Read Access Log (RAL) the ETD is informed in real time when this data is accessed. The pattern recognition of the ETD in turn notifies the admin when unusual activity is detected. To define exactly what is “unusual”, positive and negative lists are simply defined in advance.
Once this process has been set up, it also becomes clear why no SOC is necessary: Should critical access to the sensitive data take place, the administrator is automatically informed by notification and can take immediate action. Otherwise he can analyze the accesses – anonymized of course, an important detail in view of the approaching EU DSGVO – at the end of the week.
The nice side effect of the described scenario: it is not only a simple process which is shown there, the implementation and implementation is just as simple. Of course, ETD can do much more and can also monitor large system landscapes – but then it also needs an SOC. Virtual Forge’s experience from the ETD projects we have managed together with SAP in the past clearly shows, however, that SAP ETD is flexible enough to give small and medium-sized businesses the certainty that their SAP systems are secured and monitored. The base admin then uses the time won to admire the SOC in a Hollywood movie of his choice.