Security is a holistic topic, and at SAP we do not only run our enterprise resource planning software internally, but also our technology solutions, including all of our security products. One of them, our latest security innovation and therefore our youngest security product, SAP Enterprise Threat Detection, allows analysts to determine whether SAP systems have been attacked. It runs on SAP's flagship product and in-memory database, SAP HANA, and leverages its performance and analytics capabilities as well as recent advances in machine learning and artificial intelligence.
More information on the SAP Enterprise Threat Detection product can be found here: https://www.sap.com/products/enterprise-threat-detection.html
As can be seen from the architectural diagram below, logs from SAP and non-SAP sources are extracted into SAP HANA via the SAP HANA Smart Data Streaming service. Within SAP Enterprise Threat Detection, capabilities such as patterns and semantic events support the forensic analysis of that data and raise an alert when an attack is detected.
SAP Enterprise Threat Detection is the product that SAP's Global Security Organization (SGS) has implemented as part of its Cyber Defense and Response Center – Security Event Monitoring service. The service is used in SAP's internal Security Operations Center by Cyber Security Analysts as well as IT and Security Forensic Analysts.
The team has enhanced the content shipped with the product in order to drill down on security events and find the needle in the haystack. Patterns filter the massive volume of log data down to the meaningful and significant events, reducing the data that has to be examined, and create an alert or an incident when a suspicious activity occurs within one system or across many systems. These alerts and incidents are then analyzed by the team's security experts.
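To make concrete what such a pattern does (reduce a stream of raw events to a handful of alerts), here is an added example written for this page; it is not SAP's code and does not reproduce SAP Enterprise Threat Detection's own pattern definitions or log formats. The log lines, field layout, host names and IP addresses are constructed for the illustration, and the pattern is a generic one: a run of failed logons for the same system, user and source, followed by a successful logon from that source.

```python
"""
Added example (not SAP's code): a simple detection pattern that reduces a
stream of logon events to alerts. Log lines, field layout and the pattern
itself are constructed for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of security audit events:
# timestamp, system, user, source address, outcome
SAMPLE_LOG = """\
2019-03-01T08:00:01 PRD user1 10.0.0.5 LOGON_OK
2019-03-01T08:00:05 PRD admin 203.0.113.9 LOGON_FAIL
2019-03-01T08:00:07 PRD admin 203.0.113.9 LOGON_FAIL
2019-03-01T08:00:09 PRD admin 203.0.113.9 LOGON_FAIL
2019-03-01T08:00:11 PRD admin 203.0.113.9 LOGON_FAIL
2019-03-01T08:00:13 PRD admin 203.0.113.9 LOGON_FAIL
2019-03-01T08:00:20 PRD admin 203.0.113.9 LOGON_OK
2019-03-01T08:01:00 DEV user2 10.0.0.7 LOGON_FAIL
2019-03-01T08:02:00 DEV user2 10.0.0.7 LOGON_OK
2019-03-01T09:00:00 PRD batch 10.0.0.9 LOGON_OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    system: str
    user: str
    source: str
    outcome: str


def parse_events(text):
    """Parse the constructed whitespace-separated log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, user, source, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), system, user, source, outcome))
    return events


@dataclass(frozen=True)
class Alert:
    system: str
    user: str
    source: str
    failures: int
    first_seen: datetime
    last_seen: datetime


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Pattern: at least `threshold` failed logons for the same
    (system, user, source) within `window`, followed by a successful logon
    for the same key. Returns one Alert per matching sequence; a single
    stray failure followed by success does not fire."""
    failures = defaultdict(list)  # (system, user, source) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.system, ev.user, ev.source)
        # keep only failures that still fall inside the sliding window
        recent = [t for t in failures[key] if ev.ts - t <= window]
        if ev.outcome == "LOGON_FAIL":
            recent.append(ev.ts)
            failures[key] = recent
        elif ev.outcome == "LOGON_OK":
            if len(recent) >= threshold:
                alerts.append(Alert(ev.system, ev.user, ev.source,
                                    len(recent), recent[0], ev.ts))
            failures[key] = []  # the sequence is closed either way
    return alerts


def funnel(text):
    """Summarize the reduction from raw events to alerts for a log excerpt."""
    events = parse_events(text)
    alerts = brute_force_then_success(events)
    return {"events": len(events), "alerts": len(alerts)}


if __name__ == "__main__":
    for a in brute_force_then_success(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a.system} user={a.user} source={a.source} "
              f"failures={a.failures} {a.first_seen}..{a.last_seen}")
    print(funnel(SAMPLE_LOG))
```

On the constructed sample, ten events reduce to one alert: the five failed logons for `admin` from 203.0.113.9 followed by a success. The single failure for `user2` stays below the threshold and is never surfaced, which is the kind of reduction the patterns above are meant to achieve at far larger scale.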
The product uses SAP Fiori technology for its user interfaces, and the screenshot below gives a glimpse of what a cyber security analyst sees when looking at events in the monitoring and forensic lab of the service.
The SAP-internal implementation is one of the largest SAP HANA landscapes in the world, with more than 42 terabytes of hot storage and 2 petabytes of warm storage. Only the SAP HANA database has given SAP's internal IT security experts the performance and analytics capabilities needed to handle the volume of security logs that applications and systems generate on a regular basis. For more information on SAP HANA, please check out its SAP community page on SCN here: https://www.sap.com/community/topic/hana.html.
To get a grasp of what big data means in this context, take a look at the kill chain:
The sheer number of messages per day and events per month is comparable to the data volumes generated by the well-known social networking giants. Only sophisticated algorithms and machine learning make it possible to handle this magnitude of data without generating too many false positives.
Analogous to SAP's Active Global Support, the SAP Security Operations Center team is spread across several locations around the globe to ensure 24-hour monitoring of SAP's own productive systems and of the cloud infrastructure hosting customers' business-critical systems. As the figures above show, the team deals with billions of messages per day, up to 15 terabytes of logs per day and 100 billion events per month. From these, SAP's cyber security analysts triage roughly 15,000 alerts per month, which lead to roughly 700 investigations per month.
Only SAP’s own product, SAP Enterprise Threat Detection, offers these capabilities.
For information on SAP’s security products, please check out the SAP community on SCN here: https://www.sap.com/community/topics/security.html