Business data is the most important information in a company. It documents past transactions as well as the current inventory of virtual and physical assets, it forecasts future business, it provides the basis for statistics, and it preserves the intellectual property of the company. In many companies all of this data is stored in SAP systems.
Some customers believe that SAP systems are well protected by classical SIEM (Security Information and Event Management) approaches and that no further precautions are necessary to secure their SAP landscape. The idea is that suspicious activities at the infrastructure and network level are detected and blocked by IT security.
It is true that many attacks on the IT infrastructure and on the business applications hosted on it can be detected early and prevented. But SAP systems are not just IT infrastructure: they are complex business applications that, because of their functionality, offer a multitude of attack options that cannot be seen from the perimeter view of an IT security monitoring system. A badly configured SAP system can be completely open to attackers. Incorrect or excessive authorizations, for example, are a leading cause of vulnerabilities, and they are difficult or even impossible for a SIEM to assess because a SIEM sees network flows and infrastructure logs, not the authorization state of the application.
The most important data is stored in SAP applications. Someone who starts the debugger in an ABAP production system is not recognized at the infrastructure level: the session looks like any other dialog session. Further activities during debugging, such as changing the application logic at runtime (for example by altering variable contents or skipping statements) and reading or modifying sensitive data, remain unnoticed as well. Experience shows that internal attacks at the SAP application level are a realistic scenario. For this reason, customers are very interested in security monitoring for SAP.
On the other hand, SAP resources in companies are very often a bottleneck. The employees with deep SAP know-how are already overloaded with daily operations. This is why a full-blown SIEM approach (24 hours a day, 7 days a week) for protecting the most important data in SAP systems is not wanted by many customers. These customers are looking for a smaller solution that provides insight into suspicious activities in SAP-centric landscapes: a solution that lets them identify security breaches as they occur, and an opportunity to neutralize the danger and prevent critical damage without the huge effort of setting up a Security Operations Center (SOC).
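The point above is that the evidence of debugging in production exists only in application-level logs, so a detection pattern has to be evaluated there. The following is an added illustration, not code from the original page and not SAP Enterprise Threat Detection's own pattern engine: it runs a simple "debugger used in a productive system" pattern over a constructed, simplified audit-log sample. The event names (`DEBUG_ACTIVATED`, `DEBUG_FIELD_CHANGED`, `TABLE_ACCESS`, ...), the system IDs and the list of sensitive tables are assumptions made for the example; they are not real SAP Security Audit Log message IDs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    """One record of a simplified, application-level audit log (constructed shape)."""
    ts: str
    system: str   # system ID (SID)
    client: str
    user: str
    event: str
    detail: str


# Assumptions for this example: which systems are productive, which event names
# indicate debugger activity, and which tables hold the "most important data".
PRODUCTION_SYSTEMS = {"PRD"}
DEBUG_EVENTS = {"DEBUG_ACTIVATED", "DEBUG_FIELD_CHANGED", "DEBUG_STATEMENT_SKIPPED"}
FLOW_ALTERING_EVENTS = {"DEBUG_FIELD_CHANGED", "DEBUG_STATEMENT_SKIPPED"}
SENSITIVE_TABLES = {"PA0008", "BSEG", "USR02"}

# Constructed sample log. Every one of these sessions looks like an ordinary
# SAP GUI session to a network-level monitor; only the application log tells
# them apart.
SAMPLE_LOG = [
    AuditEvent("08:01", "DEV", "100", "DEVELOPER1", "LOGON", "dialog"),
    AuditEvent("08:02", "DEV", "100", "DEVELOPER1", "DEBUG_ACTIVATED", "ZREPORT1"),
    AuditEvent("09:10", "PRD", "100", "ACCOUNTANT2", "LOGON", "dialog"),
    AuditEvent("09:11", "PRD", "100", "ACCOUNTANT2", "TRANSACTION_START", "FB03"),
    AuditEvent("09:12", "PRD", "100", "ACCOUNTANT2", "TABLE_ACCESS", "BSEG"),
    AuditEvent("10:30", "PRD", "100", "SUPPORT7", "LOGON", "dialog"),
    AuditEvent("10:31", "PRD", "100", "SUPPORT7", "TRANSACTION_START", "SE16"),
    AuditEvent("10:32", "PRD", "100", "SUPPORT7", "DEBUG_ACTIVATED", "SAPLSETB"),
    AuditEvent("10:33", "PRD", "100", "SUPPORT7", "TABLE_ACCESS", "PA0008"),
    AuditEvent("10:34", "PRD", "100", "SUPPORT7", "DEBUG_FIELD_CHANGED", "SY-SUBRC 4 -> 0"),
    AuditEvent("11:00", "PRD", "100", "BASIS1", "LOGON", "dialog"),
    AuditEvent("11:05", "PRD", "100", "BASIS1", "DEBUG_ACTIVATED", "ZMONITOR"),
]


def detect_debugging_in_production(events, production=PRODUCTION_SYSTEMS):
    """Pattern: any debugger activity in a productive system raises an alert.

    Severity is raised to 'high' when the debugger was used to alter program
    flow or data, or when sensitive tables were read in the same session.
    Debugging in non-productive systems (DEV, QAS) is not alerted.
    """
    sessions = defaultdict(list)
    for e in events:
        sessions[(e.system, e.client, e.user)].append(e)

    alerts = []
    for (sid, client, user), evs in sessions.items():
        if sid not in production:
            continue
        debug = [e for e in evs if e.event in DEBUG_EVENTS]
        if not debug:
            continue

        severity = "medium"
        reasons = [f"{len(debug)} debugger event(s) in productive system {sid}/{client}"]
        if any(e.event in FLOW_ALTERING_EVENTS for e in debug):
            severity = "high"
            reasons.append("debugger used to alter program flow or data")
        touched = sorted({e.detail for e in evs
                          if e.event == "TABLE_ACCESS" and e.detail in SENSITIVE_TABLES})
        if touched:
            severity = "high"
            reasons.append("sensitive tables read in same session: " + ", ".join(touched))

        alerts.append({"user": user, "system": sid, "client": client,
                       "severity": severity, "reasons": reasons})
    # Deterministic order for triage and for testing.
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in detect_debugging_in_production(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['user']} on "
              f"{alert['system']}/{alert['client']}: " + "; ".join(alert["reasons"]))
```

On the sample, ACCOUNTANT2 reads `BSEG` through a normal transaction and is not alerted, DEVELOPER1 debugs in `DEV` and is not alerted, BASIS1 gets a medium alert for opening the debugger in `PRD`, and SUPPORT7 gets a high alert because the debugger was used to change `SY-SUBRC` while reading `PA0008`. A pattern like this is the kind of narrowly scoped rule the text later refers to: it watches one high-value behaviour and produces few alerts, which is what makes it manageable without a SOC.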
What can be the solution for this problem?
SAP Enterprise Threat Detection (ETD) can be operated in different modes. One possibility is to use ETD only for the most important data in your company. In a workshop with knowledgeable consultants this data is identified and the matching predefined patterns are selected; optionally, the consultant can define a few additional customer-specific patterns. Experience shows that about 10 active patterns are enough for this first, basic approach. For small customer use cases two servers are sufficient: one server for SAP HANA (128 GB RAM) and one for SAP HANA Smart Data Streaming (32 GB RAM). SAP and SAP partners also offer hosting options for this setup.
What does this mean for an operational mode?
In this mode SAP Enterprise Threat Detection is used in a deliberately limited way. The patterns are tailored to protect the customer's most important data, so the number of alerts is small. The experience of reference customers shows that the existing SAP administrators can handle these alerts themselves. In addition, SAP and SAP partners offer managed service approaches that relieve the SAP administrators further. No Security Operations Center is necessary, and integration with an existing SIEM product remains possible if the customer wants it.
SAP Enterprise Threat Detection is therefore a good choice for setting up an alarm system that protects the most important data at the SAP application level. Hosting and managed service scenarios can help you avoid data breaches while keeping the burden on SAP administrators low.
Tailored use cases can be defined to help your company avoid data breaches.