SAP Enterprise Threat Detection (SAP ETD) 2.0 provides several new and enhanced features, which delivers numerous improvements in the operational – and analytical area.
Improvements in the operational area on the one hand reduce the total cost of ownership (TCO). This consists of resource savings either in terms of system resource consumption or in terms of human resources needed for the deployment, operation and maintenance of the solution.
Improvements in the analytical area on the other hand provide more comprehensive and more effective monitoring – and detection capabilities to identify cyber-attacks as they are happening and before serious damage occurs.
What’s new and what are the highlights in SAP Enterprise Threat Detection 2.0?
Out-of-the-box integration of SAP Cloud Platform Audit Log
SAP Cloud Platform Audit Logs in the Neo – and Cloud Foundry environment can now be connected out-of-the box with SAP ETD 2.0. Make use of the SAP ETD connector and integrate your own SAP Cloud Platform account. Analyse your own SAP Cloud Platform Audit logs using the Forensic Lab and correlate them with other logs e.g. from your On-Prem environment.
No own development of SAP Cloud Platform connector and no log learning are needed anymore. And, it supports hybrid monitoring in terms of having a more comprehensive view across your On-Prem – and your SAP Cloud Platform applications.
Replay Attack Detection Patterns
Apply new Attack Detection Patterns to existing historic data by using the new functionality ‘Replay of Attack Detection Pattern’. This functionality also allows to post-process Attack Detection Patterns after a log outage (e.g. resulting from a maintenance activity) has been resolved. Make use of this new functionality to prevent from alert loss.
Enhancement of User Pseudonymization and – Resolution
SAP ETD 2.0 delivers a new user pseudonymization concept. This new user pseudonymization concept enhances the performance during log normalization process and improves the identification of the same user account although acting on different systems.
Further, the Resolve User application has been enhanced with the capability to receive the pseudonyms for a given user account. A user account has been classified as suspicious and the further activities of this user account has to be further investigated. This is now possible with the new reverse resolution functionality and the navigation to the Forensic Lab for further investigation.
Enhancement of Alert Monitoring with Related Indicators
For an Attack Detection Pattern, it is now possible to define related indicators, that are shown in the alert details view. As a security expert, define related indicators by:
- Assigning the same scenario to related Attack Detection Patterns
- Defining the relevant timeframe when the related indicators may occur
Related indicators can now be quickly accessed by the monitoring agent and by that allows the monitoring agent to assess the criticality of an alert in a less time-consuming way.
Enhancement of Warm Storage Integration
Make use of the warm storage adapter based on SAP HANA Dynamic Tiering to store log data (unrecognized and recognized) for a longer period of time using a cheaper storage.
Unstructured search in historic data for forensic investigation based on a given indicator of compromise (IoC) such as a malicious hostname, IP or any kind of ID is supported via the Sherlog application. Hits can be downloaded for evidence collection purposes. Further analysis incl. correlations are supported via navigations to the Forensic Lab and Case Files.
Integration of Configuration Validation
SAP ETD 2.0 provides a configuration validation API, which allows partner solutions to easily connect to SAP ETD. Partner solutions are now able to send their configuration validation results such as static checks of security relevant system – and application settings to SAP ETD. Configuration validation results exposed to SAP ETD can be used for further analysis and correlation with log events and by that leads to a more comprehensive view of the threat situation. Also, this allows to build more sophisticated patterns e.g. offered by the partner and helps you to improve your security measures including the reduction of false positive alerts.
Enhancement of Log Learning
SAP ETD 2.0 enhances the Log Learning application by improving the user experience. Further, new functionalities are delivered such as
- Changing and copying markups in case the log format changes over time e.g. new fields are introduced. Changing or copying the markup eliminates the need to completely re-work the log learning rule
- An improved rule testing, which gives the reason why log normalization is failing (Timestamp, no rule, extraction error)
- Restrict the accepted timestamp formats i.e. only accept logs with complete timestamps containing date, time and time zone
SAP HANA Platform 2.0 Mandatory
As the name SAP ETD 2.0 already indicates, SAP HANA Platform 2.0 is now mandatory in order to reduce the maintenance complexity and to concentrate and further leverage the operational – and analytic capabilities given with SAP HANA Platform 2.0.
Light-weight Log Collectors
SAP ETD 2.0 delivers light-weight log collectors. The systems having light-weight log collectors deployed, no longer requires SAP HANA & SAP HANA Streaming Analytics. And this leads to:
- a simplification of how log collectors are operated and maintained
- 70%-80% system resource savings
Continuous Improvement in Resilience, Scalability and Performance
Continuous improvements in terms of resilience, scalability and performance delivered with SAP ETD 2.0 includes e.g.:
- A more resilient and fault tolerant log processing
- An increase in the log normalization throughput
- An optimization in the backend processing, which reduces systems resource consumption
An improvement in the UI responsiveness by optimizing the UI incl. the backend queries
Enhancement of Solution Operations & Monitoring
SAP ETD 2.0 delivers monitoring scripts, which automatically checks and restarts log processing components in case of component failures. Further, monitoring metrics such as statistics about log processing volumes and throughputs are available with SAP ETD 2.0. These monitoring metrics can be e.g. integrated into a Prometheus/Grafana dashboard.
Enhancement of Immediate Log Transfer (aka. Usage of the Kernel API)
SAP ETD 2.0 supports now the immediate log transfer of the log type System Log, additionally to the log types Security Audit Logs and Read Access Log. This leads to:
- Simpler configuration
- No delay in log data transfer
- More comprehensive information available on kernel level are delivered to SAP ETD. These are e.g. correct timestamps, systems hostname incl. its IP address, terminals hostname incl. its IP address or user information
Enhancement of Transport-based Correction Instruction (TCI)
To simplify how SAP NetWeaver AS ABAP systems especially with lower Releases and Support Packages can be connected to SAP ETD, the support of TCIs is enhanced with SAP ETD 2.0. Instead of installing several SAP Notes only the TCI needs to be implemented.
SAP Enterprise Threat Detection 2.0 is now available and can be downloaded from the SAP Software Download Center. Have a look on our Implementation Guide in the SAP Help Portal, especially the section Upgrading SAP Enterprise Threat Detection, if you are already making use of SAP ETD.
Further explore the following links: