SAP Security Monitoring – Few People Know About It. What Is It? (Post 1/3 In Series)
Hello! I’m Megan Hargrove, and I work as a SAP Security/Cyber Security Analyst for a Fortune Top 100 company, tasked with the responsibility of overseeing the security of 120+ SAP systems. SAP Security is a topic I feel is severely neglected, so my goal with this post (as well as future posts) is to share some of the knowledge and experience I have acquired with you. Let’s discuss:
SAP security monitoring – how ironic that something so imperative to your organization’s safety and stability is so little known and so rarely thought of, until it is all you (as well as your CISO!) can think of because a vulnerability within your SAP environment has been exploited.
SAP security monitoring encompasses the practice of actively analyzing all movements (both vertical and lateral) within your production and non-production systems in an effort to identify both external and internal threats. Consider the transactions your users employ, the execution of dangerous RFC callbacks, the system parameters your Basis team does (or does not) set, the overzealous roles assigned, the attempted operating system commands executed on SAP gateways using Type-E connections, the multiple bank account changes within a short period of time, etc. These are all common activities analyzed within SAP security monitoring.
As opposed to waiting for a vulnerability within your SAP landscape to be exploited, wreaking havoc on your organization, SAP security monitoring identifies these critical issues in real-time so that seasoned SAP security analysts can consume the events and immediately begin the process of mitigation or remediation.
Only a few professionals today know about SAP security monitoring – but I assure you that the attackers are well aware of what you are… and are not monitoring.
Please stay tuned for posts 2/3 and 3/3 of this series, where I will discuss the importance of monitoring your SAP systems, as well as some specific examples of what exactly you should be looking for when monitoring your SAP systems' security.
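One of the activities listed above, multiple bank account changes within a short period of time, expressed as a sliding-window detection rule. This is an added example, not code from the post: the event schema, user names, vendor IDs, window and thresholds are all constructed assumptions, and real input would come from whatever change log your SAP systems export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not an SAP log format):
# (timestamp, user who made the change, vendor changed, field changed)
EVENTS = [
    ("2024-03-01T09:00:00", "JSMITH", "V1001", "bank_account"),
    ("2024-03-01T09:04:00", "JSMITH", "V1002", "bank_account"),
    ("2024-03-01T09:07:00", "JSMITH", "V1003", "bank_account"),
    ("2024-03-01T09:30:00", "APATEL", "V2001", "address"),
    ("2024-03-01T10:00:00", "APATEL", "V2001", "bank_account"),
    ("2024-03-01T15:00:00", "APATEL", "V2002", "bank_account"),
    ("2024-03-01T15:05:00", "MLEE", "V3001", "bank_account"),
    ("2024-03-01T15:06:00", "MLEE", "V3001", "bank_account"),
]
USER, VENDOR = 1, 2  # column to group by


def detect_bursts(events, key_index, threshold, window=timedelta(minutes=15)):
    """Alert when one key (user or vendor) accumulates `threshold` or more
    bank_account changes inside `window`. One alert per burst."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    active = set()                # keys currently in an alerted burst
    alerts = []
    for row in sorted(events, key=lambda r: r[0]):
        if row[3] != "bank_account":
            continue              # other master-data changes are out of scope
        key, ts = row[key_index], datetime.fromisoformat(row[0])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop changes that aged out of the window
            q.popleft()
        if len(q) >= threshold and key not in active:
            active.add(key)
            alerts.append((key, q[0].isoformat(), ts.isoformat(), len(q)))
        elif len(q) < threshold:
            active.discard(key)    # burst ended, allow a later alert
    return alerts


if __name__ == "__main__":
    # One user touching many vendors' bank details in quick succession
    print(detect_bursts(EVENTS, USER, threshold=3))
    # One vendor's bank details changed repeatedly (change, then change again)
    print(detect_bursts(EVENTS, VENDOR, threshold=2))
```

Grouping by user and by vendor catches two different patterns from the same feed, so both rules are worth running side by side.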
Thank you for this great initiative! I strongly agree that security monitoring for SAP systems is not a topic that gets the necessary attention from the community.
I work mainly with ABAP systems, and besides the well-known (I suppose) transactions for security monitoring (like SM18, SM19, SM20 - RSAU_CONFIG, RSAU_READ_LOG, and RSAU_ADMIN, SM50 security trace and Read Access Logging), I don't see many scenarios where other tools are used for active monitoring of security events.
Being an advocate for proactive monitoring myself, SAP Enterprise Threat Detection is the best solution, as far as I know, for active monitoring of security events for SAP systems, and I rarely see it being mentioned or even used in critical scenarios.
Filipe dos Santos
Excellent initiative, which I will definitely follow! The need for continuous security monitoring is still very much underestimated. I myself work for a SAP security vendor specialized in real-time threat detection and vulnerability monitoring, and we do see the awareness growing rapidly. Looking forward to your other posts.
No doubt I'm biased given my role, though I would recommend SAP customers to run an actual comparison of available solutions. A good product is not immediately the best solution.