Recently Splunk announced a new and expanded partnership with SAP, focused on enabling the Intelligent Enterprise, by bringing new integrations and solutions for our joint customers to be successful in the experience economy. Specifically, I’m excited about the new integration between Splunk Enterprise Security and SAP Enterprise Threat Detection. Splunk is a leader in the Enterprise Security market and now with SAP’s Enterprise Threat Detection tool, you can gain greater visibility into your SAP environment with Splunk’s Enterprise Security software. Become more proactive in finding security threats earlier, stopping security events or breaches before they happen. Given these tools have a two-way communication, high quality alerts can now be quickly identified and addressed. Learn how to more efficiently secure your SAP landscape during our live, Thursday, Dec. 5th webinar.
What is SIEM
For those familiar with the Security Incident and Event Management (SIEM) market, there may be a question as to why SAP has developed a SIEM tool. Let me provide a brief overview of what a Security Incident and Event Management (SIEM) tool is and then how and why SAP built one.
SIEM tools evolved from simple log collectors and analyzers to more complex tools that collect logs, correlate the information in the logs, provide analysis against volumes of data, apply user behavior, machine learning algorithms, and threat intelligence to alert on real time threats. Forensic investigation capabilities are usually provided and increasingly, Security Orchestration, Automation and Response (SOAR) capabilities may be included.
Challenges to SIEM Tools
The challenge that SIEM tools face is that the volume of information collected can be immense, leading to expensive implementations and, subsequently, a large number of false positives. Because of the sheer volume of data that must be sorted to separate true threats from events that merely look like threats, these tools highlight areas for security analysts to investigate that later turn out to be false alerts. Despite the large amount of data they collect, many SIEM tools still provide an incomplete picture of the enterprise landscape.
Application logs present a unique challenge to SIEM tools. To sort through these logs properly, the tool needs an understanding of the application log and how it relates to the network and infrastructure. In the case of the SAP landscape, which can vary between customers because of the flexibility and configuration options available, this understanding is difficult and expensive for SIEM providers or consultants to build.
Splunk and the SIEM Market
Splunk has been ranked for the last six years as a leader and a visionary in the SIEM market by Gartner. According to Gartner, Splunk offers the ability to start with a small security implementation and add capabilities over time to ensure a successful implementation of Splunk Enterprise Security. Additionally, the full Splunk Security Intelligence Platform can be implemented by adding User Behavior Analytics (UBA) and Phantom with its SOAR capabilities. There is also a robust marketplace of partner solutions that integrate with the Splunk solutions.
Splunk’s offerings are widely installed and help to address a wide range of security threats. The “known knowns” and “known unknowns” are typically where an organization spends most of its time, because of the amount of data that must be reviewed. Splunk helps to automate these threat detection activities in Enterprise Security, which allows a customer to free up resources to focus on the more serious threats such as insider threats, nation-state actors, and targeted attacks.
SAP Enterprise Threat Detection
SAP developed Enterprise Threat Detection because our customers asked for a solution that gives increased visibility into the SAP application landscape. The SAP system is typically seen as a black box by the IT security teams at SAP customers. Enterprise Threat Detection was built to give customers the ability to find out what is going on in the SAP system and to enable them to secure it. Enterprise Threat Detection provides a full platform based on HANA’s big data in-memory correlation capabilities for analyzing data from many different SAP log sources along with non-SAP data, in order to issue alerts based on specialized SAP threat detection patterns. The alerts issued by Enterprise Threat Detection can be handled through its forensic lab and/or forwarded to a SIEM solution to be correlated with additional SIEM information. In the case of the Splunk integration, this is a two-way communication, allowing Splunk to share network and infrastructure data with Enterprise Threat Detection.
Benefits from the joint Splunk, SAP solution
Enterprise Threat Detection allows very fast correlation of SAP data from specialized SAP logs that are difficult for SIEM tools to understand. Additionally, Enterprise Threat Detection drastically cuts down the time needed to analyze the SAP landscape, delivering well-formed alerts to a SIEM tool. In Splunk’s case, Splunk can send alerts back to Enterprise Threat Detection, allowing it to compare infrastructure data against the SAP data related to a user’s behavior within the SAP landscape.
Splunk can take the Enterprise Threat Detection alerts and apply them to Splunk events to gain even better insights on users, devices and potential security incidents. Splunk can apply additional risk scoring metrics to the users and entities related to the alerts coming from the SAP system. This leads to better prioritization of the specific risks to the enterprise, which makes security analysts more productive by ensuring they focus on the highest-priority alerts.
Learn more with our Webinar
SAP and Splunk have diligently worked with specific customers to better address their overall IT security. We are excited to demonstrate how this joint solution can improve your organization’s security as well. I hope you will join us during our live webinar, Thursday, Dec. 5.