SAP Enterprise Threat Detection in the Modern SOC: Integrating with EDR and XDR Solutions
What is SAP Enterprise Threat Detection?
SAP Enterprise Threat Detection (ETD) is a real-time security event management and monitoring solution. Its core function is to protect SAP systems: it lets customers detect, analyze and respond to cyberattacks as they unfold, before the attack inflicts serious damage.
SAP ETD combines monitoring, detection and response capabilities to keep SAP systems safe from cyberattacks, and narrows the window in which critical business assets are exposed by issuing timely, actionable alerts. ETD is a commercial product; licensing is based on the number of monitored users.
ETD is part of a range of security solutions offered by SAP to address all stages of the cybersecurity lifecycle. ETD covers the detection and response stage, while other stages of the cycle are covered by:
- SAP EarlyWatch Alert
- SAP Focused Run
- SAP Code Vulnerability Analyzer (CVA)
- SAP Identity and Access Management (IAM)
In addition, SAP provides several compliance solutions that integrate with SAP ETD:
- SAP UI Data Protection Logging
- SAP UI Data Protection Masking
- SAP Business Integrity Screening
- SAP Data Custodian
How SAP ETD Works
SAP ETD is a security information and event management (SIEM) solution focused on the application layer. It collects and analyzes events from the SAP HANA database and from the SAP applications running on it.
Because SAP ETD understands the semantics of SAP application-layer events (which user logged on from which terminal, which transaction was started, which audit message was written), it can flag suspicious activity that a general-purpose SIEM would only recognize after a large parsing and rule-writing effort. ETD can also collect and analyze events from non-SAP systems.
The ETD architecture is based on two main components:
- Log preprocessor—normalizes, enriches and pseudonymizes log data from SAP NetWeaver, SAP HANA and integrated non-SAP systems. The preprocessor performs semi-automatic discovery of new log sources and maps their fields onto the ETD event model. Pseudonymization replaces user identifiers with tokens, so that events remain correlatable per user while analysts do not see personal data by default.
- SAP HANA—the normalized events are stored in SAP HANA, and ETD's analytics run on HANA's built-in analytics engine.
SAP ETD leverages the analytics capabilities of the SAP HANA database, providing:
- Ongoing monitoring and recording of SAP events in an easily queryable format
- Analysis of event trends in SAP systems and pattern recognition
- Anomaly detection using machine learning
- Insight into event history for forensic analysis and threat hunting
- Dashboards and user interfaces for data exploration
- Built-in detection patterns for common SAP attack scenarios, with new patterns delivered every two months based on SAP security advisories, security research and customer feedback
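The pipeline described above (normalize, enrich, pseudonymize, store in a queryable event model, then evaluate a detection pattern) is easier to reason about with a toy version in front of you. The following is an added example written for this page; it is not SAP code, and neither the input format nor the event model is ETD's. The pipe-separated lines are a constructed export loosely modelled on Security Audit Log entries (AU1 = logon successful, AU2 = logon failed, AU3 = transaction started); the real audit log is a binary file with different fields. The brute-force pattern, the `MESSAGE_MAP` table, the criticality lookup and the pseudonymization key are all illustrative assumptions.

```python
"""Toy log-preprocessor pipeline: normalize, enrich, pseudonymize, then run
one detection pattern over the normalized events. Added example, not SAP
code; the input format, field names and pattern are constructed."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failed logons for JSMITH from terminal
# WS0042 followed by a success, plus unrelated noise on another system.
SAMPLE_LOG = """\
2024-05-02T08:00:01|PRD|AU2|JSMITH|WS0042|10.1.2.30|Logon failed (reason=1, type=A)
2024-05-02T08:00:04|PRD|AU2|JSMITH|WS0042|10.1.2.30|Logon failed (reason=1, type=A)
2024-05-02T08:00:07|PRD|AU2|JSMITH|WS0042|10.1.2.30|Logon failed (reason=1, type=A)
2024-05-02T08:00:09|PRD|AU2|JSMITH|WS0042|10.1.2.30|Logon failed (reason=1, type=A)
2024-05-02T08:00:12|PRD|AU2|JSMITH|WS0042|10.1.2.30|Logon failed (reason=1, type=A)
2024-05-02T08:00:15|PRD|AU1|JSMITH|WS0042|10.1.2.30|Logon successful (type=A)
2024-05-02T08:01:00|DEV|AU2|TBROWN|WS0100|10.1.5.7|Logon failed (reason=1, type=A)
2024-05-02T08:05:00|PRD|AU3|JSMITH|WS0042|10.1.2.30|Transaction SE16 started
"""

# Mapping of source message IDs onto a normalized event model. In ETD this
# mapping is built semi-automatically; here it is a hand-written table.
MESSAGE_MAP = {
    "AU1": ("logon", "success"),
    "AU2": ("logon", "failure"),
    "AU3": ("transaction_start", "success"),
}

# Enrichment: landscape metadata looked up per system ID (assumed values).
SYSTEM_CRITICALITY = {"PRD": "high", "DEV": "low"}

# Pseudonymization key. A real deployment keeps this in a secret store so
# that only authorized analysts can resolve a token back to a user.
PSEUDONYM_KEY = b"demo-key-rotate-me"


def pseudonymize(user: str) -> str:
    """Keyed hash: the same user yields the same token across events (so
    correlation still works) without exposing the real user ID."""
    digest = hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()
    return "U-" + digest[:12]


def normalize(raw: str) -> list[dict]:
    """Parse the constructed export into normalized, enriched events."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, system, msg_id, user, terminal, ip, text = line.split("|", 6)
        category, outcome = MESSAGE_MAP.get(msg_id, ("unknown", "unknown"))
        events.append({
            "timestamp": datetime.fromisoformat(ts),
            "system": system,
            "criticality": SYSTEM_CRITICALITY.get(system, "unknown"),
            "source_id": msg_id,
            "category": category,
            "outcome": outcome,
            "user": pseudonymize(user),
            "terminal": terminal,
            "ip": ip,
            "message": text,
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Pattern: at least `threshold` failed logons for one system/user/terminal
    inside `window`, followed by a successful logon. Illustrative only; this
    is not one of ETD's shipped patterns."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["category"] != "logon":
            continue
        key = (ev["system"], ev["user"], ev["terminal"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["timestamp"])
            # Drop failures that have aged out of the sliding window.
            failures[key] = [t for t in failures[key] if ev["timestamp"] - t <= window]
        elif ev["outcome"] == "success" and len(failures[key]) >= threshold:
            alerts.append({
                "pattern": "logon_bruteforce_then_success",
                "system": ev["system"],
                "criticality": ev["criticality"],
                "user": ev["user"],
                "terminal": ev["terminal"],
                "ip": ev["ip"],
                "failed_attempts": len(failures[key]),
                "timestamp": ev["timestamp"],
            })
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(normalize(SAMPLE_LOG)):
        print(alert)
```

Two design points carry over to the real product: the pseudonym is keyed, not a plain hash, so an attacker who obtains the event store cannot brute-force user IDs from a dictionary of usernames; and the pattern keys on the pseudonymized user, which is why deterministic tokenization (rather than random per-event values) is required for correlation to work at all.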
The Security Stack Powering the Modern SOC
The modern security operations center (SOC) is based on several key technology components: SIEM, governance, risk and compliance (GRC) systems, firewalls and intrusion prevention/detection systems (IPS/IDS), EDR and XDR systems, threat intelligence, and zero trust security models. I’ll cover three of these components in more detail below.
Security Information and Event Management (SIEM)
SIEM stands for "security information and event management". A SIEM collects logs from many sources, normalizes them, matches events against predefined correlation rules and analytics models, and indexes the results so that analysts can search them in sub-second time. Threat intelligence gathered outside the organization is applied to the data to detect and analyze advanced threats. Security teams use these capabilities for deeper data analysis, event aggregation and correlation, log management, and reporting.
Extended Detection and Response (XDR)
Emerging extended detection and response (XDR) solutions automatically collect and correlate telemetry from multiple security products to improve threat detection and incident response. For example, alerts raised by email security, endpoint agents and network sensors that belong to one attack can be combined into a single incident.
The main goals of XDR are to increase detection accuracy and improve the efficiency and productivity of security operations. XDR solutions centralize and normalize data in one user interface, improving productivity for security analysts, and making it possible to detect evasive threats that operate across several layers of the IT environment.
Zero Trust Model
Zero trust is a security model that starts from the assumption that the network is already compromised. By treating the network as untrusted rather than as a protected perimeter, organizations strengthen both external and internal security controls.
The key principle of zero trust is that internal and external networks are equally exposed to attack and require equal protection. Putting it into practice means identifying key business data, mapping data flows, implementing logical and physical segmentation, and enforcing policies and controls through automation and continuous monitoring. For an SAP landscape this means an internal workstation logging on to a production system earns no more trust than an external one, which is why application-layer monitoring of those logons matters.
How SAP ETD Works with XDR and EDR
Modern XDR solutions have advanced capabilities, but they depend on the telemetry they receive, and a SIEM like SAP ETD can supply the SAP application-layer view. XDR ingests the SIEM's events and alerts and enables rapid investigation of security incidents using a combination of AI and human analysis:
- AI-based analytics—XDR platforms are typically cloud-hosted and apply machine-learning models, often those of the underlying cloud provider, to the ingested data.
- Human-led analysis—allows analysts to record their insights and augment them with AI-generated inputs.
- Response—humans and AI jointly determine the next steps. This may include orchestrated automated responses, or decisions and manual actions by members of the security team.
Here are several types of responses that can be made possible by XDR solutions leveraging data from ETD or other SIEM solutions:
- Alerts—cyber security is a collaborative effort that needs to include a wide range of stakeholders, rather than just IT and security staff. All relevant stakeholders must be included in decisions on major security incidents. XDR can help determine which stakeholders must be involved in each security incident, and trigger the relevant notifications.
- Configuration changes—XDR applications integrate with EDR, IDS and network equipment to perform automated changes to access control and network segmentation as a rapid response to security events. On the SAP side the equivalent reversible actions are locking the affected user or terminating its sessions.
- Repair—XDR solutions can use the correlated data to identify and remediate serious security issues end to end. Reaching this level of insight requires large volumes of data, and automated remediation should be limited to actions that can be undone; irreversible changes in a production SAP system belong with a human decision.
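The correlation step that turns an ETD alert plus endpoint and network alerts into one incident, and the response tiers built on it, look like this in miniature. This is an added example for this page, not SAP code and not any XDR vendor's implementation; the alert schema, field names, severity scale, time window and response tiers are all constructed assumptions, and the sample alerts are made up.

```python
"""Correlate an SAP ETD alert with EDR and network alerts into a single
incident by shared entity (host, user or IP) within a time window, then pick
a response tier. Added example; schemas, values and tiers are constructed."""
from datetime import datetime, timedelta

# Constructed alerts as an XDR might receive them from three sources. The
# ETD alert carries a pseudonymized user token rather than a real user ID.
ALERTS = [
    {"source": "etd", "time": "2024-05-02T08:00:15", "severity": 60,
     "host": "ws0042.corp.example", "user": "U-3f9a1c2b7d0e", "ip": "10.1.2.30",
     "title": "Brute-force logon then success on PRD"},
    {"source": "edr", "time": "2024-05-02T07:58:40", "severity": 70,
     "host": "ws0042.corp.example", "user": None, "ip": "10.1.2.30",
     "title": "Credential dumping tool executed"},
    {"source": "ids", "time": "2024-05-02T08:00:10", "severity": 40,
     "host": None, "user": None, "ip": "10.1.2.30",
     "title": "RFC port scan from internal host"},
    {"source": "edr", "time": "2024-05-02T11:30:00", "severity": 20,
     "host": "ws0100.corp.example", "user": None, "ip": "10.1.5.7",
     "title": "Unsigned binary blocked"},
]

ENTITY_FIELDS = ("host", "user", "ip")


def parse(alert: dict) -> dict:
    return {**alert, "time": datetime.fromisoformat(alert["time"])}


def shares_entity(a: dict, b: dict) -> bool:
    """True if the two alerts name the same host, user or IP (None never matches)."""
    return any(a[k] and a[k] == b[k] for k in ENTITY_FIELDS)


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts that share an entity within `window` into incidents.
    Joins are transitive: the IDS alert joins the EDR alert via IP, the ETD
    alert joins via host, so all three end up in one incident."""
    incidents = []
    for alert in sorted((parse(a) for a in alerts), key=lambda a: a["time"]):
        matched = [inc for inc in incidents
                   if any(shares_entity(alert, a) and abs(alert["time"] - a["time"]) <= window
                          for a in inc["alerts"])]
        if not matched:
            incidents.append({"alerts": [alert]})
            continue
        # A new alert may bridge several incidents; merge them into the first.
        primary, *others = matched
        for inc in others:
            primary["alerts"].extend(inc["alerts"])
        incidents = [inc for inc in incidents if all(inc is not o for o in others)]
        primary["alerts"].append(alert)
    for inc in incidents:
        inc["sources"] = sorted({a["source"] for a in inc["alerts"]})
        inc["severity"] = max(a["severity"] for a in inc["alerts"])
        inc["entities"] = sorted({a[k] for a in inc["alerts"] for k in ENTITY_FIELDS if a[k]})
    return incidents


def plan_response(incident: dict) -> dict:
    """Tiered response. Corroboration across sources raises the tier; only
    reversible actions are automated, irreversible ones stay manual."""
    corroborated = len(incident["sources"]) >= 2
    severity = incident["severity"]
    if corroborated and severity >= 70:
        return {"tier": "P1",
                "notify": ["soc", "sap-basis", "business-owner"],
                "automated": ["isolate_host", "lock_sap_user"],
                "manual": ["forensic_triage", "decide_on_rollback"]}
    if corroborated or severity >= 70:
        return {"tier": "P2", "notify": ["soc", "sap-basis"],
                "automated": ["raise_alert_priority"], "manual": ["analyst_review"]}
    return {"tier": "P3", "notify": ["soc"], "automated": [], "manual": ["queue_for_review"]}


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["sources"], inc["severity"], inc["entities"], plan_response(inc)["tier"])
```

The ETD alert on its own is a severity-60 single-source event, which the tiering would park for analyst review; joined with the endpoint alert on the same workstation and the network alert from the same IP, it becomes a corroborated incident that justifies automated isolation and a notification to the SAP Basis and business owners. The user entity is still the pseudonym, so the `lock_sap_user` step presupposes an authorized resolution of that token before the lock is applied.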
In this article I discussed the capabilities of SAP ETD and how it can work together with other components of the cybersecurity stack. SAP ETD can feed its data to EDR and XDR solutions to enable smart alerts, automated configuration changes and remediation in response to security events, as part of a zero trust security model.