Opening the Black Box
SAP Application Security Monitoring.
In a perfect world none of this would happen, but today CISOs are sometimes surprised to learn that their business applications have been compromised and that the company has lost data, or that the business has been affected by manipulated data or manipulated business processes.
The number of targeted cyberattacks on SAP business applications is strongly increasing. A successful attack on business applications most often compromises the confidentiality and integrity of the business application. This frequently goes unnoticed for a long period of time and can have serious consequences for the organization.
How this can happen & what can be the consequences.
The misuse of stolen identities cannot always be detected by an organization’s perimeter security. That makes it easy for attackers to stay under the radar and makes it difficult for security operations to detect such attacks.
In 2020, the data breach life cycle of a malicious or criminal attack took an average of 315 days. In such a sophisticated and persistent cyberattack, the goal is not to cause a denial of service, collect a ransom payment and walk away. It is to stay! Stay undetected as long as possible and maximize the impact on the organization, or the profit from the attack. Such an attack is not only about simple theft of company IP, PII, customer and partner information, or employee data, which should already ring everybody’s alarm bell. It is also about manipulation of documents in simple fraud cases, changes to business documents such as order quantities or payments, and manipulation of documents in the financial books, such as tax information, vendor and customer master data, or location information. This kind of manipulation can lead to incorrect financial statements, loss of investor trust or even market leadership, regulatory fines, or other legal penalties.
This means that most cyberattacks remain unnoticed for a long time, giving attackers plenty of time to explore the landscape and obtain the data they are looking for. A slow response to a data breach can cause even more trouble for your organization, resulting in loss of customer trust, lost productivity, or regulatory fines.
To help customers detect threats in their business applications we have developed SAP Enterprise Threat Detection, cloud edition.
What is SAP Enterprise Threat Detection, cloud edition.
SAP Enterprise Threat Detection provides transparency about suspicious (user) behavior and anomalies in SAP business applications to identify and stop security breaches in real time.
SAP Enterprise Threat Detection uses highly efficient and automated processes based on HANA technology and machine learning to track hacker activity using SAP’s predefined and easily customizable attack detection patterns.
The solution runs patterns and applies algorithms and statistical analysis to detect meaningful anomalies related to suspicious (user) events, correlates events, even over time, and detects anomalies in user behavior that indicate potential threats and fraud within SAP applications.
Why customers prefer SAP Enterprise Threat Detection monitoring SAP applications.
“IT and SAP Basis” – Two Worlds
The focus of the well-known generic SIEM solutions is on the real-time analysis of security alerts generated by network components, hardware, operating systems, and many other applications. When it comes to monitoring business applications like SAP, specific knowledge and skills are needed to interpret business application log files, for example to monitor changes to objects within the business environment. This is what SAP Enterprise Threat Detection specializes in. Sure, it might seem obvious that in an ideal world all of this would be combined in one solution, but reality looks different: when traveling from A to B it is difficult to always use the same means of transport; it would be very inefficient to go from Europe via Australia to the US by bicycle, or from one town to the next in a 747. In other words, we always use the tool that fits the demand best.
What’s in SAP Enterprise Threat Detection, cloud edition.
- Full cloud provisioning
- Integrated managed application security service
- SAP Enterprise Threat Detection, cloud edition ships with over 45 standard attack use cases
- Included 24×7 alerting
- 5×8 risk based & prioritized investigation of alerts
- Monthly reporting of all incidents and all log data
- Collecting and storing of audit relevant business log information
- And to bridge the gap between the two worlds we integrate SAP Enterprise Threat Detection, cloud edition with the world’s leading generic SIEM solutions as described in this blog post: SAP Enterprise Threat Detection (ETD) and Security Information and Event Management (SIEM). What is the difference and how can they work together? | SAP Blogs by Martin Mueller.
How SAP Enterprise Threat Detection integrates with generic SIEM and SOAR solutions.
How does SAP Enterprise Threat Detection, cloud edition work.
- Business application and system events plus contextual data are sent to SAP Enterprise Threat Detection, cloud edition by the SAP Enterprise Threat Detection log collector, which needs to be installed in the customer environment.
- Data is then efficiently enriched, normalized, pseudonymized, analyzed, stored and correlated in the cloud.
- Use cases that automatically evaluate the attack path and identify the kill chain are executed in real time, and alerts are generated where warranted.
- A security analyst examines the alerts and evaluates their criticality (severity, true/false positive).
- An investigation report is created by the analyst after completion.
- A monthly report about all investigations is provided to the customer.
- If additional forensic analysis, threat hunting and modeling of new or existing attack detection patterns is needed, this can also be done leveraging additional services.
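To make the pipeline steps above concrete (normalize, enrich, pseudonymize, correlate over time, alert), here is a small added illustration in Python. It is not SAP's code and not the log collector's format: the event layout, the event names, the user directory, the pseudonymization key and the thresholds are all constructed assumptions. It shows one attack detection pattern of the kind the "What is SAP Enterprise Threat Detection" section describes: repeated failed logons for one account followed by a successful logon, escalated when a sensitive change follows shortly afterwards. Pseudonymization is done with a keyed hash so events for the same user can still be correlated without the analyst seeing the real identity.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp|system|user|event|source).
# This layout is an assumption for the example, not an SAP log format.
RAW_EVENTS = [
    "2023-03-01T08:00:05Z|PRD|jdoe|LOGON_FAILED|10.0.0.7",
    "2023-03-01T08:00:09Z|PRD|jdoe|LOGON_FAILED|10.0.0.7",
    "2023-03-01T08:00:14Z|PRD|jdoe|LOGON_FAILED|10.0.0.7",
    "2023-03-01T08:00:20Z|PRD|jdoe|LOGON_FAILED|10.0.0.7",
    "2023-03-01T08:00:31Z|PRD|jdoe|LOGON_OK|10.0.0.7",
    "2023-03-01T08:02:10Z|PRD|jdoe|USER_ROLE_CHANGE|10.0.0.7",
    "2023-03-01T09:15:00Z|PRD|asmith|LOGON_FAILED|10.0.0.9",
    "2023-03-01T09:15:40Z|PRD|asmith|LOGON_OK|10.0.0.9",
]

# Constructed contextual data used for enrichment (a user directory).
USER_CONTEXT = {
    "jdoe": {"dept": "Finance", "admin": False},
    "asmith": {"dept": "Basis", "admin": True},
}

# Events that count as sensitive follow-up activity (constructed names).
SENSITIVE_CHANGES = {"USER_ROLE_CHANGE", "TABLE_CHANGE"}

# Assumption: the key is held by the pseudonymization step only, so analysts
# can correlate a subject across events but cannot reverse the pseudonym.
PSEUDONYM_KEY = b"example-key-rotate-me"


def pseudonymize(user: str) -> str:
    """Keyed hash (HMAC-SHA256) so the same user maps to the same token."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]


def normalize(line: str) -> dict:
    """Parse one raw line into a typed event with a real timestamp."""
    ts, system, user, event, source = line.strip().split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "system": system, "user": user, "event": event, "source": source}


def enrich(ev: dict) -> dict:
    """Attach directory context, then replace the identity with a pseudonym."""
    ctx = USER_CONTEXT.get(ev["user"], {"dept": "unknown", "admin": False})
    ev = {**ev, **ctx}
    ev["subject"] = pseudonymize(ev.pop("user"))
    return ev


def detect(events, failures=3, window=timedelta(minutes=5),
           followup=timedelta(minutes=10)):
    """Pattern: >= `failures` failed logons for one subject within `window`,
    then a successful logon. A sensitive change by the same subject within
    `followup` after the alert escalates it to critical."""
    alerts = []
    recent_failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["system"], ev["subject"])
        if ev["event"] == "LOGON_FAILED":
            kept = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            recent_failures[key] = kept + [ev["ts"]]
        elif ev["event"] == "LOGON_OK":
            count = len(recent_failures.pop(key, []))
            if count >= failures:
                alerts.append({"pattern": "brute_force_then_logon",
                               "system": ev["system"], "subject": ev["subject"],
                               "ts": ev["ts"], "failed_logons": count,
                               "severity": "high" if ev["admin"] else "medium"})
        elif ev["event"] in SENSITIVE_CHANGES:
            for alert in alerts:
                same_subject = (alert["system"], alert["subject"]) == key
                if same_subject and timedelta(0) <= ev["ts"] - alert["ts"] <= followup:
                    alert["severity"] = "critical"
                    alert.setdefault("followup_events", []).append(ev["event"])
    return alerts


def run_pipeline(lines):
    """Collect -> normalize -> enrich/pseudonymize -> correlate -> alert."""
    return detect([enrich(normalize(line)) for line in lines])


if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

Running it against the constructed events yields one alert for the pseudonymized `jdoe` subject (four failed logons, then success, then a role change two minutes later, so severity is raised to critical), and none for `asmith`, whose single failed logon stays below the threshold. The raw user name never appears in the alert, only its pseudonym.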
Why would an organization use SAP Enterprise Threat Detection, cloud edition.
- Gain transparency and simplify the analysis of suspicious activities
- Detect threats to avoid financial loss, legal and reputation damage
- Ensure the continuity of business
- Reduce effort and identify security gaps
- Analyze huge amounts of information quickly
- No effort maintaining infrastructure and software
- Security operation managed by SAP (or partner / available Q2 2023)
What does SAP Enterprise Threat Detection, cloud edition look like.
To simplify access to relevant information about cyberattacks, we created a clearly designed user interface that is easy and intuitive to use.
The investigations performed can be filtered by severity, ID, creation date, description and customer message. The chosen report can be downloaded immediately and reviewed by the end user.
The report includes an overview of what happened and when, and additionally a free-text description from the investigator about the results of the investigation and recommended mitigation steps. All technical details, such as the triggering events, are also provided with the report.
This enables the customer to take the right mitigation action at the right time. Overall, this managed cybersecurity service offered by SAP fills a significant gap by opening the black box and enabling continuous monitoring of SAP business applications as it’s required by standard cybersecurity frameworks.
If you have questions or would like a live demo session, please do not hesitate to contact your SAP sales representative.