SAP Enterprise Threat Detection

PUBLIC Arndt Lingscheid 07, 2020 SAP Enterprise Threat Detection Overview Presentation


Post on 03-Aug-2020


Page 1: SAP Enterprise Threat Detectiona248.g.akamai.net/n/248/420835/37189cd861bd01465d0cb... · 2020-07-02 · landscape with SAP Enterprise Threat Detection. Most of those companies are



© 2020 SAP SE or an SAP affiliate company. All rights reserved.


Agenda

1. The Key Values of SAP Enterprise Threat Detection
2. Why you need Enterprise Threat Detection
3. Preventing Fraud & Cyber Attacks
4. Details & Benefits of SAP Enterprise Threat Detection
5. Implementation of SAP Enterprise Threat Detection
6. SAP Enterprise Threat Detection — Architecture
7. One Day Experience Workshop


The Key Values of SAP Enterprise Threat Detection

• SAP ETD is the real-time Security Event Management and Monitoring solution giving insights into SAP systems out of the box.
• It supports the customer to detect, analyze and neutralize cyber-attacks as they are happening, and before serious damage occurs.
• It provides very high performance, analyzing thousands of log entries in real time using an SAP HANA in-memory database.

The Key Values of Enterprise Threat Detection

• Transparency in complex and hybrid SAP landscapes with respect to security and compliance
• Real-time threat visibility in complex SAP and non-SAP scenarios to detect cyber-attacks as they are happening
• Extremely efficient and cost-effective via highly automated processes and anomaly detection
• Predefined and customer-tailored attack use cases


What cyber attacks do we see

[Figure: amount of attacks worldwide by layer. IT infrastructure: network, operating system, database. Application layer: HANA database, application level. Attack types shown: malware, ransomware, phishing.]

Analysts, e.g. from insurance companies, rate cyber-attacks as the biggest risks for enterprises worldwide, within the top 10 business risks.


SAP Enterprise Threat Detection (ETD) and generic SIEM systems

[Figure: both SIEM and SAP ETD collect and analyze log data. SIEM solutions focus on the IT infrastructure (network, operating system, database); SAP ETD focuses on the application layer (application level, SAP HANA database).]

• SIEM: continue use of proven security incident reporting
• SAP ETD: real-time monitoring of business-critical SAP applications & data
• Integration of SAP ETD with all leading SIEM solutions (HP ArcSight, IBM QRadar, Splunk) available


Statistics

• The average cost of a data breach is ~ $4M. In the US it’s more than $8M.
• The average time to identify and contain a breach is ~ 280 days.
• The faster a data breach is identified and contained, the lower the costs are.
• An incident response team and extensive testing of response plans can save millions.
• Automating security processes and checks is a must.
• The percentage chance of experiencing a data breach within two years is ~ 30 percent in 2019.

From experience, there are two types of customers: the ones that know they have been hacked and the ones that do not know.


NIST Framework

• Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management
• Protect: Access Control, Awareness and Training, Data Security, Information, Maintenance, Protective Technology
• Detect: Anomalies and Events, Continuous Security Monitoring, Detection Processes
• Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
• Recover: Recovery Planning, Improvements, Communications

Positioning SAP Enterprise Threat Detection

[Figure: SAP Enterprise Threat Detection positioned against the framework functions Identify, Protect, Detect, Respond.]

• 279 days (206 + 73)
• Experiencing a data breach within two years is ~ 30 percent.
• When are you able to stop a breach?


Preventing Fraud & Cyber Attacks

[Figure: timeline of an attack across DEV, QAS and PROD systems, with the dates 01.2020, 06.2020 and 03.2021. Steps shown: discover SM59 connections; RFC to change passwd; change vendor; outgoing payments; debugging DEV system. Log sources shown alongside the steps: System Log, STAD, SAL, HTTP Log, User change log, Change documents, Read access log.]


SAP Enterprise Threat Detection

More than 140 SAP customers worldwide in all industries protect their SAP landscape with SAP Enterprise Threat Detection.

Most of those companies are listed within the DAX 30, DOW 30, or come e.g. from the defense sector. Please address the authors or your SAP account manager for more details about our reference customers.

SAP Enterprise Threat Detection is supported by the world leading auditing companies.

We have implementation partners in many regions of the world. Partners are e.g.:

• Ernst & Young
• KPMG
• Turnkey
• IBS Schreiber
• Asconsit
• PWC
• SAP NS2
• Deloitte
• Accenture
• Infosys
• Xiting…


How does SAP Enterprise Threat Detection work

[Figure: four activities arranged around "Cybersecurity and Data Protection".]

• Integrate: Integration of SAP and non-SAP log data
• Analyze: Efficiently enrich, analyze, and correlate logs
• Evaluate: Automatically evaluate attack detection patterns with real-time alerting
• Investigate: Forensic analysis and modeling of existing and new attack detection patterns and dashboards


Benefits of SAP Enterprise Threat Detection

[Figure labels: Intellectual Property, Reputation, Sensitive Data, Partner, Severe Penalties, Business Future.]

• Proactive threat monitoring and threat hunting leads to an early interception of threats
• Real-time threat visibility in complex SAP scenarios
• Single source of truth for centrally audited SAP security controls improves compliance
• High manipulation safety of SAP systems
• SAP system transparency with respect to security and compliance events
• Improved monitoring of user activity and auditing
• Audit logs are easy to read and transparent


Log Data Supported by ETD

SAP NetWeaver / S/4 Log Types

▪ System Log
▪ Security Audit Log
▪ Business Transaction Log
▪ HTTP Server Log
▪ RFC Gateway Log
▪ User Change Log
▪ Change Document Log
▪ Read Access Log / UI Log
▪ SOAP based Web Services Log

SAP NetWeaver Java

▪ HTTP Access Log (Java)
▪ Security Audit Log (Java)
▪ Security Log (Java)

HANA DB

▪ HANA Audit Trail

SAP Cloud Platform

▪ SAP Cloud Platform Audit Logs (Neo + CF)


Unique benefits of Enterprise Threat Detection

• Forensic analysis, threat hunting, anomaly detection
• All SAP logs unfiltered, normalized and readable, to be used by audit
• Analysis of Read Access Logging logs, SOAP based web services logs, UI Logging logs
• Any log type can be added
• Continuous automated detection, analysis and neutralization of cyber-attacks in real time
• Real-time, manipulation-safe data transfer to Enterprise Threat Detection
• Look at all log types and correlate the complete picture, not only a few small puzzle pieces
• Analysis of e.g.: What else did the user do?
• Generic approach (not based on fixed test cases)


Unique use cases for SAP Applications

• Information disclosure: make sure that no extraction of confidential information takes place
• Remote calls of a productive system
• Misuse of debugging and error analysis
• Extraction of confidential information (GDPR)
• Monitoring SAP security notes
• File manipulation (parameter configuration, transports)
• Suspicious user behaviour (technical and dialog users)
• Read access logging as additional data source
• Account sharing
• Log-in from an inappropriate network segment
• Correlation of different accounts to one person
• Manipulation of users and authorization
• Critical changes to system configurations
• Manipulation of critical database tables
• Access to critical, blacklisted transactions
• Misuse of critical reports and function modules
• Assignment of critical authorization


Reference Use Case: SAP Enterprise Threat Detection @ SAP IT

SAP Cyber Defense and Response Center – Security Event Management

SAP Enterprise Threat Detection used by SAP IT for Security Event Management

• Monitors, collects and correlates security events generated within the SAP IT infrastructure, SAP cloud platforms and, if applicable, within the application layers, to detect security incidents and threats for all SAP lines of business
• Global deployments of Log Collectors to cover all SAP data centers
• 24x7 Security Operating Center

Current Figures

• 9.2 billion events per day
• ~120.000 events/sec
• ~200.000 events/sec (peak)
• 160 billion events (total)
• 7.7TB in-memory data


DEMO


Implementation of SAP Enterprise Threat Detection

Recommendation:

• Risk assessment
• Risk-based, step-by-step implementation

Factors:

◼ Number of systems
◼ Used patterns
◼ Used log types
◼ Operating mode (reactive, 8*5 or 7*24)

[Figure: patterns plotted against number of systems.]

SAP Enterprise Threat Detection — Architecture

[Figure, shown in several deployment variants: ERP systems in the SAP On-Premise, SAP HEC / Hosting, SAP C/4HANA and SAP Concur landscapes, together with SAP Enterprise Threat Detection. Later variants add a Managed Service.]

SAP Enterprise Threat Detection Cloud Edition (2021) — Architecture

[Figure: ERP systems in the SAP On-Premise, SAP HEC / Hosting, SAP C/4HANA and SAP Concur landscapes, together with SAP Enterprise Threat Detection and a Managed Service.]


One Day Experience Workshop

• SAP Enterprise Threat Detection provided in the Cloud Appliance Library is a quick and very easy way to consume the SAP Enterprise Threat Detection solution in the cloud.
• Within this one-day workshop companies can evaluate the SAP Enterprise Threat Detection solution on a Cloud Appliance Library.
• The One Day Experience Workshop can connect to a company's S/4 application or use the existing S/4 HANA in the CAL.

[Figure: S/4 HANA and Enterprise Threat Detection in the Cloud Appliance Library, optionally connected to the company's own S/4 HANA.]

https://blogs.sap.com/2019/12/13/sap-enterprise-threat-detection-as-a-one-day-experience/


• With the one-day experience, together with one of our highly experienced SAP security consultants, you can analyze and monitor suspicious activities in the SAP S/4HANA application, create Attack Detection Patterns, process alerts, or train the system to learn a new log source by making use of the log learning application.
• This experience workshop is free of additional costs.


Preparation:

• Select the use cases from our list, or propose your own use cases to be shown in the workshop.
• Agree on the workshop date.
• Decide whether you use the cloud environment only or include your own S/4 system.
• If an own system is used:
  • You will get the connection enabling document.
  • Select the appropriate system, usually not a PRD system.
  • Enable secure connections in that system.
  • Open ports for communication.
  • Make sure systems can connect 2 weeks prior to the workshop.


Enterprise Threat Detection gives real-time transparency into suspicious (user) behavior and anomalies in SAP business applications, to identify and stop security breaches in real time.

Enterprise Threat Detection uses highly efficient and automated processes based on HANA technology and machine learning to track hacker activity using SAP's predefined and easily customizable attack paths.

Stop security breaches in today’s SAP business applications.

Contact information:

▪ Arndt Lingscheid

▪ SAP Enterprise Threat Detection,

▪ IBSO Products

▪ SAP SE Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

Thank you.
