The SIEM alarm system for your SAP landscape for more security
SAP customers are facing a steadily increasing number of cybersecurity attacks. Espionage, extortion, sabotage, insider threats, and the employment of detectives might sound like the thrilling plot of a Hollywood film, yet these issues arise daily. Wherever there are assets, there is an essential question: how can these be protected? While IT security focuses on the safety of systems, cybersecurity emphasizes the protection of products and services. SAP systems process data of the highest security classes. In addition to business partners and employees, sensitive financial and banking data, materials management, production planning, and many other business processes are represented in an SAP system. The SIEM tool, SAP Enterprise Threat Detection (ETD), monitors the system landscape and associated applications. The goal is to identify cyberattacks in real time, analyze them with IT forensic methods, and neutralize them to prevent potential damage to the company or organization. In this context, ETD acts as an alarm system for your core SAP systems.
This article is relevant for CIO, CISO, SAP Basis Administrators, and SAP Technology & Security Consultants, and will guide you through the subject of SAP ETD.
To begin with, we aim to answer three crucial questions to appropriately prioritize the need for an alarm system:
Are SAP systems currently being attacked? YES
Do you require an alarm system for SAP systems? YES
On average, how long does it take to patch a known security vulnerability in an SAP system? 280 days.
What are the NIST framework recommendations for cyber security?
The NIST (National Institute of Standards and Technology) Framework for cyber security is a widely recognized standard for evaluating and enhancing cybersecurity in businesses. It is based on five main categories: Identify, Protect, Detect, Respond, and Recover. Here are the NIST Framework’s recommendations for each of these categories:
| Identify | This initial step involves understanding the systems, data, and resources within the company that need protection. This includes: – Asset Management: Identify and manage all physical and software-based assets within the organization. – Risk Management: Identify and assess the risks to the systems, data, and resources. – Governance: Establish policies and procedures to effectively manage the cybersecurity program. |
| Protect | After identifying assets and risks, appropriate protective measures need to be taken. This can include: – Access Control: Determine who has access to the systems and data and what actions they are allowed to carry out. – Data Encryption: Encrypt data both at rest and in transit to protect it from theft or manipulation. – Security Training: Educate employees in security-conscious behavior and in recognizing threats like phishing attacks. |
| Detect | The company must be able to detect cyberattacks and security breaches when they occur. This can involve: – Anomaly and Vulnerability Detection: Use tools and techniques to detect unusual activities that might indicate a security breach. – Security Monitoring: Continuously monitor the systems and networks for signs of security breaches. |
| Respond | If a security breach is discovered, the company must be capable of responding effectively. This encompasses: – Response Planning: Ensure that an emergency response plan is in place and up-to-date. – Communication: Inform internal and external stakeholders about the issue and how it is being handled. – Analysis: Investigate the security breach to understand its cause and impact. |
| Recover | After a security breach, the company must be capable of restoring its systems and activities. This involves: – Recovery Planning: Ensure that plans and processes for restoring systems and data are in place and current. – Improvements: Use the insights from the security breach to strengthen cybersecurity measures. – Business Continuity Management: Plan to continue your business during outages and have alternatives in place. – Communication: Recovery activities are coordinated with internal and external parties (e.g., coordination centers, Internet service providers, owners of attacked systems, victims, and other providers). |
SAP ETD specifically addresses the “Detect” and “Respond” categories of the NIST Framework and centrally collects logs from the entire landscape, storing them for at least one year. SAP ETD is here filling the gap what your ABAP System with Security Audit Log (Transaction SM20) is not able to do.
What problem does SAP ETD solve?
Numerous measures, such as the renowned “Patch Tuesday”, are already being taken by SAP customers to enhance the security of SAP systems. However, these efforts are not sufficient.
Consider this: you receive a recommendation to retrofit the windows in your home with locks. This increases security and makes it harder for a burglar to gain access to your home. This is a clear example of implementing a security recommendation. But what you don’t know is whether the burglar, despite the security measure, could still gain access to your home through the front door using a lock pick tool. An alarm system, which ideally also alerts the security service provider, solves this problem.
SAP Enterprise Threat Detection (ETD) is a security solution that helps companies, especially SAP customers, to detect, analyze, and respond to cyberattacks and security incidents. This happens in real-time using advanced machine learning algorithms and pattern recognition. Unusual behavior and potential violations in SAP systems and applications are systematically detected. As such, SAP ETD fills the gap in the NIST Framework and empowers SAP customers with IT forensics. SAP ETD, based on the SAP HANA platform, aims to increase the operational security of the connected SAP systems, leveraging SAP’s modern technology platform. Since SAP ETD stores log files, traces, and protocols, these can then be evaluated centrally and comfortably.
You may ask, why can’t the existing SIEM system be used for the SAP landscape? SAP ETD is the best at interpreting SAP log data and offers application-level monitoring. Thus, SAP ETD complements existing SIEM solutions that focus on the infrastructure level. Furthermore, the alerting from SAP can be comfortably implemented with JSON pushing and pulling into existing SIEM systems for integration.
How does SAP ETD work?
SAP ETD operates by collecting and analyzing log data from SAP and non-SAP systems in real time. These can include SAP Application Server ABAP, SAP Application Server JAVA, SAP HANA databases, or various cloud products such as the SAP Business Technology Platform or the ERP system S4/HANA Cloud. It utilizes a multitude of data sources, including database logs, application logs, and operating system logs. The gathered data are then scrutinized for potential threats.
The analysis is carried out with the aid of so-called detection patterns, which represent predefined rules capable of identifying specific types of threats or suspicious activities. Upon a match, an alert message is generated, furnishing the necessary information for investigating and responding to the threat.
Additionally, SAP ETD enables integration with other security information and event management systems (SIEM), to ensure a comprehensive view of the company’s security situation. With SAP ETD, businesses can effectively respond to threats, identify them, and act proactively to minimize the impact of security breaches and protect their systems and data. In conclusion, SAP ETD is an efficient and effective tool for enhancing security and safeguarding corporate data, by facilitating early detection and response to potential threats.
How to implement SAP ETD?
The implementation of SAP Enterprise Threat Detection (SAP ETD) is a multi-stage process that requires careful project planning and a well-thought-out strategy. Here are the fundamental steps to implementing SAP ETD:
| Requirement Analysis | Before commencing with the implementation, it is crucial to understand your company’s specific requirements for security monitoring. This involves identifying the systems and data that need to be monitored, as well as the types of threats you want to detect. |
| System Preparation | The next step is to prepare the SAP ETD system environment. This includes installing the SAP ETD server and the SAP HANA database server, which serve as the foundation for SAP ETD. |
| Data Source Integration | SAP ETD can collect log data from a multitude of sources, both SAP and non-SAP systems. You need to identify the systems to be monitored and configure them accordingly to send log data to SAP ETD. |
| Configuration of Detection Patterns | SAP ETD uses detection patterns to identify suspicious activities in the collected log data. You need to configure detection patterns based on the specific threats you want to detect. |
| Alarm Management | Once a detection pattern identifies a potential threat, SAP ETD generates an alarm. You need to establish processes and responsibilities for managing these alarms. |
| Training and Testing | Prior to final deployment, it is essential to conduct comprehensive testing and ensure that your personnel is adequately trained to effectively utilize SAP ETD. |
What skills are required to operate SAP ETD?
The competencies required to operate SAP Enterprise Threat Detection are derived from its scope of work.
| Technical Operation | Installation Hardware management System life cycle management Application life cycle management Availability management Connecting log sources |
| Functional Operation | Configuration and custom adaptation of use cases Content management |
| Processing Insights | Processing security breaches in the log Decision making Change management |
| Monitoring Task | Monitoring Investigation and analysis of cases Alarm processing |
How are SAP systems attacked today?
SAP systems are central to many businesses and hence, an attractive target for cyberattacks. These attacks can come from both external and internal sources, depending on the nature of the attacker and their objectives. It’s also important to emphasize that you should protect not only your productive SAP systems but also your non-productive ones and backups, as they can also contain valuable data. Here’s an overview of the various types of attacks on SAP systems:
External Attacks:
| Exploiting vulnerabilities: Attackers search for known security gaps in SAP software to gain access to systems and data. This can be done by exploiting errors in SAP software or by exploiting configuration errors at the system or network level. |
| Phishing attacks: In this scenario, the attacker sends fake emails that appear to come from a legitimate source. The goal is to trick the recipient into revealing sensitive information or installing malware that allows the attacker to gain access to the SAP system. |
| Denial-of-Service (DoS) attacks: In these attacks, the SAP system is bombarded with an overwhelming number of requests, which can result in the system slowing down or failing entirely. |
Internal Attacks:
| Misuse of permissions: These are situations where employees misuse their access rights to access sensitive information or cause damage. This can happen either intentionally or unintentionally. |
| Insider threats: In some cases, employees, contractors, or business partners may deliberately try to compromise the SAP system. They can use their knowledge of the system and their access rights to steal, manipulate data, or sabotage the system. |
| Faulty configurations: Errors in system configuration can allow employees to unintentionally access information that they should not normally have access to. |
Actual security incidents in the SAP environment:
- Attack on the USR02 table with password hashes
- Information on new product data was published on the internet before the product was officially introduced.
- An employee downloaded the product recipe, bill of materials, and formula from the test system before switching to a competitor.
- Disruption of business processes for several days after an SAP table was deleted by an external consultant.
- Attackers try to gain access to SAP systems via various SAP standard users.
- A privileged user manipulates his salary in the SAP Payroll PA30.
- A whistleblower provides the press with the CEO’s salary and expense reports.
- A corporation is unable to present its annual report at the general meeting due to a cyberattack.
- An external developer bypasses security policies and develops and debugs in the production system.
- A user logs in simultaneously from different locations, and identity theft was detected.
- Access to blacklisted transactions and unlocking of transactions
It is important to stress that SAP is continually working on improving the security of its systems. Nevertheless, it’s the responsibility of each company to actively protect its systems and data, taking into account both external and internal threats. Relevant Keywords are SAP systems, cyberattacks, external attacks, internal attacks, exploiting vulnerabilities, phishing attacks, Denial-of-Service attacks, misuse of permissions, insider threats and faulty configurations.
What are the risks and consequences of an attack on an SAP system?
An attack on an SAP system can pose significant risks and consequences for a company. SAP systems often form the backbone of business processes and store a wealth of sensitive and critical business data. Thus, attacks on these systems can have considerable negative impacts. Here are some examples of risks and consequences:
| Data loss or theft | A successful attack could result in confidential data being lost or stolen. For instance, an attacker could steal customer data containing personal information such as names, addresses, and credit card details. This could lead to significant financial losses for the company and its customers and undermine trust in the company. |
| Operational interruptions | An attack could disrupt crucial business processes. For example, a Denial-of-Service attack could cause the SAP system to become unresponsive, potentially halting production, order processing, or other critical business operations. |
| Reputation loss | If it becomes known that a company has fallen victim to a cyberattack, it can lead to significant loss of trust from customers, partners, and shareholders. Customers, for instance, might hesitate to do business with a company that was unable to protect its data. |
| Legal consequences and penalties | If a company fails to protect its customers’ or employees’ data, it could face legal consequences and significant penalties, especially in light of data protection laws such as the EU General Data Protection Regulation (GDPR). |
An attack on an SAP system is a serious risk that businesses must actively manage and protect against. It’s crucial for companies to have a strong cybersecurity strategy that includes both preventive measures and a plan for dealing with security incidents.
What does IT forensics mean?
IT forensics in relation to SAP Enterprise Threat Detection (ETD) refers to the systematic investigation of security incidents and anomalies within an SAP system. The goal is to identify the cause of security breaches, understand their impact, and develop measures to prevent future incidents. SAP ETD is a powerful tool that collects and analyzes data from various sources to detect potential threats and trigger alerts. An employee working in IT forensics for SAP ETD requires a set of specific competencies:
| Analytical skills | An IT forensic analyst needs to be capable of analyzing large amounts of data and identifying patterns that could indicate a security breach. They also need to understand complex technical details and use this information to develop hypotheses about the cause and course of security breaches. |
| Technical expertise | A deep understanding of the SAP system architecture, including knowledge about different SAP modules, data structures, and log file formats is crucial. Additionally, knowledge of the SAP HANA database and related technologies, including network and operating system components, is advantageous. |
| Experience with security tools | Experience with security tools such as SAP ETD and other threat detection and response tools is important. The employee should know how to use such tools to detect suspicious activities, generate alerts, and create detailed reports. |
| Communication skills | Since the IT forensic analyst often has to communicate the results of their investigations to non-technical stakeholders, strong communication skills are required. This includes the ability to explain complex technical details in a way that is understandable to all. |
With these competencies, an IT forensic analyst can effectively work with SAP ETD, investigate security incidents, and contribute to strengthening the company’s cybersecurity.
What are the legal requirements for the security of SAP systems?
The security of SAP systems is regulated by various legal and regulatory requirements. Some of these requirements are:
| Data protection laws | Many countries have laws that regulate the protection of personal data. For instance, in the EU, the General Data Protection Regulation (GDPR) is a key legal framework that regulates the processing of personal data by companies. Companies must ensure that their SAP systems are configured to meet the requirements of the GDPR. |
| IT security laws | Some countries have specific laws pertaining to IT security. For instance, in Germany, the IT Security Law is relevant, which obligates operators of critical infrastructures to implement certain security measures and report significant IT disruptions. |
| Industry-specific regulations | There are specific regulatory requirements for IT security in certain industries. For example, banks and financial institutions in many countries must meet strict regulatory requirements for their IT systems. |
| BSI IT Protection | The Federal Office for Information Security (BSI) in Germany provides the IT Baseline Protection, a catalog of recommendations and requirements for IT security. Companies can use the IT Baseline Protection to design and operate their SAP systems securely. |
| Best practice recommendations Working Group Revision and Risk Management | DSAG and ASUG working groups are frequently publishing a catalog of best practice recommendation and they are considered like guardrails for industries. |
What does a typical project plan for an SAP ETD implementation look like and what abilities/skills are required for this?
The technology experts at BALTX.COM assist SAP customers in detecting and responding to cyberattacks. The implementation of SAP Enterprise Threat Detection (ETD) requires thorough planning and specific skills. BALTX.COM supports you in this journey from the start. The scope of projects is measured by the number of patterns used, the number of systems, the chosen operating work, and the chosen landing zone along with the deployment variant. BALTX.COM recommends a step-by-step approach and the use of the ETD starter pack. Below is a typical project plan along with the necessary skills and competencies:
| Planning phase | This phase involves creating a detailed project plan defining objectives, timeline, resources, and responsibilities. Required skills: Project management, strategic planning, SAP security expertise. |
| System preparation and design | At this stage, the current SAP landscape is evaluated, and the design for the SAP ETD solution is established. This includes selecting the systems to monitor and defining the log sources. Required skills: SAP system knowledge, network design, database technology skills, security architecture. |
| Installation and configuration | During this phase, SAP ETD is installed and configured. This includes setting up log sources, defining threat indicators, and establishing alerts. Required skills: Knowledge in SAP technologies, especially SAP HANA and SAP ETD, technical competencies in system installation and configuration. |
| Testing and validation | The system is tested to ensure it functions correctly and detects intended threats. Required skills: System testing, security analysis, troubleshooting ability. |
| Training and rollout | In this phase, the system is put into operation and Go-Live, and users are trained on how to effectively use SAP ETD. Required skills: Training capabilities, change management knowledge, communication skills |
| Operation and maintenance | After the rollout, the system needs to be monitored, maintained, and adjusted as needed. It’s important to distinguish whether 24-hour surveillance or business hours monitoring is the goal. Furthermore, integration scenarios in Cyber Defense Centers (CDC) and other SIEM tools (e.g., Splunk or ArcSight) should be considered. Required skills: System monitoring, IT operation and maintenance knowledge, ongoing security analysis. |
The successful implementation of SAP ETD requires a mix of technical and management-related skills. A deep understanding of the SAP system landscape, security practices, and project management principles is essential. For BALTX.COM, the following are critical success factors in an SAP ETD implementation:
– Definition of an operating model with all stakeholders.
– The security standard should be defined from the beginning.
– Creating organizational awareness.
– False-positive analysis.
– An appropriate log transfer strategy.
– Sufficient time for patches and upgrades.
With these, SAP customers achieve an improvement in proactive response time, transparency, expertise, and focus, as well as action-oriented risk management.
IT Security Act 2.0 | EUNIS2
As a new obligatory regulation of the IT Security Act 2.0, effective from May 1, 2023, operators of critical infrastructures are obliged to implement systems for attack detection. This includes the SAP systems in operation and is part of the EU NIS2 Directive, which aims to ensure a high common level of cybersecurity in the EU. The regulation also applies to suppliers for operators of critical infrastructure and will most likely soon become a mandatory regulation. This is also applicable for the cloud applications and platforms used within the company, such as SAP C4C, SAP Business Technology Platform (BTP), SAP Ariba, SAP SuccessFactors, and SAP Concur. It can be assumed that SAP ETD will be part of future audits by auditing firms. This is indicated by case studies published by Deloitte, Ernst & Young (EY), KPMG, and PWC.
Which SAP ETD subscriptions are available at BALTX.COM?
| basic subscription | premium subscription | |
| Implementation of SAP ETD productive landscape | yes | yes |
| Implementation of SAP ETD quality landscape | optional | yes |
| Consulting on sizing and landing zone | yes | yes |
| Backup and disaster recovery | no | yes |
| System Lifecycle Management / Updates / Patches | first year included | first year included |
| Data Lifecycle Management / Housekeeping | no | yes |
| transport management | no | yes |
| Incident management / Support | 9-16h CET Standard | 24/7h Enterprise |
| Customization | optional | optional |
| Surveillance of the connected SAP systems / monitoring | optional | optional |
| Penetration testing services | optional | optional |
| Case management and analysis for IT-Forensics | optional | optional |
| Retention Bonus | yes | yes |
| Prices (Initial costs plus maintenance and operation) | on demand | on demand |
To expect the unexpected shows a thoroughly modern intellect.
Oscar Wilde