PUBLIC
Arndt Lingscheid
07, 2020
SAP Enterprise Threat Detection Overview Presentation
PUBLIC © 2020 SAP SE or an SAP affiliate company. All rights reserved.
Agenda
1. The Key Values of SAP Enterprise Threat Detection
2. Why you need Enterprise Threat Detection
3. Preventing Fraud & Cyber Attacks
4. Details & Benefits of SAP Enterprise Threat Detection
5. Implementation of SAP Enterprise Threat Detection
6. SAP Enterprise Threat Detection — Architecture
7. One Day Experience Workshop
The Key Values of SAP Enterprise Threat Detection
• SAP ETD is the real-time Security Event Management and Monitoring solution giving insights into SAP systems out of the box.
• It supports the customer in detecting, analyzing and neutralizing cyber-attacks as they are happening, and before serious damage occurs.
• It provides very high performance, analyzing thousands of log entries in real time using an SAP HANA in-memory database.
The Key Values of Enterprise Threat Detection
• Transparency in complex and hybrid SAP landscapes with respect to security and compliance
• Real-time threat visibility in complex SAP and non-SAP scenarios to detect cyber attacks as they are happening
• Extremely efficient and cost-effective via highly automated processes and anomaly detection
• Predefined and customer-tailored attack use cases
What cyber attacks do we see
[Figure: layers shown: Application Level, Application Layer, Database, HANA Database, Operating System, Network, IT Infrastructure. Axis label: Amount of attacks worldwide. Attack types named: Malware, Ransomware, Phishing.]
Analysts, e.g. from insurance companies, rate cyber attacks as the biggest risks for enterprises worldwide within the top 10 business risks.
SAP Enterprise Threat Detection (ETD) and generic SIEM systems
[Figure: SIEM and SAP ETD side by side, each labelled "Collect and analyze". Further labels: "SIEM solutions focus on", "SAP ETD focus on", Application Level, Application Layer, Database, SAP HANA, HANA Database, Operating System, Network, IT Infrastructure.]
• Continue use of proven security incident reporting + real-time monitoring of business-critical SAP applications & data
• Integration of SAP ETD with all leading SIEM solutions (HP ArcSight, IBM QRadar, Splunk) available
Statistics
• The average cost of a data breach is ~ $4M. In the US it’s more than $8M.
• The average time to identify and contain a breach is ~ 280 days.
• The faster a data breach is identified and contained, the lower the costs are.
• An incident response team and extensive testing of response plans can save millions.
• Automating security processes and checks is a must.
• The chance of experiencing a data breach within two years was ~ 30 percent in 2019.
From experience, there are two types of customers: the ones that know they have been hacked and the ones that do not know.
NIST Framework
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
• Protect: Access Control; Awareness and Training; Data Security; Information; Maintenance; Protective Technology
• Detect: Anomalies and Events; Continuous Security Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications
Positioning SAP Enterprise Threat Detection
[Figure labels: Identify, Protect, Detect, Respond; SAP Enterprise Threat Detection]
• 279 days (206 + 73)
• Experiencing a data breach within two years is ~ 30 percent.
• When are you able to stop a breach?
Preventing Fraud & Cyber Attacks
[Figure: timeline marked 01.2020, 06.2020 and 03.2021 across DEV, QAS and PROD systems. Steps shown: Debugging DEV System; Discover SM59 connections; RFC to change passwd; Change vendor; Outgoing payments. Log sources shown: System Log, SAL, STAD, HTTP Log, Change documents, Read access log, User change log.]
SAP Enterprise Threat Detection
More than 140 SAP customers worldwide in all industries protect their SAP landscape with SAP Enterprise Threat Detection.
Most of those companies are listed within the DAX 30, DOW 30, or come e.g. from the defense sector. Please contact the authors or your SAP account manager for more details about our reference customers.
SAP Enterprise Threat Detection is supported by the world-leading auditing companies.
We have implementation partners in many regions of the world.
Partners are e.g.:
• Ernst & Young
• KPMG
• Turnkey
• IBS Schreiber
• Asconsit
• PwC
• SAP NS2
• Deloitte
• Accenture
• Infosys
• Xiting…
How does SAP Enterprise Threat Detection work
• Integrate: Integration of SAP and non-SAP log data
• Analyze: Efficiently enrich, analyze, and correlate logs
• Evaluate: Automatically evaluate attack detection patterns with real-time alerting
• Investigate: Forensic analysis and modeling of existing and new attack detection patterns and dashboards
[Figure label: Cybersecurity and Data Protection]
Benefits of SAP Enterprise Threat Detection
[Figure labels: Intellectual Property, Reputation, Sensitive Data, Severe Penalties, Business Future]
• Proactive threat monitoring and threat hunting leads to an early interception of threats
• Real-time threat visibility in complex SAP scenarios
• Single source of truth for centrally audited SAP security controls improves compliance
• High manipulation safety of SAP systems
• SAP system transparency with respect to security and compliance events
• Improved monitoring of user activity and auditing
• Audit logs are easy to read and transparent
Log Data Supported by ETD
SAP NetWeaver / S/4 Log Types
▪ System Log
▪ Security Audit Log
▪ Business Transaction Log
▪ HTTP Server Log
▪ RFC Gateway Log
▪ User Change Log
▪ Change Document Log
▪ Read Access Log / UI Log
▪ SOAP based Web Services Log
SAP NetWeaver Java
▪ HTTP Access Log (Java)
▪ Security Audit Log (Java)
▪ Security Log (Java)
HANA DB
▪ HANA Audit Trail
SAP Cloud Platform
▪ SAP Cloud Platform Audit Logs (Neo + CF)
Unique benefits of Enterprise Threat Detection
• Forensic analysis, threat hunting, anomaly detection
• All SAP logs unfiltered, normalized and readable, to be used by Audit
• Analysis of Read Access Logging logs, SOAP based web services logs, UI Logging logs
• Any log type can be added
• Continuous automated detection, analysis and neutralization of cyber-attacks in real time
• Real-time, manipulation-safe data transfer to Enterprise Threat Detection
• Look at all log types and correlate the complete picture, not only a few small puzzle pieces
• Analysis of e.g.: What else did the user do?
• Generic approach (not based on fixed test cases)
Unique use cases for SAP Applications
• Information disclosure: make sure that no extraction of confidential information takes place
• Remote calls of a productive system
• Misuse of debugging and error analysis
• Extraction of confidential information (GDPR)
• Monitoring SAP security notes
• File manipulation (parameter configuration, transports)
• Suspicious user behaviour (technical and dialog users)
• Read access logging as additional data source
• Account sharing
• Log-in from an inappropriate network segment
• Correlation of different accounts to one person
• Manipulation of users and authorization
• Critical changes to system configurations
• Manipulation of critical database tables
• Access to critical, blacklisted transactions
• Misuse of critical reports and function modules
• Assignment of critical authorization
Reference Use Case: SAP Enterprise Threat Detection @ SAP IT
SAP Cyber Defense and Response Center – Security Event Management
SAP Enterprise Threat Detection used by SAP IT for Security Event Management
• Monitors, collects and correlates security events generated within the SAP IT infrastructure, SAP cloud platforms and, if applicable, within the application layers, to detect security incidents and threats for all SAP lines of business
Global deployments of Log Collectors to cover all SAP data centers
24x7 Security Operating Center
Current Figures
• 9.2 billion events per day
• ~120.000 events/sec
• ~200.000 events/sec (peak)
• 160 billion events (total)
• 7.7 TB in-memory data
Implementation of SAP Enterprise Threat Detection
Recommendation:
• Risk Assessment
• Risk based step by step implementation
◼ Amount of systems
◼ Used patterns
◼ Used log types
◼ Operating mode (reactive, 8*5 or 7*24)
[Figure: axes labelled Amount of systems and Patterns]
SAP Enterprise Threat Detection — Architecture
[Figures, three variants. Labels: SAP Enterprise Threat Detection; SAP On-Premise; SAP HEC / Hosting; SAP C/4HANA; SAP Concur; ERP systems; Managed Service.]
SAP Enterprise Threat Detection Cloud Edition (2021) — Architecture
[Figure labels: SAP Enterprise Threat Detection; SAP On-Premise; SAP HEC / Hosting; SAP C/4HANA; SAP Concur; ERP systems; Managed Service.]
One Day Experience Workshop
https://blogs.sap.com/2019/12/13/sap-enterprise-threat-detection-as-a-one-day-experience/
[Figure labels: S/4 HANA; Enterprise Threat Detection; Cloud Appliance Library]
• SAP Enterprise Threat Detection provided in the Cloud Appliance Library is a quick and very easy way to consume the SAP Enterprise Threat Detection solution in the cloud.
• Within this one-day workshop companies can evaluate the SAP Enterprise Threat Detection solution on a Cloud Appliance Library.
• The One Day Experience Workshop can connect to a company's S/4 application or use the existing S/4 HANA in the CAL.
• With the one-day experience, together with one of our highly experienced SAP security consultants, you can analyze and monitor suspicious activities in the SAP S/4HANA application, create Attack Detection Patterns, process alerts, or train the system to learn a new log source by making use of the log learning application.
• This experience workshop is free of additional costs.
Preparation:
• Select the use cases from our list or propose your own use cases to be shown in the workshop.
• Agree on the workshop date.
• Decide whether you use the cloud environment only or include your own S/4 system.
• If an own system is used:
  • You will get the connection enabling document.
  • Select the appropriate system, usually not a PRD system.
  • Enable secure connections in that system.
  • Open ports for communication.
  • Make sure systems can connect 2 weeks prior to the workshop.
Stop security breaches in today’s SAP business applications.
Enterprise Threat Detection gives transparency in real time to suspicious (user) behavior and anomalies in SAP business applications to identify and stop security breaches in real time.
Enterprise Threat Detection uses highly efficient and automated processes based on HANA technology and machine learning to track hacker activity using SAP's predefined and easily customizable attack paths.
Contact information:
▪ Arndt Lingscheid
▪ SAP Enterprise Threat Detection,
▪ IBSO Products
▪ SAP SE Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
Thank you.
© 2020 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
www.sap.com/contactsap