SAP Enterprise Threat Detection is a real-time Security Information and Event Management (SIEM) and monitoring solution. It helps customers detect, analyze, and neutralize cyberattacks as they happen, before severe damage occurs.
The core competency of SAP Enterprise Threat Detection is securing business applications, in this case SAP systems. It can also complement an existing cybersecurity solution whose core competency lies at the infrastructure level.
The SAP Enterprise Threat Detection application provides critical security information and event management (SIEM) capabilities, using real-time intelligence to help enforce data governance and detect external and internal cybersecurity threats.
- On-Premise or cloud deployment
- Available as a managed service 24x7
- Preconfigured and customizable functionality
- Risk-based and prioritized alerting
- Forensic investigations, threat hunting, and anomaly detection

Key Benefits
- Enhanced security: Monitor and improve security to help keep systems secure in a continuously changing cybersecurity threat environment.
- Neutralized threats: Gain transparency, simplify the analysis of suspicious activities, identify security gaps, and understand business impacts.
- Protected operations: Safeguard the operation of SAP applications and improve the continuity of your business operations.

Key Features
Log correlation and analysis
- Analyze a vast quantity of log data and correlate information to get a complete picture of your IT landscape activities
- Perform forensic threat detection to discover previously unknown attack variants
- Customize the integration of third-party systems and infrastructure components
- Use an exclusive kernel API to send logs directly to SAP Enterprise Threat Detection to make manipulation more difficult
Automated threat detection and alerting
- Find SAP software-specific threats related to known attacks by using detection patterns
- Create attack detection patterns without the need for extra code
- Conduct attack investigations based on generated and published alerts to enable integration with external processes and solutions
- Include user pseudonymization and resolution with special authorization when evidence of an attack or misuse arises
Straightforward integration
- Detect threats at the application server level and the database level
- Integrate your entire IT landscape with SAP solutions
Cloud Edition
Users can access relevant information about cyberattacks through an intuitive interface.
The investigations can be filtered by severity, ID, creation date, description, and customer message. The chosen report can immediately be downloaded and reviewed by the end user.
The report includes an overview of what happened and when. It consists of a free-text description by the investigator of the investigation's results and the recommended mitigation steps. All technical details, such as the triggering events, are also provided with the report.
This enables the customer to take the right mitigation action at the right time. Overall, this managed cybersecurity service offered by SAP fills a significant gap by opening the black box and enabling continuous monitoring of SAP business applications as standard cybersecurity frameworks require.
SAP Enterprise Threat Detection (ETD) Architecture
SAP ETD gathers information, or logs, from your active systems. This process is called aggregation. The collected data is then pseudonymized for privacy, enriched, and normalized.
After this, the processed log data is loaded into SAP HANA, the database that stores and manages it.
Next, consider the predefined attack patterns. They are a set of rules that SAP ETD evaluates against the log data to identify potential threats. SAP developed these patterns based on various sources, including an ERP Auditing Guide by DSAG and findings from its Anomaly Detection Lab. They also include patterns based on input from a System Status Monitor developed from SAP security notes.
The patterns follow specific themes and are grouped into categories called workspaces. Example patterns detect repeated failed login attempts (Brute Force Attack), suspicious logins, or attempts to access critical resources. Other patterns can indicate service disruptions (denial of service), unauthorized debugging, or suspicious data manipulation.
Simply put, SAP ETD uses your system's log data and checks it against patterns that indicate a threat. If it spots a match, you get an alert so you can investigate further and protect your system.
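As an added illustration of the pipeline just described (aggregate, pseudonymize, normalize, match a pattern, alert, resolve on authorization), and not SAP's own code, the following Python sketch runs a brute-force login pattern over constructed log lines; the log layout, field names, threshold, window and HMAC pseudonymization scheme are all assumptions.

```python
import hmac
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp|system|user|event"
# layout; this is not SAP ETD's real log format.
RAW_LOGS = """2024-05-01T10:00:01Z|PRD|jdoe|LOGON_FAILED
2024-05-01T10:00:05Z|PRD|jdoe|LOGON_FAILED
2024-05-01T10:00:09Z|PRD|jdoe|LOGON_FAILED
2024-05-01T10:00:12Z|PRD|jdoe|LOGON_FAILED
2024-05-01T10:00:15Z|PRD|jdoe|LOGON_FAILED
2024-05-01T10:00:20Z|PRD|jdoe|LOGON_OK
2024-05-01T10:30:00Z|PRD|asmith|LOGON_FAILED
2024-05-01T11:00:00Z|PRD|asmith|LOGON_OK"""

PSEUDONYM_KEY = b"constructed-secret-key"  # held by the security team, not the analyst

def pseudonymize(user):
    """Keyed hash of the user ID: stable for correlation, not reversible by analysts."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]

def normalize(raw):
    """Aggregate raw lines into normalized, pseudonymized events (the ingestion stage)."""
    events = []
    for line in raw.splitlines():
        ts, system, user, event = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "system": system, "user": pseudonymize(user), "event": event})
    return events

def brute_force_pattern(events, threshold=5, window=timedelta(minutes=5)):
    """Pattern: at least `threshold` failed logons for one user within `window`."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "LOGON_FAILED":
            continue
        bucket = failures[(ev["system"], ev["user"])]
        bucket.append(ev["ts"])
        bucket[:] = [t for t in bucket if ev["ts"] - t <= window]  # sliding window
        if len(bucket) >= threshold:
            alerts.append({"pattern": "Brute Force Attack", "system": ev["system"],
                           "user": ev["user"], "count": len(bucket)})
            bucket.clear()  # one alert per burst
    return alerts

def resolve(pseudonym, candidates):
    """Resolution step (special authorization): re-hash known IDs to find the match."""
    return next((u for u in candidates if pseudonymize(u) == pseudonym), None)
```

The alert carries only the pseudonym, so an analyst can investigate the burst without learning the account name; `resolve` is the separate, authorized step that maps it back when evidence of misuse warrants it.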
Read more information on the SAP Enterprise Threat Detection webpage.
Lesson Summary
You can now describe the SAP Enterprise Threat Detection solution, including its key benefits and features.