Investigating SAP Enterprise Threat Detection - Cloud Edition

Objective

After completing this lesson, you will be able to utilize SAP Enterprise Threat Detection - Cloud Edition.

SAP Enterprise Threat Detection - Cloud Edition

What does SAP Enterprise Threat Detection, cloud edition look like?

To simplify access to relevant information about cyber attacks, we created a clearly designed user interface that is easy and intuitive to use.

Investigations can be filtered by severity, ID, creation date, description, and customer message. The chosen report can be downloaded immediately and reviewed by the end user.

The report includes an overview of what happened and when, plus a free-text description from the investigator covering the results of the investigation and the recommended mitigation steps. All technical details, such as the triggering events, are also provided with the report.

This enables the customer to take the right mitigation action at the right time. Overall, this managed cyber security service offered by SAP fills a significant gap by opening the black box and enabling continuous monitoring of SAP business applications, as required by standard cyber security frameworks.

SAP Enterprise Threat Detection (ETD) Architecture

SAP ETD gathers information, or logs, from your active systems. This process is called aggregation. The collected data is then pseudonymized for privacy, enriched, and normalized.

The processed log data is then loaded into SAP HANA, which stores and manages it.

Now let's consider the predefined attack patterns. They are a set of rules that SAP ETD uses to identify potential threats by comparing the log data against them. SAP has developed these patterns based on various sources, including an ERP Auditing Guide by DSAG and findings from its Anomaly Detection Lab. They also include patterns based on input from a System Status Monitor developed from SAP security notes.

The patterns follow certain themes and are grouped into categories called workspaces. Examples include patterns that detect repeated failed login attempts (brute force attack), suspicious logins, or attempts to access critical resources. Other patterns can indicate service disruptions (denial of service), unauthorized debugging, or suspicious data manipulation.

In simple terms, SAP ETD uses the log data from your system and checks it against patterns that might indicate a threat. If it spots a match, you get an alert so you can investigate further and protect your system.
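To make the pipeline just described concrete, here is an added Python example that is not SAP's code and not part of this course. It walks constructed log lines through the same stages (aggregate, pseudonymize, enrich, normalize) and then matches them against one pattern, repeated failed logins, producing an alert when the threshold is crossed. Everything specific is assumed: the pipe-separated log format, the keyed-hash pseudonymization (a stand-in for whatever ETD actually does), the system-role lookup used for enrichment, and the threshold of 5 failures within 5 minutes.

```python
"""Toy threat-detection pipeline: aggregate -> pseudonymize -> enrich -> normalize -> match.

Assumed, constructed inputs; not SAP ETD's implementation or log format.
"""
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real SAP output), deliberately out of order.
# Field order: timestamp|system|user|terminal|event|outcome
RAW_LOGS = [
    "2024-01-15T08:00:30|ERP_PRD|MALLORY|WS-77|LOGIN|FAIL",
    "2024-01-15T08:00:00|ERP_PRD|MALLORY|WS-77|LOGIN|FAIL",
    "2024-01-15T08:00:10|ERP_PRD|JDOE|WS-01|LOGIN|FAIL",
    "2024-01-15T08:00:40|ERP_PRD|JDOE|WS-01|LOGIN|SUCCESS",
    "2024-01-15T08:01:00|ERP_PRD|MALLORY|WS-77|LOGIN|FAIL",
    "2024-01-15T08:01:30|ERP_PRD|MALLORY|WS-77|LOGIN|FAIL",
    "2024-01-15T08:02:00|ERP_QAS|MALLORY|WS-77|LOGIN|FAIL",
    "2024-01-15T08:02:00|ERP_PRD|MALLORY|WS-77|LOGIN|FAIL",
    "2024-01-15T08:02:30|ERP_PRD|MALLORY|WS-77|LOGIN|FAIL",
    "2024-01-15T08:02:45|ERP_QAS|MALLORY|WS-77|LOGIN|FAIL",
]

# Assumed secret for the keyed hash; a real deployment would keep this out of source.
PSEUDONYM_KEY = b"constructed-demo-key"

# Constructed enrichment lookup: which role each system plays in the landscape.
SYSTEM_ROLE = {"ERP_PRD": "production", "ERP_QAS": "quality"}


def pseudonymize(value: str) -> str:
    """Replace an identifier with a stable keyed hash so analysts see no real user name."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def normalize(line: str) -> dict:
    """Parse one raw line into a record with typed fields and a pseudonymized user."""
    ts, system, user, terminal, event, outcome = line.split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "system": system,
        "user": pseudonymize(user),
        "terminal": terminal,
        "event": event,
        "outcome": outcome,
    }


def enrich(record: dict) -> dict:
    """Attach context the raw log lacks, here the system's role."""
    record["system_role"] = SYSTEM_ROLE.get(record["system"], "unknown")
    return record


def aggregate(raw_lines) -> list:
    """Collect records from all systems into one time-ordered stream."""
    return sorted((enrich(normalize(line)) for line in raw_lines), key=lambda r: r["time"])


def detect_brute_force(records, threshold=5, window=timedelta(minutes=5)) -> list:
    """Pattern: >= threshold failed logins for one (user, system) within a sliding window."""
    recent = defaultdict(deque)  # (user, system) -> timestamps of recent failures
    alerts = {}
    for r in records:
        if r["event"] != "LOGIN" or r["outcome"] != "FAIL":
            continue
        key = (r["user"], r["system"])
        q = recent[key]
        q.append(r["time"])
        while q and r["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            if key not in alerts:
                alerts[key] = {
                    "pattern": "Brute Force Attack",
                    "user": r["user"],
                    "system": r["system"],
                    "system_role": r["system_role"],
                    "count": len(q),
                    "first_seen": q[0],
                    "last_seen": r["time"],
                }
            else:  # keep the alert current as more failures arrive
                alerts[key]["count"] = max(alerts[key]["count"], len(q))
                alerts[key]["last_seen"] = r["time"]
    return list(alerts.values())


def run_pipeline(raw_lines) -> list:
    """Full flow: aggregate the logs, then match the pattern against them."""
    return detect_brute_force(aggregate(raw_lines))


if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS):
        print(alert)
```

Running it yields a single alert for the production system: the two failures against ERP_QAS stay below the threshold because the pattern keys on (user, system), and JDOE's one failure followed by a success never accumulates. The alert carries only the pseudonym, so an investigator can work the case without seeing the real user name; mapping it back would be a separate, access-controlled step.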
