3 Reasons to start monitoring SAP
There appears to be a new trend for companies to centralize their log sources into Security Information and Event Management (SIEM) solutions. The time has come to look at SAP. This article explains why.
SIEM solutions were created out of the necessity to deal with a flood of alerts coming from various sources within the company network and Intrusion Protection and Intrusion Detection Systems. Since Gartner coined the term “SIEM” (for Security Information and Event Management), these solutions have evolved into information platforms. They not only collect logs from firewalls and other devices but can also correlate events using patterns and machine learning. Security teams use these insights to develop an understand for their baseline to detect anomalies and to support their tactics of defense. The goal being to detecting attacks almost in real-time and therefore being able to react before significant damage can occur.
SIEM systems, however, have traditionally focused on infrastructure components, such as firewalls and networks – applications were until recently not within their usual focus. SAP systems are particularly hard to integrate, as their logs are not available in the standardized syslog format. In other words, SIEM solutions pretty much excluded SAP systems – and no one seemed to notice for quite a while. Only recently, solutions such as our SecurityBridge Cybersecurity Platform, have been able to close the information gap and connect SAP systems, their events and information, to SIEM solutions.
But why monitor SAP system at all? Isn’t it enough to focus on the infrastructure? The answer is simple: definitely not. Here are three reasons why SAP landscapes should be monitored for security risks
SAP systems contain your most valuable data.
So, let’s say you have a house and you want an early intruder-detection system. Would you buy surveillance cameras for the garage, where you keep all the long-forgotten stuff? Or would you rather place it close to your safe where all the important and valuable assets are located? You might argue that the garage is a good place to monitor, as this is likely where the intruder can get in. True – and this is what SIEM systems do. Would you go without watching the safe, then? Probably not.
Infrastructure can be bypassed when SAP systems are connected to the network.
Let’s stick with the analogy of the house for a second. You are monitoring your garage – but there’s another door that leads directly into your house where the safe is located. This door can only be opened by authorized users. But some users have a general key, that’s worked since the safe was built, and no one has bothered to change their keys. Additionally, this door is somewhat more unstable than the garage door. Better keep a watch on it, too. While this analogy seems a bit obvious at first glance, it unfortunately passes most reality checks – SAP systems are often less secure than other systems, sometimes because the security department doesn’t see the SAP landscape within their responsibility, and sometimes due to the complexity of SAP systems, which are 6-7 times more complex than a given operating system.
SAP systems are complex
As mentioned above, SAP systems are increasingly complex, while or because most business transactions are passed through them. The complexity doesn’t stop at mostly static security relevant settings, however, quite the contrary, SAP systems also record quite a few security relevant events. Although SAP events are buried under tons of business logs within change documents, system logs, and access logs contain the information needed to detect an ongoing cyberattack. Digging them out, is not enough. Events need to be put into context in order to be able to decide whether any given behavior can be considered “normal”. Managing this complexity not only requires technology – it mainly necessitates expert knowledge on SAP processes. This might be one reason why regular SIEM providers shy away from including SAP systems in their portfolio – they simply don’t know enough to interpret SAP products.
As with the technology infrastructure, SAP systems generate more and more data, owing to a higher amount of business processes added to the ERP infrastructure, and an increasing demand for connectivity to the outside world and more users accessing those systems. This openness demands a comprehensive security solution which not only focuses on static security challenges such as hardening systems or securing custom applications. It calls for a comprehensive security solution that combines real-time monitoring with intelligent threat analysis. For SAP systems, which more often than not contain the business secrets and privacy information for every company, ensuring continuous monitoring for potential risks becomes imperative.
SecurityBridge is a modern SAP Security Platform, natively build in SAP. It uses an ABAP based Intrusion Detection System (IDS) to guard your SAP landscape 24/7. Its frontend is build with Fiori, which provides you an intelligent insight on the security posture of your ABAP, Java and HANA based systems.
Contact us to learn how SecurityBridge enables intelligent, continuous real-time monitoring of SAP systems.