
Mastering SIEM for SAP: Actionable Strategies for CISOs
In one of our previous articles, Top 3 CISO pitfalls to avoid for achieving NIS-2 compliance in SAP, we also covered the challenge of integrating SAP into a SIEM. When it comes to setting up an effective SIEM solution, one of the key recommendations for CISOs is to make sure they integrate all security-related signals from their entire IT environment across all technology stacks. However, this is easier said than done: once they go beyond the IT infrastructure and operating system layer, they face many proprietary APIs when trying to pull security audit logs, especially from applications. Additionally, the application-specific data models make it difficult to correlate events and create decision-enabling messages for the SOC team.
SAP applications are probably the most complex IT system environments that companies leverage today to run their business processes. In most organizations, only the SAP operations team has insight into these environments, which makes it quite challenging for CISO offices to integrate SAP Security into their enterprise SIEM strategy. A successful SAP security posture requires insight into and a strong understanding of the SAP specifics, data model, and architecture, not just for the “old” core applications but also the new cloud apps SAP has acquired over the past decades. All these factors create a special SAP “IT universe” that is highly vulnerable if not properly protected against cyberattacks.
Imagine taking an SAP-native, comprehensive platform for SAP security and integrating it with one of the most capable SIEM solutions on the market, using a single connector. This combines the best of both worlds, allowing your SOC team to seamlessly cover security for the entire IT enterprise, from the network up to the application layer.
By integrating the SecurityBridge Platform as a SIEM for SAP into enterprise SIEM solutions like Microsoft Sentinel, Splunk, or QRadar, companies running SAP at the core of their business can achieve a very powerful security posture across their entire enterprise IT. Here are some key success factors for this approach.
Keep Operational Costs Low
SIEM solutions are typically priced based on log volume, but up to 90% of SAP Security audit log records are usually considered to be irrelevant or “background noise.” To keep operational costs low, CISOs must pre-filter the SAP audit logs before uploading them into their SIEM. It is certainly not a good deal to pay for 100% of the data while using only 10% of it.
The best way to filter SAP Security audit logs while preserving and enriching the events’ context is to perform this within the SAP environment. The SecurityBridge Platform uses remotely maintained agents to filter logs on every monitored SAP system or leverages APIs for cloud environments, like SAP BTP. It then feeds the data into a central SAP system for event correlation, including cross-system correlation of user activities. In addition, SecurityBridge transforms the cryptic raw SAP log records into meaningful messages.
The enterprise SIEM solution receives these pre-filtered events with decision-enabling information through a single integration channel from SecurityBridge. This acts like a pre-staged SIEM for SAP with more than 1000 out-of-the-box security monitoring rules. This also eliminates the need to create SAP Security audit rules in Microsoft Sentinel, Splunk, or QRadar, keeping the implementation and operational costs at a minimum.

Provide SOC Teams With SAP Security Knowledge
SOC teams typically have a broad understanding of securing IT environments, but they need specialized SAP Security knowledge at their fingertips for a swift and efficient response to cyber threats against SAP environments.
Although the SAP Security events delivered by SecurityBridge are already easy for SOC teams to digest even without much SAP background, the integration approach doesn’t stop after the events are handed over to the enterprise SIEM. With the backlink provided along with the CEF (Common Event Format) record, the SIEM user gets 360° insight into the event context provided by the SecurityBridge application.
This insight contains additional valuable SAP Security knowledge for the SOC team, like risk descriptions and recommended actions for responding to the security incident. In addition, SecurityBridge provides a full security profile of the acting SAP user, such as typical working hours and a timeline of other events caused by the same user or endpoint. This includes a full audit trail before and after critical activities, leveraging SecurityBridge’s unique HyperLogging technology.
The SecurityBridge Platform also seamlessly connects the dots between SAP Security monitoring events and the latest vulnerability assessment results of the affected SAP environments. SOC teams must understand the impact of SAP system configurations, missing SAP Security patches, or vulnerable custom applications on the current security issue they are investigating.
Increase Efficiency with SAP-native Solutions
SIEM solutions use a normalized event model to correlate data from various sensors and sources across all technology stacks. While this works quite well for IT infrastructures or small and simple applications, it is rather inefficient to apply it in complex SAP environments.
The SecurityBridge Platform transforms the heterogeneous and comprehensive event context into a condensed event message that contains all necessary information for SIEM solutions. It also supports AI capabilities, e.g. in Microsoft Sentinel, by providing data in the standardized CEF format that is commonly used in SIEM solutions. This makes the integration between SAP and the SIEM very efficient and ensures that no important security information is filtered out while delivering only the necessary events to the SOC team.
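The pre-filtering described under Keep Operational Costs Low and the CEF-with-backlink hand-off mentioned above, as an added Python example that is not SecurityBridge's code: it takes constructed SAP-style audit records, drops background noise before anything leaves the SAP side, and renders the remaining events as CEF lines whose `request` extension key carries the backlink into the full event context. The vendor/product strings, the noise list, the message IDs and the backlink URL scheme are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class AuditRecord:
    """One raw audit-log record (field set constructed for this example)."""
    system: str    # SAP system ID, e.g. PRD
    user: str      # acting user
    msg_id: str    # audit-log message ID in SM20 style (values below are constructed)
    severity: int  # 0-10, the scale CEF expects
    text: str      # human-readable event text

# Message IDs treated as background noise; an assumed list, tune it per landscape.
NOISE_IDS = {"AU1", "AU3"}

def prefilter(records, noise_ids=NOISE_IDS, min_severity=3):
    """Drop noise IDs and low-severity events so only decision-relevant records leave SAP."""
    return [r for r in records if r.msg_id not in noise_ids and r.severity >= min_severity]

def cef_escape(value: str, header: bool = False) -> str:
    """Header fields escape '|' and '\\'; extension values escape '=' and '\\' and fold newlines."""
    out = value.replace("\\", "\\\\")
    if header:
        return out.replace("|", "\\|")
    return out.replace("=", "\\=").replace("\r", "").replace("\n", "\\n")

def to_cef(rec: AuditRecord, backlink_base: str = "https://sap-security.example/event") -> str:
    """Render a record as CEF; the backlink to the full event context rides in the 'request' key."""
    header = "|".join(cef_escape(f, header=True) for f in
                      ("ExampleVendor", "SAP Audit Bridge", "1.0", rec.msg_id, rec.text, str(rec.severity)))
    ext = {
        "suser": rec.user,
        "dvchost": rec.system,
        "request": f"{backlink_base}/{rec.system}/{rec.msg_id}",  # placeholder URL scheme
    }
    return "CEF:0|" + header + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())

def volume_saved(records, kept) -> float:
    """Share of the raw log volume that never reaches the volume-priced SIEM."""
    return 1 - len(kept) / len(records) if records else 0.0

# Constructed sample records: three are routine noise, two deserve a SOC look.
SAMPLE = [
    AuditRecord("PRD", "JDOE", "AU1", 1, "Logon successful"),
    AuditRecord("PRD", "JDOE", "AU3", 1, "Transaction started"),
    AuditRecord("PRD", "JDOE", "AU2", 5, "Logon failed"),
    AuditRecord("PRD", "ADMIN", "AUB", 8, "Authorizations changed | profile=SAP_ALL"),
    AuditRecord("QAS", "BATCH", "AU1", 1, "Logon successful"),
]

if __name__ == "__main__":
    kept = prefilter(SAMPLE)
    for line in map(to_cef, kept):
        print(line)
    print(f"volume saved: {volume_saved(SAMPLE, kept):.0%}")
```

The pipe in the fourth record's text shows why header escaping matters: an unescaped `|` would shift every later header field when the SIEM parses the line.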
As an SAP-native application, the SecurityBridge Platform runs as a certified SAP add-on within the SAP technology stack, leveraging its full potential to gather all necessary context information. This enables powerful event filtering and correlation and the creation of meaningful messages for the SOC team, which cannot be achieved efficiently through SAP APIs, if at all.
Furthermore, SOC teams benefit from the SAP Security knowledge of experts with decades of experience. This expertise is baked into the SecurityBridge rule sets with more than 1000 pre-defined SAP-specific use cases. This enables the SOC team to respond quickly and efficiently to any cyber threat against their SAP environment.
Interested in learning more about adopting SIEM for SAP with SecurityBridge and integrating it into Microsoft Sentinel, Splunk, or QRadar?
Contact us and we will be happy to tell you more about our guided approach to SAP Security excellence. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!