Skip to content
Linkedin Twitter Facebook Xing

SAP Threat Monitoring

SAP Threat Monitoring is a complex and multi-layered function that is especially important for any organization running SAP products. Mission-critical business applications, including SAP S/4HANA, confront security departments with specific challenges. This section examines the challenges and takes a practical approach to implement SAP threat detection. Cloud adoption and all its facets, whether it be IaaS, PaaS, or SaaS, are also contributing to the increasing demand for SAP real-time monitoring. 

The need is supported by many organizations already having the unpleasant experience of a cyber incident. Cyber incidents have already had a detrimental effect on many organizations in the past. Even those who have escaped an incident so far know it is only a matter of time before they are affected.  

Those who used to focus on network and infrastructure monitoring, such as virus infection, network traffic, OS logs, etc., now realize how high the risk of an insider attack on mission-critical business applications can be. At the same time, they know that these critical areas are not yet on the monitoring map. SAP applications are a black box for security analysts in the SOC. We will help you to change this.  

Legislation mandating attack detection is being introduced in various countries across the EU. The spearhead of this movement is the German law ITSiG 2.0, which mandates attack detection for critical infrastructures. This will be followed by NIS2, a directive that has come into effect at the EU level.

What is SAP Threat Monitoring?

The abbreviation SOC stands for Security Operation Center. Security analysts and forensic experts work there, trying to find the needle in the digital haystack of the entire corporate IT. The SOC uses Security Information and Event Management Systems (SIEM). These software solutions can identify attacks by combining logs from various sources and correlating related actions. 

With its integrated solution approach, SecurityBridge Threat Detection for SAP solves many of the customer’s requirements and addresses many of their specific challenges. Even professional attack methods must be detected quickly so that a swift response can be initiated. This also includes the art of recognizing abnormal behavior, both from end users and SAP system processes. Pattern recognition, statistical analysis, and data mining are valuable tools to analyze the countless sources of information that SAP S/4HANA offers you. 

Angriffserkennung für SAP
  • SAP Cybersecurity, SAP Threat Monitoring, Security News

IT-SiG 2.0 – Angriffserkennung für SAP ab 1. Mai 2023 ein muss 

Viele unserer Leserinnen und Leser erinnern sich noch an den 25. Mai 2018, Stichtag der bindenden Einführung der Datenschutzgrundverordnung, kurz DSGVO. Verstöße gegen die neue Regelung können seitdem zu drakonischen Strafen führen. Nun steht, zumindest für diejenigen Unternehmen, die zur kritischen Infrastruktur (KRITIS) von Deutschland zählen, ein ähnlicher Termin ins Haus. Am 1. Mai 2023 müssen betroffene Unternehmen ein System zur Angriffserkennung eingeführt haben.

Learn more

SAP Attackers

Why is it so difficult to connect SAP systems to a SOC?

The abbreviation SOC stands for Security Operation Center. Security analysts and forensic experts work there, trying to find the needle in the digital haystack of the entire corporate IT. Security Information and Event Management Systems (SIEM) are used in the SOC. These software solutions pull together logs from various sources of information and correlate related actions to provide an inference of an attack.

Especially because there are some specific challenges for SAP customers to master. SecurityBridge Threat Detection for SAP solves many of these requirements and offers an integrated solution approach that has convinced many SAP customers. To efficiently detect even professional attack methods, promptly, so that a swift response can be initiated, an enormous head start in knowledge is required. This also includes the art of recognizing abnormal behavior, both from end users and SAP system processes. Pattern recognition, statistical analysis, and data mining are valuable and necessary tools to analyze the countless sources of information that SAP S/4HANA offers you.

IT-SiG 2.0 – Angriffserkennung für SAP ab 1. Mai 2023 ein muss 

Viele unserer Leserinnen und Leser erinnern sich noch an den 25. Mai 2018, Stichtag der bindenden Einführung der Datenschutzgrundverordnung, kurz DSGVO. Verstöße gegen die neue Regelung können seitdem zu drakonischen Strafen führen. Nun steht, zumindest für diejenigen Unternehmen, die zur kritischen Infrastruktur (KRITIS) von Deutschland zählen, ein ähnlicher Termin ins Haus. Am 1. Mai 2023 müssen betroffene Unternehmen ein System zur Angriffserkennung eingeführt haben.

Who are the typical SAP attackers?

We are asked many times and have already addressed this in our open webinars (link to event recordings overview), which SAP attackers exist? With this blog, we would like to share some insight and answer this question.

SIEM, from log evaluation to SAP attack detection

To detect attacks on SAP, you need to evaluate the security logs in SAP. While many organizations have spent the past few years protecting the perimeter, business-critical systems are now becoming the priority of security operations. In this article, we will look at what an SAP SIEM might look like and what data and processes are necessary to enable desired conclusions.

The initial situation for many companies

It is common for companies to start with a similar scenario when looking for SAP Threat Monitoring. Usually, management understands how critical the in-house SAP landscape is for operations. Regulations and legal demands underline the requirement.

Companies looking for SAP attack detection usually already have Security Information and Event Management (SIEM) used by the Security Operation Center (SOC). Security operations are typically well understood by them. It’s not a question of knowledge and understanding, so what’s the problem? SAP attacks are not comparable to classic IT security incidents such as phishing, DDoS, or malware attacks. The intent is often fraudulent if application security is undermined. It requires a deep understanding to detect suspicious activities in the SAP applications. Even our experts often experience significant mistakes. Enterprises try to apply the established expertise, processes, and procedures from the IT security department to the SAP applications without understanding and adapting them first.

SAP Security Dashboard

Questions (FAQ)

Is there a difference between SAP Threat Monitoring and SAP Threat Detection?

No, often, the terms are used as synonyms.

What is SAP Enterprise Threat Detection (ETD)?

SAP Enterprise Threat Detection is a Big Data tool that collects SAP application logs that can be analyzed by the client using forensic data tools. Data is collected from various SAP systems in the customer landscape via a log streaming method into a dedicated SAP S/4HANA instance. The SAP HANA database is used to ensure the necessary processing speed and is, therefore, a mandatory requirement.  

What is SAP in Cybersecurity?

Unfortunately, application security is still a challenge for many IT security managers. Therefore, this area, including SAP, is only sparsely considered in many organizations and is far from being covered. A rapid awakening is currently taking place here, as legal requirements are on the way, which prescribes attack detection for the critical applications of those companies that contribute to public life, GDP, or supply.  

Is SAP Security part of Cybersecurity?

The domain of SAP security remains in the SAP department. SAP Basis is responsible for secure installation and configuration. Separate teams handle user administration and authorization management. SAP integration and development are also available. Interaction with information security experts often takes place in the context of change projects, but usually much too infrequently. 

How to improve your SAP Threat Detection?

SecurityBridge Threat Detection analyses all human activity and machine to machine communication within an SAP application, covering all SAP systems such as ERP, SRM, SCM or HCM. The findings of Threat Detection sensors are shared with other SecurityBridge components to deliver an elegant “one-platform” experience.

Learn more
SAP Threat Monitoring

Latest Resources

  • White Paper

How SecurityBridge Supports NIST CSF in SAP Environments

Download the White Paper "Bridging the Gap - How SecurityBridge Supports NIST CSF in SAP Environments". Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

Learn more

  • White Paper

Which cybersecurity framework is the best fit for SAP application security?

Download the White Paper "Which cybersecurity framework is the best fit for SAP application security?" to learn more about the available frameworks, the challenges when adopting a framework, and more.

Learn more

  • White Paper

Your Road to SAP Security

Download the White Paper "YOUR ROAD TO SAP SECURITY" to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Learn more

  • White Paper

Top mistakes to avoid in SAP security

Within this whitepaper you will learn about the key mistakes that can be avoided when it comes to SAP Security. History has shown that many companies have suffered from cyber incidents, moreover, not all incidents are reported or have been made available to the public.

Learn more

  • Report

SAP Security Product Comparison Report

Download the SAP Security Product Comparison Report and understand that holistic security for SAP can be delivered by a single solution.

Learn more

  • Video

How remote working affects your SAP security posture

Remote work is posing new challenges to companies' SAP security posture. In our webinar on May 7th, we showcased a potential attack on an SAP system, using techniques which are common tools among hackers. Using a password spray attack, we first tried to gain access to the system and subsequently extracted the password hashes of all users.

Learn more