In SAP’s patch round of February 2022, an SAP Security Note was released with a CVSS score of 10/10 named, “Request smuggling and request concatenation in SAP
How to avoid huge and fluctuating SAP-SIEM data costs by using SecurityBridge Threat Detection
For real-time SAP Threat Detection, it is quite common to monitor SAP systems from a Security Operations Centre (SOC) by using central SIEM solutions. However, traditionally, these SIEM solutions are not ‘SAP-aware’ and should be fed with SAP security–relevant data to get the most out of them and secure the entire organization.
Without a specialized SAP Threat Detection solution, there is generally one option: to send all SAP security events to SIEM, which leads to very high and unpredictable data costs. Extracting the relevant threats from that enormous number of unfiltered events is a huge job for SIEM vendors as it requires a deep knowledge of SAP specifics.
What are SIEM solutions?
There are many definitions, but, in our view, the one from Microsoft explains it straightforwardly:
Security Information and Event Management (SIEM) is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations. SIEM combines both security information management (SIM) and security event management (SEM) into one security management system. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis and takes appropriate action. In short, SIEM gives organizations visibility into activity within their network so they can respond swiftly to potential cyberattacks and meet compliance requirements.
When combined with SAP-specific information, fed from a Threat Detection solution, SIEM solutions offer great visibility into activity in their SAP landscape. They provide superb means of swift response, integration with Incident Management, and other solutions to have a more complete SAP protection in place.
What do they cost?
Nowadays, many SIEM solutions charge customers based on the amount of data fed to them. The more data sent, the higher the monthly charges. This might lead to high costs, especially in the SAP world where many different SAP logs and data sources exist, quickly generating enormous amounts of events. When sending all SAP security events from all these data sources unfiltered to SIEM solutions, they easily generate many gigabytes of data daily.
What alternatives exist to minimize the data stream towards SIEM solutions?
There are several ways to restrict the number of events sent to SIEM solutions. To start with, you can tune the source by not having SAP systems generate detailed events in the first place. This will limit the number of events being generated and hence limit the number of events sent to SIEM solutions. However, this is not a good approach as in the case of an attack or other cases when forensic research is needed, you might not have the full picture of what happened in your SAP systems, leading to less overall security.
A more pragmatic approach, as applied in the SecurityBridge Threat Detection solution, is to send only qualified threats (based on rules and logic) to SIEM solutions, along with the involved events attached that led to the threat alert. This ensures that on the SIEM side, action can only be taken based on the relevant events, reducing the amount of data sent to SIEM drastically (>90%) and resulting in substantial cost reductions.
Threat Detection capabilities for SAP landscapes are being introduced into the SAP ecosystem at a steady pace. The integration with SIEM solutions is a logical and crucial next step, where it is important to be aware of possible (high) cost increases when all events are sent unfiltered to these SIEM solutions.
The SecurityBridge Threat Detection solution takes a more pragmatic approach and only sends qualified threats to SIEM with the underlying triggering events from the data sources involved. This leads to a drastic cost reduction as many SIEM vendors charge customers based on the amount of ingress data into SIEM systems.
Are you interested to learn more? Contact us and we will be happy to tell you more about our SAP Security capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
Find recent Security Advisories for SAP©
Leiter des Forschungslabors ist Joris Van De Vis, Director of Security Research bei SecurityBridge und Mitgründer des SAP-Sicherheits-Spezialisten Protect4S, der seit September 2013 zu SecurityBridge