
Cross-layered detection and response (XDR) for SAP

In this article we share our thoughts on what cross-layered detection and response means and explain why we consider it an important step towards maturity in IT security.

Gartner recently introduced the term XDR. It stands for Extended Detection and Response and is defined as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”.

Gartner's definition describes an "XDR system" as a central system that can actively respond to issues and helps to decrease response time.

Why is it important?

Attackers don't care about the segregation of responsibilities or the boundaries of domain expertise that exist within an organization. On the contrary, in a targeted attack they deliberately exploit these organizational weaknesses. We have seen threat actors plan their tactics, techniques and procedures (TTPs) with exactly this knowledge in mind.

In a hypothetical attack scenario where SAP HR is targeted, the attacker first has to reach the system, and in doing so leaves a trail of clues at the network level, for example port scans or repeated connection attempts against the SAP ports.

SAP experts obviously need to know that this is happening. In practice they usually don't, because the link between the network team and the SAP team is missing in the organization. Log levels and monitoring efforts can be increased, but only if the responsible SAP team knows that their system is the target of a threat actor. This applies not only to scenarios where the attacker successfully exploits an SAP vulnerability, but also to mere attack attempts.

With a cross-layered detection and response methodology in place, the application security team is alerted to the attacker early and can expect to see them reaching the borders of their system. They can put the spotlight on the intruder and collect all evidence about the ongoing attack. Once the attack is confirmed, and before any harm is done to the system, the SAP team can trigger a network-level response, for example blocking the attacker's source address.

How does XDR work?

An XDR application helps break down information silos and enables an accurate response. To do so it collects and correlates data across critical enterprise applications, email, endpoints, servers, cloud workloads and networks, providing visibility into and context for advanced threats. Many different security solutions exist today; the three most common are:

  • security information and event management (SIEM) tools,
  • intrusion detection systems (IDS) and
  • endpoint detection and response (EDR) services.

XDR aims to be an alternative to traditional reactive approaches, which provide visibility into attacks only layer by layer, and puts the focus on the response.

[Figure: security onion-layer diagram of the SAP security layers]

Is it relevant for SAP?

Looking beyond the definition provided by Gartner and focusing on the goals and methods XDR describes, we believe these are definitely beneficial for any organization wanting to protect its SAP systems. In particular, the following is needed to raise the protection level against sophisticated attack and exploitation methods:

  • converting the large stream of logs from SAP and other sources into a much smaller number of incidents
  • providing integrated incident response options with the necessary context from all security components
  • providing response options that go beyond the application layer (e.g. network or identity actions)
  • providing automation capabilities
  • reducing training effort by providing context-rich security information to the domain experts of every layer
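The SAP HR scenario above and the first two points of this list come down to one mechanism: correlating network-layer alerts with application-layer audit events from the same source, and collapsing them into a single incident with a response attached. The following Python script is an added example written for this article; it is not SecurityBridge's product code or a real XDR API. The event records, their field names, the event vocabulary (portscan, logon_failed, logon_success) and the playbook actions are all constructed for illustration, and the sample events are not real IDS or SAP Security Audit Log output.

```python
"""Cross-layer correlation: network alerts + SAP logon events -> incidents.

Added example (not code from the original article). Event shapes, kinds
and playbook actions are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str      # "network" (IDS / firewall) or "sap" (application audit log)
    src_ip: str
    kind: str       # assumed vocabulary: portscan, logon_failed, logon_success
    detail: str


@dataclass
class Incident:
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    severity: str
    response: list[str]
    events: list[Event] = field(default_factory=list)


# Response playbooks per severity. Action names are illustrative; a real
# deployment would map them to firewall and SAP user-administration calls.
PLAYBOOK = {
    "medium": ["notify SAP security team",
               "raise SAP audit log level for this source"],
    "high":   ["block source IP at network perimeter",
               "lock the SAP user that logged on",
               "preserve SAP audit log and network capture as evidence"],
}


def correlate(events: list[Event],
              window: timedelta = timedelta(minutes=30)) -> list[Incident]:
    """Group events by source address and keep only sources that show activity
    on BOTH layers within `window`: an application-layer event that follows a
    network-layer alert from the same source. A lone port scan or a single
    mistyped password stays in the raw log stream and produces no incident."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_src[ev.src_ip].append(ev)

    incidents: list[Incident] = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        net = [e for e in evs if e.layer == "network"]
        sap = [e for e in evs if e.layer == "sap"]
        if not net or not sap:
            continue
        # SAP events that occur within `window` after at least one network alert
        linked = [s for s in sap
                  if any(timedelta(0) <= s.ts - n.ts <= window for n in net)]
        if not linked:
            continue
        # A successful logon after network-level reconnaissance is the worst case
        severity = "high" if any(s.kind == "logon_success" for s in linked) else "medium"
        chain = sorted(net + linked, key=lambda e: e.ts)
        incidents.append(Incident(src, chain[0].ts, chain[-1].ts,
                                  severity, PLAYBOOK[severity], chain))
    incidents.sort(key=lambda i: i.first_seen)
    return incidents


# Constructed sample events (not real IDS or SAP audit log records).
T0 = datetime(2023, 5, 9, 8, 0)


def _t(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    # Source A: scan, password guessing, then a successful logon -> high
    Event(_t(0), "network", "10.10.4.77", "portscan", "SYN scan of SAP dispatcher and gateway ports"),
    Event(_t(5), "sap", "10.10.4.77", "logon_failed", "user HRADMIN, wrong password"),
    Event(_t(6), "sap", "10.10.4.77", "logon_failed", "user HRADMIN, wrong password"),
    Event(_t(8), "sap", "10.10.4.77", "logon_success", "user HRADMIN, dialog logon"),
    # Source B: scan followed by failed logons only -> medium
    Event(_t(2), "network", "10.10.4.78", "portscan", "SYN scan of SAP dispatcher and gateway ports"),
    Event(_t(9), "sap", "10.10.4.78", "logon_failed", "user SAP*, wrong password"),
    Event(_t(10), "sap", "10.10.4.78", "logon_failed", "user DDIC, wrong password"),
    # Source C: lone scan, nothing at the application layer -> no incident
    Event(_t(3), "network", "10.10.9.1", "portscan", "SYN scan of SAP dispatcher and gateway ports"),
    # Source D: single failed logon, no network alert -> no incident (likely a typo)
    Event(_t(4), "sap", "192.168.1.20", "logon_failed", "user JDOE, wrong password"),
    # Source E: logon two hours after an old scan, outside the window -> no incident
    Event(_t(0), "network", "10.10.5.5", "portscan", "SYN scan of SAP dispatcher and gateway ports"),
    Event(_t(120), "sap", "10.10.5.5", "logon_success", "user BATCH01, background logon"),
]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc.src_ip}: {inc.severity} ({len(inc.events)} events, "
              f"{inc.first_seen:%H:%M}-{inc.last_seen:%H:%M})")
        for action in inc.response:
            print(f"  -> {action}")
```

Eleven raw events from five sources collapse into two incidents: the source that scanned and then logged on successfully gets the high-severity playbook (network block plus SAP user lock), the source that scanned and only failed to log on gets a medium one, and the lone scan, the lone typo and the out-of-window logon generate nothing. The window parameter is the knob a practitioner would tune per landscape; too wide and unrelated scans get attached to legitimate logons, too narrow and a patient attacker slips through.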

At SecurityBridge we work to break down information silos and domain knowledge boundaries by providing out-of-the-box integration that connects SAP to security management systems. We get members of different security teams to collaborate using a common language, which results in a cohesive security solution.

Posted by Christoph Nagy