SAP Enterprise Threat Detection Overview
DESCRIPTION
The interconnected nature of modern business systems means that successful companies with critical business on SAP software must effectively manage exposure to external and internal threats. SAP Enterprise Threat Detection helps you identify the real attacks as they are happening and analyze the threats quickly enough to neutralize them before serious damage occurs. More information: http://scn.sap.com/community/security
TRANSCRIPT
SAP Enterprise Threat Detection: Overview
October 15, 2014, Public
© 2014 SAP SE or an SAP affiliate company. All rights reserved. 2 Public
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
The challenge
The solution
Ad hoc analysis in action
Real-time security analysis in action
Technical aspects
Summary
The challenge
The threat environment is changing and becoming more dangerous
[Figure: traditional defenses (alarm system, anti-virus, monitoring system)]
Traditional defenses no longer provide sufficient protection for business-critical software.
More exposure to risk:
• Interconnected systems, mobile applications, …
• Increased interest in SAP software by cybercriminals
• Threats from inside nullify technical precautions
Attackers will penetrate to your critical systems. What will you do then?
IT security organizations have serious blind spots
Cybercriminals are working in the dark areas of the IT landscape.
What's going on?
• Are there unexpected activities in the landscape?
• Are there ongoing attacks?
• Who is involved?
• What end-to-end attack actions took place?
• What was the damage?
If you cannot look, you cannot see. If you cannot see, you cannot react effectively.
What are the current threats? – A big-data solution is needed
Vast quantity of security-relevant data; a tiny fraction is indicative of a particular threat.
You must react in real time to neutralize some attacks.
To react in real time you must:
• Analyze in real time
• Understand in real time
• Get actionable information in real time
The solution
The missing piece to defend against cyber-attacks
What does it do?
• Automatically detects suspicious activities
• Enables real-time analysis of security events
How does it do it?
• Stores security events in a central database
• Enriches events with context information
• Automatically evaluates attack detection patterns to generate alerts
SAP Enterprise Threat Detection is based on SAP HANA and SAP Event Stream Processor.
SAP Enterprise Threat Detection: Main use cases
Real-time security monitoring
• Gather events from the landscape
• Evaluate attack detection patterns
• React to critical alerts
• Gain an overview of the threat situation
Ad hoc analysis
• Analyze existing suspicions
• Perform forensic investigation
• Support compliance processes
Overview of how threat detection works
[Figure: architecture overview]
Monitored landscape: SAP systems, each with a log data extractor, and non-SAP systems with a log data extractor push their log data to SAP Enterprise Threat Detection.
SAP Enterprise Threat Detection: SAP HANA with ESP (Event Stream Processor).
User interface (SAP system): Dashboard (alerts & KPIs); Browsing & analysis, pattern creation; Pattern configuration, scheduling, & monitoring.
Flow: Systems provide log data → Normalize & enrich log data → Evaluate & analyze, generate alerts.
Ad hoc analysis in action
Launch pad
The launch pad is the main entry point to the tools in SAP Enterprise Threat Detection. The Browse Events tile takes you to the tool where you do ad hoc analysis and create attack detection patterns.
http://<HANAserver>:<port>/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad
Browsing events
When you browse events you are essentially applying filters to the normalized log data that exists in the SAP HANA database.
• A series of filters is referred to as a path
• Visualize the filtered data to look for standout values
• Generate attack detection patterns from paths
Example of finding an indication of an attack
A number of attempts with different users against the same system, or with the same user against multiple systems, in a short period of time would be suspicious. A security analyst has spotted unusual activity in some systems and decides to see what has been happening in the last day using the event browser.
Example of browsing events
• Filter the events of the last day
• 47 are failed logons
• Visualize the number of failed logons by terminal and user
• Select a user for further investigation
• What has he been doing in the last hour?
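As an added example, not part of the original deck, the path above carried out in code over a constructed set of normalized events: filter to failed logons, count them by terminal and user, then look for the two shapes the previous slide calls suspicious (many users against one system, or one user against many systems, within a short window). The field names, the 10-minute window and the threshold of 3 are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized events (header fields only); not data from a real
# installation. The field names are assumptions, not the product's actual schema.
def _ev(ts, system, user, terminal, event):
    return {"ts": datetime.fromisoformat(ts), "system": system,
            "user": user, "terminal": terminal, "event": event}

EVENTS = [
    _ev("2014-10-14T09:00:00", "PRD", "ALICE", "WS-17", "LOGON_FAILED"),
    _ev("2014-10-14T09:01:00", "PRD", "BOB", "WS-17", "LOGON_FAILED"),
    _ev("2014-10-14T09:02:00", "PRD", "CAROL", "WS-17", "LOGON_FAILED"),
    _ev("2014-10-14T09:05:00", "PRD", "DAVE", "WS-17", "LOGON_FAILED"),
    _ev("2014-10-14T09:10:00", "PRD", "ALICE", "WS-03", "LOGON_OK"),
    _ev("2014-10-14T09:30:00", "DEV", "SVC_BATCH", "BATCH-01", "LOGON_FAILED"),
    _ev("2014-10-14T09:31:00", "QAS", "SVC_BATCH", "BATCH-01", "LOGON_FAILED"),
    _ev("2014-10-14T09:32:00", "PRD", "SVC_BATCH", "BATCH-01", "LOGON_FAILED"),
    _ev("2014-10-14T11:00:00", "QAS", "ERIN", "WS-42", "LOGON_FAILED"),
]

def failed_logons(events):
    """First filter of the path: keep only failed logon events."""
    return [e for e in events if e["event"] == "LOGON_FAILED"]

def count_by(events, *fields):
    """Visualization step: count events per combination of header fields."""
    return Counter(tuple(e[f] for f in fields) for e in events)

def failed_logon_indicators(events, window=timedelta(minutes=10), threshold=3):
    """Pattern step: for every window starting at a failed logon, flag many distinct
    users failing against that event's system, or that event's user failing against
    many systems. Returns {(indicator, system-or-user): set of users-or-systems}."""
    failed = sorted(failed_logons(events), key=lambda e: e["ts"])
    findings = defaultdict(set)
    for i, start in enumerate(failed):
        users_on_system, systems_for_user = set(), set()
        for e in failed[i:]:
            if e["ts"] - start["ts"] > window:
                break
            if e["system"] == start["system"]:
                users_on_system.add(e["user"])
            if e["user"] == start["user"]:
                systems_for_user.add(e["system"])
        if len(users_on_system) >= threshold:
            findings[("many users, one system", start["system"])] |= users_on_system
        if len(systems_for_user) >= threshold:
            findings[("one user, many systems", start["user"])] |= systems_for_user
    return dict(findings)
```

The single failed logon by ERIN and the successful logon by ALICE stay below the threshold, which is the point of the window: isolated failures are noise, clustered ones are the indicator.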
Real-time security analysis in action
Launch pad
The launch pad is the main entry point to the tools in SAP Enterprise Threat Detection. You can navigate to tools for:
• An overview of what is happening in the monitored landscape
• Working with alerts and investigations
• Configuring and executing patterns
• Viewing the results of executed patterns
http://<HANAserver>:<port>/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad
Patterns generate alerts when an attack is detected
Example of real-time analysis
An operator looks at recent activity in the landscape and from the dashboard tools determines that there is abnormal activity in a particular system. He groups significant alerts into an investigation and sets the severity to very high for follow-up by an analyst. The analyst uses the browsing tools to determine the impact of the attack and decide on what countermeasures need to be taken.
Working with alerts
Use the dashboard to get an overview
Find related alerts and assign them to an investigation
Analyze key events
Technical aspects
Pushing log data to SAP Enterprise Threat Detection
[Figure: SAP systems (via the log extractor) and non-SAP systems push log data as JSON/REST requests to the ESP REST service in SAP Enterprise Threat Detection, which writes it to HANA]
Monitored systems:
• Push their log data
• Schedule the data transfer
• Minimize transferred data by using deltas
• ABAP systems have a log extractor to support the transfer of data
Event Stream Processor (ESP):
• Exposes a REST service to receive log data (currently there is no pull service)
• Pushes the log data to the HANA database
Data model of SAP Enterprise Threat Detection
Normalization of log data
• Information content of the source is not reduced
• Unified representation of timestamps, user identities, …
• Maintenance of additional information
Data model is generic enough to cover customer-specific scenarios.
[Figure: source logs (HTTP log, security audit log, system log, user change log, business transaction log, read access log, customer-specific log, …) feed one unified log]
Data model of SAP Enterprise Threat Detection: How the normalized data looks
Log Viewer: technical view of the logs
• Header: contains the most common fields for ABAP, network, and system logs
• Details: contains additional information in Name and Value fields
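An added example (not the product's code) of the normalization described on this slide and the previous one: two constructed source records, an HTTP access-log line and a security-audit-log record, are mapped into one Header/Details shape with UTC timestamps and upper-cased user names, and every source field the header does not carry is kept as a Name/Value detail so nothing is lost. The header and detail field names are assumptions, not the product's schema.

```python
import re
from datetime import datetime, timezone

# Constructed source records for illustration, not output of a real system. The header
# and detail field names are assumptions, not the product's actual schema.
HTTP_LINE = ('10.0.0.7 - jdoe [14/Oct/2014:09:05:12 +0200] '
             '"GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 401 512')
AUDIT_RECORD = {"Date": "20141014", "Time": "070512", "User": "JDOE", "Terminal": "WS-17",
                "SysId": "PRD", "Client": "100", "MsgId": "AU2",
                "Text": "Logon failed (reason=1, type=A)"}

HTTP_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)')

def normalize_http(line, system):
    """Map one HTTP access-log line into the unified Header/Details record."""
    m = HTTP_RE.match(line)
    if not m:
        raise ValueError("unparsable HTTP log line")
    f = m.groupdict()
    # Unified timestamp: the source offset (+0200) is folded into UTC.
    ts = datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    # Unified user identity: upper-case like ABAP user names; '-' means no user.
    user = None if f["user"] == "-" else f["user"].upper()
    header = dict(ts=ts, system=system, user=user, terminal=f["ip"],
                  event="HTTP_REQUEST", source="HTTP Log")
    # Header fields common to all sources; the rest go to Details as Name/Value pairs.
    details = [(k, f[k]) for k in ("request", "status", "size")]
    return {"header": header, "details": details}

def normalize_audit(rec, source_tz=timezone.utc):
    """Map one security-audit-log record into the unified Header/Details record."""
    ts = datetime.strptime(rec["Date"] + rec["Time"], "%Y%m%d%H%M%S").replace(tzinfo=source_tz)
    header = dict(ts=ts, system=rec["SysId"], user=rec["User"].upper(),
                  terminal=rec["Terminal"], event=rec["MsgId"], source="Security Audit Log")
    used = {"Date", "Time", "SysId", "User", "Terminal", "MsgId"}
    details = [(k, v) for k, v in rec.items() if k not in used]
    return {"header": header, "details": details}

def same_actor(a, b, tolerance_s=60):
    """True when two normalized records, whatever their source, describe the same user
    on the same system within tolerance_s seconds; this is what the unified header buys."""
    h1, h2 = a["header"], b["header"]
    return ((h1["system"], h1["user"]) == (h2["system"], h2["user"])
            and abs((h1["ts"] - h2["ts"]).total_seconds()) <= tolerance_s)
```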
Summary
SAP Enterprise Threat Detection: A big-data solution to a serious security challenge
BIG DATA: Vast amount of log data scattered across the landscape.
ACQUIRE: Bring data together in one place with a common format.
ANALYZE: Evaluate attack detection patterns. Browse & analyze.
ACT: Lock user account, cut off connection, …
REAL RESULTS: Detect attacks early and prevent harm.
REAL TIME (the acquire, analyze, and act steps)
Business goals…
• Protect the integrity of my business processes
• Prevent theft or manipulation of business data
… translate into technical questions:
• Are there unexpected activities in my landscape?
• Who is the attacker?
• What attack actions took place?
Key takeaways
Technological breakthroughs in processing big data enable real-time monitoring and analysis of large landscapes.
SAP HANA leads the way in real-time data processing.
SAP Enterprise Threat Detection leverages SAP HANA to greatly improve your overall system security.
Further Information
Get more information and updates
SAP Enterprise Threat Detection: http://scn.sap.com/docs/DOC-58501
Security Community: http://scn.sap.com/community/security
Documentation on SAP Help Portal: http://help.sap.com/sapetd
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.