SAP Enterprise Threat Detection Overview, October 15, 2014, Public

Upload: sap-database-technology, posted 02-Dec-2014

DESCRIPTION

The interconnected nature of modern business systems means that successful companies with critical business on SAP software must effectively manage exposure to external and internal threats. SAP Enterprise Threat Detection helps you identify the real attacks as they are happening and analyze the threats quickly enough to neutralize them before serious damage occurs. More information: http://scn.sap.com/community/security

TRANSCRIPT

Page 1: SAP Enterprise Threat Detection Overview

SAP Enterprise Threat Detection Overview

October 15, 2014 Public

Page 2: SAP Enterprise Threat Detection Overview

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Page 3: SAP Enterprise Threat Detection Overview


Agenda

The challenge

The solution

Ad hoc analysis in action

Real-time security analysis in action

Technical aspects

Summary

Page 4: SAP Enterprise Threat Detection Overview

The challenge

Page 5: SAP Enterprise Threat Detection Overview


The threat environment is changing and becoming more dangerous

Traditional defenses (alarm system, anti-virus, monitoring system) no longer provide sufficient protection for business-critical software.

More exposure to risk: interconnected systems, mobile applications, ...
Increased interest in SAP software by cybercriminals
Threats from inside nullify technical precautions

Attackers will penetrate to your critical systems. What will you do then?

Page 6: SAP Enterprise Threat Detection Overview


IT security organizations have serious blind spots

Cybercriminals are working in the dark areas of the IT landscape.

What's going on?
Are there unexpected activities in the landscape?
Are there ongoing attacks?
Who is involved?
What end-to-end attack actions took place?
What was the damage?

If you cannot look, you cannot see. If you cannot see, you cannot react effectively.

Page 7: SAP Enterprise Threat Detection Overview


What are the current threats? – A big-data solution is needed

Vast quantity of security-relevant data; only a tiny fraction of it is indicative of a particular threat.

You must react in real time to neutralize some attacks.

To react in real time you must:
Analyze in real time
Understand in real time
Get actionable information in real time

Page 8: SAP Enterprise Threat Detection Overview

The solution

Page 9: SAP Enterprise Threat Detection Overview


The missing piece to defend against cyber-attacks

What does it do?
Automatically detects suspicious activities
Enables real-time analysis of security events

How does it do it?
Stores security events in a central database
Enriches events with context information
Automatically evaluates attack detection patterns to generate alerts

SAP Enterprise Threat Detection is based on SAP HANA and SAP Event Stream Processor.

SAP Enterprise Threat Detection

Page 10: SAP Enterprise Threat Detection Overview


SAP Enterprise Threat Detection: Main use cases

Real-time security monitoring
Gather events from the landscape
Evaluate attack detection patterns
React on critical alerts
Gain an overview of the threat situation

Ad hoc analysis
Analyze existing suspicions
Perform forensic investigation
Support compliance processes

Page 11: SAP Enterprise Threat Detection Overview


Overview of how threat detection works

[Architecture diagram] Monitored landscape: several SAP systems, each with a log data extractor, and non-SAP systems with a log data extractor, push their log data to SAP Enterprise Threat Detection. Inside SAP Enterprise Threat Detection the Event Stream Processor (ESP) receives the pushed data and feeds SAP HANA. The user interface offers: Dashboard (Alerts & KPIs); Browsing & Analysis, Pattern Creation; Pattern Configuration, Scheduling & Monitoring.

Flow: Systems provide log data -> Normalize & enrich log data -> Evaluate & analyze, generate alerts

Page 12: SAP Enterprise Threat Detection Overview

Ad hoc analysis in action

Page 13: SAP Enterprise Threat Detection Overview


Launch pad

The launch pad is the main entry point to the tools in SAP Enterprise Threat Detection. The Browse Events tile takes you to the tool where you do ad hoc analysis and create attack detection patterns.

http://<HANAserver>:<port>/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad

(The slide shows the URL with plain http; in a productive landscape the launch pad exposes alert and log data and should only be reachable over HTTPS.)

Page 14: SAP Enterprise Threat Detection Overview


Browsing events

When you browse events you are essentially applying filters to the normalized log data that exists in the SAP HANA database.

A series of filters is referred to as a path
Visualize the filtered data to look for standout values
Generate attack detection patterns from paths

Example of finding an indication of attack
A number of logon attempts with different users against the same system, or with the same user against multiple systems, in a short period of time would be suspicious. A security analyst has spotted unusual activity in some systems and decides to see what has been happening in the last day using the event browser.

Page 15: SAP Enterprise Threat Detection Overview


Example of browsing events

Filter the events of the last day
47 are failed logons
Visualize the number of failed logons by terminal and user
Select a user for further investigation
What has he been doing in the last hour?
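The browsing path of slides 14 and 15, carried through in code as an added example (this is not code from SAP Enterprise Threat Detection, and it runs on constructed sample events rather than on HANA). Assumed for the example: events are already normalized into dicts with the fields timestamp, system, user, terminal and event, the value "LOGON_FAILED" marks a failed logon, and the two pattern functions, their windows and thresholds are this example's own choices for the two suspicious shapes the slide names.

```python
"""Ad hoc analysis over normalized log events, run offline on constructed data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Fixed "now" so that the relative timestamps below are reproducible.
NOW = datetime(2014, 10, 15, 12, 0, 0)


def ev(minutes_ago, system, user, terminal, event):
    """Build one normalized event `minutes_ago` minutes before NOW."""
    return {"timestamp": NOW - timedelta(minutes=minutes_ago), "system": system,
            "user": user, "terminal": terminal, "event": event}


# Constructed sample log (not real data): a burst of failed logons against PRD
# from one terminal using six different users, one user failing against three
# systems, a little background noise and one event older than a day.
EVENTS = (
    [ev(30 + i, "PRD", "USER%02d" % i, "WS-0042", "LOGON_FAILED") for i in range(6)]
    + [ev(45, "PRD", "USER01", "WS-0042", "LOGON_OK")]
    + [ev(20, s, "JSMITH", "WS-0007", "LOGON_FAILED") for s in ("PRD", "DEV", "QAS")]
    + [ev(15, "PRD", "JSMITH", "WS-0007", "RFC_CALL")]
    + [ev(600, "DEV", "ABAPDEV", "WS-0100", "LOGON_FAILED")]
    + [ev(3000, "PRD", "OLDUSER", "WS-0001", "LOGON_FAILED")]
)


def filter_window(events, start, end):
    """First filter on the path: keep events with start <= timestamp < end."""
    return [e for e in events if start <= e["timestamp"] < end]


def last_day(events=EVENTS):
    """Events of the last day, the filter the analyst starts with."""
    return filter_window(events, NOW - timedelta(days=1), NOW)


def failed_logons(events):
    return [e for e in events if e["event"] == "LOGON_FAILED"]


def count_by(events, *fields):
    """Visualization step: number of events per combination of field values."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def _bursts(events, key_field, distinct_field, window, threshold):
    """Sliding window per key_field value: report keys that see at least
    `threshold` distinct values of distinct_field within `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        by_key[e[key_field]].append(e)
    hits = {}
    for key, evs in by_key.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["timestamp"] - first["timestamp"] <= window]
            seen = {x[distinct_field] for x in in_window}
            if len(seen) >= threshold:
                hits[key] = sorted(seen)
                break
    return hits


def many_users_one_system(events, window=timedelta(minutes=15), threshold=5):
    """Pattern 1: failed logons with many different users against one system."""
    return _bursts(failed_logons(events), "system", "user", window, threshold)


def one_user_many_systems(events, window=timedelta(minutes=15), threshold=3):
    """Pattern 2: failed logons with one user against several systems."""
    return _bursts(failed_logons(events), "user", "system", window, threshold)


def recent_activity(events, user, hours=1):
    """Drill-down: everything the selected user did in the last `hours`."""
    since = NOW - timedelta(hours=hours)
    return [e for e in events if e["user"] == user and e["timestamp"] >= since]


if __name__ == "__main__":
    day = last_day()
    failed = failed_logons(day)
    print(len(day), "events in the last day,", len(failed), "failed logons")
    for (terminal, user), n in count_by(failed, "terminal", "user").most_common():
        print("  %-8s %-8s %d" % (terminal, user, n))
    print("many users, one system:", many_users_one_system(day))
    print("one user, many systems:", one_user_many_systems(day))
    for e in recent_activity(day, "JSMITH"):
        print(" ", e["timestamp"].time(), e["system"], e["event"])
```

The two pattern functions are what a path becomes once it is turned into an attack detection pattern: the filters (time window, failed logons) stay, and the "standout value" the analyst looked for by eye becomes a threshold evaluated per system or per user. Thresholds and windows are tuned per landscape; the values here only fit the constructed sample.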

Page 16: SAP Enterprise Threat Detection Overview

Real-time security analysis in action

Page 17: SAP Enterprise Threat Detection Overview


Launch pad

The launch pad is the main entry point to the tools in SAP Enterprise Threat Detection. You can navigate to tools for:

An overview of what is happening in the monitored landscape
Working with alerts and investigations
Configuring and executing patterns
Viewing the results of executed patterns

http://<HANAserver>:<port>/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad

Page 18: SAP Enterprise Threat Detection Overview


Patterns generate alerts when an attack is detected

Example of real-time analysis
An operator looks at recent activity in the landscape and, from the dashboard tools, determines that there is abnormal activity in a particular system.
He groups significant alerts into an investigation and sets the severity to very high for follow-up by an analyst.
The analyst uses the browsing tools to determine the impact of the attack and decide on what countermeasures need to be taken.

Page 19: SAP Enterprise Threat Detection Overview


Working with alerts

Use the dashboard to get an overview

Find related alerts and assign toan investigation

Analyze key events

Page 20: SAP Enterprise Threat Detection Overview

Technical aspects

Page 21: SAP Enterprise Threat Detection Overview


Pushing log data to SAP Enterprise Threat Detection

[Diagram] SAP systems (through the log extractor) and non-SAP systems push their log data as a JSON/REST request to the REST service of the Event Stream Processor (ESP), which forwards it into the HANA database of SAP Enterprise Threat Detection.

Monitored systems:
Push their log data
Schedule the data transfer
Minimize transferred data by using deltas
ABAP systems have a log extractor to support the transfer of data

Event Stream Processor (ESP):
Exposes a REST service to receive log data
Currently there is no pull service
Pushes the log data to the HANA database
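The push model above, as an added example of what a scheduled delta transfer has to get right (this is not SAP's log extractor and not the ESP's real REST interface). The slide only says that monitored systems push JSON over REST on a schedule and send deltas; the checkpoint layout, the request body, the endpoint path, the bearer token and the use of a sequence number as the delta cursor are all assumed here. The transport is passed in as a callable so the push logic runs offline; `https_sender` shows the real urllib sender for the assumed endpoint.

```python
"""Scheduled delta push of log records to a REST receiver (offline-testable)."""
import json
from urllib import request

# Constructed sample records in arrival order; `seq` is the delta cursor.
SAMPLE_LOG = [
    {"seq": 1, "ts": "2014-10-15T11:45:32Z", "user": "JSMITH", "msg": "Logon failed"},
    {"seq": 2, "ts": "2014-10-15T11:45:40Z", "user": "JSMITH", "msg": "Logon failed"},
    {"seq": 3, "ts": "2014-10-15T11:46:01Z", "user": "JSMITH", "msg": "Logon successful"},
]


def build_delta(records, last_seq):
    """Select only records newer than the checkpoint (the delta)."""
    new = [r for r in records if r["seq"] > last_seq]
    return new, (max(r["seq"] for r in new) if new else last_seq)


def push_delta(records, checkpoint, send, source="PRD/00"):
    """One scheduled run: send the delta, advance the checkpoint only on success.

    Returns (new_checkpoint, request_body_or_None). The checkpoint moves only
    after the receiver acknowledged the batch (HTTP 2xx), so a failed transfer
    is retried on the next run instead of being silently lost.
    """
    last_seq = checkpoint.get("last_seq", 0)
    new, new_seq = build_delta(records, last_seq)
    if not new:
        return checkpoint, None
    body = {"source": source, "from_seq": last_seq + 1, "to_seq": new_seq, "events": new}
    status = send(json.dumps(body).encode("utf-8"))
    if 200 <= status < 300:
        return {"last_seq": new_seq}, body
    return checkpoint, body


def https_sender(url, token):
    """Real transport for the assumed endpoint: HTTPS POST with a bearer token."""
    def send(payload):
        req = request.Request(url, data=payload, method="POST", headers={
            "Content-Type": "application/json",
            "Authorization": "Bearer " + token,
        })
        with request.urlopen(req, timeout=10) as resp:
            return resp.status
    return send


class RecordingSender:
    """Offline stand-in for the REST service: records payloads, returns a status."""
    def __init__(self, status=200):
        self.status = status
        self.batches = []

    def __call__(self, payload):
        self.batches.append(json.loads(payload))
        return self.status


if __name__ == "__main__":
    receiver = RecordingSender()
    cp = {}
    cp, body = push_delta(SAMPLE_LOG, cp, receiver)   # first run: all 3 records
    cp, body = push_delta(SAMPLE_LOG, cp, receiver)   # second run: nothing new
    print(cp, len(receiver.batches), "batch(es) sent")
    # Real deployment (not executed here; hypothetical URL and token):
    # push_delta(SAMPLE_LOG, cp, https_sender("https://etd.example.com/esp/logs", "TOKEN"))
```

Two things worth checking in any extractor built along these lines: the checkpoint must be persisted only after the receiver's acknowledgement (otherwise a network failure drops a delta for good), and because there is no pull service, the receiver must authenticate the pushing system and accept the data only over TLS, or anyone who can reach the REST port can inject fabricated events into the threat detection database.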

Page 22: SAP Enterprise Threat Detection Overview


Data model of SAP Enterprise Threat Detection

Normalization of log data
Information content of the source is not reduced
Unified representation of timestamps, user identities, ...
Maintenance of additional information

Data model is generic enough to cover customer-specific scenarios

[Diagram] Source logs feeding the Unified Log: HTTP Log, Security Audit Log, System Log, User Change Log, Business Transaction Log, Read Access Log, Customer-specific Log, ... -> Unified Log

Page 23: SAP Enterprise Threat Detection Overview


Data model of SAP Enterprise Threat Detection: How the normalized data looks

Log Viewer: technical view of the logs

Header: contains the most common fields for ABAP, network, and system logs

Details: contains additional information in Name and Value fields
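The header-plus-details layout of slides 22 and 23, as an added example of normalizing two different source logs into one record without dropping information (this is not SAP's data model or code). Assumed here: the header field names, the input formats (a Security Audit Log record already read into a dict, with the message ID AU2 taken as the failed-logon message, and an Apache-style common-log line standing in for the HTTP log) and the two constructed sample records, which both describe the same failed logon so that the normalized timestamps and user identities can be compared.

```python
"""Normalize a Security Audit Log record and an HTTP log line into header + details."""
import re
from datetime import datetime, timezone

HEADER_FIELDS = ("timestamp", "system", "log_type", "event", "user", "terminal", "source_ip")

# Constructed samples (not real data), both describing the same failed logon.
SAL_RECORD = {"date": "20141015", "time": "114532", "user": "jsmith", "terminal": "WS-0007",
              "client": "100", "msgid": "AU2", "text": "Logon failed (reason=1, type=A)"}
HTTP_LINE = '10.0.0.5 - jsmith [15/Oct/2014:11:45:32 +0000] "POST /sap/bc/gui/sap/its/webgui HTTP/1.1" 401 512'

_CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)$')


def _unified(timestamp, system, log_type, event, user, terminal, source_ip, details):
    """Assemble the record: fixed header, everything else kept as name/value details."""
    header = dict(zip(HEADER_FIELDS, (
        timestamp.astimezone(timezone.utc).isoformat(),   # one timestamp representation (UTC)
        system, log_type, event,
        user.upper() if user and user != "-" else None,   # one representation of identities
        terminal, source_ip)))
    return {"header": header, "details": details}


def normalize_sal(rec, system, server_tz=timezone.utc):
    """Security Audit Log record (assumed dict layout) -> unified record."""
    ts = datetime.strptime(rec["date"] + rec["time"], "%Y%m%d%H%M%S").replace(tzinfo=server_tz)
    details = {k: v for k, v in rec.items() if k not in ("date", "time", "user", "terminal")}
    return _unified(ts, system, "SecurityAuditLog", rec["msgid"], rec["user"], rec["terminal"], None, details)


def normalize_http(line, system):
    """Apache common-log line -> unified record; raises ValueError on unparsable input."""
    m = _CLF.match(line)
    if not m:
        raise ValueError("not a common-log line: %r" % line)
    f = m.groupdict()
    ts = datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z")
    details = {k: f[k] for k in ("method", "path", "proto", "status", "bytes")}
    details["raw"] = line                       # keep the original line: nothing is dropped
    return _unified(ts, system, "HTTPLog", "HTTP " + f["status"], f["user"], None, f["ip"], details)


def same_event(a, b):
    """Correlation made possible by normalization: same user at the same second."""
    return (a["header"]["user"] == b["header"]["user"]
            and a["header"]["timestamp"] == b["header"]["timestamp"])


if __name__ == "__main__":
    sal = normalize_sal(SAL_RECORD, "PRD")
    http = normalize_http(HTTP_LINE, "PRD")
    print(sal)
    print(http)
    print("correlated:", same_event(sal, http))
```

The point of the split is that patterns and the event browser only need to know the header (time, system, user, terminal, source address, event type) to correlate across log types, while source-specific fields such as the audit log client or the HTTP status survive unchanged in the details for forensic drill-down. A customer-specific log only needs its own `normalize_*` function that fills the same header.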

Page 24: SAP Enterprise Threat Detection Overview

Summary

Page 25: SAP Enterprise Threat Detection Overview


SAP Enterprise Threat Detection: A big-data solution to a serious security challenge

Big data: Vast amount of log data scattered across the landscape.
Acquire: Bring data together in one place with a common format.
Analyze: Evaluate attack detection patterns. Browse & analyze.
Act: Lock user account, cut off connection, ...
Real results: Detect attacks early and prevent harm.
All of this in real time.

Business goals...
• Protect the integrity of my business processes
• Prevent theft or manipulation of business data

... translate into technical questions:
• Are there unexpected activities in my landscape?
• Who is the attacker?
• What attack actions took place?

Page 26: SAP Enterprise Threat Detection Overview


Key takeaways

Technological breakthroughs in processing big data enable real-time monitoring and analysis of large landscapes

SAP HANA leads the way in real-time data processing

SAP Enterprise Threat Detection leverages SAP HANA to greatly improve your overall system security

Page 27: SAP Enterprise Threat Detection Overview


Further Information

Get more information and updates

SAP Enterprise Threat Detection
http://scn.sap.com/docs/DOC-58501

Security Community
http://scn.sap.com/community/security

Documentation on SAP Help Portal
http://help.sap.com/sapetd

Community Network

Page 28: SAP Enterprise Threat Detection Overview


© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.