SAP Enterprise Threat Detection Overview

The interconnected nature of modern business systems means that successful companies with critical business on SAP software must effectively manage exposure to external and internal threats. SAP Enterprise Threat Detection helps you identify the real attacks as they are happening and analyze the threats quickly enough to neutralize them before serious damage occurs. More information: http://scn.sap.com/community/security

Published in: Technology
Slide 1: SAP Enterprise Threat Detection Overview
October 15, 2014. Public

Slide 2: Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public

Slide 3: Agenda
• The challenge
• The solution
• Ad hoc analysis in action
• Real-time security analysis in action
• Technical aspects
• Summary

Slide 4: The challenge

Slide 5: The threat environment is changing and becoming more dangerous
[Figure: traditional defenses such as a monitoring system, an alarm system and anti-virus]
Traditional defenses no longer provide sufficient protection for business-critical software.
More exposure to risk:
• Interconnected systems, mobile applications, …
• Increased interest in SAP software by cybercriminals
• Threats from inside nullify technical precautions
Attackers will penetrate your critical systems.
• What will you do then?

Slide 6: IT security organizations have serious blind spots
Cybercriminals are working in the dark areas of the IT landscape.
What's going on?
• Are there unexpected activities in the landscape?
• Are there ongoing attacks?
• Who is involved?
• What end-to-end attack actions took place?
• What was the damage?
If you cannot look, you cannot see.
• If you cannot see, you cannot react effectively.

Slide 7: What are the current threats? A big-data solution is needed
Vast quantity of security-relevant data
• A tiny fraction is indicative of a particular threat
You must react in real time to neutralize some attacks. To react in real time you must:
• Analyze in real time
• Understand in real time
• Get actionable information in real time

Slide 8: The solution

Slide 9: The missing piece to defend against cyber-attacks
What does it do?
• Automatically detects suspicious activities
• Enables real-time analysis of security events
How does it do it?
• Stores security events in a central database
• Enriches events with context information
• Automatically evaluates attack detection patterns to generate alerts
SAP Enterprise Threat Detection is based on SAP HANA and SAP Event Stream Processor.

Slide 10: SAP Enterprise Threat Detection: Main use cases
Real-time security monitoring
• Gather events from the landscape
• Evaluate attack detection patterns
• React to critical alerts
• Gain an overview of the threat situation
Ad hoc analysis
• Analyze existing suspicions
• Perform forensic investigation
• Support compliance processes

Slide 11: Overview of how threat detection works
[Figure: architecture diagram. The monitored landscape (SAP systems, each with a log data extractor, plus non-SAP systems) pushes log data to SAP Enterprise Threat Detection, which runs on SAP HANA and ESP (Event Stream Processor). Processing stages: systems provide log data; normalize & enrich log data; evaluate & analyze; generate alerts. User interface: dashboard, alerts & KPIs, browsing & analysis, pattern creation, pattern configuration, scheduling & monitoring.]

Slide 12: Ad hoc analysis in action

Slide 13: Launch pad
The launch pad is the main entry point to the tools in SAP Enterprise Threat Detection. The Browse Events tile takes you to the tool where you do ad hoc analysis and create attack detection patterns.
http://<HANAserver>:<port>/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad

Slide 14: Browsing events
When you browse events you are essentially applying filters to the normalized log data that exists in the SAP HANA database.
• A series of filters is referred to as a path
• Visualize the filtered data to look for standout values
• Generate attack detection patterns from paths
Example of finding an indication of attack
• A number of attempts with different users against the same system, or with the same user against multiple systems, in a short period of time would be suspicious.
• A security analyst has spotted unusual activity in some systems and decides to see what has been happening in the last day using the event browser.

Slide 15: Example of browsing events
Filter the events of the last day
• 47 are failed logons
Visualize the number of failed logons by terminal and user.
Select a user for further investigation
• What has he been doing in the last hour?
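The browsing procedure on slides 14 and 15 (filter the last day's failed logons, break them down by terminal and user, then look for many users against one system or one user against many systems in a short period) as an added Python example. It is not part of the deck and not SAP's code; the events, field names, lookback, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized logon events (assumed field names; not real SAP ETD data).
EVENTS = [
    {"ts": "2014-10-15T08:00:05", "user": "ALICE", "system": "ERP", "terminal": "PC-1", "ok": False},
    {"ts": "2014-10-15T08:00:09", "user": "BOB", "system": "ERP", "terminal": "PC-1", "ok": False},
    {"ts": "2014-10-15T08:00:14", "user": "CAROL", "system": "ERP", "terminal": "PC-1", "ok": False},
    {"ts": "2014-10-15T08:00:20", "user": "DAVE", "system": "ERP", "terminal": "PC-1", "ok": False},
    {"ts": "2014-10-15T08:01:00", "user": "ALICE", "system": "ERP", "terminal": "PC-2", "ok": True},
    {"ts": "2014-10-15T09:10:00", "user": "MALLORY", "system": "CRM", "terminal": "PC-9", "ok": False},
    {"ts": "2014-10-15T09:10:30", "user": "MALLORY", "system": "BW", "terminal": "PC-9", "ok": False},
    {"ts": "2014-10-15T09:11:00", "user": "MALLORY", "system": "HR", "terminal": "PC-9", "ok": False},
    {"ts": "2014-10-14T07:00:00", "user": "ERIN", "system": "ERP", "terminal": "PC-3", "ok": False},
]
NOW = datetime(2014, 10, 15, 12, 0, 0)  # assumed "current time" for the one-day lookback

def failed_logons(events, now=NOW, lookback=timedelta(days=1)):
    """Slide 15, step 1: filter to failed logons within the last day."""
    cutoff = now - lookback
    return [e for e in events if not e["ok"] and datetime.fromisoformat(e["ts"]) >= cutoff]

def count_by_terminal_user(events):
    """Slide 15, step 2: the 'visualize by terminal and user' breakdown as counts."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["terminal"], e["user"])] += 1
    return dict(counts)

def suspicious_patterns(events, window=timedelta(minutes=5), threshold=3):
    """Slide 14's two indications of attack, checked over a sliding time window."""
    evs = sorted(events, key=lambda e: e["ts"])
    findings = set()
    for i, first in enumerate(evs):
        start = datetime.fromisoformat(first["ts"])
        users_on_system, systems_for_user = set(), set()
        for e in evs[i:]:
            if datetime.fromisoformat(e["ts"]) - start > window:
                break  # input is sorted, so nothing later can be inside the window
            if e["system"] == first["system"]:
                users_on_system.add(e["user"])
            if e["user"] == first["user"]:
                systems_for_user.add(e["system"])
        if len(users_on_system) >= threshold:
            findings.add(("many-users-one-system", first["system"]))
        if len(systems_for_user) >= threshold:
            findings.add(("one-user-many-systems", first["user"]))
    return sorted(findings)
```

Running `suspicious_patterns(failed_logons(EVENTS))` on the constructed data flags the four different users failing against ERP within a minute and MALLORY failing against three systems within a minute, while ERIN's day-old failure falls outside the lookback.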
Slide 16: Real-time security analysis in action

Slide 17: Launch pad
The launch pad is the main entry point to the tools in SAP Enterprise Threat Detection. You can navigate to tools for:
• An overview of what is happening in the monitored landscape
• Working with alerts and investigations
• Configuring and executing patterns
• Viewing the results of executed patterns
http://<HANAserver>:<port>/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad

Slide 18: Patterns generate alerts when an attack is detected
Example of real-time analysis
• An operator looks at recent activity in the landscape and from the dashboard tools determines that there is abnormal activity in a particular system
• He groups significant alerts into an investigation and sets the severity to very high for follow-up by an analyst
• The analyst uses the browsing tools to determine the impact of the attack and decide on what countermeasures need to be taken

Slide 19: Working with alerts
• Use the dashboard to get an overview
• Find related alerts and assign them to an investigation
• Analyze key events

Slide 20: Technical aspects

Slide 21: Pushing log data to SAP Enterprise Threat Detection
[Figure: an SAP system with a log extractor and a non-SAP system each push a JSON/REST request to the REST service of ESP inside SAP Enterprise Threat Detection, which feeds HANA.]
Monitored systems:
• Push their log data
• Schedule the data transfer
• Minimize transferred data by using deltas
• ABAP systems have a log extractor to support the transfer of data
Event Stream Processor (ESP):
• Exposes a REST service to receive log data
– Currently there is no pull service
• Pushes the log data to the HANA database

Slide 22: Data model of SAP Enterprise Threat Detection
[Figure: source logs (Security Audit Log, Business Transaction Log, User Change Log, HTTP Log, System Log, Read Access Log, Customer-specific Log, …) feed one Unified Log.]
Normalization of log data
• Information content of the source is not reduced
• Unified representation of time stamps, user identities, …
• Maintenance of additional information
The data model is generic enough to cover customer-specific scenarios.

Slide 23: Data model of SAP Enterprise Threat Detection: How the normalized data looks
Log Viewer
• Technical view of the logs
Header
• Contains the most common fields for ABAP, network, and system logs
Details
• Contains additional information in Name and Value fields
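Slides 22 and 23 describe normalizing heterogeneous logs into a Header of common fields plus Name/Value Details without reducing the source's information content. As an added Python example (not the deck's or SAP's code; the two source formats, their field names, the header mapping and the UTC assumption are constructed), the sketch below normalizes an audit-log style record and an HTTP-log style record into the same shape and checks that no raw value was dropped.

```python
from datetime import datetime, timezone

# Two constructed raw records in different source formats (assumed field names,
# not real SAP log output): one audit-log style, one HTTP-log style.
AUDIT_RECORD = {"DATE": "20141015", "TIME": "080005", "USER": "alice ", "SYSID": "ERP",
                "TERMINAL": "PC-1", "TCODE": "SU01", "MSG": "AU2"}
HTTP_RECORD = {"epoch": 1413360005, "remote_user": "Bob", "host": "erp01",
               "client_ip": "10.0.0.7", "method": "GET", "path": "/sap/public/ping", "status": 401}

# Which raw field feeds each common header field, per source type (assumed mapping).
HEADER_MAP = {
    "audit": {"user": "USER", "system": "SYSID", "terminal": "TERMINAL"},
    "http": {"user": "remote_user", "system": "host", "terminal": "client_ip"},
}

def unified_timestamp(source, rec):
    """Unified representation of time stamps: ISO 8601 in UTC, whatever the source used."""
    if source == "audit":
        local = datetime.strptime(rec["DATE"] + rec["TIME"], "%Y%m%d%H%M%S")
        return local.replace(tzinfo=timezone.utc).isoformat()  # assumes the source logs UTC
    return datetime.fromtimestamp(rec["epoch"], tz=timezone.utc).isoformat()

def unified_user(value):
    """Unified representation of user identities: trimmed and upper-cased."""
    return str(value).strip().upper()

def normalize(source, rec):
    """Header holds the common fields; every other raw field survives as a Name/Value detail."""
    fmap = HEADER_MAP[source]
    header = {
        "timestamp": unified_timestamp(source, rec),
        "user": unified_user(rec[fmap["user"]]),
        "system": str(rec[fmap["system"]]),
        "terminal": str(rec[fmap["terminal"]]),
        "source": source,
    }
    details = sorted((k, str(v)) for k, v in rec.items() if k not in fmap.values())
    # The raw identity is kept as well, so normalizing the user loses nothing.
    details.append(("raw_user", str(rec[fmap["user"]])))
    return {"header": header, "details": details}

def is_lossless(rec, normalized):
    """Check the deck's promise: the information content of the source is not reduced."""
    kept = set(normalized["header"].values()) | {v for _, v in normalized["details"]}
    return all(str(v) in kept for v in rec.values())
```

Both constructed records describe the same instant, so after normalization their header timestamps compare equal even though one source wrote split date/time strings and the other an epoch integer; `is_lossless` confirms the raw date, time and epoch values are still present in the details.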
Slide 24: Summary

Slide 25: SAP Enterprise Threat Detection: A big-data solution to a serious security challenge
Business goals…
• Protect the integrity of my business processes
• Prevent theft or manipulation of business data
… translate into technical questions:
• Are there unexpected activities in my landscape?
• Who is the attacker?
• What attack actions took place?
[Figure: three-stage flow]
• Acquire (big data): vast amount of log data scattered across the landscape; bring data together in one place with a common format.
• Analyze (real time): evaluate attack detection patterns; browse & analyze.
• Act (real results): lock user account, cut off connection, …; detect attacks early and prevent harm.

Slide 26: Key takeaways
• Technological breakthroughs in processing big data enable real-time monitoring and analysis of large landscapes
• SAP HANA leads the way in real-time data processing
• SAP Enterprise Threat Detection leverages SAP HANA to greatly improve your overall system security

Slide 27: Further Information
Community Network: get more information and updates
• SAP Enterprise Threat Detection: http://scn.sap.com/docs/DOC-58501
• Security Community: http://scn.sap.com/community/security
• Documentation on SAP Help Portal: http://help.sap.com/sapetd

Slide 28: Legal notice
© 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
