In this digital age, your business’ systems are increasingly susceptible to security breaches. That is a simple matter of fact. Last year alone, an estimated 8 billion records were breached across over 3,000 data compromises, affecting over 350 million people! This is the highest number of data compromises and the highest year-on-year jump in such incidents since 2005.
From a business perspective, the loss of sensitive corporate data is damaging and can result in substantial financial losses. Accordingly, the ability to detect possible breaches early on is a necessity as part of a business’ battery of security measures. SAP is well-attuned to this need, with the latest update of its Enterprise Threat Detection (ETD) product having been rolled out this March. In this blog, Absoft breaks down what ETD is, what it does, and how Absoft can leverage its functionality to bolster your system’s security.
What is ETD?
ETD provides an extra layer of monitoring and auditing for an SAP system, specifically designed to detect potentially malicious users and allow you to prevent further incidents from occurring in the future. Operating on the HANA database, it integrates with and pulls logs from across the whole system landscape, whether the source is SAP or not. Once it identifies suspicious behaviour, it alerts a responsible person or team to process and investigate the incident.
It must be noted here that ETD is no substitute for other security measures. Instead, it works best as part of a larger security framework in conjunction with preventative controls like MFA (multifactor authentication), patching, firewalls, and antivirus software. ETD detects, logs, and alerts on suspicious user behaviour for a technical person or team to resolve.
How does it work?
SAP ETD continuously monitors and collects logs from the system landscape and normalises the data for storage in a customer-specific HANA tenant. A pattern execution engine analyses the log data and runs it against lists of patterns predefined by SAP or provided by the user. These patterns are tailored to capture the telltale signs of malicious activity and include, but aren’t limited to:
- Access to critical database tables via transactions
- Access to critical database tables via RFC
- Change of HR Critical Role
- Debugging in critical systems
- HTTP unexpected methods
- Logon success from the same user from different Terminal IDs
- Failed logon from the same Terminal ID with different users
- Manual execution of critical Function Module in SE37
- Multiple downloads by one user
- Reference user assignment
- Sensitive Data Access by RAL Purpose (Read Access Log)
- Table dropped or altered
If the logs match any of these patterns, indicating a potential attack, the program raises an alert to the responsible person or team for processing. It is then up to them to determine whether the alert represents a genuine attack and how severe it is. Regardless of whether there has been an attack, they produce a report on their investigation. In the case of an attack, whoever is responsible for maintaining the landscape must address the attack in progress and make the necessary corrections to improve security and prevent such incidents from occurring in the future.
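To make the matching step concrete, here is an added illustration (not Absoft's or SAP's code) of two patterns from the list above, "Logon success from the same user from different Terminal IDs" and "Failed logon from the same Terminal ID with different users", run over constructed, already-normalised logon records with a sliding time window. The log format, field names, user and terminal values, and the five-minute window are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised logon events; the format, field names and values are invented, not SAP ETD's schema.
SAMPLE_LOG = """\
2024-03-04T09:00:01 USER=JSMITH TERMINAL=WS-0147 EVENT=LOGON_OK
2024-03-04T09:00:40 USER=JSMITH TERMINAL=WS-0912 EVENT=LOGON_OK
2024-03-04T09:01:05 USER=ADMIN TERMINAL=WS-0500 EVENT=LOGON_FAIL
2024-03-04T09:01:09 USER=MLEE TERMINAL=WS-0500 EVENT=LOGON_FAIL
2024-03-04T09:01:14 USER=PBROWN TERMINAL=WS-0500 EVENT=LOGON_FAIL
2024-03-04T09:30:00 USER=AJONES TERMINAL=WS-0301 EVENT=LOGON_OK
2024-03-04T15:30:00 USER=AJONES TERMINAL=WS-0302 EVENT=LOGON_OK
"""

def parse_log(text):
    """Turn each 'timestamp KEY=VALUE ...' line into a dict with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def _window_pattern(events, group_by, distinct, window):
    """Group events by one field and raise an alert when, within a sliding time
    window, more than one distinct value of another field appears for the same group."""
    alerts = []
    groups = defaultdict(list)
    for ev in events:
        groups[ev[group_by]].append(ev)
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # drop events older than the window
                start += 1
            seen = {e[distinct] for e in evs[start:end + 1]}
            if len(seen) > 1:
                alerts.append((key, tuple(sorted(seen))))
                break  # one alert per group is enough for the analyst to investigate
    return alerts

def same_user_different_terminals(events, window=timedelta(minutes=5)):
    """Pattern: successful logons by one user from different Terminal IDs within the window."""
    return _window_pattern([e for e in events if e["EVENT"] == "LOGON_OK"], "USER", "TERMINAL", window)

def same_terminal_different_users(events, window=timedelta(minutes=5)):
    """Pattern: failed logons from one Terminal ID with different users within the window."""
    return _window_pattern([e for e in events if e["EVENT"] == "LOGON_FAIL"], "TERMINAL", "USER", window)
```

Note that AJONES logs on from two terminals six hours apart and produces no alert, whereas the three failed logons on WS-0500 fire as soon as the second distinct user appears; tuning the window is what separates a genuine signal from an analyst drowning in false positives.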

What version of SAP ETD is best for my business?
Currently, two editions of SAP ETD are available for customers depending on their SAP solution: Private and Public.
The Private Edition runs on-premise on an SAP HANA database. It features the greatest degree of customisability of all the editions, enabling users to create their own lists of patterns for the system to match against.
The Public Edition runs on the cloud via BTP, and as of March, there are two new distinct versions, Basic and Security by Partner. Under the Basic version, options for customisation are more limited than in the private version, with only 40-70 standard patterns. However, customers are offered Cloud Application Services (CAS) packages, which function as bespoke managed services from SAP. SAP automates the reporting and alerting functionality, and the processing and investigating are handled by a partner. Security by Partner, meanwhile, offers more configuration options for the customer’s SAP provider and partner, including directly monitoring alerts and creating patterns, all in a no-code UI.
Moreover, the Public Edition receives the latest innovations directly from SAP, keeping system operations up to date and the program in line with industry best practice.
What can Absoft do?
The Private Edition offers greater customisability, allowing partners to be involved in every step of the product’s operation, from workshopping and implementation to alerting and investigation once the system is live. In contrast, the Public Edition, especially the Basic version, has a more standardised setup with SAP automating many aspects. A technical expert is still required, however, to process alerts, apply corrections, and generate reports. The Security by Partner version allows partners to actively monitor alerts and configure options, including setting up patterns. CAS packages remain available for customers under this version.
Conclusion
SAP ETD is an indispensable tool for the security of any business’ landscape, complementing other methods like patching and firewalls. It provides additional monitoring and auditing of the overall solution, alerting users and teams to suspicious activity for a security analyst, such as an SAP partner or provider, to investigate and correct. Further, several variants of the product are available depending on a customer’s needs.
To learn more about how the Absoft team can make your system safer and more secure, please reach out now!