Even though this blog discusses some serious topics related to the security of mission-critical SAP applications, why not start it with a fun trivia question? So, here it is: “What does SAP stand for?” As per the company’s website, SAP is an acronym for the organization’s original German name “Systemanalyse Programmentwicklung,” which translates to System Analysis Program Development in English.
Founded in 1972, SAP is a global leader in enterprise application software. The company has the largest market share in supply chain management, procurement, travel and expense management, enterprise resource planning software and other categories. 99 of the 100 biggest businesses in the world use SAP products and services.
Many SAP applications support critical business functions and handle sensitive data—from intellectual property to employee and customer information. Consequently, SAP has a robust program for security, compliance and privacy. Nevertheless, similar to other complex enterprise systems, organizations’ SAP environments face cybersecurity risks that can be exploited by both external attackers and malicious insiders.
Addressing these risks is a collective responsibility of IT, identity, security operations (SecOps) and other teams. But when it comes to potentially malicious behavior and actual cyberattacks, SecOps is on point to rapidly detect, investigate and respond to them. What makes the SecOps teams’ job challenging is the limited visibility they have into SAP environments and difficulty utilizing core security tools and processes to safeguard SAP assets and data. There are three main reasons for this:
- SAP deployments spanning on-premises and multi-cloud infrastructure make it hard for many security solutions to give SecOps teams the level of visibility they need.
- Conventional tools for monitoring and securing SAP deployments have traditionally stood apart from the core security analytics and operations stack, so SecOps teams have not always been able to put them to good use.
- The diversity of log formats produced by SAP systems, applications and products makes it challenging to scrutinize SAP threat data using mainstream security analytics solutions.
To ensure better protection of high-value SAP assets and data, SecOps teams should bring their organizations’ SAP estates into the fold of core threat monitoring, detection, investigation and response workflows. With this goal in mind, Splunk has developed, in consultation with SAP, Splunk® Security for SAP® solutions, an SAP Endorsed Application that allows security teams to leverage Splunk to monitor, identify and address threats impacting SAP environments. Consequently, SecOps teams can have better attack-surface coverage and help their organizations reduce business risk by lowering the likelihood of business disruptions and data breaches resulting from a successful attack on their SAP estate.
These benefits stem from the following Splunk Security for SAP solutions’ capabilities:
- Increased visibility into SAP applications and data
- Pre-built, SAP-specific security dashboards and detections
- Cross-correlation and analyses of SAP events and alerts with other security-relevant data in Splunk
- Consolidation and prioritization of threats by business risk for more efficient incident investigation and response using Risk-Based Alerting in Splunk Enterprise Security
Splunk Security for SAP solutions runs on the Splunk data platform (Splunk Cloud or Splunk Enterprise) and delivers the most security value when deployed in conjunction with Splunk Enterprise Security. Splunk Security for SAP solutions includes three components:
- Splunk Security for SAP solutions technical add-on
- Splunk Security for SAP solutions application
- SAP Enterprise Threat Detection (ETD)
Splunk Security for SAP solutions leverages ETD to collect data from a broad range of SAP sources, such as SAP NetWeaver, SAP HANA, SAP Commerce, SAP BTP and many others. ETD normalizes a variety of log types, such as business transaction, security audit, RFC gateway, user change, access, system and other logs, enriches them with contextual information and generates alerts based on specific, customizable patterns.
The Splunk Security for SAP solutions technical add-on retrieves alerts and their triggering events from ETD and makes them available for cross-correlation with security telemetry from other sources and for further analysis and investigation using Splunk Platform or Splunk Enterprise Security. For example, suspicious activities within SAP, such as lateral movement between development and production systems or unusual privilege escalation, can be investigated further in Splunk to determine whether they are part of a larger attack.
The Splunk Security for SAP solutions application provides SAP-specific, pre-built correlation searches and dashboards for essential analysis and visualization of SAP threat data. Some examples of information included in the dashboards follow:
- Number of alerts by category, including, among others, suspicious access to critical resources, critical authorization assignment, suspicious and failed logons, cross communications (e.g., RFC calls from non-productive to productive systems) and web security (e.g., unexpected HTTP methods)
- Number of alerts by severity
- Alerts by actor (pseudonymized user identity), system and host name
- Geo locations from which alerts were received
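The two ideas above that matter most to a detection engineer are the cross-correlation of SAP alerts with non-SAP telemetry and the risk-based prioritization of those alerts per actor. The following is an added illustration of that logic, not code from Splunk or SAP: it models normalized ETD-style alerts as plain dictionaries (the field names `actor`, `system`, `host`, `category` and `severity` and the sample records are constructed for this example and are not the add-on’s actual schema), pairs them with a constructed endpoint event on the same host, and computes a sliding-window risk score per actor the way a risk-based alerting rule would before raising a notable.

```python
"""Risk-based aggregation of SAP ETD-style alerts, cross-correlated with non-SAP events.

Added example. Field names and sample records are constructed for illustration and
are NOT the schema used by Splunk Security for SAP solutions or SAP ETD.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed SAP alerts as they might look once normalized and indexed in Splunk.
SAP_ALERTS = [
    {"_time": "2024-03-01T08:02:00Z", "actor": "U-7f3a", "system": "DEV", "host": "sapdev01",
     "category": "Cross communication", "severity": "medium",
     "description": "RFC call from non-productive to productive system"},
    {"_time": "2024-03-01T08:05:00Z", "actor": "U-7f3a", "system": "PRD", "host": "sapprd01",
     "category": "Critical authorization assignment", "severity": "high",
     "description": "Critical profile assigned to user"},
    {"_time": "2024-03-01T08:09:00Z", "actor": "U-7f3a", "system": "PRD", "host": "sapprd01",
     "category": "Suspicious access to critical resources", "severity": "high",
     "description": "Direct read of sensitive table"},
    {"_time": "2024-03-01T11:40:00Z", "actor": "U-21c9", "system": "PRD", "host": "sapprd02",
     "category": "Failed logon", "severity": "low",
     "description": "Failed logon"},
]

# Constructed non-SAP telemetry already in Splunk (here, an endpoint agent on the SAP host).
OTHER_EVENTS = [
    {"_time": "2024-03-01T08:07:00Z", "host": "sapprd01", "source": "edr",
     "description": "Unusual outbound connection from SAP application server process"},
]

# Risk contribution per ETD severity; values are assumptions for this illustration.
SEVERITY_SCORE = {"low": 10, "medium": 30, "high": 60, "very_high": 80}


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_alert(alert):
    """Map severity to a risk contribution; unknown severities fall back to the lowest score."""
    return SEVERITY_SCORE.get(alert["severity"], SEVERITY_SCORE["low"])


def correlate_by_host(alerts, events, window=timedelta(minutes=30)):
    """Pair each SAP alert with non-SAP events on the same host within +/- window."""
    pairs = []
    for alert in alerts:
        t = parse_time(alert["_time"])
        for ev in events:
            if ev["host"] == alert["host"] and abs(parse_time(ev["_time"]) - t) <= window:
                pairs.append((alert, ev))
    return pairs


def risk_by_actor(alerts, events, window=timedelta(hours=24), boost=40):
    """Max risk over any sliding window per actor, plus a boost per distinct correlated event.

    The sliding window keeps an actor who trickles low-severity alerts over weeks from
    accumulating the same score as one who triggers several alerts within minutes.
    """
    by_actor = defaultdict(list)
    for alert in alerts:
        by_actor[alert["actor"]].append(alert)

    correlated = defaultdict(set)
    for alert, ev in correlate_by_host(alerts, events):
        correlated[alert["actor"]].add((ev["_time"], ev["host"], ev["source"]))

    result = {}
    for actor, items in by_actor.items():
        items.sort(key=lambda a: parse_time(a["_time"]))
        best = 0
        for i, current in enumerate(items):
            end = parse_time(current["_time"])
            total = sum(score_alert(a) for a in items[: i + 1]
                        if end - parse_time(a["_time"]) <= window)
            best = max(best, total)
        result[actor] = {
            "score": best + boost * len(correlated[actor]),
            "categories": sorted({a["category"] for a in items}),
            "systems": sorted({a["system"] for a in items}),
            "correlated_events": len(correlated[actor]),
        }
    return result


def notables(risk, threshold=100, min_categories=3):
    """Actors worth a notable: high aggregate score, or alerts spread across many categories."""
    return sorted(actor for actor, r in risk.items()
                  if r["score"] >= threshold or len(r["categories"]) >= min_categories)


if __name__ == "__main__":
    risk = risk_by_actor(SAP_ALERTS, OTHER_EVENTS)
    for actor, r in risk.items():
        print(actor, r)
    print("notables:", notables(risk))
```

In the constructed data, actor U-7f3a moves from DEV to PRD, receives a critical authorization and reads a sensitive table within seven minutes, and the endpoint event on the same production host adds to the score; U-21c9’s single failed logon stays well below the threshold. In a real deployment the equivalent logic lives in an Enterprise Security risk rule and a risk notable search rather than in Python, and correlating on the pseudonymized actor against identity sources requires the pseudonym to be resolved through the organization’s authorized process.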
With Splunk Security for SAP solutions, SecOps teams can combine SAP security-relevant data and context with other security and infrastructure telemetry in Splunk to help improve the quality of detections and reduce security risks around their organizations’ most critical business applications and data.