The Obstacles to Putting SAP in the SIEM

SAP is used by 92% of Forbes Global 2000 companies, stores 70% of all corporate data globally and touches 77% of the world’s transactional revenue so its reputation as a market leader in enterprise application software is undeniable. But its ubiquity, longevity and access to sensitive data also makes it a prime target.

SAP systems, from enterprise resource planning (ERP) and human capital management to sales, stakeholder relationship management (SRM), and customer relationship management (CRM), hold valuable digital assets – be it intellectual property, company secrets, employee data, and more. This data is used for business planning, product lifecycle management, business intelligence, or other vital operational procedures.

Unfortunately, this also makes them highly attractive targets to cybercriminals and fraudsters, leading to data theft or modification which facilitates financial fraud and attacks that aim to disable or disrupt critical operations. Several attack vectors exist in SAP. Customer and supplier portal attacks, for example, have seen the creation of backdoor users in the SAP J2EE User Management Engine that are then used to obtain access to SAP Portals and Process Integration platforms. Further, attacks through SAP proprietary protocols are executed by performing operating system commands with the privileges of the SAP administrator.

Properly protecting SAP systems against such threats is therefore vital. However, doing so effectively continues to be a significant challenge for many firms.  

The divide between SAP and SIEM

Security is of course a priority for SAP. In March 2015, the company released SAP Enterprise Threat Detection (ETD), the “SAP SIEM”, to provide its customers with the ability to detect and respond to cyberattacks targeting its applications. This operates in a similar manner to any other SIEM (Security Information and Event Management) solution, leveraging log data to provide real-time insight into suspicious activity taking place in SAP systems that can be used to identify and address threats at speed before any serious damage occurs.

Over time the SAP SIEM has become more sophisticated. Today, for example, it’s able to consider contextual data including the role or location of a system where a suspected attack has occurred to make analysis more accurate, and remediation faster and easier.

Between these routine improvements, as well as the preservation of the information that SAP provides, and preventing hackers from covering their tracks effectively, SAP ETD offers several clear benefits. However, equally, there are a series of challenges associated with its deployment.

Chiefly, the platform is only able to monitor SAP security information. This means it is unable to support the correlation of SAP data and events with other data collected by central SIEM systems.

SAP systems are complex and multifaceted. From ERP Central Component (ECC) to Business Warehouse, Human Capital Management, and the many other products under the SAP umbrella, each application has its own distinct security specialisations, nomenclature and rulesets. While one SAP application uses multiple logs to capture security-relevant events, these aren’t presented in a universal standardised format or structure within the application, much less between SAP applications.

This makes it extremely difficult for SIEM systems to interpret SAP logs and data – a situation which often leaves SAP security isolated away from the central cybersecurity strategy. These siloes mean that SAP systems can’t utilise crucial, contextual security information from the surrounding IT infrastructure, as well as being unable to take advantage of competencies in the cybersecurity team.

The result is a split security structure that leaves many security teams unable to view their organisation’s security through a holistic, 360-degree lens. Not only do the resultant inefficiencies create operational challenges for already highly pressurised security teams, but equally they may leave SAP systems and the vitally important data that they store more vulnerable to cybercriminals.

Enter Business Critical Security (BCS)

Given the growing volume and sophistication of cyberattacks today, bridging the gap between SAP systems and the central SIEMs has never been more critical. In doing so, firms will be empowered to correlate SAP data with other events to see the bigger picture, enhancing everything from automated response, case management, log storage, and event log management to assist in subsequent investigations.

Further, it also allows SAP security specialists to leverage a host of more advanced security tools deployed in SIEM platforms. This includes user and entity behaviour analytics (UEBA), capable of supplementing the standard rule-based approach (known threats) with the capability to detect unknown threats and unknown suspicious behaviour. For example, this could help flag a highly privileged SAP account executing an unusual financial transaction within permissible limits after falling victim to a phishing attack.

For this gap to be bridged, the language barriers between SAP systems and central SIEMs need to be broken down. Here, a modern Business Critical Security (BCS) solution can help translate SAP data to align with standardised security terminology before being fed into the SIEM system.

Such tools can bring critical application activity under the central security monitoring of the SIEM, continuously monitoring their business-critical data to detect and quickly respond to fraud and threats in SAP. Not only do they help to eliminate the problem of siloed SAP, but they equally improve operations by empowering security teams with easy-to-use dashboards and comprehensive reports.

For firms that are becoming increasingly reliant on SAP applications, BCS is a must to maximise security. These tools enable the clear mapping of identified threats within a single platform, helping cybersecurity analysts to understand and remediate threats quickly and easily. But when looking at complementary security technologies, it’s also worth considering their ability to support future versions of SAP.

The cloud-based offering, S/4HANA, offers numerous benefits over its on-premise predecessor, ECC, and many organisations will be looking to migrate. Therefore, any SIEM investment needs to be futureproof and be able to cater for both SAP versions.

What is exciting, however, is that bringing SAP into the cybersecurity fold promises to provide much more visibility. Creating a holistic view of all threats will enable speedier detection and response to incidents, making it much easier to secure the precious data housed in SAP systems.  

Print Friendly, PDF & Email
Regional Director UK&I at

Tim Wallen is responsible for driving strategic growth in the UK and Ireland and leads a growing team in Logpoint sales, marketing and technical professionals. He is passionate about digital transformation and how it is changing industries and working lives. Tim is a seasoned cybersecurity leader with nearly 20 years of industry experience from senior sales and management positions within high-growth and established vendors including FireMon, ForeScout, Check Point, McAfee and IBM.

Leave a Reply

Your email address will not be published. Required fields are marked *