SAP ETD is a real-time security event management and monitoring solution designed to protect SAP systems. It can help you detect, analyze, and block cyber attacks as they occur to prevent and minimize consequential damages.
SAP ETD forms an important part of an SAP security strategy. It provides monitoring, detection, and response capabilities to maintain security in an ever-evolving cyber security threat landscape. It sends actionable alerts to help neutralize threats to business-critical assets and minimize the scope of the attack.
Here are some of the key features of SAP ETD:
Log correlation and analysis
Automated threat detection and alerting
Easy integration across SAP solutions
SAP Enterprise Threat Detection is one of several SAP tools covering the various aspects of an organization’s security strategy, including protection, threat identification, and recovery.
SAP ETD is SAP’s leading solution for detecting and responding to threats. It is an important part of an SAP toolkit, alongside SAP EarlyWatch Alert, SAP Focused Run, SAP Code Vulnerability Assessment (CVA), and Identity and Access Management (IAM). Additional SAP compliance tools complementing SAP ETD include Data Custodian, UI Data Protection Masking, UI Data Protection Logging, and Business Integrity Screening.
SAP ETD takes a more technical approach than general-purpose security solutions. It tracks security events occurring within SAP application platforms like SAP ECC and SAP S/4HANA, working at the application layer to identify suspicious activity in business systems based on the semantics of the events themselves.
SAP ETD offers two main advantages for enhancing security solutions like SIEM. First, it bases license costs on predictable, monitored users, so customers don’t have to worry about scaling license models. Second, it understands SAP event semantics, reducing the configuration burden in a SIEM system and bridging the gap between IT infrastructure and SAP security.
SAP ETD supports various SAP HANA-based analytical capabilities, including machine learning-based anomaly detection and pattern recognition. Its monitoring capabilities provide insights into event histories for threat hunting and forensic analytics.
SAP ETD Architecture
In addition to SAP HANA, the SAP ETD architecture comprises a log preprocessor that normalizes and enriches log data. It can pseudo-anonymize user identities, learn and translate new log types, and collect context and log data from various sources, including non-SAP systems.
SAP ETD offers several interfaces and dashboards. It has standard threat detection patterns for different scenarios, with SAP regularly adding new threat detection patterns. SAP ETD provides a more advanced solution than most SIEM toolkits by creating patterns based on security event analytics.
Integrations
SAP ETD integrates with other systems through interfaces based on formats like JSON and LEEF. It supports specialized detectors and email event notifications. JSON, in particular, enables easy integration with most target systems.
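As an added illustration of two capabilities described above, the preprocessor's pseudonymization of user identities and the JSON/LEEF export, the following Python example was written for this article; it is not SAP ETD code, and the raw field names, the alert schema, the severity table, the vendor and product strings and the HMAC key are all assumptions. It normalizes one constructed application-level event, replaces the user ID with a keyed hash so that records stay correlatable without exposing the identity, and renders the alert as JSON and as a LEEF 1.0 line, with a parser that reverses the LEEF escaping so the round trip can be checked.

```python
import hashlib
import hmac
import json

# Hypothetical pseudonymization key (constructed). In a real deployment it lives in a
# secrets store, so only authorized investigators can re-identify a pseudonymized user.
PSEUDONYM_KEY = b"constructed-example-key"

# Constructed raw event, shaped like an application-level audit record arriving from an
# SAP system. Field names are assumptions, not SAP ETD's schema.
RAW_EVENT = {
    "sid": "PRD",
    "client": "100",
    "user": "JDOE",
    "timestamp": "2024-03-01 10:15:42",
    "terminal": "10.0.0.5",
    "event": "AUTH_CHANGE",  # e.g. a role assignment was changed
    "detail": "role=Z_FINANCE_ADMIN assigned",
}

# Assumed enrichment table: event type -> severity on a 1..10 scale.
SEVERITY_BY_EVENT = {"AUTH_CHANGE": 8, "DEBUG_START": 6, "CRITICAL_TCODE": 7}


def pseudonymize_user(user: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the user ID: stable for correlation, not reversible without the key."""
    digest = hmac.new(key, user.upper().encode(), hashlib.sha256).hexdigest()
    return "u-" + digest[:16]


def normalize(raw: dict) -> dict:
    """Map a raw record onto a fixed (assumed) alert schema and enrich it with a severity."""
    return {
        "system": f"{raw['sid']}/{raw['client']}",
        "user": pseudonymize_user(raw["user"]),
        "time": raw["timestamp"],
        "src": raw["terminal"],
        "event_id": raw["event"],
        "severity": SEVERITY_BY_EVENT.get(raw["event"], 3),
        "detail": raw["detail"],
    }


def to_json(alert: dict) -> str:
    """JSON export with sorted keys, so identical alerts serialize identically."""
    return json.dumps(alert, sort_keys=True)


def _esc_header(s: str) -> str:
    # LEEF header fields are pipe-separated, so a literal pipe is backslash-escaped.
    return s.replace("|", "\\|")


def _esc_value(s: str) -> str:
    # Attribute values escape '=' with a backslash; tabs separate attributes, so a tab
    # inside a value is replaced rather than escaped.
    return s.replace("=", "\\=").replace("\t", " ")


def to_leef(alert: dict, vendor="ExampleVendor", product="ExampleSAPMonitor", version="1.0") -> str:
    """Render the alert as a LEEF 1.0 line: pipe-separated header, tab-separated attributes."""
    header = "|".join(_esc_header(x) for x in ("LEEF:1.0", vendor, product, version, alert["event_id"]))
    attrs = {
        "devTime": alert["time"],
        "devTimeFormat": "yyyy-MM-dd HH:mm:ss",
        "usrName": alert["user"],
        "src": alert["src"],
        "sev": str(alert["severity"]),
        "cat": alert["system"],
        "msg": alert["detail"],
    }
    return header + "|" + "\t".join(f"{k}={_esc_value(v)}" for k, v in attrs.items())


def _split_header(line: str):
    """Consume the five header fields (honouring escaped pipes) and return them plus the rest."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 5:
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] == "|":
            buf.append("|")
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    return fields, line[i:]


def _split_kv(item: str):
    """Split 'key=value' at the first unescaped '='."""
    i = 0
    while i < len(item):
        if item[i] == "\\":
            i += 2
            continue
        if item[i] == "=":
            return item[:i], item[i + 1:]
        i += 1
    raise ValueError(f"malformed LEEF attribute: {item!r}")


def parse_leef(line: str):
    """Reverse to_leef: returns (header fields, attribute dict) with escaping undone."""
    fields, rest = _split_header(line)
    attrs = {}
    for item in rest.split("\t"):
        k, v = _split_kv(item)
        attrs[k] = v.replace("\\=", "=")
    return fields, attrs


if __name__ == "__main__":
    alert = normalize(RAW_EVENT)
    print(to_json(alert))
    print(to_leef(alert))
```

Only the normalized alert is emitted, never the raw log volume; that is the shape of integration the page recommends later, where the SIEM receives SAP ETD's alerts rather than raw SAP log files. The HMAC keeps the pseudonym stable across events, so the SIEM can still correlate all activity of one user, while the key, not the log archive, is what an investigator needs to re-identify that user.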
SAP ETD also offers archiving capabilities, supporting archives of both original and normalized data (i.e., pre-processed data sent to SAP HANA for analysis). Archiving is important for in-depth analysis and forensics, especially for persistent events. It also provides useful data for auditors, given that SAP logs contain readable data.
SAP ETD and SIEM products may overlap in some areas but cover different aspects. SAP ETD enables you to gain visibility into the SAP application level, while most SIEM products cannot track this information.
Monitor the SAP application level
SAP ETD and SIEM solutions both monitor log file information, but each product focuses on different aspects. SIEM products typically focus on the infrastructure level and cover only part of the SAP application level, if they cover SAP at all. This means you cannot use these SIEM tools to see events such as debugging and authorization changes.
SAP ETD collects data from sources at the SAP application level – information that different SAP applications write in SAP log files. It enables you to monitor actions in SAP log files, and gain visibility into debugging, authorization changes, calls to critical transactions, and metadata like employee positions.
Monitor the infrastructure and network level
If the organization does not have important information in SAP applications, you can decide not to monitor activities occurring at the SAP application level. However, 95% of attacks on data in SAP applications originate from internal sources. Typically, these attacks are executed directly at the application level and cannot be detected when monitoring is focused only on infrastructure or database.
There are two main ways to establish integration between SAP and SIEM tools:
SAP does not recommend using direct integration with SAP log files because SAP log files, such as the Business Transaction log, can produce more than one TB of data per day. As a result, the performance of your SIEM tool may be negatively impacted. It may also affect the cost of your SIEM license, as many agreements have per-event or log pricing.
Instead of integrating with SAP log files, you can supplement your SIEM with features that do not exist in most SIEM tools, including:
Once you integrate SAP ETD with a SIEM product, the SIEM starts publishing the alerts created by SAP ETD. This integration enables you to gain visibility into SAP applications from within your SIEM, providing SAP ETD capabilities alongside existing SIEM features.
Pathlock Solution Overview
Learn how Pathlock’s threat detection capabilities continuously scan your SAP applications for threat identification and provide you with the information you need to implement an effective response.
Many companies are now running SAP solutions in the cloud or via SAP S/4HANA. This shift is an opportunity to strengthen security measures, reduce risks and improve compliance for SAP deployments.
A key challenge in SAP security is that attackers, whether outsiders or insiders, target the valuable data in an SAP system and can find ways to access and compromise it directly while security teams are guarding the network perimeter.
SAP now provides managed security services for SAP Enterprise Threat Detection. These include prioritized risk-based alerts with 24x7x365 monitoring of an entire ERP environment by SAP security experts. The service provides monthly reports detailing all suspicious activity detected and how it was handled.
While this provides effective protection that covers most auditor requirements, some companies may need additional support and flexibility. The Enhanced Edition of the service gives companies the option to extend their service level agreements, for example, to provide rapid response to anomalies, forensic analysis, and greater flexibility in creating and updating detection rules.
Managing security across SAP systems manually is a time-consuming and risk-prone activity that can lead to missed threats and a lack of compliance. Manually monitoring known vulnerabilities, patch levels, activity logs, and custom code and transports takes an army of trained security professionals to do properly.
Furthermore, many of the existing solutions to SAP security are lacking in one or more key areas, including:
Fortunately, Pathlock’s solutions can assist in automating your SAP security program and monitoring all of your SAP systems while hardening them to prevent future attacks. With Pathlock in place, you can enjoy peace of mind and protection in the following areas:
Interested to find out how Pathlock can fill the gaps in your SAP security program? Request a demo of Pathlock today. We can even provide a security assessment to let you know exactly where the gaps in your SAP security strategy lie and how to fix them.