
What Is SAP Enterprise Threat Detection (SAP ETD)?

Shiv Sujir - October 06, 2022

SAP ETD is a real-time security event management and monitoring solution designed to protect SAP systems. It can help you detect, analyze, and block cyber attacks as they occur to prevent and minimize consequential damages.

SAP ETD forms an important part of an SAP security strategy. It provides monitoring, detection, and response capabilities to maintain security in an ever-evolving cyber security threat landscape. It sends actionable alerts to help neutralize threats to business-critical assets and minimize the scope of the attack.

SAP Enterprise Threat Detection Key Features

Here are some of the key features of SAP ETD:

Log correlation and analysis

  • Analyze vast amounts of log data and correlate information for a comprehensive view of all activity in SAP environments.
  • Perform forensic threat detection to uncover previously unknown inside and outside attack variants.
  • Integrate custom third-party systems and infrastructure components.
  • Send logs directly to SAP ETD from SAP components via a dedicated kernel API to prevent tampering by attackers.

Automated threat detection and alerting

  • Use attack detection mode to find SAP software-specific threats related to known attacks.
  • Create attack detection patterns using a visual UI.
  • Receive notifications or publish alerts to other security tools.
  • Pseudonymize sensitive user data, so that security analysts receive special authorization to reveal identities only when there is evidence of attack or abuse.

Easy integration across SAP solutions

  • Threat detection at the application server and database level.
  • Integration with SAP solutions across your IT environment.

How SAP ETD Works

SAP Enterprise Threat Detection is one of several SAP tools covering the various aspects of an organization’s security strategy, including protection, threat identification, and recovery.

SAP ETD is SAP’s leading solution for detecting and responding to threats. It is an important part of an SAP toolkit, alongside SAP EarlyWatch Alert, SAP Focused Run, SAP Code Vulnerability Assessment (CVA), and Identity and Access Management (IAM). Additional SAP compliance tools complementing SAP ETD include Data Custodian, UI Data Protection Masking, UI Data Protection Logging, and Business Integrity Screening.

SAP ETD uses a more technical approach than other solutions. It tracks security events occurring within SAP application platforms like SAP ECC and SAP S/4HANA. It works on the application layer to identify suspicious activity in business systems based on event semantics.

Key Advantages of SAP ETD

SAP ETD offers two main advantages for enhancing security solutions like SIEM. First, it bases license costs on predictable, monitored users, so customers don’t have to worry about scaling license models. Second, it understands SAP event semantics, reducing the configuration burden in a SIEM system and bridging the gap between IT infrastructure and SAP security.

SAP ETD supports various SAP HANA-based analytical capabilities, including machine learning-based anomaly detection and pattern recognition. Its monitoring capabilities provide insights into event histories for threat hunting and forensic analytics.

SAP ETD Architecture

In addition to SAP HANA, the SAP ETD architecture comprises a log preprocessor that normalizes and enriches log data. It can pseudonymize user identities, learn and translate new log types, and collect context and log data from various sources, including non-SAP systems.

SAP ETD offers several interfaces and dashboards. It has standard threat detection patterns for different scenarios, with SAP regularly adding new threat detection patterns. SAP ETD provides a more advanced solution than most SIEM toolkits by creating patterns based on security event analytics.

Integrations

SAP ETD integrates with other systems using interfaces based on methods like JSON and LEEF. It supports specialized detectors and email event notifications. JSON, in particular, enables easy integration with most target systems.

SAP ETD also offers archiving capabilities, supporting archives of both original and normalized data (i.e., pre-processed data sent to SAP HANA for analysis). Archiving is important for in-depth analysis and forensics, especially for persistent events. It also provides useful data for auditors, given that SAP logs contain readable data.

SAP ETD and SIEM

SAP ETD and SIEM products may overlap in some areas but cover different aspects. SAP ETD enables you to gain visibility into the SAP application level, while most SIEM products cannot track this information.

Monitor the SAP application level

SAP ETD and SIEM solutions both monitor log file information, but each product focuses on different aspects. SIEM products typically focus on the infrastructure level and either monitor only part of the SAP application level or cannot monitor SAP at all. This means you cannot use these SIEM tools to see events such as debugging and authorization changes.

SAP ETD collects data from sources at the SAP application level – the information that different SAP applications write to SAP log files. It enables you to monitor actions recorded in SAP log files and gain visibility into debugging, authorization changes, calls to critical transactions, and metadata like employee positions.

Monitor the infrastructure and network level

If the organization does not have important information in SAP applications, you can decide not to monitor activities occurring at the SAP application level. However, 95% of attacks on data in SAP applications originate from internal sources. Typically, these attacks are executed directly at the application level and cannot be detected when monitoring is focused only on infrastructure or database.

Integrating SAP with SIEM

There are two main ways to establish integration between SAP and SIEM tools:

  • Directly integrating SAP log file information into a SIEM product.
  • Integrating SAP ETD or a similar solution like Pathlock’s Control Platform with a SIEM product using API connectivity with JSON or LEEF format.

SAP does not recommend using direct integration with SAP log files because SAP log files, such as the Business Transaction log, can produce more than one TB of data per day. As a result, the performance of your SIEM tool may be negatively impacted. It may also affect the cost of your SIEM license, as many agreements have per-event or log pricing.
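The JSON and LEEF interfaces mentioned under Integrations and in the second integration option above are the formats a SIEM typically ingests. The following added example (not SAP's or Pathlock's code) renders a constructed alert as a LEEF 2.0 line and as a JSON line and parses the LEEF line back, as a SIEM connector would; the alert field names, the severity mapping and the vendor/product header values are assumptions for illustration, not SAP ETD's actual alert schema.

```python
import json

# Constructed sample alert; field names are assumed for illustration only.
SAMPLE_ALERT = {
    "pattern": "Debugging in production system",
    "severity": "high",
    "system_id": "PRD",
    "client": "100",
    "user": "USR-7f3a9c",  # pseudonymized user id, as ETD would emit it
    "timestamp": "2022-10-06T08:15:30Z",
}

# Assumed mapping from the alert's severity label onto LEEF's 1..10 'sev' scale.
SEVERITY_MAP = {"low": 3, "medium": 5, "high": 8, "very_high": 10}


def leef_escape(value, delim):
    """LEEF attribute values must not contain the attribute delimiter or
    line breaks; both are replaced by a space rather than dropped."""
    return str(value).replace(delim, " ").replace("\n", " ")


def to_leef(alert, delim="^"):
    """Render an alert as LEEF 2.0: LEEF:2.0|Vendor|Product|Version|EventID|delim|attrs.
    The header uses '|' as separator, so '|' is removed from the event id."""
    event_id = alert["pattern"].replace("|", "/")
    header = "|".join(["LEEF:2.0", "SAP", "ETD", "2.0", event_id, delim])
    attrs = {  # devTime, devTimeFormat, sev and usrName are predefined LEEF keys
        "devTime": alert["timestamp"],
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",
        "sev": SEVERITY_MAP[alert["severity"]],
        "usrName": alert["user"],
        "sapSystem": alert["system_id"],  # custom keys (assumed names)
        "sapClient": alert["client"],
    }
    body = delim.join(f"{k}={leef_escape(v, delim)}" for k, v in attrs.items())
    return header + "|" + body


def parse_leef(line):
    """Split a LEEF 2.0 line into its header fields and attribute dict."""
    version, vendor, product, ver, event_id, delim, body = line.split("|", 6)
    header = {"vendor": vendor, "product": product, "event_id": event_id}
    attrs = dict(kv.split("=", 1) for kv in body.split(delim))
    return header, attrs


def to_json(alert):
    """One compact JSON line per alert, wrapped in a vendor/product envelope."""
    envelope = {"vendor": "SAP", "product": "ETD", "alert": alert}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":"))
```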

SAP ETD features you will not find in SIEM

Instead of integrating with SAP log files, you can supplement your SIEM with features that do not exist in most SIEM tools, including:

  1. Updates – SAP updates security patterns constantly, delivering the latest protections directly to customers. Updates can include patches and patterns for newly disclosed SAP vulnerabilities.
  2. Logging attack activities – threat actors typically try to cover their tracks by deleting entries in log files. SAP ETD duplicates log file information in real time, logging and saving attack activities so that the evidence still exists even if threat actors delete it from the source logs.
  3. Integration with SAP Cloud – SAP ETD 2.0 supports integration with SAP Cloud Platform (SCP). Once you integrate the two, SAP ETD starts monitoring attacks on SCP.
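Item 2 above rests on keeping a copy of log entries that the attacker cannot reach. The added example below (not SAP ETD's implementation) illustrates that idea: entries are forwarded into a hash-chained copy held outside the monitored system, the chain can be verified for tampering, and entries later deleted from the source log are reported. The log lines are constructed samples, and their layout and event codes are assumptions.

```python
import hashlib

GENESIS = "0" * 64  # hash seed for the first record in the chain

# Constructed source log entries: time|system|client|user|event|text (assumed layout).
SOURCE_LOG_BEFORE = [
    "2022-10-06T08:15:30Z|PRD|100|USR-7f3a9c|LOGON|Dialog logon successful",
    "2022-10-06T08:16:02Z|PRD|100|USR-7f3a9c|DEBUG|Debugging activated",
    "2022-10-06T08:16:40Z|PRD|100|USR-7f3a9c|TXN|Transaction SE16 started",
]
# The same log after the debugging entry was removed from the source system.
SOURCE_LOG_AFTER = [SOURCE_LOG_BEFORE[0], SOURCE_LOG_BEFORE[2]]


def forward(entries, chain=None):
    """Append entries to the preserved copy. Each record carries a SHA-256 over
    the previous record's hash plus the entry, so removing or editing a record
    in the copy breaks every hash after it."""
    chain = list(chain or [])
    prev = chain[-1]["hash"] if chain else GENESIS
    for entry in entries:
        digest = hashlib.sha256((prev + entry).encode()).hexdigest()
        chain.append({"entry": entry, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Recompute the chain from the seed; False if any record was altered."""
    prev = GENESIS
    for record in chain:
        expected = hashlib.sha256((prev + record["entry"]).encode()).hexdigest()
        if expected != record["hash"]:
            return False
        prev = record["hash"]
    return True


def missing_from_source(chain, source_entries):
    """Entries present in the preserved copy but no longer in the source log:
    the activity the attacker tried to erase."""
    present = set(source_entries)
    return [r["entry"] for r in chain if r["entry"] not in present]
```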

Once you integrate SAP ETD with a SIEM product, the SIEM starts publishing the alerts created by SAP ETD. This integration enables you to gain visibility into SAP applications from within your SIEM, providing SAP ETD capabilities alongside existing SIEM features.

SAP Enterprise Threat Detection Managed Services

Many companies are now running SAP solutions in the cloud or via SAP S/4HANA. This shift is an opportunity to strengthen security measures, reduce risks and improve compliance for SAP deployments.

A key challenge in SAP security is that attackers, whether outsiders or insiders, target the valuable data in an SAP system and can find ways to access and compromise it directly while security teams are guarding the network perimeter.

SAP now provides managed security services for SAP Enterprise Threat Detection. These include prioritized risk-based alerts with 24x7x365 monitoring of an entire ERP environment by SAP security experts. The service provides monthly reports detailing all suspicious activity detected and how it was handled.

While this provides effective protection that covers most auditor requirements, some companies may need additional support and flexibility. The Enhanced Edition of the service gives companies the option to extend their service level agreements, for example, to provide rapid response to anomalies, forensic analysis, and greater flexibility in creating and updating detection rules.

SAP Security with Pathlock

Managing security across SAP systems manually is a time-consuming and risk-prone activity that can lead to missed threats and a lack of compliance. Manually monitoring known vulnerabilities, patch levels, activity logs, and custom code and transports takes an army of trained security professionals to do properly.

Furthermore, many of the existing solutions to SAP security are lacking in one or more key areas, including:

  1. High cost of licensing
  2. Long time to implement
  3. Limited functionality only covering one area
  4. Lack of coverage across the SAP landscape

Fortunately, Pathlock’s solutions can assist in automating your SAP security program and monitoring all of your SAP systems while hardening them to prevent future attacks. With Pathlock in place, you can enjoy peace of mind and protection in the following areas:

  1. Vulnerability scanning: assess your SAP environments against a set of over 4,000 known security vulnerabilities to ensure every one of your systems is patched to the current level.
  2. Code scanning: scan your custom ABAP code and transports for any malicious or malformed logic that could put your data and SAP uptime at risk.
  3. Threat detection: monitor logs for any suspicious or unusual behavior that may signal a compromised account or an internal threat, and send alerts to your SIEM of choice (LogRhythm, Splunk, QRadar).
  4. Control monitoring: automatically assess compliance posture in real-time against various frameworks like SOX, with out-of-the-box reports on control effectiveness.

Interested to find out how Pathlock can fill the gaps in your SAP security program? Request a demo of Pathlock today. We can even provide a security assessment to let you know exactly where the gaps in your SAP security strategy lie and how to fix them.
