Over the past few years, both the types of attackers and the types of attacks have changed. Cyber-attacks today are primarily performed by organized crime and nation-states, which have defined attack targets. Critical business systems, production systems and, in particular, sensitive information are at the center of attention today. Detecting and managing attacks on IT systems is becoming a serious problem. Cyber criminals are using increasingly sophisticated techniques to infiltrate organizational IT systems to commit crimes including data theft, denial of service and blackmail.
Organizations need platforms that are capable of running complex analytics in real time, based on current and historical data. Such solutions must be capable of identifying complex, long-running attack patterns and anomalies, the latter being indicators of both new types of attacks and fraudulent activities. Real Time Security Intelligence (RTSI) provides these capabilities, enabling organizations to identify threats in real time, powered by advanced data and analysis platforms.
As of today, traditional perimeter security devices like firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) are widely deployed. These tools are effective at removing certain kinds of weaknesses. They also generate alerts when suspicious events occur; however, the volume of events is such that it is almost impossible to investigate each of them in real time. While these devices remain an essential part of the defence, for the agile connected business they are not able to detect a range of threats, including the use of compromised credentials and zero-day attacks.
SIEM (Security Information and Event Management) is promoted as a solution to these problems. In reality, however, SIEM is a set of tools that can be configured and used to analyse event data after the fact and to produce reports for auditing and compliance purposes. While it is a core security technology, it has not been successful at providing actionable security intelligence in time to avert loss or damage.
This has led to the emergence of a new set of technologies, Real Time Security Intelligence (RTSI). These tools are intended to detect threats in time to enable action to be taken before damage is done. They use techniques taken from big data and business intelligence to integrate the massive amount of data generated from multiple sources and reduce it to a small number of alarms where there is high confidence that a real threat exists.
At the current state of the art for RTSI, Managed Services are an essential component. This is because of the rapid evolution of threats, which makes it almost impossible for a single organization to keep up to date, and because of the complexity of the analysis required to distinguish real threats from normal activity. This up-to-date knowledge needs to be delivered as part of the RTSI solution.
The volume of threats to IT systems, their potential impact and the difficulty of detecting them are the reasons why Real Time Security Intelligence has become important. However, RTSI technology is at an early stage, and with some tools the problem of calibrating a baseline of normal activity still requires considerable skill. It is important to look for a solution that can easily build on the knowledge and experience of the IT security community, vendors and service providers. End-user organizations should always opt for solutions that include managed services and pre-configured analytics, not just tools.
SAP Enterprise Threat Detection (ETD) is a new SAP security offering that falls into the RTSI market segment. It supports the key capability of identifying attacks based on pre-defined attack detection patterns. SAP ETD supports both real-time analytics and forensic activities. A particular strength is its deep integration into SAP business systems, allowing customers to specifically identify attacks and fraud targeted at these systems, which play a critical role in many of today's organizations. However, SAP ETD is not restricted to analyzing security events from SAP systems; it also accepts input data from SIEM solutions and from other types of log and event systems.