Executive View

SAP Enterprise Threat Detection

In these days of ever-increasing cyber-attacks, organizations have to move beyond preventative actions towards detection and response. This no longer applies to the network and operating system level only, but involves business systems such as SAP S/4HANA. Identifying, analyzing, and responding to threats that occur within the application layer is a must for protecting the core business systems.

Martin Kuppinger

mk@kuppingercole.com

1 Introduction

Over the past few years, both the types of attackers and the types of attacks have changed. Many cyberattacks today are carried out by organized crime and state actors running targeted, long-running campaigns. Critical business systems, production systems, and in particular sensitive information such as intellectual property, e.g. in the context of industrial espionage, are at the center of attention today. Detecting and managing attacks on IT systems is becoming a serious problem. Cybercriminals use increasingly sophisticated techniques to infiltrate organizational IT systems and commit crimes including data theft, denial of service, and blackmail.

Organizations need platforms that are capable of running complex analytics in real time, based on both current and historical data. Such solutions must be able to identify complex, long-running attack patterns as well as anomalies, the latter being indicators of both new types of attacks and fraudulent activities. Modern platforms in the areas of SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response), together with a range of targeted solutions, provide these capabilities, enabling organizations to identify threats in real time on top of advanced data and analysis platforms.

As of today, traditional perimeter security devices such as firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) are widely deployed. These tools are effective at blocking certain classes of attack at the network boundary. They also generate alerts when suspicious events occur; however, the volume of events is such that it is almost impossible to investigate each one in real time. While these devices remain an essential part of the defence, they cannot detect a range of threats that matter to the agile, connected business, including the use of compromised credentials and zero-day attacks, because such activity looks like legitimate traffic at the network level.

We observe a rapidly emerging market for solutions that help address these challenges, centred around terms such as SIEM and SOAR, many of which increasingly make use of advanced analytics, partially powered by technologies positioned as AI (Artificial Intelligence) and ML (Machine Learning). These tools are intended to detect threats in time for action to be taken before damage is done. They use techniques taken from big data and business intelligence to integrate the massive amount of data generated by multiple sources and reduce it to a small number of alarms for which there is high confidence that a real threat exists.

From a business perspective and with respect to the specific requirements in protecting core business systems, there are two major evolutions we have observed over the past year. One is the well-established perspective that organizations must look for comprehensive approaches that cover the entire cycle from identifying attacks to protecting against these, detecting attacks, responding to them, and enabling a rapid recovery from such attacks. This goes well beyond the traditional focus on protection.

The other evolution is the extension in focus beyond network security. Comprehensive approaches must cover all levels of security, including the application and data layers. This requires tools that integrate deeply with the applications that must be protected, such as business applications. Cybersecurity also must align with compliance tooling. While compliance is about formally meeting requirements, cybersecurity is about taking the right actions. However, taking certain cybersecurity measures is itself part of compliance, and failing in cybersecurity is frequently also perceived as non-compliance.

SAP Enterprise Threat Detection (ETD) is an SAP security offering that can be considered part of the SIEM market segment, but one that targets the application layer and is tailored to the needs of securing SAP landscapes. It therefore complements, rather than replaces, general-purpose SIEM solutions. SAP ETD supports the key capability of identifying attacks based on pre-defined attack detection patterns. It also supports both real-time analytics and forensic activities such as threat hunting. A particular strength is its deep integration into SAP business systems, allowing customers to specifically identify attacks and fraud targeted at these systems, which play a critical role in many of today's organizations.
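To make the notion of a pre-defined attack detection pattern over application-layer events concrete, here is an added example that is not part of the original report and does not use SAP ETD's own pattern language or log format. It correlates constructed logon events per user and terminal in a sliding time window and raises an alert when a burst of failed logons is followed by a successful one, the kind of credential-abuse signal a perimeter device cannot see. The event tuple layout, the threshold, and the window length are assumptions chosen for illustration.

```python
"""Pattern-based detection over application-layer logon events.

Added example: the event format, threshold and window are assumptions for
illustration, not SAP ETD's own log format or detection-pattern language.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, terminal, event, outcome).
# Events are listed in chronological order, as a log stream would deliver them.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:01", "JSMITH",   "WS-0421", "LOGON", "FAIL"),
    ("2024-03-01T08:00:09", "JSMITH",   "WS-0421", "LOGON", "FAIL"),
    ("2024-03-01T08:00:17", "JSMITH",   "WS-0421", "LOGON", "FAIL"),
    ("2024-03-01T08:00:24", "JSMITH",   "WS-0421", "LOGON", "FAIL"),
    ("2024-03-01T08:00:31", "JSMITH",   "WS-0421", "LOGON", "SUCCESS"),
    ("2024-03-01T08:05:00", "MMUELLER", "WS-0118", "LOGON", "FAIL"),
    ("2024-03-01T09:30:00", "MMUELLER", "WS-0118", "LOGON", "SUCCESS"),
    ("2024-03-01T12:00:00", "ADMIN01",  "WS-0999", "LOGON", "SUCCESS"),
]

FAILED_THRESHOLD = 3          # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=5) # assumed: sliding window for counting failures


def parse(event):
    """Turn one constructed event tuple into typed fields."""
    ts, user, terminal, kind, outcome = event
    return datetime.fromisoformat(ts), user, terminal, kind, outcome


def detect_bruteforce_then_success(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Alert when a (user, terminal) pair accumulates at least `threshold`
    failed logons within `window` and then logs on successfully while those
    failures are still inside the window. Events must be chronological.
    Returns a list of alert dicts, one per matched pattern instance."""
    recent_failures = defaultdict(deque)  # (user, terminal) -> timestamps of failures
    alerts = []
    for ts, user, terminal, kind, outcome in map(parse, events):
        if kind != "LOGON":
            continue
        q = recent_failures[(user, terminal)]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
        elif outcome == "SUCCESS":
            if len(q) >= threshold:
                alerts.append({
                    "pattern": "bruteforce_then_success",
                    "user": user,
                    "terminal": terminal,
                    "failed_attempts": len(q),
                    "first_failure": q[0].isoformat(),
                    "success_at": ts.isoformat(),
                })
            q.clear()  # a successful logon ends the current burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_EVENTS):
        print(alert)
```

Keying the state on the user and terminal pair rather than on the user alone keeps a single attacker's burst from being diluted by the same user's legitimate activity elsewhere; a real deployment would also have to decide how the window and threshold behave across system restarts and time-zone differences between logging systems.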
