SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
1. ESNC
Security Solutions for SAP Applications
SAP Security Monitoring with IBM QRadar and Enterprise Threat Monitor
www.enterprise-threat-monitor.com
Enterprise
ThreatMonitor™
2. Security Breaches Are a Big Problem
The US Investigation Services (USIS) Breach
Confidential data for 27,000 Department of Homeland Security (DHS) employees breached through SAP system. USIS’s DHS contract canceled; company filed for bankruptcy.
Recent IBM study shows average data breach is costly
$3.79 million is the average total cost of a single data breach.
23% increase in total cost associated with data breach since 2013.
eBay, JP Morgan Chase, British Airways, UPS suffered major data breaches
Hackers Stole over $31 Million from Russian Central Bank this December
NSA: “41% of cyber-attacks target the energy industry, and in particular oil and gas companies.”
Source: http://www.nextgov.com, IBM - 2015 Cost of Data Breach Study
3. 87% of the Global 2000 companies rely on SAP
FI
• Bank accounts
• Pricing strategy
HR
• Salary info
• PII
• SSN
BW
• Vendors
• Strategy details
CRM
• Customer info
• Credit cards
SRM
• RfPs, bids
• Business negotiations
• Supplier info
SAP is the heart of the enterprise
- Sensitive data is stored on SAP
- Hackers are constantly discovering new methods to attack business systems
4. CONFIDENTIAL AND PROPRIETARY
Blind spot: User activity and insider threats
Can you detect if…
- Someone steals the password of a service user and uses it to download customer master data?
- Someone uses debug/replace to bypass authorization checks and delete/change business data?
- An external consultant misuses his rights and views sensitive employee salary information?
5. Introducing Enterprise Threat Monitor for SAP Applications
Find the hackers in your SAP landscape
- Identify attacks in real time.
- Analyze threats quickly and neutralize before they can cause serious damage.
6. ETM has over 300 high quality SAP threat detection cases ready for QRadar
- Uses its built-in threat detection patterns to detect suspicious activities and attacks
- Eliminates false positives by its adaptive noise reduction engine
- Resulting high quality, pre-correlated offenses are sent to QRadar
IBM QRadar Integration
SAP specific correlation
HR, ERP, CRM
ETM sends alerts in real-time
Secure Portal
7. Sample Use Cases
Find out if:
- SAP debugging is used for bypassing transaction authorizations
- An unauthorized user assigned a critical SAP role to another user
- A user downloaded customer master or payroll data to their PC
- Users are sharing their SAP accounts
- There are failed logons of multiple SAP users from the same workstation
- A production SAP system is opened to changes
- An operating system command is executed on SAP gateway
8. QRadar Integration Steps
From 0 to real-time SAP security monitoring
- Download Enterprise Threat Monitor:
• https://www.enterprise-threat-monitor.com/download
- Follow the steps for connecting to SAP:
• https://www.enterprise-threat-monitor.com/installation
- Use built-in SIEM wizard to add your QRadar system.
- Import ETM log source extension and configure event properties, QID mappings, and QRadar specific settings using ETM’s step-by-step guide.
- DONE!
9. Thank you
ESNC
Security Solutions for SAP Applications
secure@esnc.de
www.esnc.de | Nördliche Münchnerstr. 15a, 80807 Grunwald by Munich/Germany
Try ETM 14 days for free
www.enterprise-threat-monitor.com
Enterprise Threat Monitor is a registered trademark of ESNC GmbH, Germany. This document contains references to products of SAP SE. SAP, ABAP, SAPGUI and other named SAP products and associated logos are brand names or registered trademarks of SAP SE in Germany and other countries in the world. HP and ArcSight are registered trademarks of Hewlett-Packard Development Company, L.P. Splunk is a registered trademark of Splunk, Inc. IBM and QRadar are trademarks of International Business Machines Corporation. The contents of this document are proprietary.