How SAP Enterprise Threat Detection Works

September 21, 2015 by Andreas Schmitz

Hackers have many tricks up their sleeves – from Trojans and spear phishing to malware as a service – so companies must react fast if under attack. Read how SAP is using pattern recognition in log files to counter growing cybercrime.

When a member of the German parliament recently logged on to his own personal laptop in the Bundestag building’s secure network in Berlin, he did as he did every day. He wrote e-mails, read the latest reports from the governmental committees, looked up telephone numbers, and did some Internet research. He had completely forgotten about the thumb drive that he had plugged into his laptop days before. And he was completely unaware of the Trojan that spread like wildfire and wreaked havoc in the Bundestag IT systems.

“That was a typical attack, one that can happen to any company,” explains Martin Müller, IT security expert at SAP.

The SAP Enterprise Threat Detection application rapidly detects such incidents and enables organizations to react appropriately.

What can SAP Enterprise Threat Detection do?

Finding and isolating attackers and analyzing their attacks is the ultimate challenge for security teams, and it is the smartest layer of protection in SAP's security portfolio. While security information and event management (SIEM) tools generally concentrate their real-time analysis on technical components such as networks, routers, and infrastructure, SAP Enterprise Threat Detection focuses on the central log files of the business applications themselves.

Who thought of SAP Enterprise Threat Detection with real-time analysis?

The idea to create SAP Enterprise Threat Detection stemmed from SAP’s own development department some years ago.

“SAP IT wasn’t satisfied with the functions in the SIEM product deployed in the area of SAP integration,” explains Müller. “The colleagues there believed that SAP applications must be even better protected.”

They worked on the principle that mechanisms to protect SAP applications should be derived from security events on the user side, because that is where the valuable information about SAP applications is found. Rules were defined to identify users who do unusual things.

The SAP IT department runs SAP Enterprise Threat Detection to identify software security events and warn the security officers of attacks on SAP applications. If, for example, an employee logs on at 8:00 a.m. in Walldorf and then logs on an hour later in Munich, the system raises an alarm, because it is unlikely to be one and the same person: the two cities are considerably more than an hour's drive apart, so this is probably a case of identity theft. Likewise, if an account manager who usually works in SAP CRM logs on to the SAP BW system and browses critical financial data, the system issues an alert about this abnormal activity.

“The patterns determine what constitutes an alert,” Müller explains.

What does SAP Enterprise Threat Detection do when a user’s identity is hijacked, as in spear phishing?

In spear phishing, attackers target a specific person and the computer that person works on, and from there try to obtain as many passwords and user names as possible and gather as much SAP system information as they can. The perpetrators find out the names of their victim's friends by using Facebook or other social networks.

“They then exploit the supposed relationship of trust and send e-mails that are apparently from friends and have files attached, for example, Excel spreadsheets,” says Müller. “The system warns the user about opening the attachment, but this warning usually goes unheeded.” And in an instant, the Trojan has entered the company’s system. “This can and will happen to any company,” Müller continues.

At this moment, SAP Enterprise Threat Detection reacts and issues a warning. It quickly becomes clear which computer was compromised, because the number of failed logon attempts to other systems originating from it rises sharply. The more failed remote function calls (RFCs) come from that computer, the clearer it becomes that a dictionary attack is running in the background, aiming to harvest as many user names and passwords as possible and ultimately gain access to valuable company information.
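The three alert patterns the article describes, the Walldorf-to-Munich logon an hour apart, the CRM account manager browsing SAP BW, and the spike in failed logons or RFC calls from one workstation, can be written as plain detection rules over a logon log. The following is an added example, not SAP Enterprise Threat Detection code and not from the original article. Its log format, the site coordinates, the per-user baseline of normal systems, and the thresholds (120 km/h as the plausible travel speed, ten failures within five minutes) are all assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed: approximate site coordinates used for the impossible-travel check.
SITES = {
    "Walldorf": (49.306, 8.643),
    "Munich": (48.137, 11.575),
    "Berlin": (52.520, 13.405),
}
MAX_PLAUSIBLE_KMH = 120.0             # faster than this between two logons is implausible
FAILED_THRESHOLD = 10                 # failed attempts from one host ...
FAILED_WINDOW = timedelta(minutes=5)  # ... within this window raise an alert


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    system: str   # application system, e.g. CRM or BW
    site: str     # location the logon came from
    host: str     # source workstation
    outcome: str  # "success" or "failed"


def parse(line: str) -> Event:
    """Parse one pipe-separated record of the assumed log format."""
    ts, user, system, site, host, outcome = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, system, site, host, outcome)


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events):
    """Pattern 1: consecutive successful logons of one user from two sites
    that cannot be reached from each other in the elapsed time."""
    by_user = defaultdict(list)
    for e in events:
        if e.outcome == "success":
            by_user[e.user].append(e)
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev.site == cur.site:
                continue
            km = haversine_km(SITES[prev.site], SITES[cur.site])
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second logons are implausible too
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, prev.site, cur.site))
    return alerts


def unusual_system(events, baseline):
    """Pattern 2: a user successfully logs on to a system outside the set they
    normally use (the baseline would be learnt from history; here it is supplied)."""
    return sorted({(e.user, e.system) for e in events
                   if e.outcome == "success" and e.system not in baseline.get(e.user, set())})


def failed_burst(events):
    """Pattern 3: a burst of failed logons/RFC calls from one source host, the
    signature of a dictionary attack run from a compromised workstation."""
    by_host = defaultdict(list)
    for e in events:
        if e.outcome == "failed":
            by_host[e.host].append(e.ts)
    alerts = []
    for host, stamps in sorted(by_host.items()):
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):            # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > FAILED_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAILED_THRESHOLD:
            alerts.append((host, peak))
    return alerts


# Constructed sample log: jdoe "logs on" in Walldorf and an hour later in Munich;
# asmith, who normally works in CRM, browses BW; bkim travels Berlin -> Walldorf
# in five hours (plausible, no alert); jdoe's workstation ws-0412 then fires
# twelve failed logons within seconds.
SAMPLE_LOG = [
    "2015-09-21T08:00:00|jdoe|CRM|Walldorf|ws-0412|success",
    "2015-09-21T09:00:00|jdoe|CRM|Munich|ws-0907|success",
    "2015-09-21T09:15:00|asmith|CRM|Walldorf|ws-0131|success",
    "2015-09-21T09:20:00|asmith|BW|Walldorf|ws-0131|success",
    "2015-09-21T10:00:00|bkim|BW|Berlin|ws-0555|success",
    "2015-09-21T15:00:00|bkim|BW|Walldorf|ws-0556|success",
] + [f"2015-09-21T11:00:{i:02d}|svc{i:02d}|ERP|Walldorf|ws-0412|failed" for i in range(12)]

BASELINE = {"jdoe": {"CRM"}, "asmith": {"CRM"}, "bkim": {"BW"}}  # assumed normal systems per user
EVENTS = [parse(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(EVENTS))
    print("unusual system:   ", unusual_system(EVENTS, BASELINE))
    print("failed burst:     ", failed_burst(EVENTS))
```

Each rule returns the users or hosts that match the pattern rather than a raw list of events, which is the shape an analyst wants to triage; the speed threshold is what makes the Berlin-to-Walldorf case a non-alert while Walldorf-to-Munich in one hour fires, and the failure-burst rule keys on the source host rather than the user because a dictionary attack spreads its attempts across many accounts.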

“In such a case, the computer must be isolated as quickly as possible. This then puts an end to the attack,” Müller says. The sooner this happens, the better.

What motives do cybercriminals have?

Not all attacks are politically motivated, as the one on the German Bundestag was. If a manufacturing company is targeted and the perpetrators manage to get into the production systems, the company's most valuable assets are at stake, for example, engineering drawings for machines, concepts for new developments, and prototypes.

“Not only is the company’s reputation in danger, but its whole economic basis is jeopardized,” says Müller, at the latest when a very similar product is launched by a competitor at a significantly lower price. Other motives include the targeted manipulation of data and attacks on the availability of Web sites.

Yet companies rarely report such incidents, for fear of damaging their own reputation. On July 1, however, the IT Security Act (IT-Sicherheitsgesetz) became law in Germany. It obliges operators of critical infrastructure to report significant cyberattacks against them to the German Federal Office for Information Security (BSI); those that do not risk fines of hundreds of thousands of euros.

If the Trojan has been active in the network for a while and too many computers are infected, as was the case at Sony Pictures at the end of 2014, the computers must be completely wiped or, in some cases, even replaced. Whether the Bundestag will have to resort to such measures remains to be seen.

Image: Shutterstock
