
SIEM for SAP: From Log Evaluation to Attack Detection


According to a recent article by Christoph Nagy, CEO of SecurityBridge, it is crucial for organizations to evaluate the security logs of their SAP systems in order to detect potential attacks. While many organizations have primarily focused on protecting their perimeter, attention is now shifting to securing business-critical systems. To achieve this goal, Nagy suggests implementing a Security Information and Event Management (SIEM) solution for SAP to ensure the safety of SAP systems.

SIEM, an abbreviation for Security Information and Event Management, is a widely used security solution that reads security logs from various sources and uses an intelligent aggregation of the data to derive conclusions about suspicious activities or malicious user behavior. Nagy notes that well-known vendors, such as Splunk, IBM QRadar, and MS Sentinel, offer SIEM solutions, among many other providers.

To achieve efficient SAP SIEM, companies must first understand which SAP logs are critical to read out. SAP produces many protocols and logs that are essential for making business processes transparent. Nagy mentions that this is not an easy task, since most SIEM adapters for SAP take an all-or-nothing approach: all entries must be transferred, although only a small percentage is necessary for SAP security monitoring. Selectively transferring only the entries required for correlation would also affect the licensing costs of the SIEM product used.

Nagy also indicates that the following SAP logs are security-relevant: SAP Security Audit Log, SAP System log, SAP HANA audit log, SAP Gateway log, SAP Java audit log, and SAP Profile parameter. Furthermore, for additional conclusions in the Threat Monitoring for SAP process, companies must transfer the user master and, selectively, change documents.

To create reliable alerts, the SIEM process must ensure that data is read correctly and that the various source formats are normalized. Many SIEMs attempt to divide data into categories directly in the onboarding process, with essential customer input during the definition phase. Nagy also notes that validations must be in place to ensure the integrity of the monitoring solution, including for cases where logs are altered by insiders. Once the integrity of the information is assured, the web of correlations can start.
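The selective transfer, normalization and integrity validation described above can be sketched as follows. This is an added example, not code from the article or from any SIEM vendor: the two record formats, the field names, the event class names and the sample lines are all constructed assumptions.

```python
import hashlib, hmac, json

# Assumed event classes worth forwarding; a real deployment derives this set
# from its own SAP security use cases.
RELEVANT = {"logon_failed", "rfc_call", "user_changed"}

def normalize(source, raw):
    """Map a source-specific record (constructed formats) to one common schema."""
    if source == "security_audit_log":        # constructed: pipe-separated line
        ts, user, event, detail = raw.split("|", 3)
    elif source == "hana_audit_log":          # constructed: JSON object
        rec = json.loads(raw)
        ts, user, event, detail = rec["time"], rec["db_user"], rec["action"], rec["stmt"]
    else:
        raise ValueError(f"unknown source: {source}")
    return {"ts": ts, "source": source, "user": user.upper(),
            "event": event.lower(), "detail": detail}

def _mac(key, prev, rec):
    body = json.dumps({k: v for k, v in rec.items() if k != "mac"}, sort_keys=True)
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def seal(records, key):
    """Forward only relevant events; chain an HMAC so later edits are detectable."""
    prev, out = "", []
    for rec in records:
        if rec["event"] in RELEVANT:
            prev = _mac(key, prev, rec)
            out.append({**rec, "mac": prev})
    return out

def first_broken(sealed, key):
    """Index of the first altered, removed-before or reordered record, else None.
    Truncation at the tail needs the last MAC stored separately."""
    prev = ""
    for i, rec in enumerate(sealed):
        if not hmac.compare_digest(_mac(key, prev, rec), rec["mac"]):
            return i
        prev = rec["mac"]
    return None

SAMPLE = [  # constructed sample input
    ("security_audit_log", "2024-05-01T10:00:00Z|jdoe|LOGON_FAILED|terminal=10.0.0.5"),
    ("security_audit_log", "2024-05-01T10:00:05Z|jdoe|REPORT_STARTED|report=ZSALES"),
    ("hana_audit_log", '{"time":"2024-05-01T10:01:00Z","db_user":"system",'
                       '"action":"USER_CHANGED","stmt":"ALTER USER X"}'),
    ("security_audit_log", "2024-05-01T10:02:00Z|batch|RFC_CALL|fm=Z_EXAMPLE_FM"),
]
```

The chain only protects against insiders if the HMAC key is held outside the reach of the administrators whose activity is being logged.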

Defining normal and anomalous actions requires in-depth knowledge of SAP security. Nagy states that organizations must have expertise in critical remote-enabled function modules, as well as database tables with sensitive content, to enable detection of malicious SAP activities.

In conclusion, organizations must prioritize the security of their business-critical systems, such as SAP, to reduce the risks of cyber-attacks. Implementing an SAP SIEM solution can provide an enhanced level of protection, but it requires expertise and attention to detail in the implementation process. With the correct SAP logs, adequate data, and reliable validation principles in place, SIEM can help detect suspicious activities or malicious user behavior, and even deter potential attacks.
