Most enterprise businesses today run SAP, and for good reason – over the years, SAP has evolved to become a complex, all-encompassing system that drives multiple business applications and is the custodian for massive amounts of critical, sensitive data.
SAP systems in use by customers are growing in complexity as organizations expand beyond base capabilities. This growth causes security risk to rise. Organizations are slow to apply patches and updates, as they fear business disruption, and eventually end up having modules that are outdated with respect to security patching. This hesitation allows threats to emerge across modules, so threat correlation is also an important part of ensuring SAP security.
Therefore, a holistic approach to SAP security through comprehensive threat detection and analytics, effectively correlating alerts to identify real threats, is essential. Securonix SAP Analytics delivers that holistic approach for enterprises.
SAP Security Monitoring
Securonix has built-in API connectors that natively collect the transaction logs necessary for monitoring SAP. The connector is programmed to pull the following information from SAP:
- Account information
- Access privileges (roles, t-codes, authorizations, etc.)
- Usage security events
(Securonix uses a non-dialog account in SAP to connect and fetch the required data.)
Why Securonix for SAP Security Monitoring
- Streamlined, direct connector-based integration enables fast event gathering.
- Complete SAP log coverage, including SM19/SM20, MONI, GRC/Firefighter, CDHDR, and CDPOS.
- Data Insights: Securonix for SAP enables you to visualize activities and changes in your SAP infrastructure with out-of-the-box dashboards and reports that can be easily customized.
- Enrich data with additional context to use for threat modeling.
- Link information from multiple SAP transaction types for comprehensive threat identification.
Multi-Level Security Monitoring Across Account Activity, Access, and Usage
The Securonix platform monitors several SAP transaction types using behavioral and peer analytics to identify anomalous privilege assignments, activities by rogue accounts unassociated with actual users, privileged account misuse (such as SAP_ALL privilege accounts), as well as account activity changes and transaction spikes. With monitoring support across multiple SAP data sources combined with a large packaged content library for threat identification, Securonix provides support for a large and growing range of SAP security use cases.
Sample Use Case: Identity and Access Analytics
A key use case for Securonix with SAP is the identification of identity misuse. Securonix utilizes SAP access and user activity data to identify activity from orphaned or dormant accounts, abandoned accounts with no password changes, and users with system-level access who perform activities that are not consistent with their past or peer group behavior. Securonix uses these and other indicators to identify identity issues and privilege misuse, among other threats.
Some other key use cases include:
- Suspicious SAP role and account modifications.
- Unusual or rare t-code usage.
- Authentication attempts from rare geolocations.
- Critical/secure t-code execution.
- Suspicious activity for system/high privilege accounts.
- Suspicious application interactions.
- Device issues leading to privilege anomalies.
- Unauthorized or excessive access privileges.
- Segregation of duties (SoD) violations and misuse.