SAP Security Monitoring with Securonix

Most enterprise businesses today run SAP, and for good reason – over the years, SAP has evolved to become a complex, all-encompassing system that drives multiple business applications and is the custodian for massive amounts of critical, sensitive data.

SAP systems in use by customers are growing in complexity as organizations expand beyond base capabilities. This growth causes security risk to rise. Organizations are slow to apply patches and updates, as they fear business disruption, and eventually end up having modules that are outdated with respect to security patching. This hesitation allows threats to emerge across modules, so threat correlation is also an important part of ensuring SAP security.

Therefore, a holistic approach to SAP security through comprehensive threat detection and analytics, effectively correlating alerts to identify real threats, is essential. Securonix SAP Analytics delivers that holistic approach for enterprises.

SAP Security Challenges

There are several security challenges that can put your SAP business-critical applications and sensitive data at risk:

  • Unauthorized or excessive access privileges
  • Misuse of privileged accounts (e.g., firefighter accounts)
  • Misconfigurations or unauthorized configuration changes
  • Misuse of sensitive transaction codes (t-codes)
  • Account compromise and unauthorized logins

The SAP logging mechanism is cumbersome and can make monitoring security events challenging. With multiple logs to track and different items of information stored in different locations, both collection and analysis (with correlation) become essential and complex.

Securonix has built in API connectors to natively collect transaction logs necessary for monitoring SAP. The connector is programmed to pull the following information from SAP:

  • Account information
  • Access privileges (roles, t-codes, authorizations, etc.)
  • Usage security events

(Securonix uses a non-dialog account in SAP to connect and fetch the required data.)

Why Securonix for SAP Security Monitoring

  • Streamlined, direct connector-based integration enables fast event gathering.
  • Complete SAP log coverage, including SM19/SM20, MONI, GRC/Firefighter, CDHDR, and CDPOS.
  • Data Insights: Securonix for SAP enables you to visualize activities and changes in your SAP infrastructure with out-of-the-box dashboards and reports that can be easily customized.
  • Enrich data with additional context to use for threat modeling.
  • Link information from multiple SAP transaction types for comprehensive threat identification.

Multi-Level Security Monitoring Across Account Activity, Access, and Usage

The Securonix platform monitors several SAP transaction types using behavioral and peer analytics to identify anomalous privilege assignments, activities by rogue accounts unassociated with actual users, privileged account misuse (such as SAP_ALL privilege accounts), as well as account activity changes and transaction spikes. With monitoring support across multiple SAP data sources combined with a large packaged content library for threat identification, Securonix provides support for a large and growing range of SAP security use cases.

Sample Use Case: Identity and Access Analytics

A key use case for Securonix with SAP is the identification of identity misuse. Securonix utilizes SAP access and user activity data to identify activity from orphaned or dormant accounts, abandoned accounts with no password changes, and users with system-level access who perform activities that are not consistent with their past or peer group behavior. Securonix uses these and other indicators to identify identity issues and privilege misuse, among other threats.

Some other key use cases include:

  • Suspicious SAP role and account modifications.
  • Unusual or rare t-code usage.
  • Authentication attempts from rare geolocations.
  • Critical/secure t-code execution.
  • Suspicious activity for system/high privilege accounts.
  • Suspicious application interactions.
  • Device issues leading to privilege anomalies.
  • Unauthorized or excessive access privileges.
  • Segregation of duties (SoD) violations and misuse.
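To make the identity and access analytics described above (dormant-account activity, stale passwords, and t-code usage that deviates from a user's own history and from their peer group) concrete, here is an added, self-contained Python sketch of that detection logic. It is not Securonix code and not an SAP table layout: the user records, the department-based peer grouping, the 180-day password threshold and the audit events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

PWD_MAX_AGE = timedelta(days=180)  # assumed policy threshold, not an SAP default

# Constructed user master data (hypothetical fields, not the real SAP user table).
USERS = {
    "JSMITH": {"dept": "FIN",   "pwd_changed": date(2024, 4, 1)},
    "MKHAN":  {"dept": "FIN",   "pwd_changed": date(2024, 4, 15)},
    "OLDSVC": {"dept": "FIN",   "pwd_changed": date(2022, 6, 1)},
    "ABASIS": {"dept": "BASIS", "pwd_changed": date(2024, 3, 1)},
}

# Constructed audit events: (user, t-code, date). Events before CUTOFF form the
# behavioral baseline; events on or after CUTOFF are the ones being scored.
CUTOFF = date(2024, 5, 1)
EVENTS = [
    ("JSMITH", "FB03", date(2024, 3, 5)), ("JSMITH", "FB03", date(2024, 4, 20)),
    ("MKHAN",  "FB03", date(2024, 4, 2)), ("MKHAN",  "FB60", date(2024, 4, 9)),
    ("ABASIS", "SU01", date(2024, 4, 3)), ("ABASIS", "PFCG", date(2024, 4, 11)),
    ("JSMITH", "FB60", date(2024, 5, 6)),  # new for JSMITH, but a FIN peer uses it
    ("JSMITH", "SU01", date(2024, 5, 7)),  # user admin t-code never seen in FIN
    ("OLDSVC", "FB03", date(2024, 5, 8)),  # no baseline activity, old password
]

def baseline_profiles(events, cutoff):
    """Per-user set of t-codes used before the cutoff (the user's own baseline)."""
    seen = defaultdict(set)
    for user, tcode, day in events:
        if day < cutoff:
            seen[user].add(tcode)
    return seen

def find_anomalies(users, events, cutoff, pwd_max_age=PWD_MAX_AGE):
    """Return (user, tcode, reason) findings for events on or after the cutoff."""
    seen = baseline_profiles(events, cutoff)
    peers = defaultdict(set)  # department -> t-codes used by anyone in it
    for user, tcodes in seen.items():
        peers[users[user]["dept"]].update(tcodes)
    findings = []
    for user, tcode, day in events:
        if day < cutoff:
            continue
        dept = users[user]["dept"]
        if user not in seen:  # active now, silent during the whole baseline
            findings.append((user, tcode, "activity from dormant account"))
        if day - users[user]["pwd_changed"] > pwd_max_age:
            findings.append((user, tcode, "password not changed within policy"))
        if tcode not in seen.get(user, set()) and tcode not in peers.get(dept, set()):
            findings.append((user, tcode, "t-code unseen for user and peer group"))
    return findings
```

Running `find_anomalies(USERS, EVENTS, CUTOFF)` on the constructed data flags JSMITH's SU01 call and both OLDSVC conditions, while JSMITH's FB60 use passes because a peer in the same department already used it.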