Page 91 - Cyber Defense eMagazine April 2023
P. 91

What data from SAP Applications needs to be collected?

            Before deep diving into the process flow, we must look at which SAP logs have to be read out. SAP
            produces many protocols and logs that are necessary to create transparency in the business process.

            This  is  not  easy,  especially  since  most  SIEM  adapters  for  SAP  take  an  all-or-nothing  approach  for
            onboarding new log sources. For example, if we took the SAP system log, all entries must be transferred,
            although only 5% would be necessary for SAP Security Monitoring.

             A selective transfer of the entries necessary for the correlation would also have a positive side effect on
            the licensing costs for the SIEM product used, given that these usually are paid according to "log volume
            per day". Back to the question - which SAP logs are security-relevant? These are only the most relevant
            logs:

               4.  SAP Security Audit Log
               5.  SAP System log
               6.  SAP HANA audit log
               7.  SAP Gateway log
               8.  SAP Java audit log
               9.  SAP Profile parameter

            For further conclusions in the Threat Monitoring for SAP process, you must transfer the user master and
            selectively change documents.



            Bird's-eye view of SAP SIEM


            For enterprise-wide attack detection, our goal is to combine as much information as possible. This is the
            only way to define the attack patterns that are afterward continuously searched for.

            In the SIEM, it will combine the SAP logs with security logs from other sources:


               •  Server and Desktop OS
               •  Firewall / VPN
               •  Physical infrastructure (e.g., access control systems)
               •  IPS and IDS
               •  Identity Management
               •  System Health, Performance Monitoring Information
               •  Network and accessories
               •  Anti-Virus
               •  Databases

            You must take the following steps in the SIEM process to create reliable alerts. First, you must read the
            data promptly. This also involves the normalization of the different source formats. Traditionally, mapping
            the SAP logs already presents the first challenge to customers since the event logs (e.g., CEF) can
            handle hardware or operating system logs better than the application logs.





                                                                                                              91
   86   87   88   89   90   91   92   93   94   95   96