Page 92 - Cyber Defense eMagazine April 2023

Many SIEMs try to divide the data into categories directly during onboarding. The customer defines these categories in the definition phase, and they become a valuable tool later during processing.

Validations must be in place to ensure the integrity of the monitoring solution, including checks that the logs have not been disabled or manipulated. Especially with SAP, an insider can alter the logs already in the application stack or flip a switch that stops security-relevant information from being written at all.
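One way to implement such validations on the SIEM side, as an added example that is not part of the article or any vendor's product: the script below checks a profile snapshot for the Security Audit Log switch (rsau/enable), reports feeds that have gone silent, and verifies per-feed sequence numbers plus a hash chain so that deleted or edited records become visible. The sequence numbers and the hash chain are assumed to be stamped by the log forwarder at collection time (they are not an SAP feature); the feed names, timestamps and messages are constructed for the example.

```python
"""Integrity checks on SAP log feeds before a SIEM trusts them for correlation.

Added example, not the article's or any vendor's code. Three checks:
  1. configuration: the Security Audit Log must be active (profile parameter
     rsau/enable = 1), the switch an insider would flip to stop the output;
  2. liveness: every expected feed must have emitted within a tolerance window,
     a silent feed is reported as possibly disabled;
  3. continuity: per feed, sequence numbers must be gap-free and a hash chain
     over the records must verify, so deleted or edited records show up.
Assumption (not an SAP feature): the log forwarder stamps each record with a
per-feed sequence number and a SHA-256 chained to the previous record's hash.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64

def record_hash(prev_hash: str, rec: dict) -> str:
    """SHA-256 over the canonical payload, chained to the previous record's hash."""
    payload = json.dumps({k: rec[k] for k in ("source", "seq", "ts", "msg")}, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def stamp(source: str, events: list[tuple[str, str]]) -> list[dict]:
    """Simulate the forwarder: number the records of one feed and build the chain."""
    out, prev = [], GENESIS
    for seq, (ts, msg) in enumerate(events, start=1):
        rec = {"source": source, "seq": seq, "ts": ts, "msg": msg}
        rec["hash"] = record_hash(prev, rec)
        prev = rec["hash"]
        out.append(rec)
    return out

def check_audit_log_enabled(profile: dict[str, str]) -> list[dict]:
    """Check 1: a profile snapshot must show the Security Audit Log switched on."""
    if profile.get("rsau/enable") != "1":
        return [{"check": "config", "source": "profile", "detail": "rsau/enable is not 1"}]
    return []

def check_liveness(records: list[dict], expected: list[str], now: datetime,
                   max_gap: timedelta) -> list[dict]:
    """Check 2: each expected feed must have produced an event within max_gap."""
    last_seen: dict[str, datetime] = {}
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if ts > last_seen.get(r["source"], datetime.min):
            last_seen[r["source"]] = ts
    findings = []
    for src in expected:
        seen = last_seen.get(src)
        if seen is None:
            findings.append({"check": "liveness", "source": src, "detail": "no events received"})
        elif now - seen > max_gap:
            findings.append({"check": "liveness", "source": src, "detail": f"silent since {seen.isoformat()}"})
    return findings

def check_continuity(records: list[dict]) -> list[dict]:
    """Check 3: contiguous sequence numbers and an intact hash chain, per feed."""
    by_source: dict[str, list[dict]] = {}
    for r in records:
        by_source.setdefault(r["source"], []).append(r)
    findings = []
    for src, recs in by_source.items():
        # This batch starts at the chain genesis; a rolling window would persist
        # the last verified (seq, hash) of each feed and resume from there.
        prev, expected_seq = GENESIS, 1
        for r in sorted(recs, key=lambda x: x["seq"]):
            if r["seq"] != expected_seq:
                findings.append({"check": "gap", "source": src, "detail": f"expected seq {expected_seq}, got {r['seq']}"})
                expected_seq = r["seq"]
            if r["hash"] != record_hash(prev, r):
                findings.append({"check": "tamper", "source": src, "detail": f"hash mismatch at seq {r['seq']}"})
            prev, expected_seq = r["hash"], expected_seq + 1
    return findings

def verify_feeds(profile: dict[str, str], records: list[dict], expected: list[str],
                 now: datetime, max_gap: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Run all three checks; an empty result means the feeds can be trusted."""
    return (check_audit_log_enabled(profile)
            + check_liveness(records, expected, now, max_gap)
            + check_continuity(records))

NOW = datetime(2023, 4, 1, 12, 0, 0)  # fixed "now" for the constructed sample
EXPECTED = ["PRD/100/SAL", "PRD/100/SM21", "PRD/200/SAL", "PRD/300/SAL"]

def sample_records() -> list[dict]:
    """Constructed sample: one healthy feed and one feed per failure mode."""
    def t(minutes_ago: int) -> str:
        return (NOW - timedelta(minutes=minutes_ago)).isoformat()
    healthy = stamp("PRD/100/SAL", [(t(9), "logon ok JDOE"), (t(6), "report started"), (t(2), "logon ok MSMITH")])
    edited = stamp("PRD/100/SM21", [(t(8), "RFC call"), (t(5), "user unlocked"), (t(1), "RFC call")])
    edited[1]["msg"] = "routine job"  # insider rewrites a stored record
    gapped = stamp("PRD/200/SAL", [(t(7), "logon ok"), (t(4), "table USR02 read"), (t(3), "logon ok")])
    del gapped[1]  # insider deletes a record
    stale = stamp("PRD/300/SAL", [(t(180), "logon ok")])  # feed silent for three hours
    return healthy + edited + gapped + stale
```

Run `verify_feeds({"rsau/enable": "0"}, sample_records(), EXPECTED, NOW)` and the result lists the disabled audit log, the silent feed, the gap in PRD/200/SAL and the two broken chain links (one for the edited record, one following the deleted one). A deleted record necessarily breaks the chain at the next record as well, so gap and tamper findings for the same feed are expected together.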

Once the integrity of the data is ensured, correlation can begin. This area is extensive and can be very specific, depending on the customer's deployment scenario. As a rule, the actors are first identified and then attributed. An actor can be, for example, a Windows user or an SAP account. Attribution is the process of assigning attributes and properties to that actor: the information about the actor is enriched with attributes such as the operating system used, the SAP log-on version, geo-location and IP range.

With all this information, you can now create alarms. For example, if a user who usually works from the U.S. office on a Windows laptop now logs in from Asia on a Linux system, this should trigger an alarm. Of course, to detect SAP insider attacks, the information must be specific and detailed.


Detecting malicious SAP activities and distinguishing them from "regular" admin activities requires defining what is normal and which activity represents an anomaly. In-depth knowledge of SAP security is necessary for this: critical remote-enabled function modules, as well as database tables with sensitive content, must be known.
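The attribution and alarm steps from the previous paragraphs, combined with a watchlist of critical function modules and sensitive tables as just described, as one added example (Python; not the article's or SecurityBridge's code): actors are enriched with country, site and operating system, a per-user baseline of what is normal is built from history, and each new event is judged against it. The site table, the user and event records and the two watchlists are constructed for the example (RFC_READ_TABLE and USR02 are real SAP objects; the complete lists are customer-specific and assumed here).

```python
"""Actor attribution and baseline-driven alarms over Windows and SAP events.

Added example, not the article's or SecurityBridge's code. Step 1 identifies and
attributes the actor (country and site from the source IP range, operating system
from the logon client string); step 2 compares each new event with the actor's
baseline built from history and alarms on deviations: a logon from an unseen
country and OS, a first-time call of a critical remote-enabled function module,
a read of a sensitive table outside the user's routine. Site table, events and
watchlists are constructed (RFC_READ_TABLE and USR02 are real SAP objects).
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

SITES = [  # constructed: which address ranges belong to which office
    (ipaddress.ip_network("10.10.0.0/16"), "US", "Chicago office"),
    (ipaddress.ip_network("10.20.0.0/16"), "SG", "Singapore office"),
    (ipaddress.ip_network("10.30.0.0/16"), "DE", "Munich office"),
]
CRITICAL_FMS = {"RFC_READ_TABLE", "RFC_ABAP_INSTALL_AND_RUN", "BAPI_USER_CHANGE"}  # illustrative
SENSITIVE_TABLES = {"USR02", "USH02", "PA0008"}  # illustrative
BASELINE_KEYS = ("countries", "os", "fms", "tables")

def geo(ip: str) -> tuple[str, str]:
    """Country and site for an address, from the site table."""
    addr = ipaddress.ip_address(ip)
    for net, country, site in SITES:
        if addr in net:
            return country, site
    return "??", "unknown range"

def os_from_client(client: str) -> str:
    """Operating system as reported in the logon client string."""
    m = re.search(r"Windows|Linux|macOS", client or "")
    return m.group(0) if m else "unknown"

def enrich(ev: dict) -> dict:
    """Attribution: attach country, site and OS to the actor's event."""
    country, site = geo(ev["ip"])
    return dict(ev, country=country, site=site, os=os_from_client(ev.get("client", "")))

def build_baseline(history: list[dict]) -> dict[str, dict[str, set]]:
    """What is 'normal' per actor: countries, OSes, FMs called, tables read."""
    base = defaultdict(lambda: {k: set() for k in BASELINE_KEYS})
    for ev in map(enrich, history):
        b = base[ev["user"]]
        if ev["type"] == "logon":
            b["countries"].add(ev["country"])
            b["os"].add(ev["os"])
        elif ev["type"] == "rfc_call":
            b["fms"].add(ev["object"])
        elif ev["type"] == "table_read":
            b["tables"].add(ev["object"])
    return dict(base)

def evaluate(ev: dict, baseline: dict) -> list[dict]:
    """Alarms for one new event, judged against the actor's baseline."""
    ev = enrich(ev)
    b = baseline.get(ev["user"]) or {k: set() for k in BASELINE_KEYS}
    alarms: list[dict] = []

    def alarm(severity: str, reason: str) -> None:
        alarms.append({"user": ev["user"], "severity": severity, "reason": reason})

    if ev["type"] == "logon":
        new_country, new_os = ev["country"] not in b["countries"], ev["os"] not in b["os"]
        if new_country and new_os:
            alarm("high", f"logon from {ev['site']} on {ev['os']}: country and OS both unseen")
        elif new_country:
            alarm("medium", f"logon from {ev['site']}: country unseen for this user")
    elif ev["type"] == "rfc_call" and ev["object"] in CRITICAL_FMS:
        if ev["object"] in b["fms"]:
            alarm("low", f"critical FM {ev['object']} called, part of this user's routine")
        else:
            alarm("high", f"critical FM {ev['object']} called for the first time by this user")
    elif ev["type"] == "table_read" and ev["object"] in SENSITIVE_TABLES and ev["object"] not in b["tables"]:
        alarm("high", f"sensitive table {ev['object']} read, not in this user's baseline")
    return alarms

HISTORY = [  # constructed baseline events
    {"user": "JDOE", "type": "logon", "ip": "10.10.4.21", "client": "SAPGUI 7.70 (Windows 10)"},
    {"user": "JDOE", "type": "rfc_call", "ip": "10.10.4.21", "object": "BAPI_MATERIAL_GET_DETAIL"},
    {"user": "BASISADM", "type": "logon", "ip": "10.30.1.5", "client": "SAPGUI 7.70 (Windows 11)"},
    {"user": "BASISADM", "type": "rfc_call", "ip": "10.30.1.5", "object": "RFC_READ_TABLE"},
    {"user": "BASISADM", "type": "table_read", "ip": "10.30.1.5", "object": "USR02"},
]
NEW_EVENTS = [  # constructed events to evaluate
    {"user": "JDOE", "type": "logon", "ip": "10.20.7.9", "client": "RFC client (Linux)"},
    {"user": "JDOE", "type": "rfc_call", "ip": "10.20.7.9", "object": "RFC_READ_TABLE"},
    {"user": "JDOE", "type": "table_read", "ip": "10.20.7.9", "object": "USR02"},
    {"user": "BASISADM", "type": "rfc_call", "ip": "10.30.1.5", "object": "RFC_READ_TABLE"},
    {"user": "BASISADM", "type": "logon", "ip": "10.30.1.6", "client": "SAPGUI 7.70 (Windows 11)"},
    {"user": "JDOE", "type": "logon", "ip": "10.30.2.2", "client": "SAPGUI 7.70 (Windows 10)"},
]

def run(history: list[dict] = HISTORY, events: list[dict] = NEW_EVENTS) -> list[dict]:
    """Build the baseline from history and evaluate every new event against it."""
    baseline = build_baseline(history)
    return [a for ev in events for a in evaluate(ev, baseline)]
```

`run()` produces three high alarms for JDOE (the Asia/Linux logon, a first-time RFC_READ_TABLE call and a USR02 read), a low-severity note for BASISADM, whose RFC_READ_TABLE calls are part of the baseline, nothing for the admin's routine logon, and a medium alarm for JDOE's later logon from a new country on the usual OS. The severities are the point: the same critical function module is routine for one actor and an anomaly for another, which is exactly the distinction between admin activity and an insider attack.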





About the Author

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge, a global SAP security provider serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and detection of cyber-attacks in real time. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi. Christoph can be reached online at [email protected].