IT security - on the trail of hackers
For many people, hacking still has something awe-inspiring about it: a technically extremely skilled nerd sits in a dark basement, surrounded by many monitors on which several command-line windows are open.
And in practice? Penetrating systems from the outside does of course require a great deal of technical know-how, and the same applies to "hacking" SAP systems. However, most of this is not insider knowledge; it is freely available on the Internet.
Take a few minutes and google "SAP hacking" or "SAP password cracking". You will be surprised by the results, and after a few minutes you will know, for example, how passwords can be cracked and which software you can download as freeware for this purpose.
The possibilities for hacking an SAP system are manifold, as are the possible goals pursued with it. These can be data theft, monetary manipulation or negatively influencing business processes.
To monitor security-critical processes in SAP systems and concrete attacks in real time, SAP has developed Enterprise Threat Detection (ETD). The software is optimized for monitoring SAP products including the Hana database.
However, third-party products can also be connected. SAP ETD is designed as SIEM (Security Information and Event Management) software, but it can also be used for continuous monitoring as part of day-to-day administration or to forward alerts to another SIEM product.
The basic principle of SAP ETD is to collect logs from the various systems, analyze them automatically according to predefined criteria, and issue alerts when findings are made.
The logs are transferred from the original system to SAP ETD in real time, so any subsequent manipulation of the logs on the original system (e.g. deleting them) no longer affects traceability.
A large number of standard analyses, so-called patterns, are already supplied for evaluation. SAP ETD evaluates these automatically when new logs are transferred.
The patterns do not only evaluate individual log entries; they are complex search patterns that can also be evaluated across multiple logs and systems.
For example, it is possible to monitor whether a new user is created and a logon is then performed with that user from the same workstation, or whether data has been manipulated via debugging. In case of a hit, an alarm can be generated and a message sent to the responsible persons.
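The first correlation described above (a user is created and a logon with that user follows from the same workstation), as an added Python example that is not SAP ETD code or one of its shipped patterns. The event fields, the sample values and the 30-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized events; field names and values are
# assumptions for this example, not SAP log formats.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "log": "user_change", "system": "PRD",
     "type": "user_create", "actor": "ADMIN1", "user": "TMP_USER", "terminal": "WS-0417"},
    {"ts": "2024-05-01T09:04:10", "log": "audit", "system": "PRD",
     "type": "logon", "user": "TMP_USER", "terminal": "WS-0417"},
    {"ts": "2024-05-01T10:00:00", "log": "user_change", "system": "PRD",
     "type": "user_create", "actor": "ADMIN2", "user": "NEW_HIRE", "terminal": "WS-0100"},
    {"ts": "2024-05-01T10:20:00", "log": "audit", "system": "PRD",
     "type": "logon", "user": "NEW_HIRE", "terminal": "WS-0222"},
    {"ts": "2024-05-01T11:00:00", "log": "user_change", "system": "QAS",
     "type": "user_create", "actor": "ADMIN1", "user": "SVC_TEST", "terminal": "WS-0417"},
    {"ts": "2024-05-03T11:00:00", "log": "audit", "system": "QAS",
     "type": "logon", "user": "SVC_TEST", "terminal": "WS-0417"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Alert when a newly created user logs on from the creating workstation."""
    created = {}  # (system, user) -> creation event from the user change log
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        key = (ev["system"], ev["user"])
        if ev["type"] == "user_create":
            created[key] = ev
        elif ev["type"] == "logon" and key in created:
            origin = created[key]
            delay = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(origin["ts"])
            # Hit only if both logs agree on the workstation and the logon is prompt.
            if ev["terminal"] == origin["terminal"] and delay <= window:
                alerts.append({"system": ev["system"], "user": ev["user"],
                               "created_by": origin["actor"],
                               "terminal": ev["terminal"],
                               "delay_s": int(delay.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

Only TMP_USER raises an alert: NEW_HIRE logs on from a different workstation, and SVC_TEST logs on two days after creation, outside the assumed window.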
This increases system security many times over. Although most companies have strict security concepts, real-time monitoring hardly ever takes place.
Critical operations such as the reading of password hashes or the use of developer rights in production systems are only identified in the course of downstream checks (if at all).
Due to the increasing number of attacks on IT systems, the use of SIEM software is almost mandatory. Until now, the focus has been on operating systems and firewalls in particular.
However, since the truly mission-critical data is stored and processed in the ERP systems, these must be integrated into the monitoring.
When using SAP ERP or S/4 Hana, SAP ETD is a very efficient way to do this. Thanks to the standard patterns contained in SAP ETD, the system can be put into production with manageable effort.
For many companies, the option of SAP ETD as a managed service will be of interest, as in this case the system does not have to be operated by the company itself.