Defeating the Insider Threat

The sheer volume of transactions, data, bits, and bytes involved in executing your business’s processes is unimaginable. Every day, over your network and the internet, end-to-end business processes create and expose data at innumerable points. This data is a treasure trove to criminals and threat actors  looking to wreak havoc upon companies, business networks, and individuals, robbing them of privacy, data, financial assets, and intellectual property.

To get at this gold mine of information, hackers are attacking your company at its perimeter both virtually and physically. IT administrators see attacks at the firewall 24/7 and do their best to keep the “bad guys” out. If the bad guys can’t get in, however, their next best option is to recruit a “good guy” already on the inside. In a recent survey of 800 IT professionals from around the globe, over 83% indicated that the insider threat is as much a concern for them as the cyber threats from beyond the perimeter of the firewall.¹ 

SAP professionals are well aware of the type of data and information that flows through end-to-end business processes in the SAP landscape, such as order-to-cash and procure-to-pay, or within business network solutions themselves, such as employee personally identifiable information (PII), vendor and customer master data, pricing data, company financials, and product and manufacturing design processes. Each of these forms of data is a primary target for criminals and can be accessed by a variety of knowledgeable SAP administrators, developers, power users, consultants, and even end users.

This is why SAP National Security Services, Inc., at the request of its customers, began co-innovating with customers to develop solutions to address the growing concerns of the insider threat.

Protecting Your Systems with SAP Solution Manager

One system that can be very beneficial in the fight against security threats is SAP Solution Manager. The solution is used for application lifecycle management, but the platform can be used to consolidate information that can help organizations track potential intrusions or fraudulent behavior — it’s just a matter of finding and using that information.

An SAP center of expertise or operations control center can leverage SAP Solution Manager to provide status and runtime information for monitoring key end-to-end business processes (such as order- to-cash or procure-to-pay) to enable companies to “Run SAP Like a Factory.” Our SAP MaxSecure technical quality managers at a Fortune 500 aerospace and defense company began a co-innovation project to build custom dashboards for the operations control center focused on key security concerns, such as threat monitoring. SAP Solution Manager includes a dashboard factory plug-in that companies can use to deploy standard Run SAP Like a Factory dashboards, which they can then customize to their needs.

The result was a threat monitoring dashboard that displays information in a centralized interface, is accessible from desktop and mobile browsers, and provides transparency and alerting capabilities that can help administrators, security professionals, and senior leadership uncover possible malicious activities (see Figure 1). The threat monitoring dashboard is based on the dashboard factory framework, which was introduced as part of SAP Solution Manager 7.1 Support Package 13, and will be included in SAP Solution Manager 7.2 as well. The OneServiceTools download (ST-OST), which activates the dashboard factory, is available to SAP MaxAttention customers.

The threat monitoring dashboard centralized interface is divided into five strategic areas:

• Database actions and events
• Application and system events monitoring
• Change monitoring
• Authentication and authorization monitoring
• SAP-related network traffic patterns

The database actions and events log mass database actions (such as deletes, updates, and inserts) from the SAP application and can be configured to monitor specific tables or transactions.

The application and events monitoring functionality allows the security team to centralize and leverage existing alerts from the Run SAP Like a Factory Technical Monitoring framework. Monitoring of planned and unplanned downtime, transaction SM21 alerts, and memory and disk usage alerts are standard metrics that can be incorporated into the threat monitoring view.

The change monitoring framework is proactive and quantifies the number of users who have access to critical transactions (via table access or reading logs or spools, for example) or the ability to bypass security procedures.

The authentication and authorization monitoring functionality is highly configurable and can find failed user and Remote Function Call logon attempts, leverage the security log, and eventually read access logging.

Finally, SAP-related network traffic patterns identify gateway load, system load, and other interfaces while preparing companies to monitor the next generation of front-end load from user interfaces such as SAP Fiori.

Learn More

Today’s IT organizations are facing an increasing number of external cyber threats from around the globe. But internal threats are not to be ignored. In some cases they pose an even greater threat to the security of your IT infrastructure, business network, data, intellectual property, and financial health. SAP National Security Services, Inc. provides SAP MaxSecure Support, which is SAP MaxAttention for clients with specific security requirements. For more information, visit www.SAPNS2.com.

^{1 Vormetric, “2015 Vormetric Insider Threat Report” (2015;  Report pdf). [back]}