In this third blog post about how SAP runs SAP Enterprise Threat Detection I would like to introduce the ‘Security Expert’ in the Security Monitoring Center team and the ‘Forensic Lab’ application.

In the previous blog post ‘From Alert To Investigation’ we reviewed the daily tasks of the Monitoring Agent. This person is doing a first review of incoming alerts, consolidates similar alerts into one investigation, adds all collected information and moves the task to the Security Expert. This means the Security Expert is in a key position and will decide, if the data included in the investigation indicate a threat without any doubt, or if this is an unidentified false-positive, or anything else.

For this job the Security Expert has quite a number of applications in his Fiori Launchpad group. Especially the ‘Open Investigations on My Name’ and the ‘Very High Severity Investigations’ overview allow to have a clear view on the overall status.

You can influence the status and visibility of an investigation with three attributes:

• Severity
  • Very High
  • High
  • Medium
  • Low

• Status
  • Open
  • In Process
  • Completed
  • Canceled

• Management Visibility
  • Not Needed
  • For Information
  • For Action

A severity ‘Very High’ will highlight the investigation in the equivalent tile for the Security Expert. The management visibility ‘For Information’ and ‘For Action’ will do the same for the Service Manager.

The Forensic Lab plays a dual role for the Security Expert. In the following video ‘Detect the execution of critical reports in your SAP system’ we will see an example how to use the Forensic Lab to access log raw data via the Pattern. Next week I want to look into the Security Expert tasks to build new Pattern and to optimize the existing Pattern and Value Lists.

The video step-by-step:

#1 Attack: In this case the attacker runs the report RSBDCOS0 in the SAP system, which allows him to execute Operating System commands.

#2 Detect: Our Monitoring Agent in the Security Monitoring Center is using the Monitoring application in Enterprise Threat Detection to receive the alert, which is generated by the pattern in the Event Stream Processor. The Monitoring Agent can jump directly into the Forensic Lab for analysis, without leaving the application. (Afterwards he will collect the alerts and create an investigation, but that’s missing in the video.)

#3 Analyze: In the Forensic Lab the Security Expert sees the ‘SAP_CriticalReports’ Pattern, which created the alert. In this application he can directly access the relevant raw data from the system logs and identify the theat. After a threat is confirmed the Service Manger can resolve the user identity in the relevant log data.

#4 Verify: To proof the threat and to see additional information about the attack the Security Expert reviews the application log data in the source system. Afterwards he will have a look at the details in the system log data. Here the unauthorized operations system commands are visible and the threat is confirmed.

And what will be step 5 for the Security Expert? He will enhance the ‘SAP_CriticalReports’ Pattern with system log data to see the complete attack directly in the ETD solution, but we will talk about this next week.

Matthias