Why having a SIEM solution is not enough
At the end of 2022, we proudly released our new solution: Protect4S SAP Threat Detection, a specialized application for detecting a variety of security threats that may occur in SAP landscapes. We believe that having a dedicated Threat Detection solution is crucial for any organization that is serious about protecting its SAP landscape from security threats. However, many organizations concerned with threat detection have already implemented a so-called SIEM solution or are seriously considering one. In this blog we highlight the key advantages of a Threat Detection solution and briefly compare it with a SIEM solution.
Benefits and challenges of SIEM solutions
SIEM is the abbreviation of ‘Security Information and Event Management’. A SIEM solution typically ingests and analyses various types of data coming from various sources, such as network devices, servers, IDPS systems and applications. It can aggregate this data, detect and investigate security threats quickly, and support compliance with regulatory requirements. With these characteristics, a SIEM solution looks like the go-to solution for analysing any application: just connect the log sources, watch the data flow in and easily identify security threats. In theory, this looks good. In reality, things are not that simple…
Despite the benefits of SIEM solutions, they come with a number of challenges as well. In summary these are:
- Complex configuration. The configuration of a SIEM solution is often considered complex, requiring specialised knowledge and expertise.
- Context. Identifying a potential threat requires knowledge of the context of the event, especially for correlation of events from different sources.
- Correctness. Fine-tuning a SIEM solution so that it reports actual potential threats with a low number of false positives proves to be a difficult task.
- Cost. The cost of purchasing, configuring and operating a SIEM solution is often considered substantial, especially for smaller organisations.
These challenges are widely recognized and certainly apply to SAP landscapes as well. In an SAP landscape, security-related data resides in various components, in various formats, and requires access at different levels. Specific configuration may be needed even to generate the required data, and sometimes this data is only accessible via proprietary technology, such as SAP RFC. Knowing what may constitute a threat in the SAP ecosystem indeed requires specialized knowledge, expertise and insight into the technical architecture of the components, as well as the context of events. A typical SIEM solution is much more generic in nature, lacks seamless integration with SAP components and cannot be configured to ‘just’ connect, pull in the required data and identify threats. As said, it is just not that simple.
Added value of Protect4S Threat Detection
The concerns mentioned above demonstrate the added value of a solution like Protect4S Threat Detection. It narrows the gap between the specifics of the SAP ecosystem and the generic characteristics of a typical SIEM solution. It does so by offering key capabilities like:
- The definition of potential threats is built into the application based on in-depth SAP experience. These definitions are known as ‘use cases’. The required data for these use cases is clearly defined and prerequisites for extraction, like configuration settings in the SAP system, are clearly documented.
- The extraction logic to retrieve data is built into the application so that data is extracted robustly and efficiently, given the specific characteristics of the data source, like data formats, required protocols etc. This extraction allows for a near real-time identification of security threats.
- Fine-tuning of threat detection is built into the application based on common SAP best practices. Depending on the use case, several settings can be adjusted to generate threats more precisely and to account for common exception situations.
These capabilities enable efficient and effective detection of SAP security threats. Additionally, Protect4S Threat Detection offers integration with SIEM solutions to forward identified threats. This way, the benefits of both solutions can be combined in a complementary setup: the Protect4S Threat Detection application identifies threats with its SAP-native features, and the connected SIEM solution receives only the actual potential threats, without the ‘noise’ of irrelevant data, while retaining the benefit of a centralized entry point for all SIEM-related data in an organisation.
The Protect4S SAP Threat Detection solution is built with the philosophy to help customers continuously improve SAP cybersecurity through automation and simplicity of use.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn. Contact us for more information about our products or request a demo!