Seamless integration of threats
Since the release of our Threat Detection solution, we have been working extensively on expanding functionality in various ways. One of these is support for integration with IBM’s SIEM solution QRadar. This enables customers who have implemented QRadar to integrate SAP Threat Detection seamlessly with their security processes. In this blog we share a preview of this integration.
SAP Threat Detection analyses information from SAP systems and identifies security threats in real-time that can be analysed further. This can be done in the application itself, or threats can be sent by email as we wrote in one of our previous blogs. Ideally though, these threats are processed in a SIEM solution where all kinds of security events are analysed by a Security Operation Center (SOC).
The advantage of having a solution like SAP Threat Detection is that the analysis and threat identification are done separately and only threats are forwarded to the SIEM. There is no need to analyse numerous ‘raw’ events in the SIEM to determine whether there is a security issue; SAP Threat Detection has already done that. This means that once a potential threat is identified and sent to the SIEM, it can be picked up immediately, saving time and storage.
“Seamless integration, saving time and storage, allowing immediate action”
IBM QRadar is a well-established SIEM solution used by many organisations. Integration of SAP Threat Detection with QRadar fully automates the sending of threats to QRadar for further processing. This process is depicted below at a high level:
As shown above, events are analysed by SAP Threat Detection and threats are identified where relevant. If a threat is identified, it is sent to QRadar immediately (following a so-called ‘push principle’). From a technical point of view, the integration is based on the ‘HTTP Receiver protocol’ offered by QRadar. For more information, see the following link.
Let’s have a look at an example of what the integration looks like. For this, we will use the example of a user who starts a critical transaction in an SAP ABAP system monitored by SAP Threat Detection, in this case transaction SE38. This is considered a critical transaction because it allows the execution of programs with direct risk to the system. In SAP Threat Detection, this can be identified with the configuration of use case S-000070-01: Execution of critical transactions.
- Connection configuration
We assume that both an SAP Threat Detection and a QRadar system exist and that the QRadar system has a functioning ‘log source’ using the HTTP Receiver protocol for the integration. This requires a number of technical prerequisites which we won’t go into in detail here.
The connection can be set up as follows:
From the application settings in SAP Threat Detection, IBM QRadar can be selected as the SIEM to use. The hostname and port of the configured log source of the QRadar installation need to be specified. Note that although the QRadar HTTP Receiver supports plain HTTP for the connection, a setup using SAP Threat Detection can only be done using HTTPS, optionally with client authentication (not shown here).
- Start of transaction SE38 in a monitored system by Protect4S SAP Threat Detection
Here, we simply log on to a system that is monitored by the SAP Threat Detection system and start transaction SE38 in an attempt to execute programs. Note that no program is accessed yet; only the transaction is started.
- This action is logged as an ‘event’ by the monitored system and identified by the threat detection application as a ‘threat’. The threat can be viewed in detail in the threat application itself, as shown below:
- Following the SIEM configuration, the threat is sent to the defined QRadar system immediately. It is sent in JSON format and processed as an offense in QRadar. All fields are available for further analysis. See below the corresponding threat in QRadar together with other examples.
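To make the push described in these steps concrete, here is an added example (not Protect4S or IBM code) of a small forwarder that builds a threat record like the SE38 one above, refuses a receiver URL that is not HTTPS in the same way the product does, verifies the server certificate, optionally presents a client certificate, and POSTs the record as JSON to a QRadar HTTP Receiver log source. The hostname, port, URL path and JSON field names are assumptions for this example; the real SAP Threat Detection payload layout is not shown on the page.

```python
import json
import os
import ssl
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlparse

# Placeholders: hostname and port of the configured QRadar HTTP Receiver log source.
# The page names neither; both values are assumptions for this example.
QRADAR_HOST = os.environ.get("QRADAR_HOST", "qradar.example.com")
QRADAR_PORT = int(os.environ.get("QRADAR_PORT", "12469"))


def build_threat_event(use_case_id, description, sap_system, user, transaction, timestamp=None):
    """Return one threat as a dict ready for JSON serialisation.

    The field names are constructed for this example; the actual SAP Threat Detection
    payload layout is not described on the page.
    """
    return {
        "use_case_id": use_case_id,      # e.g. S-000070-01
        "description": description,      # e.g. Execution of critical transactions
        "sap_system": sap_system,        # id of the monitored ABAP system (constructed)
        "user": user,                    # SAP user who started the transaction
        "transaction": transaction,      # e.g. SE38
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
    }


def validate_receiver_url(url):
    """Accept only https://host[:port]/... destinations.

    Mirrors the restriction that SAP Threat Detection connects to the receiver over
    HTTPS only, even though the QRadar HTTP Receiver would also accept plain HTTP.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"receiver URL must be https://host[:port]/..., got {url!r}")
    return url


def build_ssl_context(ca_file=None, client_cert=None, client_key=None):
    """Always verify the receiver's certificate; client authentication is optional."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + hostname check
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def send_threat(event, url, ctx, timeout=5):
    """POST the threat as a JSON document to the receiver; return the HTTP status code."""
    body = json.dumps(event).encode("utf-8")
    req = urllib.request.Request(validate_receiver_url(url), data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: the SE38 start from the walkthrough, as use case S-000070-01.
    event = build_threat_event("S-000070-01", "Execution of critical transactions",
                               "PRD", "JDOE", "SE38")
    print(json.dumps(event, indent=2))
    if os.environ.get("QRADAR_SEND") == "1":   # only contact a real receiver when asked to
        ctx = build_ssl_context(ca_file=os.environ.get("QRADAR_CA"),
                                client_cert=os.environ.get("QRADAR_CLIENT_CERT"),
                                client_key=os.environ.get("QRADAR_CLIENT_KEY"))
        print(send_threat(event, f"https://{QRADAR_HOST}:{QRADAR_PORT}/", ctx))
```

Run without `QRADAR_SEND=1` and the script only prints the JSON it would push; set `QRADAR_HOST`, `QRADAR_PORT` and `QRADAR_SEND=1` (plus `QRADAR_CA` and the client certificate variables if the log source requires them) to deliver it. The `validate_receiver_url` check is deliberately placed inside `send_threat`, so a misconfigured `http://` destination fails before any data leaves the host.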
With threats being successfully received by the QRadar system, several overviews and analyses can be created using QRadar functionality.
For the integration between SAP Threat Detection and QRadar, see our online guide. Configuration of incoming events can be done manually by QRadar users after setting up the technical connection. To ease the integration, though, a content package will be made available soon on the IBM App Exchange page. This will contain a full DSM configuration and pre-defined searches to work with. The above screenshot is taken from a first version of this configuration.
We are happy to have added the integration feature for QRadar so that threat information can be analysed and followed up more easily using this SIEM solution. By adding integration features like this, we ensure that our customers can use the application in the way that works best for their processes and organisation.
Feel free to contact us about the capabilities of our solutions Vulnerability Management and Threat Detection.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!