Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 

Security Threats in an SAP environment:

Especially in the SAP environment, the strain on employees is often very high. The most diverse business requirements must be implemented first. The wishes of the business departments are usually manifold.

On the other side, we know that SAP systems are a key target for hackers, economic spies and insiders. The crown jewels of companies are often located in SAP systems. The challenge is to detect and prevent attacks on this data. But this requires special know-how. To use internal resources seems too expensive to many customers, because the manpower is urgently needed in other places.

Specific requirements for handling a Security Information and Event Management (SIEM) system need to be done. Known attack patterns are constantly supplemented by SAP and must be mapped in the systems. As usual for monitoring products, time is needed to investigate the generated alerts. Was the alert an attack or maybe a false positive? What happens when an attack has been successfully detected? How should a customer react? What steps does a customer have to take to defend himself against the attack?

These are the next questions we need to find an answer for!


How to overcome security threats?

A direct integration of SAP log files into classical SIEM systems cannot be the solution here. An SAP application has far too many specifics that need to be taken into account if you are targeting a practical and sustainable solution against security threats in SAP environments. Conspicuous activities can often only be seen in the correlation of entries in the different log files. Typical attack patterns are provided directly by SAP. Every 2-months, SAP provides new patterns based on the experience of our customers and partners. Do you get such a content from a SIEM vendor too? The next challenge is to detect attacks on SAP systems based on security patches that have not been installed. In addition, nobody is looking into the huge amount of data provided in the different security relevant logfiles. For bigger companies the amount of data can be more than 3 TB every day. And who wants to feed classical SIEM systems with 3 TB a day without getting the wanted protection just for compliance reasons?

A classical SIEM solution alone cannot help here...

Therefore, many customers in large enterprises use SAP Enterprise Threat Detection on the SAP application level for monitoring the SAP environment and integrate the alerts of SAP ETD into an existing classical SIEM solution for further processing and correlation with events on the IT infrastructure level. This can be easily done by using the Alert Publishing API supported with SAP ETD. Alerts from the SIEM solution can also be forwarded to SAP ETD. As an example, a suspicious entity such as an IP address has been detected on the infrastructure level and to get an understanding what harm this IP address else has done, this IP can be further investigated in SAP ETD on the application level.

When it comes to how to start the implementation of an SAP Security Information and Event Monitoring solution, it is highly recommended to follow a step-by-step approach. Start monitoring your SAP applications and protect your most critical data by implementing the most critical use cases. Enhance the use cases based on your risk analysis.

Either way, you have an alarm system for SAP applications with typical Attack Detection Patterns, that are provided directly by SAP. Focus: Protect the most important data stored in SAP systems!

Managed service for IT Infrastructure and monitoring of suspicious activities:

Based on these requirements, many companies need support to run an SAP Security Information and Event Monitoring solution. This can be provided with a managed services approach. These services can contain the software (SAP Enterprise Threat Detection), the hosting of the solution in a secure data center and additional services for daily operations.

a) Managed Security Services


The “Managed Security Service” helps customers to manage suspicious activities in the IT landscape. It does not matter where the SAP systems are located and operated. On Premise or Hosting scenarios are both supported. SAP security experts evaluate the alerts and investigations. Special alarm system scenarios can be tailored to minimize project costs and maximize the security level for the most important data. In a workshop with the customer, an experienced security consultant defines together with the customer what the most important data for the company is and how this data can be protected in the future.

Internal and external attackers leave traces while gaining access and can be detected before the actual attack starts. This is the reason 24*7 or 8*5 (hours*days) approaches are not always necessary. It may be enough if an experienced security expert works one hour on Monday and Friday to detect and evaluate anomalies in the SAP systems. These settings have already been established by SAP customers. Customers can define the volume of the service based on a Service Level Agreement (SLA) according to their individual needs. Customers get easy and comprehensive reporting functions concerning suspicious activities. Only in the case of an attempted or successful attack, the customer will be alerted by the managed service team and the further reactions will be evaluated.

b) Hosting

A lot of customers look for support in the hosting area. For SAP Enterprise Threat Detection hosting solutions are possible too. It starts with the installation of SAP HANA Platform, the SAP HANA Streaming Analytics and SAP ETD. Sizing based on the expected log volume is included. The application can be operated in different data centers, based on the offer of SAP and the hosting partners. Customers can choose different certificates and ISO standards. Even a hosting of SAP ETD only is possible. In this scenario SAP systems can be run On Premise, only SAP Enterprise Threat Detection will be installed in the data center.


Summary: Protection against attacks on SAP application level is already possible today through different services from SAP and partners. This can be achieved without additional burdon on valuable internal resources. Different service level agreements assure a tailored service to guarantee the business needs of your company.

Don’t be afraid of SAP attacks. Our Managed Security Services help protect your business.


Further information:

If you need more information, explore the following link to the SAP Community: