From finance to logistics to human resource management, companies base their key business processes on SAP solutions. These are advanced, highly integrated, business-critical IT systems and, at the same time, a very attractive target for cybercriminals. Therefore, in an era of growing digital threats and tightening EU regulations, such as the NIS2 directive, companies are increasingly turning to advanced solutions to monitor and protect these systems, including Security Information and Event Management (SIEM) systems.
MS Sentinel: the new era of SAP cyber security
Keep your guard up over SAP
Fences, monitoring, security... Protection against unauthorized physical access is an important means of building company security. MS Sentinel, the digital guardian, is worth engaging to protect key IT systems. Integrating the SAP environment with this SIEM-class platform is one of the most promising directions in comprehensive support of transaction system security. MS Sentinel not only provides tools to monitor SAP performance and to detect and prevent incidents, but will also ensure compliance with regulations and industry standards.
SAP - the integrated nervous system of any organization
SAP environments can be very sophisticated and tailored to the needs of individual companies. This makes them act as the integrated nervous system of an organization, connecting its various departments, allowing them to streamline operations and make better decisions. At the same time, this complexity makes it difficult to protect the systems.
The wide range of products, functionalities and modules translates into tens of thousands of transactions that need to be managed and controlled. At the same time, the complexity of the system architecture, the way permissions are managed and the interfaces with numerous external components are a major challenge in terms of ensuring cyber security. This is difficult to accomplish without the right tools and expertise.
The traditional division of competencies in the SAP ecosystem typically looks like this:
- SAP Basis technical layer (infrastructure, operating system, database, technical parameters),
- modules (application settings),
- satellite equipment and systems – often from third-party companies.
This fragmentation causes difficulties as early as the stage of identifying who is really responsible for the security of the environment as a single business whole. An island approach to security management ("each area is responsible for its own part") is ineffective against most threats. Therefore, in order to secure their key systems and achieve a new quality of security management, organizations must support themselves with modern SIEM-class platforms.
MS Sentinel - next generation SIEM for SAP
The Microsoft Sentinel solution for SAP applications is the answer to these challenges. Thanks to its flexibility and scalability, it is ideal for monitoring SAP environments – both on-premise and in the cloud, using:
- correlation of logs collected from different sources,
- threat analysis using artificial intelligence,
- automation of incident response.
SAP generates huge volumes of logs, only a small fraction of which are relevant to security. The correlation function, with appropriate rules, filters events, assigns business relevance and prioritizes by risk. This allows the teams of the SOC (Security Operations Center) to focus on real threats, instead of drowning in irrelevant alerts.
On the SAP systems side, integration with Sentinel requires consideration of certain boundary conditions:
- SAP NetWeaver 7.5+ with active security audit (RSAU_CONFIG);
- SAP roles: /MSFTSEN/SENTINEL_CONNECTOR and /MSFTSEN/SENTINEL_AGENT_BASIC assigned to a technical user;
- Transaction access: SU01, PFCG, STMS_IMPORT, RSAU_CONFIG;
- SAP Notes: 3390051 and 382318 – NetWeaver configuration for Sentinel integration.
Thanks to automated reporting, cybersecurity administrators don’t need to know the details of the SAP environment – Sentinel pinpoints specific, named threats – whether they are repeated authentication attempts, changes in user privileges or mass data downloads. The system not only detects threats, but also enables their automatic neutralization thanks to SOAR (Security Orchestration, Automation and Response) functions – you can, for example, block a user, trigger alerts or initiate processes in accordance with the security policy.
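The correlation and risk prioritization described above can be pictured with a small model. This is an added example, not Microsoft Sentinel's rule language or its SAP table schema; the event fields, system IDs, criticality weights and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical schema (not the Sentinel table layout).
EVENTS = [
    {"ts": 0,   "sys": "PRD", "user": "JSMITH", "kind": "logon_failed"},
    {"ts": 20,  "sys": "PRD", "user": "JSMITH", "kind": "logon_failed"},
    {"ts": 45,  "sys": "PRD", "user": "JSMITH", "kind": "logon_failed"},
    {"ts": 60,  "sys": "PRD", "user": "JSMITH", "kind": "logon_ok"},
    {"ts": 90,  "sys": "PRD", "user": "JSMITH", "kind": "role_change", "target": "JSMITH"},
    {"ts": 100, "sys": "DEV", "user": "ADEV",   "kind": "logon_failed"},
    {"ts": 130, "sys": "DEV", "user": "BUILD",  "kind": "download", "rows": 900_000},
    {"ts": 200, "sys": "PRD", "user": "MKOWAL", "kind": "download", "rows": 400_000},
    {"ts": 260, "sys": "PRD", "user": "MKOWAL", "kind": "download", "rows": 700_000},
    {"ts": 300, "sys": "PRD", "user": "MKOWAL", "kind": "logon_ok"},
]
CRITICALITY = {"PRD": 3, "QAS": 2, "DEV": 1}     # assumed business relevance per system
WINDOW, MAX_FAILS, MAX_ROWS = 300, 3, 1_000_000  # assumed thresholds (seconds, count, rows)

def correlate(events):
    """Return alerts as (risk, system, user, finding), highest risk first."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["sys"], e["user"])].append(e)
    alerts = []
    for (sys_id, user), evs in by_actor.items():
        found = {}  # finding -> base severity
        fails = [e["ts"] for e in evs if e["kind"] == "logon_failed"]
        for i in range(len(fails) - MAX_FAILS + 1):
            if fails[i + MAX_FAILS - 1] - fails[i] <= WINDOW:
                last = fails[i + MAX_FAILS - 1]
                ok = any(e["kind"] == "logon_ok" and last < e["ts"] <= last + WINDOW for e in evs)
                name = "repeated failed logons" + (", then success" if ok else "")
                found[name] = 3 if ok else 2
                break
        if any(e["kind"] == "role_change" and e.get("target") == user for e in evs):
            found["user changed own privileges"] = 3
        loads = [e for e in evs if e["kind"] == "download"]
        for first in loads:
            total = sum(e["rows"] for e in loads if 0 <= e["ts"] - first["ts"] <= WINDOW)
            if total >= MAX_ROWS:
                found["mass data download"] = 2
                break
        # Risk = base severity weighted by how critical the affected system is.
        alerts += [(sev * CRITICALITY.get(sys_id, 1), sys_id, user, f) for f, sev in found.items()]
    return sorted(alerts, key=lambda a: (-a[0], a[2], a[3]))

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Of the ten constructed events, only three findings survive, all on the production system; the single failed logon and the sub-threshold download on DEV produce no alert.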
Also of no small importance is the fact that Microsoft Sentinel has been certified for the following environments: SAP S/4HANA Cloud, SAP S/4 on-premises and RISE with SAP. It supports both cloud and hybrid environments, making it a universal tool, regardless of the architecture of the environment. SAP security thus ceases to be insular and becomes comprehensive and manageable.
MS Sentinel in action
Synergy with NIS2
Microsoft Sentinel also fits into the requirements of Article 21 of the NIS2 directive – as one of the technical means necessary for effective IT incident management, incident reporting or risk management support and business continuity. SAP, as a critical system, must be covered by these requirements. And Sentinel will support the organization in meeting these obligations by automating, centralizing and documenting security-related activities.
A large part of the companies using SAP are operators of key or important services, which in the near future – after the amendment of the National Cyber Security System Act – will be required to implement regulations under the NIS2 Directive. Among the obligated companies are those in the energy, transportation, manufacturing, healthcare and other industries.
SAP security is a must
SAP security is not a luxury – it’s a necessity. In a world where data is the most valuable asset and cyber threats evolve day by day, integrating SAP with a modern SIEM, such as Microsoft Sentinel, gives organizations a real advantage. Implementing the solution is a step towards modern security management, but also a response to the requirements of the NIS2 directive, thus turning technology into a business protection strategy. Organizations that opt for such a solution gain not only regulatory compliance, but also a real increase in the security level of their key systems.
Incidents that MS Sentinel detects - examples
- Unauthorized changes to the system
- Privilege escalation
- Attempts to circumvent SAP security mechanisms
- Creating "backdoors" and external interfaces
- Mass data retrieval (exfiltration)
- Access attempts from suspicious IP addresses