Buyers Guide to SAP Enterprise Threat Detection
SAP Enterprise Threat Detection (ETD) is the premier solution from SAP for identifying and responding to cyber attacks in SAP applications. ETD collects and analyzes log data from SAP systems and uses predefined patterns to detect Indicators of Compromise (IOCs) and trigger alerts for suspected security incidents. ETD includes graphical tools to support log analysis and detailed forensic investigation. Users can also create and publish custom patterns and alerts.
In addition to identifying potential threats, SAP ETD monitors the implementation status of required security notes in SAP solutions. Users can review the details of relevant notes including CVSS information and maintain the processing status of each note.
Anomaly detection is also supported by SAP ETD. The solution includes several patterns for anomalies, defined as events that deviate from normal or usual behavior in system landscapes.
ETD is a powerful solution capable of detecting and responding to cyber threats against SAP solutions in real time. It is available as an on-premise or cloud deployment, and can even be licensed as a managed service.
However, there are several drawbacks with SAP ETD, especially in comparison to alternative solutions available from SAP partners.
Unlike solutions such as the Cybersecurity Extension for SAP that use an addon approach to implementing advanced threat and response for SAP applications, ETD requires additional servers and infrastructure to host required components including SAP HANA, Kafka, Zookeeper, and streaming tools. This leads to more complex installation and maintenance procedures compared to software addons that can be installed and maintained in existing systems within SAP landscapes with comparatively low effort.
ETD is also bundled with relatively few attack detection patterns. The most current version and support package level of the on-premise edition of ETD includes approximately 175 patterns. The cloud edition of ETD provides fewer than 50 patterns. The recent release of the Cybersecurity Extension for SAP delivers far more coverage with over 1000 built-in patterns.
Furthermore, although ETD is capable of monitoring SAP infrastructure including third party databases and operating systems, standard patterns in ETD include very few patterns for the database and OS layer. In contrast, the Cybersecurity Extension for SAP includes hundreds of patterns not only for SAP databases such as HANA and ASE but operating systems including SUSE Enterprise Linux, Red Hat Enterprise Linux, and Windows Server.
However, the most important drawback of SAP ETD is that it does not support the full suite of cybersecurity capabilities to address cyber risks in SAP solutions. ETD provides coverage for treat detection and patch management. However, it does not provide any support for other important areas such as access control, vulnerability management, custom code security, and compliance monitoring. Coverage for such areas would require the licensing of additional solutions from SAP or integrating capabilities from other platforms such as SAP Solution Manager. Full-suite solutions such as the Cybersecurity Extension for SAP provide integrated capabilities across all cybersecurity scenarios through a single, unified product and license. In addition to comprehensive threat detection and response with anomaly detection, the Cybersecurity Extension for SAP monitors critical access and segregation of duties risks for SAP solutions such as ECC and S/4HANA. It also performs automated vulnerability scans to detect more than 5000 vulnerabilities in SAP applications and infrastructure. Finally, it performs automated audits to detect compliance gaps with more than 15 regulatory and security frameworks and standards, including GDPR, NIST, PCI-DSS and the SAP Security Baseline.