At the same time, Microsoft also wanted to implement a centralized SIEM solution that detects and helps prevent threats. The SIEM tools in use were effective, but the monitoring structure was inherently reactive because it didn’t allow for real-time monitoring. When a potential threat or an active security incident was identified, an alert was generated. However, the time to assess and remediate threats was variable, and response lags were common. Further, the process for addressing some vulnerabilities involved patching, for example, so any exposure remained open until patches were applied across the system. Finally, there wasn’t an easy way to follow an SAP security alert through the system to determine the remedial actions taken within Microsoft and by whom.

Microsoft also recognized that the existing SAP SIEM solution didn’t always meet its stringent compliance requirements and didn’t permit sufficient visibility into the entire threat environment. And from an enterprise-wide perspective, Microsoft was essentially operating separate corporate and SAP security solutions, an outdated model that the company sought to replace. The new monitoring solution, when operational, would include a separate Sentinel instance for SAP but would also fully integrate with the Microsoft corporate Security Operations Center (SOC).
“Considering that any breach in Microsoft SAP applications could have catastrophic consequences for us, we knew that we needed a solution that enabled rapid vulnerability detection and monitoring capabilities to reduce risks to the organization,” says Kusuma Sri Veeranki, a senior software engineer and SAP security lead for Microsoft Digital, the organization that powers, protects, and transforms the company. “We needed an internally managed and configured SIEM solution that could baseline user behaviors and detect anomalies across SAP to include the OS and network layer, the database layer, and the application and business logic layers.”

The ideal solution, Veeranki says, would also permit visibility into all other systems, products, and applications that interconnect with SAP.
SAP as Microsoft Sentinel ‘customer zero’

To develop its new SIEM solution for SAP, the organization decided to use Microsoft Sentinel, a relatively new product, in conjunction with Microsoft’s existing security, orchestration, automation, and response (SOAR) platform. Developed initially for Microsoft Azure, Microsoft Sentinel is designed to collect data and monitor suspicious activities at cloud scale by using sophisticated analytics and threat intelligence. Recently cited in a Forrester Consulting study as an efficient, highly scalable, and flexible SIEM solution that incorporates Azure Log Analytics, Sentinel is also the first cloud-native product in the market.
“We’re excited to be able to use the capabilities that Sentinel provides our customers out of the box along with SAP-specific capabilities on an initiative as important as Microsoft SAP security,” says Yoav Daniely, principal group product manager on the Microsoft Security, Compliance, Identity, and Management (SCIM) team. “This represents a new approach in SIEM solutions.”
To configure Microsoft Sentinel to monitor the entire Microsoft SAP environment, which includes 15 SAP production systems, six of them Sarbanes-Oxley (SOX) systems, the engineering team and the Microsoft Azure product group recognized that the solution also needed to provide cross-correlation coverage. Cross correlation is the ability to surveil the entire organization, including the junctures where SAP integrates with other systems and applications such as Microsoft Dynamics 365. For example, Sentinel could detect a hypothetical scenario in which a user creates a new payee in Dynamics 365 and then also “pays” that payee in SAP, activity that neither system would flag on its own.

[Figure: Microsoft Sentinel for SAP monitoring solution highlights.]

“Our objective is to deliver a configurable solution that has the ability to monitor end-to-end processes and take the appropriate action as defined within the system, including those that should be stopped,” says Aaron Hillard, principal software engineering manager and SAP security lead in Microsoft Digital. “Many of the current products on the market are SAP-centric but are limited in their integration capabilities. So, we’re customer zero for leveraging Microsoft Sentinel for SAP security and for enabling that cross-correlation capability.”
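The Dynamics 365 / SAP cross-correlation scenario above, written out as an added example that is not code from the Microsoft Digital project or from the Sentinel SAP solution: both event feeds are constructed, the field names and the 24-hour window are assumptions, and the check flags one identity that both created a payee in Dynamics 365 and paid it in SAP, which neither feed reveals on its own.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), already normalised to one shape:
# (ISO-8601 timestamp, user, action, payee id). The field names are assumptions.
DYNAMICS_EVENTS = [
    ("2024-03-04T09:12:00", "alice", "PayeeCreated", "V-1001"),
    ("2024-03-04T10:40:00", "bob", "PayeeCreated", "V-1002"),
    ("2024-03-01T08:00:00", "carol", "PayeeCreated", "V-1003"),
]
SAP_EVENTS = [
    ("2024-03-04T11:05:00", "alice", "PaymentPosted", "V-1001"),  # same user, 2 h later: flag
    ("2024-03-04T11:30:00", "dave", "PaymentPosted", "V-1002"),   # different user: normal SoD
    ("2024-03-06T09:00:00", "carol", "PaymentPosted", "V-1003"),  # same user, 5 days later
]


def find_sod_violations(dynamics_events, sap_events, window_hours=24):
    """Return (user, payee, created_at, paid_at) for every payee that one identity
    both created in Dynamics 365 and paid in SAP within window_hours.

    Each feed looks normal on its own; only the join across systems exposes the
    segregation-of-duties break. window_hours is the tuning knob that trades
    coverage against alert noise (assumed value, not a Sentinel default).
    """
    window = timedelta(hours=window_hours)
    created = {}
    for ts, user, action, payee in dynamics_events:
        if action == "PayeeCreated":
            created[(user, payee)] = datetime.fromisoformat(ts)
    hits = []
    for ts, user, action, payee in sap_events:
        if action != "PaymentPosted":
            continue
        created_at = created.get((user, payee))
        if created_at is None:
            continue  # paid by someone other than the creator, or payee not created in Dynamics
        paid_at = datetime.fromisoformat(ts)
        if timedelta(0) <= paid_at - created_at <= window:
            hits.append((user, payee, created_at.isoformat(), paid_at.isoformat()))
    return hits


if __name__ == "__main__":
    for user, payee, created_at, paid_at in find_sod_violations(DYNAMICS_EVENTS, SAP_EVENTS):
        print(f"SoD alert: {user} created payee {payee} at {created_at} and paid it at {paid_at}")
```

Widening the window surfaces the five-day case as well, which is exactly the kind of fidelity trade-off the article describes later when it discusses false positives.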
Ultimately, the goal is to equip Microsoft Sentinel to assess and respond dynamically to all security threats across all enterprise hosts, platforms, applications, and business processes, and then provide automated remediation as feasible and appropriate. The risk scenarios that Microsoft Sentinel addresses will continue to expand as the product evolves.

“Sentinel gives us the ability to monitor the data and activities holistically, because Microsoft, like many other enterprises, uses numerous systems throughout the operations environment,” Veeranki says. “That’s a key differentiator of Sentinel compared to SIEM systems that are designed purely for SAP.”

Microsoft Sentinel incorporates advanced machine learning and AI capabilities that identify suspicious patterns and activities that previously defied detection. Additionally, it is able to readily integrate numerous platforms and products that enterprise companies use and enable organizations to customize configuration to meet their security-monitoring needs.
Managing massive inputs efficiently with an innovative data connector

To date, the Microsoft SAP and Microsoft Sentinel SAP threat monitoring engineering teams have identified an initial 27 high-risk scenarios that encompass a broad range of use cases. These use cases involve changes in system, client, or audit-log configuration, and suspicious or unauthorized user logins, data access, or role assignments. Monitoring also covers account-modification or password-change activities, and any audit-log manipulation or brute-force attack, among others. Other risk scenarios are being identified with respect to highly sensitive business and financial threats, and the teams are developing and completing proofs of concept for those scenarios. The SAP and Sentinel teams will continue to expand the threat-detection capabilities of Microsoft Sentinel and the risk scenarios that it addresses as the product evolves.
The Microsoft SAP footprint is massive and change management within the platforms is highly complex. Therefore, to prevent system overload because of memory requirements, the engineering team must deploy a robust yet nimble mechanism to accommodate the vast amount of data coming into Microsoft Sentinel. To that end, the engineering team developed a Microsoft Sentinel-specific data connector that manages SAP inputs in a manner that’s specific to the underlying applications. The connector facilitates a complete security solution to visualize, alert, and respond to threats, and it’s easily configurable through built-in watchlists that match specific environment needs.

The data connector extracts data for monitoring, stores it, and then moves it through Sentinel in an incremental manner that the system can “understand,” says Anirudh Dahuja, an SAP platform engineer in Microsoft Digital. “Otherwise, there’s a risk of overloading the system, an issue that we’ve encountered,” he says.
To make efficient use of the new tool, the engineering team used indexing to accommodate unwieldy tables and expedite querying. The team also incorporated secrets connectivity by using Microsoft Azure Key Vault, which provides a secure store to create, store, and maintain the keys that access and encrypt cloud resources, apps, and solutions. To manage the requisite memory optimization, the team used Docker containers to host the data connector functions before moving data into Microsoft Sentinel through custom Microsoft Azure APIs.
There’s another challenge that Microsoft Sentinel engineers are experiencing and working to remedy: how to reduce the “noise” in the monitoring system so as to differentiate between authorized, permissible activities and real threats that warrant action. Because Sentinel is designed to detect a very broad range of potentially suspicious or intentionally malicious activities, the alerts it raised initially included many false positives.

“That’s something we’re working on now: improving alert fidelity and fine-tuning the system to produce fewer false positives,” Veeranki says.
She adds that Microsoft will continue to share the challenges and remedies that teams discover as the Microsoft Sentinel implementation proceeds. Customers then can accelerate their own implementations by using these learnings.
Tallying early Sentinel benefits and moving forward

Microsoft Sentinel allows for comprehensive cross correlation across enterprise resources, in addition to SAP, thereby helping identify known and previously difficult-to-detect security threats in near real time. That’s a capability high on the wish list for many of Microsoft’s existing enterprise customers. Interestingly, two other critical Sentinel benefits are emerging. Despite the initiative’s early development stage (it’s been less than a year since its inception), Microsoft Sentinel has proved highly scalable and customizable from the outset. It also promises to engender efficiencies generally for Microsoft security operations, by providing a single SIEM system and “pane of glass” through which to continuously view security logs, alerts, and incidents across the enterprise.

Further benefits, still in development, are the advanced analytics being integrated to help detect anomalies in activities involving SAP systems and the automated remediation that Microsoft Sentinel will eventually provide. That’s a winning combination, in Dahuja’s view.

“That’s the biggest advantage of using Sentinel for SAP monitoring: the analytics. There are a lot of other tools in the market that alert you to SAP threats, but that’s where they stop. Microsoft Sentinel offers a scalable cross-platform solution to detect and mitigate threats in near real time,” Dahuja says. “We’re not only detecting threats but also quickly responding to and remediating them.”
Microsoft Sentinel: Protecting Microsoft's SAP Workload