Standard protection products’ signature-based, one-size-fits-all approach cannot deal with the custom nature of targeted attacks and their dedicated perpetrators. Advanced attack groups utilize malware, social engineering, and hacker techniques specially customized to the task of evading your defenses and successfully attaining their goals against your company.
By design, they will defeat standard security products utilizing generic signatures. Combating these custom attacks requires a custom defense — a new strategy that recognizes the need for a specific approach and relevant intelligence that is uniquely adapted to each organization and its attackers. A custom defense solution augments an organization’s standard security by detecting and analyzing advanced threats targeting the organization, immediately adapting protection against the attack, and enabling a rapid remediation response.
SAP systems are “high value targets” for an attacker, and the data of an SAP ERP system can be described as mission critical for every company. Therefore, attacks on such systems should be prevented, or at least recognized at an early stage of the attack.
SAP introduced a new solution, SAP Enterprise Threat Detection, to detect internal or external threats against the business system landscape. The solution detects attacks based on pre-delivered patterns, which monitor the system landscape for suspicious user or system behavior. There are various ways to attack an SAP system: standard attack techniques such as brute force attacks, internal misuse of permissions or development rights, exploitation of insecure system configuration, and identity theft.
Identity theft itself is a very widespread attack, and it starts on an employee’s device rather than directly against the business system. If an attacker is able to infect a device (personal computer, mobile device …) of an employee with access to the SAP systems, it is possible to steal the SAP credentials and to download or manipulate sensitive business information with the permissions of the stolen credentials.
To prevent these kinds of threats, it makes sense to integrate modern security solutions like SAP Enterprise Threat Detection and the Trend Micro solutions to combine their respective strengths. SAP Enterprise Threat Detection is specialized in detecting threats against business system landscapes, and Trend Micro is very strong on the network, infrastructure and endpoint level.
So let us start with an example of an identity theft attack. Modern attacks often have the following structure (simplified for our discussion):
The picture above describes an attack against the device of a business user with high SAP access rights. The first step is to place malware on the device. There are various ways to do this, such as drive-by exploits, phishing, mails or USB sticks. Once the malware is on the device, it starts to fetch further instructions from the control server. The malware can monitor the user input and wait until the business user logs on to an SAP system with user and password. If the malware is able to steal the SAP credentials, it can try to emulate a user session against the SAP system.
To counter such attacks, modern security solutions like SAP Enterprise Threat Detection and Trend Micro Deep Discovery Inspector can be combined. Each solution covers important tasks during an incident. Integration between security solutions is an important factor in fighting modern attacks on IT infrastructure.
The big picture of the integrated approach
The picture below shows a targeted attack against a company. The target is the PC of an employee with a host of permissions in the business system landscape. Trend Micro is able to collect information on the network level, on email communication (in case the malware was sent by mail) and on the endpoint. Furthermore, Trend Micro can execute potential malware in a sandbox environment to analyze its behavior. SAP Enterprise Threat Detection tracks the information flow in the business systems, which are in fact the end target of the attack. The solution monitors transaction behavior, adds business context information, and monitors the audit log (many more sources are available).
In the end, both solutions provide the IT security team with insight on the infrastructure level and on the application/business level to enable the right actions.
What is Trend Micro Deep Discovery in detail?
Trend Micro Deep Discovery is an advanced threat protection platform that enables you to detect, analyze, and respond to today’s stealthy, targeted attacks. Using specialized detection engines, custom sandboxing, and global threat intelligence from the Trend Micro Smart Protection Network, Deep Discovery defends against attacks that are invisible to standard security products.
Deployed individually or as an integrated solution, Deep Discovery solutions for network, email, endpoint, and integrated protection provide advanced threat protection where it matters most to your organization.
Trend Micro Deep Discovery Inspector is a network appliance that monitors traffic across all ports and more than 100 protocols. Using specialized detection engines and custom sandboxing, it identifies the malware, C&C communication, and activities signaling an attempted attack. Detection intelligence aids your rapid response.
This is how Deep Discovery Inspector detects attacks & threats and how it reacts (basic overview):
How to integrate Trend Micro Deep Discovery with SAP Enterprise Threat Detection on a technical level
Below is a screenshot of Trend Micro Deep Discovery. The solution found a suspicious activity (targeted attack detection) on the PC of an employee. There is one host involved. The goal is now to automatically send this information to SAP Enterprise Threat Detection, to raise the sensitivity of the system for all events related to the host and to give the security team the possibility to identify any potential harm in the business landscape.
It is easy to configure Trend Micro Deep Discovery to send alerts to other systems. The goal is now to enable SAP Enterprise Threat Detection to understand the CEF messages from Trend Micro.
To be useful in SAP Enterprise Threat Detection, the information from Deep Discovery must be normalized, so that it can be used in the forensic lab. This is where threats are analyzed and attack detection patterns are created.
In this blog, I am going to describe how this can be achieved in SAP Enterprise Threat Detection 1.0 SP02. There are two main tasks:
- Importing and running a project on to the SAP Event Stream Processor
- Preparing the SAP Enterprise Threat Detection knowledge base with the appropriate attributes for the CEF Threat Log
For the latest information, the file for preparing the knowledge base, and the ESP project, refer to SAP Note 2237819 - Integration with Trend Micro.
The Common Event Format (CEF) is one of the syslog formats that Deep Discovery Inspector supports to enable integration with third-party systems. Referring to the Trend Micro Syslog Content Mapping Guide, we can see an example of what this looks like in the CEF Threat Log:
CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested - Type 1|6|act=10.201.156.143 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 rt=Mar 09 2015 11:58:25 GMT+08:00 app=HTTP deviceDirection=1 dhost=www.freewebs.com dst=216.52.115.2 dpt=80 dmac=00:1b:21:35:8b:98 shost=172.16.1.197 src=172.16.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 cs3Label=HostName_Ext cs3=www.freewebs.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type cn3=1 destinationTranslatedAddress=216.52.115.2 sourceTranslatedAddress=172.16.1.197 cnt=1 cs5Label=CCCA_DetectionSource cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication
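To make the normalization concrete, here is an added Python example (not code from the blog, from SAP, or from Trend Micro) that parses the CEF Threat Log line above the way the ESP project has to before it can fill LogHeader and LogDetail: it splits the escaped header, reads the space-containing extension values, resolves the csNLabel/cnNLabel pairs into named attributes, and flags the duplicated act= key in the sample. The DDI_ attribute prefix and the first-occurrence-wins rule for duplicate keys are assumptions of this example.

```python
import re

# CEF header: seven pipe-separated fields; "\|" and "\\" are the header escapes.
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
# Extension: key=value pairs; a value runs until the next " key=" or end of line,
# so values containing spaces (act=not blocked, rt=Mar 09 ...) survive intact.
EXT_RE = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s+[A-Za-z0-9_]+=|$)", re.S)
LABEL_RE = re.compile(r"^(c[sn]\d|flex(String|Number|Date)\d)Label$")

# The page's CEF Threat Log sample, embedded so the example runs offline.
SAMPLE = ("CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested - Type 1|6|"
          "act=10.201.156.143 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 "
          "rt=Mar 09 2015 11:58:25 GMT+08:00 app=HTTP deviceDirection=1 dhost=www.freewebs.com dst=216.52.115.2 dpt=80 "
          "dmac=00:1b:21:35:8b:98 shost=172.16.1.197 src=172.16.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 cs3Label=HostName_Ext "
          "cs3=www.freewebs.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type cn3=1 "
          "destinationTranslatedAddress=216.52.115.2 sourceTranslatedAddress=172.16.1.197 cnt=1 cs5Label=CCCA_DetectionSource "
          "cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication")

def _unescape(text):
    # Undo CEF escapes (\| \= \\) plus \n and \r inside extension values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)

def _split_header(line):
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_KEYS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):    # escaped character is kept literally
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:]                     # rest of the line is the extension

def parse_cef(line, prefix="DDI_"):
    """Return (header, normalized attributes, warnings) for one CEF line."""
    fields, ext = _split_header(line.strip())
    if len(fields) != len(HEADER_KEYS) or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    header = dict(zip(HEADER_KEYS, fields)); header["version"] = fields[0][4:]
    raw, warnings = {}, []
    for key, val in EXT_RE.findall(ext):
        if key in raw and raw[key] != _unescape(val):   # the page sample carries act= twice
            warnings.append(f"duplicate key {key}: kept {raw[key]!r}"); continue
        raw[key] = _unescape(val)
    attrs = {}
    for key, val in raw.items():
        if not LABEL_RE.match(key):                      # cs3Label=HostName_Ext names cs3
            label = raw.get(key + "Label")
            attrs[prefix + (re.sub(r"\W+", "_", label) if label else key)] = val
    return header, attrs, warnings
```

The warnings list is what you would surface to the ESP project owner: a duplicated key in the vendor sample means the adapter has to choose deliberately which value lands in LogDetail.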
1. Importing and running a project on to the SAP Event Stream Processor
SAP Event Stream Processor (ESP) is part of SAP Enterprise Threat Detection. All events will later be stored in the SAP HANA database, but first they are sent to ESP.
The adapter for the CEF threat Log, the ESP project trendmicro_events_over_tcp_in_etd, takes the input over TCP, parses the data, and then distributes the data to the relevant fields of the LogHeader and LogDetail structures. The transfer of the resulting data to the SAP HANA database is done by an existing project, transfer_log, on the SAP Event Stream Processor. The diagram below is of the project trendmicro_events_over_tcp_in_etd.
All you need to do is to import the project trendmicro_events_over_tcp_in_etd into the SAP ESP Studio, adjust the cluster in the CCR file to correspond to the SAP ESP server, make sure that the transfer_log project is already running and then run the project for Trend Micro.
Import
Adjust the cluster on the cluster and bindings tabs:
Run the project:
You can test that the project is working by opening the InputStream for manual input and pasting the example for the CEF Threat Log into the Text field.
2. Preparing the SAP Enterprise Threat Detection knowledge base with the appropriate attributes for the CEF Threat Log
In SAP Enterprise Threat Detection 1.0 SP02, the appropriate attributes for the Trend Micro integration need to be created in the SAP HANA database. The way described here uses the Knowledge Base user interface of SAP Enterprise Threat Detection.
In short, you will start the Launch Pad in SAP Enterprise Threat Detection and click on the Knowledge Base tile. You will then go to the ATTRIBUTES tab of the Knowledge Base and maintain the attributes for Trend Micro CEF Threat Log.
Launchpad:
Knowledge Base ATTRIBUTES Tab:
There are already some attributes visible. You are going to add some new ones.
Open the CSV file containing the attributes. You will copy and paste the values into the Knowledge Base. The Name (Column B) and Data Type (Column D) must be used as is. You may adapt the other values.
For each attribute that you want to be able to use in the Forensic Lab, create the attribute in the Knowledge Base user interface.
Leave the Is Role Dependent field empty. Select Active for the Status (you can change this later if you do not want the attribute to be visible in the Forensic Lab).
Finally check that you can see the attributes in the Forensic Lab. The attributes should start with DDI.
Conclusion
As a result of the integration, the security team can filter all events from Trend Micro in the forensic lab. The host information of these events can be combined with all the information available in SAP Enterprise Threat Detection. Example: show me all infected devices reported by Trend Micro and all RFC calls from these hosts to the SAP landscape, to find out about any data breach. The security team can easily create patterns without any programming, so that they are automatically alerted in future in similar situations.