Good afternoon, ladies and gentlemen, and welcome everyone to our webinar, "Effective Threat Detection for Enterprises Using SAP Applications". This webinar is supported by SAP, and the speakers today are Arndt Lingscheid, who is Solution Owner SAP GRC Security and Data Protection at SAP, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. Within the next hour or so we will touch, I think, quite a number of aspects when it comes to really effectively implementing security and detecting threats for the SAP application landscape.
And before we dive into the subject of today's webinar, I will quickly give you some housekeeping information before we then start with the content of the webinar. So first, you are muted centrally, no need to care about it. We will do a Q&A session by the end of the webinar, and you can enter your questions at any time using the GoToWebinar control panel, which is usually at the right side of your screen.
The more questions, the more interesting it is. We are recording the webinar and we will provide the slide decks for download for you as well, so that you can review what we are talking about. And last but not least, we will run two polls during the webinar and discuss these results, as time allows, during the Q&A session. And that is what I wanna do before we move to the first part of the agenda. I wanna ask you a question about which type of cyber security attacks you perceive as most threatening to your organization.
So is it ransomware, or the relatively new software supply chain attacks, CEO fraud, or targeted attacks on critical line of business applications, or something else? So please take a little time to provide your perspective. The more, the better it is.
So I would say another 10 seconds or so. Okay, thank you. With that, let's have a look at the agenda. As I've said, we will look at the poll results later on. The agenda is split, as for most of our webinars, into three parts.
In the first part, I'll talk about threat detection and the breadth versus depth aspects we need to look at when we think about threat detection. In the second part, Arndt Lingscheid of SAP will talk about SAP Enterprise Threat Detection, cloud edition, in detail. And finally, we'll do, as I've already announced, our Q&A session. And to start with my part: we have a lot of change in the line of business applications world, where I think that when we go back a few years, that world looked very different from what we frequently find today and what we can expect to find tomorrow.
So it's a very fundamental change. And what are, from my perspective, so more the external, the outer analyst view, the two most relevant things to look at? On the one hand, we see an emergence from on premises to hybrid to SaaS models. And on the other hand, we see some tendency to say, okay, for whatever particular problem, we use this SaaS vendor or that SaaS vendor.
And these again become acquired by others. SAP, for instance, did quite a number of acquisitions in that space. So we have a trend that goes from this sort of traditional, very frequently more single-vendor world to a more SaaS, but remaining hybrid, somewhere stuck in the middle, to a certain extent multivendor world, but with a main supplier, which very frequently is SAP and will remain SAP. So we have a level here for the subject of today, the challenge, that in the end it's a more complex world, less monolithic; a lot of things become more complex.
And so this is something we need to address when we look at it from all the angles. We talked a while ago about the GRC part, the access control part in SAP and other applications; today we will focus more on the threat detection aspects. So what does it mean in that world to efficiently protect against threats? And the part I'd like to start with then is the depth.
As I said, I'll talk a little bit about breadth and talk about depth, and the depth part.
I think that line of business applications are a little bit sort of the, the underestimated threat.
So we see a lot of things happening when it comes to access controls and also some to auditing and stuff like that: firefighter things, procedures, etcetera.
This is quite established. But when we look at, for instance, where most of the SIEM, the security information and event management tools focus, that is more the network level. It's the identity level. There are things like that. But when we create a graphic, and analysts like matrices, on one axis in my graphic I have the business criticality from low to high, and on the other I have the complexity from low to high. And then line of business applications are a complex world, and they are an area with a high business criticality.
If these applications fail due to an attack, your business is in trouble, maybe very severe trouble even, depending on the application and the time of your business.
So they are business critical. They are relevant to attackers, specifically when it comes to targeted attacks. It's not easy to understand them, because you need a lot of specific domain knowledge; the network- and system-centric tools aren't really focused on these.
And so at the end, what I'd like to bring over as a message is: they need special care by specialized solutions, which provide the depth and analysis also for the specifics of these applications. So we have this challenge that there's a world that is critical and complex, and we need to address it.
The second aspect is breadth. And for breadth, you don't need to look at the details of this graph. What this is, is just sort of an excerpt of an exercise I did with some of my analyst colleagues a while ago, where we said, okay, how do all these acronyms and technologies in cybersecurity relate to each other?
So XDR to EDR and NDR and MDR and SIEM to SOAR and so on. And this is part of the result: too many technologies. I think we can't say anymore many technologies. We have too many technologies when we need to understand what we really need.
There are a lot of emerging technologies; some of them at some point even might again, so to speak, disappear, merge into something else. There are many, many overlaps, as this graph illustrates. Even without looking at the details, I think the sheer structure of the graph with all the links shows the complex relationships. But we also have a lot of outdated technologies, stuff which is probably not the most modern and most relevant security technology anymore. So, beyond sort of the scope of this webinar,
One of the things I strongly recommend is: step back, look at what you have, sort of collect all the assets of cyber security technology, cyber security tools, try to understand what their impact on risk mitigation is, whether you can consolidate, whether you can replace. So really do sort of an assessment, a portfolio assessment, at the end of the day, to understand how you can optimize what you're doing and how you can better focus.
This is, I believe, a very important exercise to do, one of the things my colleagues in the advisory of KuppingerCole Analysts, for instance, do quite regularly. The other thing is then, when we go back to our line of business applications, the entire complexity in this breadth versus depth discussion also means we need specialization. Because when we go to sort of a cross-system threat detection versus SAP-centric threat detection, then cross-system looks at network events and system-level events,
while specific tools look at SAP-specific events and integration capabilities for cross-system correlation. And then there are some things in the middle, which are frequently common but with different focus, like your log and event analysis, correlation, anomaly or outlier detection, alerting, etc.
So there's a common set of capabilities, but there's also the need for specialization.
And at the end, also for integration, for bringing these worlds together so that you can relate the specific aspects of a line of business application to the generic aspects of cross-system threat detection. Doing that is not easy. And that brings us to services, who can help you, who can assist you, who act, so to speak, as your concierge. So you have an internal SOC team,
if you're large enough; if not, you might anyway rely on a managed service provider, a managed security service provider, a SOC service, whatever. You have your SAP specialists, you have your managed security service providers, and you have also the cloud service provider. There are different layers and different capabilities. And what you need to do is combine them. You might, as I've said, even have for your security operations center, for the SAP world, a lot of external partners.
And what from my perspective definitely helps is when you have the right partner infrastructures in place and align them well: the SOC, the SAP, the MSSP people, and at the end, the ones which help you running your cloud services. You can't do this yourself anymore. At least most of the organizations can't, and I know many very large organizations with hundreds of thousands of employees which massively rely on services, on partners and so on. So it's a matter of teamwork. And this means this entire thing goes beyond tools. You need to understand what you need in tools.
There are many tools still; as I've said, try to assess which of the tools really deliver the benefit you want to see. But there are also the processes you need to put in place, even more when you deal with multiple parties. Then it's about responsibilities and accountabilities. It's about RACI matrices or target operating models, where you define how the different people and the different technologies work together. And it's about people, and for security, it's about everyone.
It's about security and IT people and the specialists from SAP, it's about the IT management, but it's also about everyone, because everyone is involved in cybersecurity and might be the person first observing something going wrong. So think beyond just the tool perspective. The tools are important, but without the right framework of people, of services, of processes around it, the tool is of little value.
For instance also, you need to plan this, you need to do this at various levels. I'm still a big believer in plan, build, run, improve, at four different levels. Yes, for implementation,
it's agile, sure. But in the end, every second week or so you do a little bit of a plan, build, run, improve cycle. For strategy, it's long term. It's about: what do you need in security, why do you need security, and alignment. For instance, this is security and business continuity management, and your line of business applications are what can at the end destroy your business if they fail due to an attack. And so you need to work on the strategy, to also continue to improve it, to adapt it to new risks. Or the architecture: which elements do you need?
And don't forget things like the line of business applications to put it into place and to run it.
And that run thing always will be something which requires, as I've said, a certain level of services. This is something which nowadays, to a certain extent, comes from the cloud, comes as a service, because security is so complex that it's virtually impossible to do it just internally.
So this is where you need to work on, and put things like threat detection for your SAP landscape in this context: what does it mean from a strategy, from an architecture, from an implementation and from an operations perspective? This is my message for today. And before I hand over to Arndt Lingscheid, I'd like to come up with my second poll. And that one is very simple to answer. It's just yes or no: do you already have a solution in place for SAP-specific threat detection? So another 15, 20 seconds; please provide your answer here. The more we have, the better it is.
Okay, thank you. With that, I'd like to hand over to Arndt Lingscheid, and he will now look at SAP Enterprise Threat Detection, cloud edition, in detail. Arndt, it's your turn.
So what we've seen on the news actually is that a system was not available, a system is being hacked, an organization is being hacked. We do see this, yeah, every other week or almost every week. But we sometimes see as well the additional note that a certain amount of data, a certain amount of critical information has been stolen from an organization, may it be credit card information, may it be product information,
may it be information about the salary of certain people within an organization. And that always actually should tell us a little bit: hey, somebody somehow accessed the real business data of that organization. And then that was populated to the internet, or has been traded on the darknet or whatsoever. And this actually tells us, hey, there could be an SAP system behind this as well, because SAP is the biggest vendor of ERP systems worldwide.
And therefore it is most likely that such systems can be hacked as well, or have been hacked as well, especially when we are looking towards high privileged users, as soon as I can reach a high privileged user with inside of an SAP environment. Yeah. I can do almost anything with inside of an SAP application and then start doing any kind of manipulation with inside of an SAP application as well. And that could also lead to a misstatement of the financial books when we do have a closer look at the types of hacks that can occur there. Okay.
And this is actually why we've invented Enterprise Threat Detection quite a few years back. But nowadays, since we're suffering as well a huge, yeah, gap in cybersecurity experts, especially when it comes to SAP, we've created SAP Enterprise Threat Detection, cloud edition, and we are delivering a managed service together with this cloud product.
So in general, the definition of Enterprise Threat Detection does not really change here. So it gives us really the transparency into any kind of suspicious user behavior,
any types of anomalies that are happening inside of the SAP business applications, to identify and stop these, yeah, security breaches. So by the end of the day, it is a SIEM solution tailored to the needs of SAP. That's one way to describe it. Or another way to describe it: it is a user behavioral analysis solution to track hackers' activity.
Therefore Enterprise Threat Detection actually uses highly efficient and automated processes based on our HANA database technology, using machine learning to track hacker activity, and uses the predefined and easily customizable attack path patterns of the use cases that we deliver together with Enterprise Threat Detection. So, but now what makes it so special here? Now we deliver everything of Enterprise Threat Detection in the cloud.
So years back customers needed to install a HANA database, run enterprise threat detection on top.
Then there's some other components to enterprise threat detection. All that complexity actually is gone now because we have the whole deployment in the cloud and everything is done by SAP in that case. So we have a pure cloud provisioning and that is not integrated with the security managed service. So it does not. That really then helps our customers, that they don't have to have the experts sitting 24 by seven in front of the enterprise threat detection monitor as well.
So this is then the job that SAP can take over here too, and then send an alert as soon as something really critical happens to or within an organization. So then the analyst can take time, look at all the suspicious events and then take the decision: okay, this is a false positive, or now here is something really bad happening with inside of the organization.
And then therefore can start informing the customer via the standard APIs or via an alert email, or directly send this information into the security operations center of an organization.
In addition, the customer then gets an overall reporting of all the different types of incidents that happened throughout the whole month. But he can additionally download, as it happens, each and every single alert and transfer this in addition to his security operations center and add this information to his generic SIEM solution, that's how we usually then call it. So the benefits to this then are pretty clear. Organizations can concentrate more on their own business.
They don't have to have so many SAP security specialists on board. Not saying that you don't need any SAP security specialists, that would be completely false. You would still need SAP security specialists, but maybe you're not needing that many security specialists, because you still would have to handle the security incident as soon as something is happening inside of your organization.
And maybe somebody needs to take some action here.
And this is where we are then helping to safeguard the operation of an SAP application and improve the continuity of the business of our customers. And Enterprise Threat Detection then helps the security professionals to protect the IP of an organization. And that overall hopefully makes our customers sleep better by the end of the day. So how does Enterprise Threat Detection work overall? So on one hand, we do have the source systems. They maybe are spread all over the world.
And the only thing now for the on-prem version: a customer would have to add a log collector to the SAP instance, to pick up the SAP logs and send them to Enterprise Threat Detection, cloud edition, which is based on the Business Technology Platform. So then the data is being enriched with some contextual data and sent to Enterprise Threat Detection.
The data then additionally, as soon as it arrives in Enterprise Threat Detection, is normalized and pseudonymized.
So even our analyst cannot see who exactly, or which user in your organization, is doing something, but we do see the pseudonym to it. And we can inform you then later on who exactly it was when we reveal, so to say, the pseudonym and make the real name visible, but therefore we have to have an additional authorization. And then we can start analyzing all the different types of events that are coming in and start correlating the different types of events. This can be really huge amounts of data.
So we at SAP are talking about 250,000 events that are coming into our Enterprise Threat Detection installation. This is huge. Customers usually don't go to this size, but usually customers maybe run 5,000, 15,000, 20,000, maybe 50,000 log events per second.
But you see, with the HANA database underneath, that's all no problem. Then we can start integrating any SAP log into the cloud edition. And within the upcoming releases, we will then be able to add other, non-SAP log information to the cloud Enterprise Threat Detection system as well.
And then we can automatically evaluate and detect, with the real use cases that we are delivering to our service here, in real time, if something is happening inside of the environment. In addition to that, we can even then start forensic analysis and threat modeling. So we can really sit an analyst in front of the monitoring and say, hey, come on, we'd like to go for some threat hunting for this and that organization. And then we would be able to do this, to find new attack vectors, to find out maybe something else is happening inside of the systems landscape.
So with the security service that is included within Enterprise Threat Detection, that's what we call the basis service, we do 24 by seven alerting. So you will be able to receive the alerts 24 by seven, and then, as soon as one alert arrives inside of the system, the analyst starts working on analyzing this alert a little bit closer. But he for sure has to do this in a risk-based and prioritized way. Maybe there are 1000 alerts in different organizations and there are only two, three, maybe four investigators working at that point in time.
And then they would really have to look which is the highest priority, which do we have to take care of first. That's just the way how we set up this shared managed service. And then the customer, as soon as possible, gets a decent information:
is this a true positive, or is this a false positive, or maybe we should not even inform him about a false positive, or make a clear statement to the customer when he needs to take some action then. We do deliver a comprehensive set of SAP-designed standard patterns as well.
So around 50 standard patterns that we do deliver out of the box, and this is what the customer can use within the basis service. And that's where we then do the monthly full report with all incidents. And you can as well receive the log data then too, if you did not connect it yourself on your end. This has been deployed in different data centers. We can do a local service provisioning here. In general, the language is English,
since we do have analysts sitting all around the world. Adding the extended services to this, customers are then able as well to have a special contract with committed response times.
As I said, we cannot always say we are able to deliver a response to an alert within five minutes, but with committed response times we can get to this. And then we can start doing any type of individually adapted security analysis. So we can go for forensic analysis. We can go for threat hunting. We can have any type of customized service level agreements. We can create own customer-based patterns, and so on
and so forth. So then we can really open up the box for the customers and do whatever an organization usually would do within their own security operations center, enhancing the services bit by bit. And this is what we would have to do, taking care of the most critical assets with inside of your organization.
The use case categories are actually very easy to describe. First of all, the use of critical resources: any kind of execution of critical functions, reports, transactions; change, manipulation, or spy-out of business data; or the change or manipulation of any type of critical configuration with inside of the SAP system.
For sure, any type of user manipulation, like an uplift in roles, or maybe a reference user assignment, could lead to that
a hacker is being able to access a functionality that he normally should not be able to reach, or even the user morphing from a technical user, maybe, to a dialog user where I can then log on. And then for sure, we do have the whole area of debugging: debugging within critical systems, within the productive environments, even changing variables during that debugging session or changing the control flow within the debugging,
so the program starts reacting differently during this debugging session, which could lead to any type of fraud or data spy-out there as well. And for sure, we have a look at the system access. Usually it is not the, yeah, too many failed logon attempts because the user failed to log on.
He was not able to log on, but maybe it is five, 10 failed logons, and then suddenly the user is being successful, logging onto the next system.
He tried to attack with maybe standard users and standard passwords, and then he's gonna get inside of the system. But maybe that should really then trigger an alert with the security operations center: hey, somebody tried at 10 different SAP systems with 3, 4, 5 standard users and standard passwords, and now he's logged onto the productive environment with another user. That's really a suspicious user behavior.
And that's where customers should really have to take care. And that's what we can then alert on there as well, or any other types of suspicious actions, of dynamic program execution, dynamic code changes that are happening in the productive system, that usually should not take place in a productive environment.
So these are roughly the areas where Enterprise Threat Detection then helps the customers. For the setup, that's pretty simple, actually. We do have our SAP systems worldwide.
We only would have to install the log collector, which is an on-prem installation, but it is really only a small Java application that routes all the data coming from the different types of SAP systems into the cloud, towards SAP Enterprise Threat Detection, cloud edition. So the managed security service can start doing the job. And then, actually, as data comes into Enterprise Threat Detection, we can start enriching the information, analyze and correlate all the different types of logs, integrate all the SAP logs.
Even if you don't have patterns at the very beginning for a specific use case, it is still worthwhile adding more SAP logs to the service, because with threat hunting and forensics, we can still go to these logs and start examining these logs and see them in correlation with the other logs and other alerts that occurred inside of the environment.
And the same actually applies for the non-SAP logs: they can be added to the system within an additional service and then can be analyzed as well. And we can start building patterns for this.
And then the automated evaluation takes place within the system. So as the data comes in, it is being analyzed in real time, because we do this all based on the HANA technology. And that's really lightning fast. And in addition to this, we can still go at any time to forensic analysis, to, yeah, modeling of new attack path patterns, and create new dashboards there and do any type of threat modeling within Enterprise Threat Detection, cloud edition, there as well. So, a little bit more technical diagram then: the system provides the log data via the log collector.
It goes into the ETD streaming, into the HANA database, and then we can see all the different information about the threat situation of the last hour.
So 31 threats happening here. We have 193 systems connected. We did not have any errors when executing the patterns within the last hour, and so on and so forth. But this actually is all stuff that within the managed service customers don't have to take care about, because by the end of the day, they're getting an email with the appropriate information that something has gone wrong with inside of their organization.
So everything is really based on the Business Technology Platform. And we can connect all the SAP on-premise systems. So you don't have to be in the cloud to be able to use SAP Enterprise Threat Detection, cloud edition. You can connect your SAP on-premise systems to the cloud where Enterprise Threat Detection is located. If you do have other applications running on the SAP Business Technology Platform, we've already integrated them, because there's a standard security audit log there.
And we are working on adding Ariba, Fieldglass, Concur as soon as we do get the log details from them and learn them in Enterprise Threat Detection. But as well, you can already add all the different SAP systems you might already run within the HEC environment or in a PCE environment from SAP, connecting, but still, to other SIEM solutions via our API that we deliver with the cloud version as well.
So as soon as an alert occurs, we can then send the information to the third-party SIEM, including the original log information and the enriched information from Enterprise Threat Detection. So this is really a standard interface here that customers use already, even in the cloud. It's been used very heavily in the on-prem versions already in the past years, but this is available for the cloud as well and can be used for the cloud as well.
And what we've just recently created for Enterprise Threat Detection is a connection to the SOAR solutions, because you might like to take some action as well. So we integrated the automated response solutions that are available as well, using actually the same API, because they're gonna receive the information about an alert, and then can trigger the right action, maybe towards the up services or block an IP address within the firewall, and at the same time terminate a user session with inside of the SAP system.
So that's the reason why we took the more generic approach here: integrate Enterprise Threat Detection into the standard SOAR solutions via this API, not creating an own additional SAP piece of software that concentrates on automated reactions within an SAP environment. And we've worked, for example, together with Fortinet to create such interfaces, where now the information flows from Enterprise Threat Detection into their system.
And then that system connects with the SAP system and then takes the action with inside of the SAP environment.
So SIEM and SOAR integration are completely standard nowadays for Enterprise Threat Detection, and as well for the cloud edition. Okay. This is a little bit of description about the API interface. I think we've discussed this already. And then, as soon as the data is being sent from the SAP environment via the log collector into the HANA tenant of the customer (so every customer has an own HANA tenant within the Business Technology Platform), the patterns are then executed. The engine analyzes all the information.
And then, as soon as an alert occurs, the security analyst really then starts doing his job, starts examining the alerts and evaluates whether there is something really critical in there, whether there are any true or false positives, and then informs the customer as well about the investigation.
And then the customer will receive the monthly report as well. So I do have a short demo, if we still have a little time for this. So I can just quickly move this to my presenting screen. So I'm already logged on to Enterprise Threat Detection, cloud edition, to our demo system.
So this is where I find my investigation reports and my monthly reports. I can filter via the severity or customer notification or any type of descriptions or an ID, or just simply scroll down. And let's have a look at the different alerts that occurred during the past months within this system.
So for example, we do find a potential user account misuse, a debugging, or critical function calls, or SAP* usage here, or user admin group assigned, a segregation of duties been violated, or we have some user type change, a reoccurring high amount of failed logons.
We can as well have a look and download the investigation report; I've prepared this already here for you. And then we can have a look at the investigation report, where we do get a decent description as well:
what happened exactly inside of this scenario, which user, which time it was, which IP address was involved. And then we get all the relevant, useful information to clarify inside of my organization what was happening here exactly. Maybe, yeah, check on the user himself, or block maybe a user's PC or IP address, and whatsoever.
And there, you can see as well the triggering events. So there were several events that actually correlated to this single alert or led to the investigation here. I can then as well, have a look at the monthly reporting and get the monthly reporting here for February. That's where I just simply get a list of all the different types of reports and can then see how many different high notifications I have and medium notifications and low notifications or investigations have been done during the past months.
All right. Stepping forward a little bit. Yeah.
That's the slides to the demo that I've done. So it's inside of the presentation, so you can have a later look at this as well. When starting with Enterprise Threat Detection, we usually have some stage where we have the need for SAP security monitoring. We have a contract start date, and then between this, we do need about four weeks' time to get all the system being set up. And then we can start the preparatory meeting where we start onboarding the customer, where we can already send an onboarding guide to the organization that wants to onboard to this service.
And then we can set up the business technology tenant for the system. And then we are gonna go into a joint kickoff in a one day workshop where we then start looking at all the basis patterns, for example, can do some modifications there to make it proper use for the organization. And then we can fast start with the all over operation within the cloud. So we do have really a goal to be productive within maybe one, maybe two months, which is very, very good compared to older days where customers struggled quite a lot to set up a technology like this. All right.
For sure, there are additional services that we can deliver around this, like risk mitigation services, investigation services, and integration services. For sure, I can describe this here a little bit, but I think we have to come to the end here and would like to discuss some of your questions and yeah.
So you, can you, yeah, we at least can have a little chat as well here about some topics you might like to ask.
As the agenda says, we are approaching the Q and A, especially as we have quite a significant number of questions already here. So let's look how far we come with answering these questions. Some have been touched to a certain extent, but I think it's also good to go back to these aspects, and we will anyway hand over the questions to you afterwards so that you can follow up directly where required.
So one of the questions we have here is that sort of the more medium size, maybe also some of the mid-market companies, depending on how you define the market segments, clearly are faced with the challenge that they should have something like ETD in place, but on the other hand, it is still worked from a cost perspective. So are there any plans also for more sort of an SMB edition, or do you think that what you have already can be well tailored also to, let's say, the not that big organizations?
Yeah. It's a very, very interesting question. Thanks for, thanks for this.
Anyway, the thing is, it's a little bit funny. Actually, we thought when we created Enterprise Threat Detection, cloud edition, it was mainly focusing on, yeah, smaller organizations, mid-size organizations, because they're struggling most to have the security analyst on board, the security specialists, to be able to run an application like Enterprise Threat Detection. So for us, it was clear: for them, it is the most difficult thing actually in the world. And that's how then we set up this shared managed service.
So we have one analyst, for example, for different types of organization or different organizations. So they can split. We can really split the cost and we can really lower the cost for such a service within Enterprise Threat Detection, cloud edition.
But the interesting thing, then, what happened is among our first 10 customers, we found one of the biggest German, yeah, industry companies. So we can already actually scale from very small customers to larger organizations, and with the additional services that we can have with the extended services in Enterprise Threat Detection, we can then start tailoring it to each and every single company's need, and every single company can then do a completely risk based approach with Enterprise Threat Detection.
So some stay with a smaller amount of patterns, which they are okay with, and others will go far beyond that.
Okay. Great answer. Next question. You talked about 250 K events per second. And one of the questions here is if ETD is in the cloud and consumption for services, a ton of events per second, how do you get all the data fast enough into ETD in the cloud? So isn't the transfer of all that event information potentially becoming a bottleneck?
Well, as far as we experienced until now, it is not. I've mentioned the 250,000 events per second, but that's really the internal use that we do have in SAP; for our on-prem installation, customers usually are around 5,000, 50,000 events per second. So this is much, much less than 250,000, and the smaller customers we are mainly focusing and targeting with Enterprise Threat Detection, cloud edition, are more between, yeah, maybe 5,000, 10,000, 15,000 events a second.
And this is really an amount of data that can be transferred easily, but yes, for sure it is by the end of the day a matter of bandwidth to send this data over for being analyzed, that's pretty clear. But we don't have a volume based license metric within Enterprise Threat Detection. We just simply look at the amount of users that are using the SAP system, and that is the metric for us. So we are not looking at the amount of the data volume that would then increase the licenses here. Yeah. But we don't do this.
I'm a big believer, by the way, in this approach of licensing, because I think it's not a very good idea to penalize the use of security analytics by charging for the amount of data that is analyzed. This is totally counterproductive. And so we need surely different metrics than the amount of storage or the amount of data, or the amount of bandwidth consumed, but it must be something which enables and encourages to do the analytics instead of saying, okay, I need to be very careful what I put under analysis because it might become too expensive.
So I think this is definitely a better model than I've seen at several of the vendors in the SIEM and SOAR space specifically in the past. It's getting better, but it's still a challenge. Okay.
I think we have time for two or three more questions. One is what are the differences in capabilities between the on-prem and the cloud edition?
Yeah, that's a good question, too, for sure. We've created or had to create Enterprise Threat Detection, cloud edition, nearly or almost from scratch new in the Business Technology Platform. So we don't have all capabilities compared to the on-prem version as of now, but since we do have this cybersecurity or this managed service that we can add, we can almost cover most of the functionalities that are not given at the moment within the cloud version. So customers usually don't really recognize.
We still kept our strong analysis engine that we have within Enterprise Threat Detection; we still have the HANA database underneath. And for sure, within functionality, especially as well in reporting, Enterprise Threat Detection, cloud edition, will grow dramatically within the upcoming years. And our future goal for sure is to see functional parity between both of the products, but already today, one of the biggest targets actually is to consume all SAP logs; all different types of application logs need to go into Enterprise Threat Detection.
This needs to be done for the on-prem world, and this needs to be done for the cloud world. But this is one job because we've unified this. So we still have people working in this area working actually for both products, for example, and this makes function parity of both products coming to us, yeah, easy within time. Yes.
Okay. To answer one question from my side, which came up a couple of times: yes, the slide deck will be provided for download probably around tomorrow when you go to the webinar link, and the recording of the webinar as well.
I think one more question we can take, and the one I'd like to pick is: what is the process to work with SAP to get custom use cases or attack vectors included? For all the other questions that are here, as I've said, we will hand them over to Arndt so that he can follow up directly, because we still have some six or eight questions open.
Yeah.
That's pretty simple. As soon as you start talking about Enterprise Threat Detection, cloud edition, with your account executive, you just need to drop my name, for example. And then we can start building upon the service. It actually is being delivered by the CA organization of SAP. And then we can arrange the contract with the CA organization that then can deliver such additional services to Enterprise Threat Detection, cloud edition.
Okay. With that it's time to say thank you. Thank you to Arndt for all the insight you provided.
Thank you to SAP for supporting this KuppingerCole webinar. And thank you to all attendees for listening to this KuppingerCole Analysts webinar. Hope to have you soon back at one of our other events, meet I events or virtual events only. And so thank you, as I've said, for all the interest in the subject of today's webinar.
Excellent.
Thank you, Martin, as well from my end. And thanks to the participants. Have a great time. Bye-bye.