Keynote Mittwoch, 19. März 2014 (09.30 – 10.3009.30 – 10.30)
Applied Security Product Research at SAP AG
Dr. Michael Schmitt, SAP AG
Abstract: Already today SAP provides many different Products, Tools and Features to secure SAP systems against Attacks. Some examples are:
- Security patches to be implemented in the SAP systems
- Pro-Active Code Scans before delivery to find potential vulnerabilities
- Product to do Code Scans at the customer code for SAP systems
- Identity Management product to centrally provide users and authorizations
- A special Single Sign On Product that is optimized for SAP system access
- Secure Audit Log where certain security relevant actions of users are logged
- Support of many Security standards (e.g. in the Web Services Security area)
- Read Access Logging Feature, that logs the viewing of sensitive data
These products/tools are all very helpful. However, if it comes to an attack in the networks, the system landscape or in applications, the above tools mostly provide helpful information to analyze the attack and its impact, but they do not do the analysis, or they just remove known vulnerabilities. By that, SAP customers and companies in general have some challenges today:
Large amount of data
In large enterprises the number of systems, mobile devices and network devices is between several 1.000s and sometimes even more than 100.000s. Additionally, only one SAP system has dozens of different, security relevant logs. Furthermore the number of events occurring in systems and networks is between several 100 Million to even Billions per day. Hence, there are peak sizes of different events of 1 Million Events per Second.
Related issues and consequences
The time slots to detect an attack when the event data is flowing by, are very small. It becomes even more complicated to detect co-incidences of one event to other events in such small time slots.
End to End analysis of an attack over several thousand data sources is rather difficult. Today, often the data must be searched separately from the different sources in order to analyze the end-to-end picture and by that to estimate the impact of an attack to the business. As additionally the search times are partly very long in large amounts of data, the results from the analysis are provided very delayed.
Furthermore, complex attacks consist of combinations of separate single vulnerabilities, including malicious actions on different levels (e.g. network level, database level, application level), which in combination are again more difficult to detect.
As a result, it might happen, that today, attacks are not all detected, although the information about the attack is available but hidden in the bunch of data.
Rule-based analysis of ‘The Known’
In the very most cases, current tools and methodologies focus on the search of attacks by known attack patterns. If the pattern is known, it can be reactively searched for in all the available data sources. These searches are predefined and exclusively designed to find a certain attack. They most likely do not find other attacks.
As a result, we are hence at least partly ‘blind’ about attacks ongoing, which do not adhere to the known/examined patterns.
Looking for solutions
One of the tasks of the applied security product research at SAP is the detailed analysis of the SAP customers’ challenges in the IT security area and the need to find adequate solutions for it. This paper deals with the current research efforts at SAP to address the above mentioned challenges. SAP’s current research focus is the examination of the use of SAP’s in Memory Database approach to become able to analyze the masses of data in real-time, and to enable the detection of different types of attacks. On the one hand these are attacks that can be detected if several data sources from network components and from the application area are combined, furthermore the goal is to do this in near real-time . On the other hand, we look for approaches to detect ‘The Unknown’, e.g. by either making it easy to examine the data with human intelligence, or by using so called predictive analysis tools.
SAP’s future goal is to develop a product that provides these advanced possibilities to detect, analyze, potentially predict and avoid attacks against enterprises.
Michael Schmitt promovierte 1994 in Physik an der TH Darmstadt und ist seit 1999 bei der SAP AG tätig. Dort war er unter anderem in den Bereichen Anwendungsentwicklung, sowie seit 2004 in der Entwicklung von Connectivity- und Security- Features und Produkten als Projektleiter und Abteilungsleiter tätig. Zurzeit ist er als Abteilungsleiter verantwortlich für die Forschung und Entwicklung neuer Sicherheits- Features und Produkte der SAP AG, die unter Ausnutzung neuer Technologien neue Möglichkeiten in der IT Sicherheit eröffnen. In der Abteilung sind zurzeit 10 Studenten in Praxisphasen, eine Master Arbeit und 2 Bachelor Arbeiten im Bereich Forschung zu angewandten Sicherheitsthemen aktiv. Zusätzlich hat die Abteilung eine enge Zusammenarbeit mit SAP Security Research in Sophia Antipolis, Frankreich, sowie mit mehreren großen Kunden der SAP in Europa und USA, die die aktuelle Forschung und Entwicklung aktiv begleiten.