Security information and event management at Basis Consulting

Interview with: Roger Skjetlein

How to improve and automate security threat detection in your SAP landscape
Customer case for Zalaris

Introduction

Secure placement of your SAP data is, or should be, one of your key priorities in SAP operations. SAP is the backbone of a company’s business. If your data gets exposed, it can result in your customers losing trust and thereby loss of business. In recent years, more and more SAP businesses have been opening up access to SAP from the internet. At Basis Consulting, we have seen customers take security shortcuts to get their data online quickly. Unfortunately, security doesn’t always come first, and those shortcuts never seem to be a problem…until you are exposed.

Security can also be boring, and it can add some overhead costs that users don’t like. But security projects can also be “fun”. Roger, one of our infrastructure consultants, is doing an interesting development project for security. I caught up with Roger on Friday. He was in his office in Trondheim, and we did this interview via Skype.

Roger Skjetlein

Hey Roger. What is this security project you are working on?

Well, I’m now developing a Security Information and Event Management implementation, aka SIEM.

Good. We should always use at least a four-letter acronym. What does SIEM do?

SIEM aims to combine and correlate data logs from multiple sources to enable and give an overview of security threats, not isolated to a typical monitoring system, but across the ecosystem as a whole.

Where can you find the sources for those threats?

When you run an SAP datacenter, you don’t only run SAP databases. In a datacenter setup you have several potential ways to get exposed. Besides the SAP system logs, you have IDS (Intrusion Detection System) logs, firewall logs, web server logs, operating system logs and probably some more logs I can’t remember. Those logs are what the SIEM uses. SIEM correlates these logs. For now I have focused on IDS, web servers and SAP servers. The SIEM system tells me who is accessing what and when. All these data are collected in the SIEM system.

That sounds like a lot of data, Roger. Is it?

Yes. This is big data. During a week it gathers around 100,000,000 events.

Where do you store all this data?

I have built a cluster of servers, and this cluster is split up in shards where the data gets indexed. The indexes are also replicated between the cluster nodes for high availability.

Can you tell us what kind of software SIEM is running?

There is a lot of our own development and configuration, but the solution is based on Elasticsearch. It’s popular open source code, and many of the big companies are using it. Verizon, eBay, Facebook, Orange and many others are using Elasticsearch.

Nice one, Roger. What do you get out of this big data?

The SIEM system gives the bigger picture of security threats. Without SIEM you are in a way looking through a keyhole. We can now see the wider context of the traffic to our customers’ systems. SIEM is, for example, a very important tool during a DoS attack.

Have you found some possible threats in the SIEM yet?

Hmm… Roger is doing a demo and drills down into some events. “Look here, Svein. Here we have traffic from ‘ZmEu’. That looks suspicious. Let’s find out what this is”, Roger says. Within a few clicks Roger can see that ZmEu is a vulnerability scanner which searches for web servers at Basis Consulting that are open to attack through the phpMyAdmin program. Two clicks later, Roger can also identify the geographical location. It’s from a small city outside Shanghai in China. I ask if we should take a plane to Shanghai and visit this scanner guy. “It’s tempting, Svein, but we have control. We blacklist all hostile traffic. He will need to take his scanner elsewhere”, Roger says.

Roger that, Roger! I hope you have a lot of clean logs and very few events in the SIEM console.

Interviewer: Svein Kolden, BC employee – svein@basis-consulting.com
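The correlation Roger describes (web server and IDS logs joined on the source address, with the ZmEu scanner probing phpMyAdmin as the concrete case) can be sketched in a few lines. This is an added example, not Basis Consulting’s SIEM code or an Elasticsearch query; the access-log lines, the IDS alert format and all IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data, not from the interview: web-server access-log lines in the
# combined format, and one IDS alert in a simple constructed format, sharing one source IP.
WEB_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:01:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [10/Mar/2016:10:01:03 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"
192.0.2.55 - - [10/Mar/2016:10:01:40 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:10:02:00 +0100] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
IDS_LOG = """\
2016-03-10T10:01:03+0100 alert "WEB-MISC phpMyAdmin setup.php access" src=203.0.113.7 dst=192.0.2.10
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
IDS_RE = re.compile(r'^(\S+) alert "([^"]+)" src=(\S+)')

SCANNER_AGENTS = ("zmeu",)             # user-agent substrings of known vulnerability scanners
PROBE_PATHS = ("/phpmyadmin", "/pma")  # paths a phpMyAdmin probe typically requests

def parse_web(text):
    """Parse combined-format access-log lines into dicts; unparseable lines are skipped."""
    fields = ("src", "ts", "method", "path", "status", "ua")
    return [dict(zip(fields, m.groups())) for m in map(WEB_RE.match, text.splitlines()) if m]

def parse_ids(text):
    """Parse the constructed IDS alert format into dicts with ts, sig and src."""
    return [dict(zip(("ts", "sig", "src"), m.groups()))
            for m in map(IDS_RE.match, text.splitlines()) if m]

def correlate(web_events, ids_events):
    """Group events per source IP and record each independent signal marking it as hostile."""
    signals = defaultdict(set)
    for e in web_events:
        if any(s in e["ua"].lower() for s in SCANNER_AGENTS):
            signals[e["src"]].add("scanner user-agent")
        if e["path"].lower().startswith(PROBE_PATHS):
            signals[e["src"]].add("phpMyAdmin probe")
    for e in ids_events:
        signals[e["src"]].add("IDS alert")
    return dict(signals)

def blocklist_candidates(signals, min_signals=2):
    """Sources with at least min_signals independent signals; one phpMyAdmin hit alone is not enough."""
    return sorted(ip for ip, s in signals.items() if len(s) >= min_signals)

if __name__ == "__main__":
    found = correlate(parse_web(WEB_LOG), parse_ids(IDS_LOG))
    print("blacklist candidates:", blocklist_candidates(found))
```

The single-signal source (an administrator opening phpMyAdmin with a normal browser) is kept out of the candidate list; only the address seen by both the web server and the IDS is proposed for the blacklist.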

About Basis Consulting
Basis Consulting is certified as an SAP Advanced Hosting Partner and SAP-certified in SAP HANA Operation Services. Our data center is specially designed for SAP. We keep SAP operations secure and simple for our customers.
About Zalaris
Zalaris serves more than 170,000 employees each month, across multiple industries and with many of the region’s most reputable companies within telecom, retail, insurance and banking: industries with high security and compliance demands. As Zalaris grows, the need for information security is among its highest priorities.