Partner - ArcSight for SAP SE Overview

  • Writer: Pavan Raja
  • Apr 9, 2025

Summary:

This document outlines a partnership between HP/ArcSight to improve SAP solutions focusing on fraud and business risk management, aiming to address regulatory compliance trends and stakeholder expectations in effective risk management. The solution includes integration with ArcSight for enhanced SIEM capabilities within SAP environments, use case development addressing high-risk transactions and sensitive data protection, and potential cost savings through automated monitoring and real-time threat detection. The partnership leverages HP's expertise in IT infrastructure and ArcSight's advanced security analytics capabilities to create a comprehensive framework for SAP users managing regulatory compliance risks effectively. Key components include an integrated solution with four main modules (data gathering, correlation, multi-dimensional, and response/status data staging), integration through the ArcSight Logger API and CEF utilizing Java for SAP environments, use cases addressing high-risk transactions, unauthorized access, and potential misuse of SAP systems by specific individuals like Robert Jackson. The solution aims to prevent fraud, theft, and other malicious activities within organizations by implementing robust security measures such as denial of service attempts, segregation of duties policies, and real-time monitoring using systems like ArcSight. It also helps reduce costs associated with compliance assessment and audit efforts while improving the integrity of SAP systems and data handling practices.

Details:

This document outlines a partnership between HP/ArcSight to enhance SAP solutions, focusing on fraud and business risk management. The solution is designed to address regulatory compliance trends and rising stakeholder expectations in managing risks effectively. Key components include integration with ArcSight for enhanced SIEM capabilities within SAP environments, use case development addressing high-risk transactions and sensitive data protection, and a demonstration of potential cost savings through automated monitoring and real-time threat detection.

The solution comprises four main modules: a collection layer for data gathering, an analytical layer for correlation and analysis, a multi-dimensional correlation layer, and a response/status data staging area. Integration with SAP is facilitated through the ArcSight Logger API and CEF (Common Event Format), utilizing Java for SAP environments. Use cases are developed to address specific risk areas such as high-risk transactions, privileged account usage, SAP application configuration settings, and remote interface functions.

The partnership aims to combine HP's expertise in IT infrastructure with ArcSight's advanced security analytics capabilities to create a more comprehensive framework for SAP users to manage regulatory compliance risks effectively. This includes automating manual monitoring processes, minimizing fines from non-compliance, protecting intellectual property, and enhancing overall network security by detecting anomalies that might lead to breaches or fraud. The solution is designed to help organizations reduce costs associated with compliance assessment and audit efforts while improving the integrity of their SAP systems and data handling practices.

The document outlines several scenarios involving high-risk transactions, unauthorized access, and potential misuse of SAP systems by an employee named Robert Jackson. These scenarios are designed to illustrate the importance of implementing robust security measures to prevent fraud, theft, and other malicious activities within organizations.

Scenario One focuses on managing inherently high-risk transactions, where Robert Jackson attempts payment fraud by trying to disable logging during the payment matching printing process in SAP. This action is detected through physical access badge scanning and unapproved changes in SAP security roles, which are monitored by ArcSight for correlation among sensitive users.

Scenario Two revolves around protecting intellectual property, demonstrating how a former contractor was able to extract highly sensitive bill of material data from the SAP system despite its proper termination process being disabled. This is detected through unauthorized access to production environment configurations and direct program execution in an unapproved manner.

Scenario Three addresses preventing fraud based on segregation of duties violations, where Robert Jackson uses his conflicting system access to divert goods for personal gain, creating false sales orders and linking them to a fictitious customer "local sports" with the intention of selling the diverted goods on eBay. This is detected through configuration settings changes, direct program execution, and remote interface function usage in unapproved manners.

To summarize, these scenarios highlight the importance of implementing strong security measures such as denial of service attempts, segregation of duties policies, and real-time monitoring using systems like ArcSight to detect unauthorized activities and potential fraud within SAP systems.

The document also discusses SAP Enterprise View Drill Down Dashboards, which are part of the ArcSight solution for monitoring and analyzing risks associated with user activity in SAP systems. These dashboards provide both high-level overviews and detailed views of suspicious activities, such as violations or high-risk behavior. Key features include statistical risk analysis, pattern discovery, and integration capabilities with SAP GRC (Enterprise Governance, Risk, and Compliance) tools. The ArcSight SAP Enterprise View includes visualizations like the SAP Actor Threat Dashboard, which highlights top high-risk users based on their threat and business risk scores. The SOC may receive notifications about specific individuals, such as Robert Jackson, who have a high threat score warranting further investigation. Additionally, statistical analysis that monitors for anomalous transactional rates and pattern discovery that can identify deviations from normal behavior are part of this solution.

The integration between ArcSight and SAP GRC (Access Risk Management) includes monitoring actual transaction data to detect segregation of duty violations, detecting anomalies in centralized emergency access, and monitoring unauthorized changes in SAP security roles or user provisioning processes. This integration extends to eGRC by providing control effectiveness test results and key risk indicator inputs for risk analysis.

The document also presents several use case examples demonstrating how the ArcSight solution can adaptively monitor risks based on actual activities within an organization. These examples include a former employee accessing SAP, where the system automatically detects and monitors suspicious activity; an administrator misusing privileges to unlock their account using a backdoor method; and another instance of misuse involving privileged users. In summary, the ArcSight SAP Enterprise View provides advanced risk monitoring tools that can adaptively respond to potential threats in real time, using both automated anomaly detection and pattern analysis capabilities. This solution is designed to complement existing GRC frameworks by offering detailed insights into user activities within SAP systems, thereby enhancing overall security posture.

Further use cases involve shared accounts, sensitive transactions outside of approved maintenance windows, and exited employees with active SAP account access within an organization. The document highlights the role of ArcSight SAP Enterprise View in detecting these issues through multi-dimensional correlation, risk model creation based on user activity against enterprise meta-directories, and adaptive detection methods. The use cases demonstrate how this tool can help organizations mitigate risks associated with shared accounts, unauthorized access to sensitive transactions, and potential misuse by terminated employees. The document also points out the limitations of current solutions in effectively managing these issues due to limited time scale monitoring capabilities or false positives from exempted systems like specific portal systems. It emphasizes the importance of improved security measures and awareness for at-risk users such as contractors and new employees, which can be enhanced through technologies like ArcSight SAP Enterprise View that provide better management of SAP access privileges and higher awareness of potential risks.
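
Two of the use cases above, exited employees with active SAP access and sensitive transactions outside approved maintenance windows, can be expressed as rules over CEF events. The following is an added example, not ArcSight's or the source document's logic; the sample events, vendor string, user IDs, transaction-code list and maintenance window are all constructed assumptions.

```python
import re

# Constructed sample events in CEF; vendor/product strings, users and keys are illustrative.
SAMPLE_EVENTS = [
    r"CEF:0|ExampleVendor|SAP Audit|1.0|AU1|Logon successful|3|suser=MSMITH rt=1700003600000",
    r"CEF:0|ExampleVendor|SAP Audit|1.0|AU1|Logon successful|3|suser=JDOE rt=1700003700000",
    r"CEF:0|ExampleVendor|SAP Audit|1.0|AU3|Transaction started|5|suser=MSMITH rt=1700007200000 cs1Label=TransactionCode cs1=PFCG",
    r"CEF:0|ExampleVendor|SAP Audit|1.0|AU3|Transaction started|5|suser=ADMIN01 rt=1700050000000 cs1Label=TransactionCode cs1=SM19 msg=audit config changed, filter\=none",
]
TERMINATED_USERS = {"JDOE"}                  # assumed export from an HR / meta-directory feed
SENSITIVE_TCODES = {"SM19", "PFCG", "SE38"}  # illustrative set, tune per environment
WINDOW_MS = (1700000000000, 1700014400000)   # constructed 4-hour approved window (epoch ms)

def parse_cef(line):
    """Parse a CEF line into one dict of header fields plus extension keys."""
    # Split on unescaped pipes only; the 8th part is the whole extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    keys = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
    event = dict(zip(keys, parts[:7]))
    event["version"] = parts[0][4:]
    # Extension values may contain spaces, so locate each "key=" and slice between them.
    ext, marks = parts[7], list(re.finditer(r"(?:^|\s)(\w+)=", parts[7]))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        value = ext[m.end():end]
        event[m.group(1)] = value.replace(r"\=", "=").replace("\\\\", "\\")
    return event

def detect(lines):
    """Return (rule, user, detail) findings for the two use cases."""
    findings = []
    for ev in map(parse_cef, lines):
        user, rt = ev.get("suser", ""), int(ev.get("rt", 0))
        # Rule 1: any activity by an account whose owner has left the organization.
        if user in TERMINATED_USERS:
            findings.append(("terminated_user_activity", user, ev["name"]))
        # Rule 2: sensitive transaction code started outside the approved window.
        tcode = ev.get("cs1") if ev.get("cs1Label") == "TransactionCode" else None
        if tcode in SENSITIVE_TCODES and not WINDOW_MS[0] <= rt <= WINDOW_MS[1]:
            findings.append(("sensitive_tcode_outside_window", user, tcode))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```
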

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
