Unmatched SAP Security with Microsoft Sentinel for Gold Mining Company

Goal: Select and implement a SIEM solution that would minimize the risks of insider threats and ensure comprehensive security monitoring of the corporate SAP ERP system, while also meeting the cost-efficiency requirements.

Solution: Infopulse seamlessly integrated Microsoft Sentinel into the client’s hybrid infrastructure, implemented 80+ custom security monitoring rules, and provided consultations on establishing an efficient incident management process that would allow reacting to alerts in near real-time.

Benefits: The capabilities of Microsoft Sentinel coupled with tailored security rules allowed the company to enable the utmost protection of their SAP environments, rapidly detect potential threats, and significantly reduce TCO costs, all while optimizing the work of the internal security team.

Services delivered: Cybersecurity & Security Assessment services, Microsoft Sentinel implementation, SIEM/SOAR Deployment.

After seamlessly integrating Microsoft Sentinel into the client’s complex hybrid infrastructure, Infopulse developed, tested, and deployed 80+ custom security monitoring rules to ensure unmatched data protection for the client’s SAP ERP.  

As a result, the gold mining company received a full range of benefits: 

• Reinforced security posture – the robust security monitoring powered by Microsoft Sentinel helps the gold mining company safeguard their SAP landscape, minimizing the risks of costly data breaches.
• Rapid threat detection – the near real-time incident management system empowered our client with the rapid detection of illegitimate operations and suspicious user behavior.
• Reduced TCO – in addition to having all the required monitoring capabilities, Microsoft Sentinel turned out to be the perfect choice cost-wise and is simpler to deploy, configure, and fine-tune in comparison to alternative SIEM tools.
• Cost optimization – by implementing cloud-based Sentinel, the company could optimize costs for purchasing, setting up, and supporting additional on-premises infrastructure.
• Flawless system interoperability – by integrating Microsoft Sentinel with the client’s on-premises SAP system and the backup cloud-based ERP, Infopulse ensured a smooth flow of security logs across all estates, thus helping the client avoid duplicated efforts and extra costs.
• Streamlined security operations – some security rules were adjusted to exclude the “alert fatigue” for the client’s security operators. Moreover, Infopulse provided in-depth guides on incident analysis and response for the company.

Technical Details

At the beginning of the project, the key task for Infopulse was to ensure seamless interoperability and data exchange between Microsoft Sentinel and the client’s cloud-based and on-premises IT infrastructure. Our team used Microsoft’s proprietary data connectors for SAP applications to integrate Microsoft Sentinel with the client’s backup ERP system that resides in the cloud (Microsoft Azure).  

The integration of Microsoft Sentinel with the client’s SAP ERP was performed via the following approach. Our team configured and deployed a log forwarder – a Linux-based virtual machine that collects the logs from the Cloud and on-premises SAP environment and transfers them to Microsoft Sentinel for further processing.

To connect the company’s on-premises SIEM system IBM QRadar with Microsoft Sentinel, Log Analytics workspace in Microsoft Azure and Cloud REST API connector were used, both being officially supported by Microsoft and IBM platforms.  

Consequently, Infopulse proceeded with the development of 80+ security event monitoring rules that fall into one of three categories:  

• Custom security monitoring rules tailored to the client’s requirements 
• Built-in Microsoft Sentinel rules for monitoring SAP environments
• A set of rules that was based on SAP Enterprise Threat Detection

The implementation of the security rules was highly dependent on the deployed SAP modules and the specifics of the client’s operations. Infopulse worked in close cooperation with the client’s security team, as well as employees from various departments to outline normal and abnormal user behavior across finance and accounting, HR, supply chain management, and other processes. To maintain business continuity for the company, our team did not establish any restrictions – the entire analysis was carried out in the form of a seamless process discovery.

The security rules were designed to combat both intentional and negligent insider threats. Some of the examples include – the detection of unauthorized access attempts, illegitimate operations, or configuration changes in the SAP environment, as well as suspicious user activities, such as direct connection to the database, transferring large volumes of corporate data to a USB flash drive, etc.  

Ultimately, the security monitoring rules developed by Infopulse served as a foundation for enabling near-real-time incident management, which includes the following stages:  

• A security event occurs in the SAP system and generates logs that are transferred to Sentinel
• Microsoft Sentinel analyzes the logs to identify illegitimate actions/abnormalities and triggers an alert
• The security operator analyzes the alert and responds according to the internal security policies

Infopulse thoroughly reviewed and tested each of the 80+ security rules. Upon confirming that the rule was feasible and worked as expected, our team continued to improve it. Certain rules had to be optimized, as they generated too many incidents, which could potentially hamper the work of the security operators. Therefore, to minimize the “alert fatigue” for the client’s security team, some of the rules were implemented in the form of dashboards, regularly checked by the operators. 

Last but not least, to further facilitate the work of the client’s security team, we developed numerous playbooks with detailed instructions on how to analyze and respond to specific security alerts.