Episode #268
Introduction
In episode 268 of our SAP on Azure video podcast we talk about Security with the partner SecurityBridge.
A few weeks back we started a series of sessions focused on Microsoft Security with SAP. We have a lot of amazing tools that help customers protect their SAP solutions, but there are some really good SAP security partners in the market as well. So with this in mind, Martin Pankraz and the team have been working with these partners. Today we want to kick it off with Ivan Mans, who is the CTO at SecurityBridge. Welcome Ivan, welcome Martin to our show.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode268
Reach out to us for any feedback / questions:
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #Security #SecurityBridge
Summary created by AI
- Overview of SecurityBridge and Its Role in SAP Security:
  - Ivan Mans from SecurityBridge, together with Holger, Martin, and Goran, discussed SecurityBridge’s background, its evolution as a cybersecurity command center for SAP, and its comprehensive approach to securing SAP environments through vulnerability management, patching, code scanning, and threat detection.
  - SecurityBridge Background and Capabilities: Ivan introduced SecurityBridge as a cybersecurity suite for SAP, highlighting its 26-year history in the SAP space and its focus on providing a single platform for secure SAP operations. The platform covers vulnerability management, patch management, code scanning, and threat detection, aiming to simplify and centralize SAP security for organizations.
  - Evolution of SAP Security Needs: Ivan explained that the SAP security landscape has evolved significantly, with increasing complexity in technology stacks and a growing need for specialized tools to address various attack vectors. SecurityBridge was developed to address these needs by integrating multiple security functions and making them accessible to both SAP and IT security teams.
  - Integration with Microsoft and Partner Ecosystem: Martin and Holger emphasized the importance of partnerships between Microsoft, SAP, and specialized security vendors like SecurityBridge. They described how co-engineering and collaboration with partners bring specialized expertise and fill gaps in the broader security ecosystem, benefiting customers with more comprehensive solutions.
- Bridging SAP and IT Security with SecurityBridge and Microsoft Sentinel:
  - Ivan, Martin, and Holger detailed how SecurityBridge integrates with Microsoft Sentinel to bridge the gap between SAP application security and IT security, enabling real-time monitoring, alerting, and actionable insights for both SAP and SOC analysts.
  - Integration Architecture and Data Flow: Ivan and Martin described the integration process, where SecurityBridge collects and normalizes SAP security events and pushes them to Microsoft Sentinel using a push-based architecture. This approach allows organizations to monitor their entire SAP estate centrally, without the need for complex connectivity setups for each individual SAP system.
  - Bridging Different Security Audiences: The team discussed the challenge of translating SAP-specific security events into actionable information for IT security teams and SOC analysts, who may not be familiar with SAP terminology. SecurityBridge enriches and contextualizes SAP events, making them understandable and actionable for non-SAP security professionals.
  - Bidirectional and Contextual Enrichment: SecurityBridge not only sends SAP security data to Sentinel but also leverages Microsoft Entra signals, such as risky user states, to enhance its own threat detection and severity ratings. This bidirectional exchange ensures that both SAP and IT security teams benefit from enriched, context-aware alerts.
  - Unified Threat Detection and Response: By consolidating SAP security data with other organizational security information in Sentinel, organizations gain a unified view of their threat landscape. This enables faster, more informed decision-making and supports automated response actions through playbooks and orchestration.
- Technical Deep Dive: SecurityBridge and Sentinel Integration Process:
  - Martin and Ivan provided a step-by-step walkthrough of the technical integration between SecurityBridge and Microsoft Sentinel, including configuration, data flow, and the operational benefits of a push-based architecture for SAP security monitoring.
  - Configuration Steps: The integration process involves creating Azure resources such as data collection rules and endpoints, registering an application in Microsoft Entra, and configuring SecurityBridge to send data securely to Sentinel. Automated deployment options simplify the setup, and detailed instructions are provided for administrators.
  - Push-Based Data Ingestion: SecurityBridge uses a push-based model to send security events to Sentinel, eliminating the need for customers to open firewalls or manage complex networking. This model supports scalability and reduces operational overhead, as all SAP systems connected to SecurityBridge are covered automatically.
  - Monitoring and Validation: Once integrated, administrators can monitor the connection status, data flow, and last received logs directly within Sentinel. This ensures that SAP security events are being ingested in real time and that the integration is functioning as expected.
- Incident Detection, Enrichment, and Response in SAP Environments:
  - Martin, Ivan, and Holger demonstrated how SecurityBridge and Sentinel work together to detect, enrich, and respond to security incidents in SAP systems, using real-world scenarios such as MFA bypass and session cookie theft to illustrate the end-to-end process.
  - Incident Detection and Attack Graphs: The team showcased how incidents such as MFA bypass and session cookie theft are detected, correlated, and visualized in Sentinel using attack graphs. SecurityBridge provides detailed SAP context, such as transaction codes and system roles, which are integrated into the incident analysis.
  - Enrichment and Contextualization: SecurityBridge enriches raw SAP audit logs with additional metadata, making it easier for SOC analysts to understand the significance of events, such as whether an action occurred in a production system or involved a risky user. This contextualization supports faster and more accurate incident response.
  - Advanced Hunting and Compliance: Analysts can use advanced hunting queries in Sentinel to investigate SAP security events further, leveraging the full range of logs provided by SecurityBridge. The integration also supports compliance requirements by enabling long-term storage of SAP audit logs in a cost-effective data lake.
  - Automated and Manual Response Actions: The integration supports automated response actions through Sentinel playbooks, such as reactivating audit logs or enforcing multi-factor authentication. SecurityBridge can also trigger immediate actions within SAP systems, reducing the attack surface and supporting rapid containment.
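As an added illustration of the normalize-enrich-push flow summarized in the integration and enrichment points above (this is not SecurityBridge's or Microsoft's code), the Python below takes a raw SAP Security Audit Log event, attaches the landscape role of the originating system and the Entra risk state of the mapped identity, derives a severity from that context, and shapes the batch into a Logs Ingestion API request for a data collection endpoint and rule. The input schema, lookup tables, stream name, watchlist of transaction codes and sample events are constructed assumptions; the AU1/AU2/AU3 message IDs and the transaction codes are real SAP ones, and the URL format is the one Azure Monitor documents for the Logs Ingestion API.

```python
"""Normalize, enrich and rate SAP Security Audit Log events, then shape them
for the Azure Monitor Logs Ingestion API. Added illustration, not
SecurityBridge's code: the event schema, lookup tables and samples are
constructed; only the SAP message IDs, transaction codes and URL format are real."""
import json

# Subset of SAP Security Audit Log message IDs with plain-language text and a
# base severity, so a SOC analyst never has to know that "AU2" is a failed logon.
SAL_MESSAGES = {
    "AU1": ("Logon successful", "informational"),
    "AU2": ("Logon failed", "low"),
    "AU3": ("Transaction started", "informational"),
}
# Transactions that change users, roles or audit settings (assumed watchlist).
SENSITIVE_TCODES = {"SU01", "PFCG", "SM19", "RSAU_CONFIG"}
# Constructed landscape inventory: SAP system ID -> role.
SYSTEM_ROLES = {"PRD": "production", "QAS": "quality", "DEV": "development"}
# Constructed identity context: SAP user -> Entra UPN, and the Entra risk state
# per UPN (the "risky user" signal the integration pulls back from Entra).
SAP_USER_TO_UPN = {"JDOE": "jdoe@example.com", "ASMITH": "asmith@example.com"}
ENTRA_USER_RISK = {"jdoe@example.com": "high", "asmith@example.com": "none"}

LEVELS = ["informational", "low", "medium", "high", "critical"]


def bump(level, steps=1):
    """Raise a severity by `steps`, capped at the top of the scale."""
    return LEVELS[min(LEVELS.index(level) + steps, len(LEVELS) - 1)]


def rate(ev, base):
    """Escalate the base severity using the context enrich() attached."""
    level = base
    if ev["sensitive_tcode"]:
        level = bump(level, 2)   # user/role/audit changes are never routine
    if ev["system_role"] == "production":
        level = bump(level)      # production impact outweighs a dev sandbox
    if ev["entra_risk"] == "high":
        level = bump(level)      # Entra already flags this identity as risky
    return level


def enrich(raw):
    """Return a copy of a raw audit event with the context a SOC analyst needs."""
    text, base = SAL_MESSAGES.get(raw["message_id"], ("Unknown audit message", "low"))
    ev = dict(raw)
    ev["description"] = text
    ev["system_role"] = SYSTEM_ROLES.get(raw["sid"], "unknown")
    upn = SAP_USER_TO_UPN.get(raw["user"])
    ev["entra_upn"] = upn
    ev["entra_risk"] = ENTRA_USER_RISK.get(upn, "unknown") if upn else "unknown"
    ev["sensitive_tcode"] = raw.get("tcode") in SENSITIVE_TCODES
    ev["severity"] = rate(ev, base)
    return ev


def to_sentinel_records(events):
    """Shape enriched events as rows for a custom table; TimeGenerated is the
    column Log Analytics treats as the event time."""
    return [{
        "TimeGenerated": ev["timestamp"],
        "SapSystem": ev["sid"],
        "SystemRole": ev["system_role"],
        "SapUser": ev["user"],
        "EntraUpn": ev["entra_upn"],
        "EntraRisk": ev["entra_risk"],
        "MessageId": ev["message_id"],
        "Description": ev["description"],
        "TransactionCode": ev.get("tcode"),
        "Severity": ev["severity"],
    } for ev in events]


def build_ingestion_request(dce_uri, dcr_immutable_id, stream_name, rows):
    """Build the Logs Ingestion API call (URL and JSON body) for a data
    collection endpoint and rule. The caller POSTs it with a bearer token
    obtained by the Entra app registration; no network call happens here."""
    url = (f"{dce_uri}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream_name}?api-version=2023-01-01")
    return url, json.dumps(rows)


# Constructed sample events, not real audit log data.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T08:00:00Z", "sid": "PRD", "user": "JDOE",
     "message_id": "AU3", "tcode": "SU01"},
    {"timestamp": "2024-05-01T08:00:05Z", "sid": "DEV", "user": "ASMITH",
     "message_id": "AU2", "tcode": None},
]

if __name__ == "__main__":
    enriched = [enrich(e) for e in SAMPLE_EVENTS]
    url, body = build_ingestion_request(
        "https://dce-placeholder.ingest.monitor.azure.com",   # placeholder DCE
        "dcr-placeholder-immutable-id",                        # placeholder DCR
        "Custom-SapAudit_CL",                                  # assumed stream
        to_sentinel_records(enriched))
    print(url)
    print(body)
```

Run as a script it prints the request URL and body for the two sample events: the user-maintenance transaction in the production system by a high-risk identity lands at "critical", while the failed logon in the development system stays "low". The point of doing the enrichment before the push is that the Sentinel row already carries the plain-language description, the system role and the Entra risk state, so the SOC analyst can triage it without SAP knowledge.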
- Collaboration Between SOC and SAP Security Teams:
  - Martin, Ivan, and Goran discussed real-world examples of how organizations use SecurityBridge and Sentinel to coordinate incident response between SOC and SAP security teams, defining clear processes for triage, forensics, and resolution.
  - Role-Based Incident Handling: Organizations distinguish between critical and non-critical incidents, routing critical alerts to the SOC team for immediate action and assigning less urgent cases to the SAP security team for further investigation. This ensures 24/7 coverage and leverages the specialized expertise of each team.
  - Process Automation and Outcomes: Automated processes and clear definitions of SAP versus security incidents help reduce false positives and streamline incident resolution. Shared insights and collaboration between teams lead to faster and more effective threat detection and response.
- Customer Feedback and Future Development:
  - Martin and Holger invited feedback from customers using SecurityBridge and Sentinel, emphasizing a customer-driven approach to future enhancements and the importance of ongoing collaboration to address emerging security needs.
  - Customer-Driven Backlog: The team encouraged customers to share their experiences and suggest new features or improvements, highlighting that future development priorities will be shaped by real-world needs and feedback from organizations using both SecurityBridge and Sentinel.
- 0:00 Intro
- 1:10 Introducing Ivan Mans & Martin Pankraz
- 3:00 What is SecurityBridge?
- 6:00 Command Center for SAP
- 8:30 Attack Vectors
- 11:10 One Platform
- 14:30 Secure and defend SAP apps and data on Microsoft Cloud
- 15:15 Attackers think in graphs
- 16:35 Graph powered security enables enterprise-wide visibility
- 17:40 AI first end-to-end security platform
- 20:30 Demo - Defender Portal - SecurityBridge Solution
- 23:45 Demo - Incident detection with SecurityBridge
- 28:10 Demo - Advanced hunting
- 29:50 Demo - KQL queries - Storing information
- 35:50 Unburden the people you have
