User behavior anomaly detection
What more can we do about the security of our SAP systems? That’s what we asked ourselves a few months ago, when we experienced a series of phishing attacks. This inspired us to build a solution that would detect a rogue user operating in our landscape with stolen credentials. That’s how User Behavior Anomaly Detection was born.
The recipe for our scenario seemed simple: get the data, add a bit of machine learning and POOF! We have an anomaly detection tool. But when we took a closer look, we realized it would not be so easy.
Getting the right data
First, we had to find out which data could help us tell whether user credentials had been compromised. A bit of research pointed us in the right direction: the SAP trace log. Once we confirmed that this source contained the data we needed, we started looking into how to feed it into our data lake. The problem? These logs are not stored transparently on the file system, nor transparently in the database. You want to access them? Only through SAP and ABAP.
Luckily, we had just the right tool in our shed to do the work. Datavard Glue, besides enabling table-level extraction and transformations, also lets you use your own custom ABAP code as a source for data extraction. Thanks to that, you can replicate seemingly inaccessible data sources. A few lines of ABAP code later, we had the data extraction up and running.
Adding machine learning to the mix
The obvious choice for us was Apache Spark, since we already have it in our landscape and it is a standard for machine learning. Our data scientists built a simple model that helps us identify anomalies and potentially dangerous behavior based on the SAP logs. The model actually gets “smarter” as more data flows through it, giving us higher confidence and fewer false positives.
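As an added illustration (not Datavard’s or this project’s code), here is the smallest version of that idea in plain Python: a per-user behavior baseline over a constructed batch of SAP-style activity records, updated online so it "gets smarter" as events flow through. The record layout (user, hour, terminal, transaction code), the user name, terminal ids and tcodes are all assumptions; a Spark job over the extracted trace log would compute the same per-user statistics at scale.

```python
from collections import Counter, defaultdict

# Constructed sample of SAP-style activity records: (user, hour, terminal, tcode).
# Layout and values are assumptions, not the real trace-log format.
SAMPLE_EVENTS = (
    [("JDOE", 9, "WS-0042", "SE16") for _ in range(10)]
    + [("JDOE", 10, "WS-0042", "SU01") for _ in range(10)]
    + [("JDOE", 3, "VPN-9917", "PFCG")]   # off-hours, unseen terminal, unseen tcode
)

class UserBaseline:
    """Per-user value counts for each monitored field, learned online."""
    def __init__(self):
        self.n = 0
        self.counts = {"hour": Counter(), "terminal": Counter(), "tcode": Counter()}

    def surprise(self, hour, terminal, tcode):
        """Sum over fields of 1 - P(value | user), add-one smoothed so a
        brand-new user scores 1.5 rather than a false maximum of 3."""
        observed = {"hour": hour, "terminal": terminal, "tcode": tcode}
        return sum(1 - (self.counts[f][v] + 1) / (self.n + 2)
                   for f, v in observed.items())

    def update(self, hour, terminal, tcode):
        self.n += 1
        for f, v in (("hour", hour), ("terminal", terminal), ("tcode", tcode)):
            self.counts[f][v] += 1

def detect(events, threshold=2.5, min_history=5):
    """Return (user, hour, terminal, tcode, score) for events that deviate
    from the user's own history; cold users are not scored (too little history)."""
    baselines = defaultdict(UserBaseline)
    alerts = []
    for user, hour, terminal, tcode in events:
        b = baselines[user]
        score = b.surprise(hour, terminal, tcode)
        if b.n >= min_history and score >= threshold:
            alerts.append((user, hour, terminal, tcode, round(score, 2)))
            continue  # do not let flagged activity drift the baseline
        b.update(hour, terminal, tcode)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("anomaly:", alert)
```

Note that the first SU01 event scores high too (new hour, new tcode) but stays below the threshold because the terminal is familiar; tuning that threshold against real history is where the false-positive rate is won or lost.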
Time to view the results
What we learned in this internal project is that having SAP as a data source doesn’t have to be difficult, as long as you have the right tools for the job. Datavard Glue is a simple yet powerful ETL tool tailored to the needs of SAP customers.