agileSI - The ultimate solution

agileSI uses Agents on the SAP source systems to extract data. agileSI also has a Core that controls the Agents and acts as a proxy for ArcSight ESM, collecting the data from the SAP systems and providing CEF-formatted output. CEF (Common Event Format) is an ArcSight-specific data format that allows meta-data to be added to the events and provides easy import of the data into the SIEM tool (figure 3).

Part of the agileSI solution is a special analytics content package for ArcSight, which helps to interpret the data and covers use cases for security monitoring driven by recommendations from SAP, the German SAP Users Group (DSAG), common standards and other frameworks.

The agileSI Core and the Agents are ABAP programs that closely integrate with the SAP systems. They are developed adhering to SAP's best practices and shipped as Add-Ons, ensuring easy deployment and security. The SAP authorization concept protects the data in the source systems: the system owner defines which data can be extracted. agileSI has its own authorization objects to protect the administration and other components (such as the Extractors) from unauthorized use. On the transport layer, SAP security functions such as Secure Network Communication ensure confidentiality and integrity of the data. The solution is designed to be scalable for large installations (figure 4).

The agileSI Core contains the Service Factory. This is a web interface that allows the administrator to define the system landscape and which data will be extracted from the SAP systems. The data extraction can be defined for each system or for groups of systems. The Service Factory holds the configuration of all Agents in the landscape and distributes the local configuration data to the Agents in the source systems.

The agileSI Core can run on any SAP system with AS ABAP 7.0 or 7.3, so it can be deployed e.g. on the Solution Manager, on an SAP application, or on a dedicated server (figure 5). Each Agent (one per source system) contains several Extractors and one Extractor Handler. The Extractors are ABAP programs that run as batch jobs; each one extracts data from one type of data source. The Extractor Handler manages the local configuration data and schedules the Extractors (table).

agileSI can extract almost any information from the systems, as defined by the customer. This allows a range of use cases that goes far beyond the native SAP-SIEM integration, from monitoring the configuration state of the SAP systems to detecting incidents and transaction monitoring. The data provided by the Extractors comes in various formats; table data looks different from entries in log files. For routing these messages, SI therefore uses an internal data format that we call ITCF (iT-CUBE Format). Extractors pass data in their specific format to the ITCF Connector, which can handle all these data types and transforms the data into ITCF. This data is sent to the SI Core via RFC. agileSI ensures quality of delivery: each message is delivered exactly once to the Message Receiver in the Core.

The next step is to transform the data into ArcSight CEF and write it to a file, which ArcSight's standard file adapter can read and preprocess. agileSI utilizes Domain Field Sets, a new feature of ArcSight ESM V5.x that offers significantly more label+value pairs than the standard device custom fields and allows the label name to be customized, making it easier to identify fields by their function. Domain fields are "dynamic" because they can mean different things for different events, depending on the domain an event belongs to. The flexibility of dynamic domain field sets within a SIEM is a fundamental technical precondition for integrating business environments that must support monitoring, investigation, and analysis for use cases in multiple business verticals, such as integrating data from SAP and other applications.
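
As an added illustration (not agileSI's own code), the following Python builds CEF lines from constructed sample extractor records, using standard custom-string label+value pairs (cs1/cs1Label) in place of ArcSight domain field keys, which are product-specific and not reproduced here. The escaping it applies to header and extension fields is what keeps SAP-supplied strings such as user names or messages from corrupting the event or injecting extra key=value pairs into the SIEM.

```python
import re

# Constructed sample extractor records (not real agileSI output): one table-style
# parameter check and one log-style audit entry, already normalized to dicts.
SAMPLE_EVENTS = [
    {"sid": "PRD", "client": "100", "kind": "param",
     "name": "login/min_password_lng", "severity": 5,
     "msg": "Password policy: minimum length below recommendation"},
    {"sid": "PRD", "client": "100", "kind": "audit",
     "name": "AU2", "severity": 7, "user": "SMITH|X=1", "terminal": "WS01",
     "msg": "Logon failed|wrong password"},
]

def cef_header(value):
    """Header fields are '|' separated: escape backslash first, then the pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    """Extension values: escape backslash and '=', and fold line breaks, so a
    value taken from SAP data cannot smuggle in a new key or a new event line."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(ev, vendor="iT-CUBE", product="agileSI", version="1.0"):
    """Build one CEF:0 line from a normalized event dict (hypothetical layout)."""
    header = "|".join(cef_header(x) for x in (
        "CEF:0", vendor, product, version, f"{ev['kind']}:{ev['name']}",
        ev["msg"], ev["severity"]))
    ext = [("msg", ev["msg"])]
    # Label+value pairs so the analyst sees sapSystemId=PRD rather than cs1=PRD.
    labeled = [("sapSystemId", ev["sid"]), ("sapClient", ev["client"]),
               ("sapDataSource", ev["kind"])]
    for i, (label, val) in enumerate(labeled, start=1):
        ext += [(f"cs{i}Label", label), (f"cs{i}", val)]
    if "user" in ev:
        ext.append(("suser", ev["user"]))
    if "terminal" in ev:
        ext.append(("shost", ev["terminal"]))
    return header + "|" + " ".join(f"{k}={cef_ext(v)}" for k, v in ext)

def split_header(line):
    """Split on unescaped pipes: 7 header fields plus the extension string."""
    return re.split(r"(?<!\\)\|", line, maxsplit=7)

def to_cef_lines(events):
    """One CEF line per event, ready to be written to the file the ArcSight
    file adapter reads."""
    return [to_cef(ev) for ev in events]

if __name__ == "__main__":
    print("\n".join(to_cef_lines(SAMPLE_EVENTS)))
```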
ArcSight ESM standard content and agileSI's special analytics content package support a number of common use cases out of the box. This content, based on data monitors, rules, dashboards, notifications and reports, can be modified and enhanced by customers whenever necessary (figure 6). Systems that can be monitored with agileSI are ABAP-based systems (this includes all Business Suite applications) in SAP Mainstream Maintenance.

Deployment of the solution is easy, using standard SAP software logistics. When ArcSight is already in use, adding agileSI and SAP monitoring is a matter of days. agileSI will become generally available in October 2011 (release 1.0). Release 1.1 will follow in Q1/2012 and provide additional Extractors and content. By the end of 2011 SI will be certified by SAP.

Key benefits and value propositions

The combined iT-CUBE agileSI / ArcSight ESM solution provides capabilities to extract almost all information from SAP systems and from over 350 other devices in the IT landscape. Combined with the powerful correlation engine in ESM and pre-defined content, this gives customers maximum visibility regarding their most important IT assets and critical processes. Key benefits are:

  • Transparency, through continuous monitoring and cross-device/application correlation
  • Fulfillment of compliance requirements
  • Reduction of audit efforts and costs

The Return On Investment for agileSI comes directly from savings in daily security operations and lower audit effort, as all information is available in a central place and customers can prove compliance directly.

Figure 3: Architectural Overview

Figure 4: SI Functional modules and interworking

Figure 5: SI Web interface allows maintaining the system landscape.

Figure 6: ArcSight ESM Console view of SAP system parameters for the password policy.

Table: The Extractor Handler manages the local configuration data and schedules the Extractors.