MAIRE's enhanced security and visibility in SAP environments with Microsoft Sentinel

MAIRE is a leading technology and engineering group focused on advancing the energy transition. The Group provides integrated E&C solutions for the downstream market and sustainable technology solutions through three business lines: sustainable fertilizers, low-carbon energy vectors, and circular solutions. With operations across 50 countries, MAIRE employs nearly 10,500 people, supported by around 50,000 professionals involved in its project worldwide.

Within the MAIRE Group, Tecnimont Services is responsible for developing technological activities in the ICT sector and supporting the entire organization's supply chain. Tecnimont Services houses the Cyber Risk Operations Center (CROC), a unit designed not only to guarantee protection, but to generate antifragility. A paradigm shift: from a model that reacts to events to a system that continuously learns from the context, adapts, and becomes stronger after every pressure and challenge.

The CROC integrates continuous monitoring, intelligence, automation, and risk analysis to translate every signal—technical, operational, or contextual—into actionable business insight. This allows MAIRE to anticipate critical scenarios, drastically reduce response time, and support the execution of the group’s global projects with a more mature and proactive level of control. Collaboration with IT, OT, Identity, Engineering, and Compliance enables the CROC to operate as a risk governance hub, ensuring end-to-end view and continuous alignment with international standards and regulatory requirements.

The CROC is not just an operations center; it is a value enabler, connecting people, processes, and technology to protect the company and strengthen it through every challenge. Its mission is not only to prevent impacts, but to help the MAIRE Group become more robust, faster, and ready whenever the context changes.

"Protecting data and identities is a priority for us. That’s why we implement solutions that ensure reliability, strong monitoring capabilities, and robust governance and control processes," says Andrea Sgarlata, Identity Manager at Tecnimont Services, MAIRE Group.

To protect its data, MAIRE specifically opted for a Security Information and Event Management (SIEM) system like the cloud platform Microsoft Sentinel, providing a comprehensive view of security events and integrating with other detection and response solutions already in place within the company. In particular, Microsoft Sentinel is used to enhance the Group's defense capabilities within the SAP environment, an application accessed by all of the more than 10,000 employees and used to manage the accounts payable cycle. Important business processes occur within the SAP perimeter and essential data for the entire organization resides there. "Gaining greater visibility into the Group's entire accounts payable management environment was crucial. Given the widespread use of the SAP ecosystem within the company, the potential attack surface is significantly broad, and Microsoft Sentinel is helping us keep it constantly under control,” states Sgarlata.

A solid partnership and valued expertise

"As early as 2023, we began evaluating the possibility of developing an in-house solution to protect the entire SAP environment, which had, in the meantime, migrated to the cloud with SAP S/4 HANA, leveraging the Rise offering," recounts Sgarlata.

The increasing criticality of SAP applications and the need for greater visibility into security-related events led MAIRE to decide on adopting Microsoft Sentinel for SAP, leveraging a native offering developed by Microsoft in collaboration with SAP, which includes connectors, monitoring dashboards, and ready-to-use and customizable detection rules.

“Implementation began with the creation of a test environment and with the verification and tuning of detection rules,” says Claudio Susa, Cybersecurity Junior Engineer at Tecnimont Services, MAIRE Group. “With the constant support of Microsoft Italy, we then gradually activated the more than 50 rules currently in use.”

The Cyber Risk Operation Center team, along with vendors and SAP environment specialists, conducted a 30-day Proof of Concept (POC) to accurately estimate log data ingestion costs, thereby optimizing investment forecasts.

"Microsoft's presence and support, both during the architectural design phase and in activating the rules," explains Marco Tozzini, Data & Integration Manager at Tecnimont Services, MAIRE Group, "allowed us to customize the rules according to the specific needs of each department." Susa also adds, "The option of a vendor-based environment was preferred over developing an in-house solution, both for utilizing predefined rules and for leveraging the Microsoft and SAP expertise already available within the Group." 

Cybersecurity is in the details

Microsoft Sentinel provided increased visibility and real-time awareness of everything happening within the SAP environment, detecting anomalous behaviors that previously would have gone unnoticed, such as the creation and use of suspicious user accounts—one of the most dangerous and difficult events to identify in a large corporate population.

"The operational defense process," Tozzini explains, “is now relatively straightforward: events are automatically analyzed, the SOC analyzes incidents, and, if necessary, forwards them to our technical team overseeing SAP for accurate verification and proper alert management.”

Another advantage gained through the adoption of Microsoft Sentinel is the ability to correlate events within the SAP environment with all other events generated by the Group's entire IT ecosystem. Previously, this activity could not be performed automatically by a software solution, nor even manually by a human operator.

Internal processes have been adapted to handle new alerts and to enhance the level of security, but end users have experienced virtually no impact, since—except for rare cases—the management of incidents relies on automated processes with possible involvement of the SOC and of the SAP technical team.

"The increased visibility," Sgarlata adds, “has contributed to reducing operational risk, especially considering that the accounts payable cycle and many business activities are managed via SAP.” Tozzini also states, “Rule tuning is an iterative process, which began during the Proof of Concept and continued into production, to adapt detections to operational particularities and reduce false positives. Being able to start with a predefined set of rules from Microsoft and SAP was a significant time saver for us, but in the future, we will continue to refine these rules and make them increasingly effective for our specific environment.”

The future heads towards customization and AI

MAIRE's next step is to further leverage the potential of the Microsoft Sentinel environment, which offers a wide range of predefined rules, to build customized ones tailored to the Group's processes and specific reality. "This will allow us to better monitor some of the typical behaviors within our processes," Sgarlata concludes, “and more effectively correlate anomalous behaviors with normal user behavior in the SAP environment, extending the analysis to other applications and thus building a truly 360-degree footprint.”

Furthermore, given that Microsoft Sentinel integrates an engine that also leverages AI tools, MAIRE has already planned to evolve the solution towards the design of AI agents and advanced workflows, further enhancing detection and response capabilities. "The main benefit of Sentinel for SAP is its ability to analyze what happens within the application environment in real time. SAP generates an impressive amount of logs, and with the Microsoft solution, we are able to detect suspicious events before they can become a problem,"  concludes Sgarlata.