Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Hooray! We Caught a Thief!

  • Font size: Larger Smaller
  • Hits: 5779
  • Print

This is a true story from last week – an Xpandion expert received a phone call from one of our European clients, claiming they just received a High Risk Irregular Behavior alert pertaining to unauthorized access of salary information. After a quick investigation using ProfileTailor™ Dynamics, it was clear that something “fishy” was going on and actions had to be taken accordingly.

Hooray We Caught a Thief


Some background details:

Irregular Behavior means that an employee (let’s call him John Smith) is using an activity, which is not part of his profile of activities. The profile of activities is created by ProfileTailor Dynamics according to a user’s de-facto usage.

The Data – in this case it was Display Access to infotype 0008 (payroll information) in Human Resources module of SAP®, which is marked as very sensitive.

A High Risk alert type means that the event’s scoring was climbing high, due to irregular and sensitive activities.

The client was advised to locate the exact physical IP address that John Smith was using, and sure enough John Smith was found using previous authorizations, which he no longer should have been using.

How did this happen?

John Smith had just been transferred from one of the payroll teams, where he held authorizations for viewing payrolls. However, when ProfileTailor Dynamics identified that John Smith had left his current position and was moved to a new one – his previously learnt profile was cleared, so that any prior activities would not influence the new business profile in his new position.

So now what?

Two actions were taken, right away:

First, John Smith’s actions were dealt with accordingly, and the incident was communicated internally so that all employees were aware and would beware... The global CISO explained to us that this incident vividly showed the effectiveness of ProfileTailor Dynamics, and the level of security within the company has never been better.

Second, an authorization review process was conducted using ProfileTailor Dynamics, in which all managers were asked to re-approve their employees’ sensitive authorizations. This complicated-sounding process becomes simple and straightforward with ProfileTailor Dynamics, and most important, highly effective. In addition to automating and shortening the review process, unnecessary authorizations were identified and removed, saving money and further increasing security.

CISOs, Internal Auditors, Security & Risk Managers – if you relate to this story in any way, take a closer look at ProfileTailor Dynamics. Learn from John Smith. Let Xpandion help you achieve full control over SAP usage from an application-security point of view.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 21/07/2017


in XpandionPosted by Yoav Michaeli

Do You Understand the Meaning of Behavior-Based Profiling?

Xpandion creates “behavior-based profiling” for business applications. Sounds impressive, huh? However, do you know what it means, exactly?

in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in Security & AuthorizationsPosted by Dror Aviv

The SAP Security Paradox: Irregular User Activity

“How Many Times?” We, and our partners, often ask ourselves that very question after hearing case after case of employee fraud being committed at an enterprise. How many times will these companies endure suspicious activity by their employees before they get the right tool to send them alerts about...
in Security & AuthorizationsPosted by Dror Aviv

How to Understand SAP Authorizations in 10 Minutes or Less

If you’re like most CIOs, CISOs or internal auditors that work in a company that has implemented SAP, every day you have to contend with overloaded terms like “Profile,” “Authorization Role” and “Authorization Object” and quotes such as “This person can't access the company code because he doesn’t h...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


3310 W Braker Lane Suite 300-253

Austin, TX 78758, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India