Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

The SAP Security Paradox: Irregular User Activity

  • Font size: Larger Smaller
  • Hits: 6916
  • Print

“How Many Times?”

We, and our partners, often ask ourselves that very question after hearing case after case of employee fraud being committed at an enterprise. How many times will these companies endure suspicious activity by their employees before they get the right tool to send them alerts about it? How much money will they lose before they understand that there is a certain amount of usage data that cannot be monitored manually?

b2ap3 thumbnail SAP-Security-and-Irregular-User-Activity

 It’s enigmatic how organizations can invest so much money in high-priced security software, declaring how important fraud prevention is to them, when often they’re looking in the wrong places or they don’t investigate the very thing that should be investigated: user behavior. Sure, they may be checking such security issues like where people are logging into Windows from, or if timecards are stamped properly, but that’s not where the big money is that the thiefs are after, and they’re not seeing the forest through the trees. Instead, they keep getting trapped in the hamster wheel of fraud. Two words: “user behavior.”

Irregular behavior: a needle in the haystack

It all begins with an employee who’s acting irregularly. A warehouse employee is poking around in invoice values, someone from accounting is tapping into HR information, a sales manager is taking a quick look at his friend’s sales figures in order to compare their bonuses. Even if the organization has as little as 400 employees, no person can identify these deviations from normal activity because the amount of usage data to sort through is massive. A person can’t, but software can. Software can learn each employee’s regular behavior, compare it with “good” behavior and send an alert when irregular behavior is being performed. Thus, cases like the ones illustrated above can be quickly eliminated if, beforehand, the customer has implemented profiling-based software and set the proper alerts. Key point: setting alerts.

SAP security denial

From our experience, there are different types of personalities that choose not to implement alerting mechanisms for detecting irregular activity of their employees:

  1. Those that don’t want to know. Why not take the responsibility of knowing? Because with this responsibility comes accountability. If an employee is committing fraud and nobody gets alerted about it, then nobody is held accountable for it, and the security team can’t be blamed for not acting upon it. Ignorance is bliss; what they don’t know won’t hurt them. 
  2. Those that don’t know what to do. These types do find out about the underhanded activity but might not have the resources or desire to take on a new task in order to deal with it. It’s possible, they don’t want to hire an external consultant or simply take a course. They just don’t want to be bothered because they are comfortable.
  3. Those that don’t have the time or money. This type is swamped under a mile high stack of other projects. They know it’s an important issue that must be dealt with, but they can’t think about it for another two years. They’ll say, “Come back then because the management needs me to monitor timecard stamps right now.” It’s a vicious cycle, and truly ironic - they just need to identify who is stealing money and stop wasting time on other minutia. It’s a total catch 22.
  4. Those that simply don’t care enough. I know of a company that was hacked out of $40 million by an internal employee over the course of a few years. When they were approached afterwards with an alerting solution to prevent it from happening again, they said, “It’s not important enough. Lightning doesn’t strike the same place twice. If we were hacked once, we will not be hacked again.” So guess what happened?*
If you don’t get alerts about irregular user activity as part of your SAP security solution, you must – because in 2013 it’s become standard practice. We encourage you to take a step forward in identifying suspicious user activity. Doing so is easier, faster and less expensive than you think. 

If you liked this this blog, read our other blogs that deal with SAP user behavior:

The Dreaded SAP_ALL Power Profile

The Adventures of a Bored Programmer

 *Does lightning strike twice in the same spot? Brent McRoberts of Texas A&M University reports, “Lightning often strikes the same location multiple times. Just look at the Empire State Building, which gets hit by lightning at least 50 times every year, often several times in the same day. The Sears Tower and Cape Canaveral also get hit by lightning several hundred times each year. In general, tall structures, such as buildings or radio or TV transmission towers, are almost certainly going to be hit by lightning.”

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.


  • Guest
    Chris Hauge 04/09/2013

    I think this is spot on, but I wonder what the background is for the claim that this is standard practice in 2013. When approaching management it is always nice to have something tangible when making such a claim.

  • Guest
    Debra Greenstein, Xpandion 10/09/2013

    Thanks for your comment, Chris. This information is based on our vast field experience, and feedback that we get from hundreds of CISOs. I don’t know of any official paper that covers this issue, but you are more than welcome to download the brochure at http://xpandion.com/Security-Authorizations/profiletailor-dynamics-security-authorizations.html. Also, please feel free to give us a call at (800) 707-5144 or email us at info@xpandion.com.

  • Guest
    Guest 04/09/2013

    5- Legal/ethical implications. Looking at user behavior means taking the risk of accusing the wrong person because of false positives, not to mention that real crooks will say that someone broke into their account and did all these awful things - this will be difficult to debunk. Also, would you prefer to work in a company which values Trust or in a company where everyone is considered suspicious by default? Setting up a detection system might be easy and repel fraudsters, but what will be the real cost on team spirit, attractiveness and reputation for the company?

  • Guest
    Debra Greenstein, Xpandion 10/09/2013

    These are very good points, and ones that we always have front of mind.

    There are mechanisms built into the software to avoid false positives – what goes into establishing a solid business profile includes much more than username and activity. You can read a bit more about this mechanism on our newest blog post, here: http://xpandion.com/Blog/do-you-understand-the-meaning-of-behavior-based-profiling.html.

    Your point about legal/ethical implications is true, and different people over the years have told us exactly that. However, as the years pass and computer fraud and leakage of sensitive information not only become riskier, but also cause significant impact on business, the concept is changing to “trust users, however verify that they’re doing right.” To be more direct, CISOs and security managers often claim that each user can be a potential suspect for committing fraud, although of course 99% of users are innocent.

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in XpandionPosted by Yoav Michaeli

Do You Understand the Meaning of Behavior-Based Profiling?

Xpandion creates “behavior-based profiling” for business applications. Sounds impressive, huh? However, do you know what it means, exactly?

in Security & AuthorizationsPosted by Dror Aviv

CISO Advice: Shooting Might Not Be The Best Option

One of the perks of being a Senior Implementation Advisor at Xpandion is hearing our customers describe their many juicy company stories. And let me tell you, there are some doozies. This most recent one is a very interesting case.

in Security & AuthorizationsPosted by Debra Greenstein

Could Xpandion Have Rescued Little Red Riding Hood?

We could have changed history! In the famous fairy tale, Little Red Riding Hood approaches “Grandma” who is actually the Big Bad Wolf in disguise. After the initial moment of meeting, she notices that something’s wrong and starts to question her – “What a deep voice you have!” “What big eyes you ha...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India