Hooray! We Caught a Thief!

This is a true story from last week – an Xpandion expert received a phone call from one of our European clients, claiming they just received a High Risk Irregular Behavior alert pertaining to unauthorized access of salary information. After a quick investigation using ProfileTailor™ Dynamics, it was clear that something “fishy” was going on and actions had to be taken accordingly.

Some background details:

Irregular Behavior means that an employee (let's call him John Smith) performs an activity that is not part of his activity profile. ProfileTailor Dynamics builds that profile from each user's de-facto usage, i.e. from what the user actually does in the system rather than from the authorizations assigned on paper.

The data – in this case, display access to infotype 0008 (payroll information) in the Human Resources module of SAP®, which is marked as very sensitive.

A High Risk alert type means that the event's risk score climbed high because the activity was both irregular for the user and touched sensitive data.

The client was advised to locate the exact physical IP address that John Smith was using, and sure enough, John Smith was found using authorizations from his previous position, which he should no longer have been using.

How did this happen?

John Smith had just been transferred from one of the payroll teams, where he held authorizations for viewing payrolls. When ProfileTailor Dynamics identified that John Smith had left his previous position and moved to a new one, his previously learnt profile was cleared, so that prior activities would not influence the business profile of his new position. His old payroll authorizations, however, were still in place, so when he displayed payroll data again the activity fell outside his new profile and raised the alert.
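The mechanism described in the background details and in the explanation above, as an added toy example in Python (not ProfileTailor's code; the class and function names, the sample events and the sensitivity weights are assumptions): a profile is learnt from observed activity, cleared on a position change, and an out-of-profile activity is scored by the sensitivity of the data it touches.

```python
# Added example (not Xpandion's code): a toy version of the activity-profile
# detection the post describes. Class/function names, sample events and the
# sensitivity weights are assumptions made for this illustration.
from collections import defaultdict

# Assumed sensitivity weights per activity; infotype 0008 is payroll data.
SENSITIVITY = {"display_infotype_0008": 8, "display_infotype_0002": 2}
HIGH_RISK = 8  # assumed score threshold for a High Risk alert


class ActivityProfiler:
    def __init__(self):
        self.profile = defaultdict(set)  # user -> activities seen so far
        self.position = {}               # user -> current position

    def learn(self, user, activity):
        self.profile[user].add(activity)

    def set_position(self, user, position):
        # A position change clears the learnt profile so that activities
        # from the old job do not shape the profile for the new one.
        if self.position.get(user) != position:
            self.position[user] = position
            self.profile[user] = set()

    def score(self, user, activity):
        # 0 for an in-profile activity; otherwise 1 plus the data sensitivity.
        if activity in self.profile[user]:
            return 0
        return 1 + SENSITIVITY.get(activity, 0)

    def observe(self, user, position, activity):
        self.set_position(user, position)
        s = self.score(user, activity)
        self.learn(user, activity)  # de-facto usage keeps shaping the profile
        if s == 0:
            return None
        return (user, activity, s, "High Risk" if s >= HIGH_RISK else "Low Risk")


# Constructed sample events: (user, position, activity)
LEARNING = [("jsmith", "payroll", "display_infotype_0008")] * 3
MONITORED = [
    ("jsmith", "finance", "display_infotype_0002"),  # first action after transfer
    ("jsmith", "finance", "display_infotype_0002"),  # now part of the new profile
    ("jsmith", "finance", "display_infotype_0008"),  # old payroll authorization used
]


def run_demo():
    p = ActivityProfiler()
    for user, position, activity in LEARNING:
        p.set_position(user, position)
        p.learn(user, activity)
    return [a for a in (p.observe(*e) for e in MONITORED) if a]
```

Running `run_demo()` yields one Low Risk alert for the first unfamiliar action in the new position and one High Risk alert for the payroll display, which is the pattern the post describes.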

So now what?

Two actions were taken, right away:

First, John Smith’s actions were dealt with accordingly, and the incident was communicated internally so that all employees were aware and would beware… The global CISO explained to us that this incident vividly showed the effectiveness of ProfileTailor Dynamics, and the level of security within the company has never been better.

Second, an authorization review process was conducted using ProfileTailor Dynamics, in which all managers were asked to re-approve their employees' sensitive authorizations. This complicated-sounding process becomes simple and straightforward with ProfileTailor Dynamics and, most importantly, highly effective. In addition to automating and shortening the review process, unnecessary authorizations were identified and removed, saving money and further increasing security.

CISOs, Internal Auditors, Security & Risk Managers – if you relate to this story in any way, take a closer look at ProfileTailor Dynamics. Learn from John Smith. Let Xpandion help you achieve full control over SAP usage from an application-security point of view.

Yoav Michaeli

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.