5 Security Threats You Can Address NOW with Salesforce Event Monitoring

By on Sep 14, 2015

“We delivered 234 billion transactions for our customers in the quarter, up 79 percent from a year ago,” said Marc Benioff, CEO of Salesforce, on the release of the company's recent quarterly results. “That’s an average of nearly 3.7 billion transactions every single business day.” In the same results, Salesforce reported a 24 percent year-over-year gain in revenue and further cemented its leadership in the CRM space. With customers such as GE, Wells Fargo, Virgin America, and Toyota across industries and company sizes, it is now the de facto CRM application for enterprises. A reported acquisition offer of $55 billion from Microsoft is indicative of the strength and potential Salesforce has shown in this space.

The success of applications such as Salesforce is indicative of the massive adoption of cloud by enterprises for critical business functions. Even with this wave of adoption, information security remains a primary concern for companies adopting cloud services. As a CRM application, Salesforce stores sensitive company information such as customer accounts, contact details, deal information and sales pipelines. Salesforce has enterprise-grade security infrastructure in place to protect this information, but companies remain exposed to threats from insiders, who can put company data at risk either deliberately or inadvertently. This is a constant concern for CIOs, who must work out how to hold up their end of the ‘shared responsibility’ model when it comes to protecting sensitive customer data.

Salesforce Event Monitoring API Enables Security Intelligence

Recent data breach headlines at Target, Anthem and others have shown that companies are increasingly vulnerable to insiders as well as to external attackers. While companies have invested heavily in defending against external attacks, many are not equipped to detect insiders who steal sensitive information and move it outside the company. This problem is now being addressed with security intelligence: monitoring usage data from all employees and applying a model built on several data-science heuristics to flag security incidents proactively. Enterprises are therefore looking for solutions that apply security intelligence to analyze user behavior, separate abnormal activity from normal activity, and alert the infosec team for further action. Cloud Access Security Brokers (CASBs) are gaining traction here because they sit on the cloud access and usage data and can analyze it to detect information security anomalies.

The Event Monitoring API offered by Salesforce helps improve the security of CRM information because it provides detailed logs of activity by users, admins, and third-party applications within Salesforce. Covered activities include creating or deleting leads, contacts, and opportunities, downloading documents or reports, and creating or updating sharing rules. (Event Monitoring delivers these logs as EventLogFile records, one CSV file per event type per day, which a consumer queries and downloads through the API.) CASBs ingest this log data and, using big data analytics, let IT administrators monitor Salesforce usage and detect threats so they can respond in a timely manner. Threats come from multiple sources, both insiders and compromised accounts, and the combination of the Event Monitoring API and a CASB helps companies detect and respond to them quickly.

  1. Threats from departing employees: According to research by Symantec, half of the employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40 percent plan to use it in their new jobs. Departing salespeople taking contact and opportunity information is one of the most common insider threats companies face. The Salesforce Event Monitoring API captures insider activity, including user upload and download events, which a CASB can use to detect and remediate this threat. A CASB uses machine learning to set thresholds on parameters such as the amount of data uploaded, reports accessed and login time, and uses these thresholds to identify abnormal or unexpected behavior. So when an employee downloads information that is not part of the standard workflow, the CASB flags it to the admin as an anomaly. A less common variant involves employees with malicious intent deleting Salesforce content.
  2. Threats from unsanctioned third-party apps: The Salesforce AppExchange has over 2,700 apps that users can add to their Salesforce deployment. About 70% of Salesforce customers use these apps, and close to half of those have installed at least two. Once installed, an app can extract information from the corresponding Salesforce account; its reach is bounded by the OAuth scopes it was granted and the permissions of the installing user, which in practice are often broad. This adds risk because third-party apps whose security capabilities have not been verified now have access to customer information. The event monitoring logs include user interactions with apps, so when users install risky apps, the CASB flags an anomaly for the admin to remediate. The effectiveness of this capability, however, depends on how comprehensive and up to date a CASB’s cloud registry is. By maintaining the largest registry of cloud services in the industry, with detailed security capabilities and recommendations, McAfee is able to provide effective coverage of almost all unsanctioned apps used by its customers' employees.
  3. Threats from privileged users: The NSA information leak by Edward Snowden was an important reminder that administrators and other privileged users, while an organization’s strongest line of defense, can also cause devastating breaches if they abuse their privileges. Companies are therefore stepping up monitoring of their ‘gatekeepers’. The Event Monitoring API helps here because it records admin activities such as creating and deleting users. A CASB can use this information to raise an anomaly when there is unusual activity. For example, if an admin deletes a number of users or accounts in a short period, the infosec team is alerted for further investigation.
  4. Threats associated with change management: Monitoring of privileged users extends not only to administrators but also to users whose access has been boosted with permission sets. This gives users more flexibility within Salesforce, but enterprises worry that they will modify the Salesforce setup and cause loss of information by deleting tabs, objects, fields and applications, changing page layouts, or installing packages or classes. This is another class of anomaly that a CASB can track using information from the Event Monitoring API. By providing timely alerts on setup changes, a CASB helps minimize disruption to sales and marketing operations and lets the company remediate by putting the right change management processes in place.
  5. Threats from compromised accounts: Recent research by Dell indicated that the underground market for compromised credentials is booming, so attackers are always looking for ways to capture user login credentials. User carelessness is one way credentials get compromised, but every account is also exposed to password guessing and brute-force attacks, and weak or reused passwords can be cracked in minutes. If administrators are alerted to a compromised account as soon as possible, they can take remedial action to minimize its impact. The Event Monitoring API provides information such as login attempts and the source location of logins and access, which is critical in detecting a compromised account. A run of failed login attempts against one account indicates a brute-force attack, and the login location feeds geolocation analytics that identify cases where a user could not physically have been in two places at the times of two logins. In either case, leading CASBs such as McAfee also give administrators automatic remediation by blocking access to the account or forcing multi-factor authentication, minimizing the risk and impact of a breach.
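As an added example (not code from the original post or from McAfee's product), the checks described in items 1 and 5 above can be written as plain threshold and geo-velocity logic over event-log rows. The CSV below is constructed in the shape of a Salesforce EventLogFile export (real files are one CSV per event type per day and carry more columns than shown; the USER_NAME, SOURCE_IP and LOGIN_STATUS columns are modeled on the Login event type and REPORT_ID on ReportExport). The IP-to-location table, the per-user export baselines, the users, IPs, report IDs, timestamps and the thresholds are all invented for this example.

```python
import csv
import io
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of an EventLogFile CSV export (Login and
# ReportExport event types); users, IPs, report IDs and times are invented.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,SOURCE_IP,LOGIN_STATUS,REPORT_ID
Login,20150914080000.000,alice@example.com,203.0.113.10,LOGIN_NO_ERROR,
Login,20150914080100.000,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_ID_PWD,
Login,20150914080130.000,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_ID_PWD,
Login,20150914080200.000,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_ID_PWD,
Login,20150914080230.000,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_ID_PWD,
Login,20150914080300.000,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_ID_PWD,
Login,20150914080330.000,bob@example.com,198.51.100.7,LOGIN_NO_ERROR,
Login,20150914090000.000,alice@example.com,192.0.2.44,LOGIN_NO_ERROR,
ReportExport,20150914081000.000,carol@example.com,203.0.113.10,,00O000000000001
ReportExport,20150914081100.000,carol@example.com,203.0.113.10,,00O000000000002
ReportExport,20150914081200.000,carol@example.com,203.0.113.10,,00O000000000003
ReportExport,20150914081300.000,carol@example.com,203.0.113.10,,00O000000000004
ReportExport,20150914100000.000,dave@example.com,203.0.113.10,,00O000000000005
"""

# Constructed IP-to-location table (lat, lon) standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": (37.77, -122.42),  # San Francisco
    "192.0.2.44": (51.51, -0.13),      # London
    "198.51.100.7": (40.71, -74.01),   # New York
}

# Constructed per-user baseline of typical report exports per day; a CASB
# would learn this from weeks of history rather than hard-code it.
EXPORT_BASELINE = {"carol@example.com": 1, "dave@example.com": 1}


def parse_event_log(text):
    """Parse EventLogFile-style CSV; TIMESTAMP is yyyyMMddHHmmss.SSS in UTC."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y%m%d%H%M%S.%f")
    return sorted(rows, key=lambda r: r["ts"])


def detect_brute_force(rows, max_failures=5, window=timedelta(minutes=10)):
    """Flag (user, ip) pairs with >= max_failures failed logins in a sliding window."""
    recent = defaultdict(list)
    alerts = set()
    for r in rows:
        if r["EVENT_TYPE"] != "Login" or r["LOGIN_STATUS"] == "LOGIN_NO_ERROR":
            continue
        key = (r["USER_NAME"], r["SOURCE_IP"])
        recent[key] = [t for t in recent[key] if r["ts"] - t <= window] + [r["ts"]]
        if len(recent[key]) >= max_failures:
            alerts.add(key)
    return alerts


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(rows, max_speed_kmh=900.0):
    """Flag consecutive successful logins by one user implying travel faster
    than max_speed_kmh (about airliner speed); rows with unknown IPs are skipped."""
    last, alerts = {}, []
    for r in rows:
        if r["EVENT_TYPE"] != "Login" or r["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue
        loc = GEO.get(r["SOURCE_IP"])
        if loc is None:
            continue
        user = r["USER_NAME"]
        if user in last:
            prev_ts, prev_loc = last[user]
            hours = (r["ts"] - prev_ts).total_seconds() / 3600
            dist = haversine_km(prev_loc, loc)
            if dist > max_speed_kmh * hours:  # also catches hours == 0 with dist > 0
                alerts.append((user, prev_ts, r["ts"], round(dist)))
        last[user] = (r["ts"], loc)
    return alerts


def detect_export_spikes(rows, baseline, factor=3):
    """Flag users whose daily ReportExport count exceeds factor x their baseline."""
    counts = defaultdict(int)
    for r in rows:
        if r["EVENT_TYPE"] == "ReportExport":
            counts[(r["USER_NAME"], r["ts"].date())] += 1
    return {k: n for k, n in counts.items() if n > factor * baseline.get(k[0], 1)}


def run_all(text=SAMPLE_LOG):
    rows = parse_event_log(text)
    return {"brute_force": detect_brute_force(rows),
            "impossible_travel": detect_impossible_travel(rows),
            "export_spikes": detect_export_spikes(rows, EXPORT_BASELINE)}

if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

On the sample, bob's five failed logins inside two minutes trip the brute-force check, alice's successful logins from San Francisco and London one hour apart trip the geo-velocity check, and carol's four exports against a baseline of one trip the export threshold. A production CASB replaces the GEO table with a GeoIP lookup, derives baselines per user from history, and treats a login from an IP it cannot geolocate as its own signal rather than silently skipping it as this example does.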

Marketing experts Don Peppers and Martha Rogers said, “The only value your company will ever create is the value that comes from customers— the ones you have now and the ones you will have in the future. Businesses succeed by getting, keeping, and growing customers.” Information on customers is a critical asset that enterprises must protect. Salesforce is investing significantly in securing its applications, but under the shared responsibility model, enterprise customers are responsible for access to and use of their data. By using the Event Monitoring API together with a CASB, companies add a further layer of monitoring and security intelligence so that they can respond quickly to security threats. In an era of increased scrutiny, regulation, and penalties, this infrastructure lets companies maintain the necessary auditing, compliance, and governance.

McAfee for Salesforce – Event Monitoring API

Download to learn about how McAfee for Salesforce provides the deepest integration with Salesforce’s Event Monitoring APIs, enabling the industry’s most comprehensive audit, compliance and governance solution for Salesforce.com

About the Author

McAfee Cloud BU

Categories: Cloud Security