Threat management and security for Salesforce using Event Monitoring

For an enterprise to be able to manage threats it is imperative to gain visibility into user activities. In industries dealing with sensitive data, user activity logs are the key resource for security audits and compliance maintenance.

In the case of any breach or security incident, having logs of user events plays a crucial role in forensics and creating future security policies.

Access to user activity data and metrics helps CISOs (Chief Information Security Officer) and CIOs (Chief Information Officer) to be in full control of cloud and have visibility over who logins, from where and what activity the users are conducting in the Salesforce org.

How?

“Event monitoring” is a salesforce feature that provides granular details of user activity in your Salesforce organization. Once the feature is enabled in the Salesforce “Setup”, each activity is stored as an event in a log file that can be retrieved from the Salesforce API.

This log file can be parsed to generate information about individual events or track trends in events to swiftly identify abnormal behavior and safeguard the organization’s data.

Salesforce event monitoring provides tracking of key user activities, including:

• Logins
• Logouts
• URI (web clicks in Salesforce Classic)
• Lightning (web clicks, performance, and errors in Lightning Experience and the Salesforce mobile app)
• Visualforce page loads
• API calls
• Apex executions
• Report exports

Easier Said than Done!

Since this event log file is raw data format, a custom parser or a web service is required to translate this data and feed into a log management system such as Security Information and Event Management system called the SIEM.

Many enterprises use tools such as Splunk, ELK, or Graylog to collect and manage network and system logs — these are a type of SIEM used for cybersecurity. Salesforce event monitoring logs can be fed into a SIEM tool to manage and detect abnormal user behavior events.

The example below shows Salesforce user activities log analysis done using a SIEM called GrayLog,

Above is a pie chart of events generated in a Salesforce org categorized by the Event Types, such as rest API calls, Login events, and report exports.

A demo of a web service built to parse Salesforce events and send the Salesforce events to a SIEM is viewable at https://youtu.be/nmv2ykxA7RE

Capabilities

• Dashboards: As shown in the graphic above, the event data can be turned into informational charts to assist in seeing patterns, or identifying abnormalities in user activity.
• Correlation: A technique used to relate multiple data sets enabling complex logic that identifies trends and flags suspicious activity. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution. For example, Salesforce events such as repeated logins and massive report exports can be correlated with other events generated at a network or infrastructure level such as multiple login events, offsite activity etc to detect and intercept suspicious activities.
• Alerting: An automated analysis of correlated events and production of alerts that notify a set of recipients about an immediate triggering of an issue. Alerting can be done via email or custom messaging API.
• Retention: Employing long-term storage of historical user activities can be used to facilitate the correlation of data over time and to provide the retention necessary for compliance requirements. Long-term log data retention is critical in forensic investigations.

Use Cases

Forensic analysis: The ability to search across user events from Salesforce and other system based on a specific time period. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs manually.

Tracing suspicious activities: All Salesforce login attempt events, success or failure, can be fed to a log management system/SIEM and geo tracked to locate any suspicious login activity from an offsite location. You can filter these events to view just remote logins or categorize by usernames to see who recorded the most login and at what times or categorize by event names to see which events occurred the most inside your Salesforce. You can also create custom fields or rules to monitor for and generate an alert when events matching your criteria happens. For instance, if users of a certain organizations login from the United States and suddenly there is a login event tracing back from outside North America is a classic example of a compromised account especially if the event occurs during non-business hours.

Tracking changes to Salesforce organization: Changes to Salesforce org and its objects generates events that can be monitored for a number of reasons including administration audit & compliance purposes, security incident investigation, or better visibility of Salesforce org changes.

Data exfiltration detection: Having logs of each report exported from Salesforce whether, account, contacts, leads or from a custom object by which user at what time and location can be used to detect or identify of data exfiltration attempts. For example, a report export of activity of entire accounts records occurring during non-business hours can be deemed as a suspicious attempt for data exfiltration.

Compliance: Salesforce event data fed into SIEM can be employed towards gathering compliance data, producing reports for governance and auditing processes.

Are you looking to secure your Salesforce org or gain visibility into user activities for security and compliance? Slalom can help — please contact connect@slalom.com