
How To Simplify Security, Response, and Compliance in Salesforce

Keep your Salesforce data safe with Salesforce's suite of security products.

Security risks may be evolving, but so are our platform capabilities to help prevent them.

Last month, Own products officially became part of the Salesforce Platform. What does this mean for you? With Own security product capabilities now integrated into Salesforce Shield and Security Center, your organization can strengthen its security posture faster and more comprehensively than ever before. Additionally, the introduction of Backup & Recover, Data Mask & Seed, and Archive bolsters data protection and resilience for Salesforce customers.

The rising stakes – and root causes – of security incidents

SaaS security incidents are becoming more frequent and costly. These incidents include cyberattacks that steal and destroy data, as well as insider threats, which are often due to employee mistakes rather than malicious intent.

In response to these trends, regulators are implementing more stringent incident response and reporting requirements. These include the U.S. Securities & Exchange Commission (SEC) rules and the EU Network & Information Systems Security directive (NIS 2), which apply to a wide range of organizations in critical sectors. Other regulations specific to financial services companies and Information & Communications Technology (ICT) providers, including the Digital Operational Resilience Act (DORA) and the NYDFS 23 NYCRR 500, impose tight timeframes for reporting the characteristics of an incident and the measures taken to contain it.

How do these security incidents occur? Within SaaS platforms, possible causes range from admins lacking sufficient training to security controls like multi-factor authentication (MFA) not being utilized.

Other common issues include account takeovers via phishing emails, misconfigurations that expose sensitive data, exposure of API tokens in public repositories, unmasked data in development environments, accidental deletion of data (including metadata and mission-critical data), malicious destruction, and extortion attacks.

In short, everything from honest mistakes to deliberate criminal acts. Beyond avoiding these incidents in the first place, addressing them promptly and effectively reduces disruption and costs, and can prevent issues from escalating.


Best practices for mitigating and addressing security incidents

Implementing effective strategies is crucial for managing and minimizing the impact of security incidents. Here are five best practices to consider.

Practice 1. Detecting threats proactively

Logs are the most valuable resources for detecting and analyzing security incidents. You can see logs for both production Salesforce Orgs and development environments (Sandboxes). The default logs and audit trails available in a Salesforce Org are useful for detecting certain activities, such as configuration changes captured in the setup audit trail and unusual user login events. 

The logs available with Shield are far more comprehensive and detailed, adding an extra layer of security and performance monitoring. Shield Event Monitoring includes both Real-Time Event Monitoring (RTEM) and Event Log Files (ELF). RTEM is specifically designed for security monitoring and provides a data stream of over 20 security-oriented events, often with more details than the ELF for the same event. ELF, on the other hand, delivers a wide variety of events that support security, performance, user adoption, and general observability.

The enhanced risk intelligence provided by new capabilities from Own allows you to take a risk-prioritized approach to event monitoring, focusing on your highest-risk data and users. More specifically, event monitoring can concentrate on what Security Center prioritizes as “Objects that Should be Monitored” (OTSBM) and on high-risk user accounts.

Additionally, Threat Detection events are specifically designed using machine learning to alert on unusual activities. Such events include Report Anomaly, API Anomaly, Guest User Anomaly, Credential Stuffing, and Session Hijacking. Logs of these events provide many of the attributes needed for incident reporting, such as originating IP addresses, indicators of compromise (IoCs), and the scope of the impact.

Practice 2. Monitoring logs regularly 

Security monitoring works best when you’re routinely reviewing configuration changes and activity logs, not just scrambling to look at them after a security incident occurs. Regularly reviewing logs increases the chances of detecting an issue early, before it develops into a more serious problem. This is why cybersecurity regulations require it.

For instance, the New York Department of Financial Services (NYDFS) specifies that covered entities must “implement risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information.” The more familiar your incident responders are with Salesforce logs, the more likely they’ll spot deviations from normal activity and be better prepared to use the logs when an investigation is needed.

If you only realize after an incident occurs that you need detailed event logs, we have good news. Salesforce recently added Event Log Objects to Shield, enabling easy access to the past 30 days of many event types. It’s also possible for customers using both Shield Event Monitoring and Backup & Recover to export ELF files from their backups.

A smart practice is to collect Salesforce security-related events from all Salesforce Orgs and Sandboxes in a centralized security monitoring system to streamline daily review and analysis. Therefore, it should come as no surprise that some regulations are requiring solutions that centralize security event alerting. Salesforce Security Center 2.0 addresses this need. Security monitoring systems that use AI and Cyber Threat Intelligence (CTI) are especially advantageous for identifying suspicious and anomalous activities in large volumes of Salesforce logs.

The high velocity and volume of activities involved in agentic AI also increase the need to respond rapidly to security incidents in Salesforce environments.
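As an added illustration of Practices 1 and 2 (reviewing Event Log Files routinely and looking for the kind of pattern a Credential Stuffing event flags), the Python below scans a Login-type ELF export for source IPs that failed logins against many distinct usernames and reports whether the same IP later succeeded. This is example code, not Salesforce's or Own's; the CSV is constructed, and only the column names (EVENT_TYPE, TIMESTAMP_DERIVED, USER_NAME, SOURCE_IP, LOGIN_STATUS) and the two LOGIN_STATUS values are taken from the Login event type's ELF schema.

```python
"""Review a Salesforce Event Log File (ELF) 'Login' export for password-spray /
credential-stuffing style activity: many failed logins from one source IP across
many usernames.  Added example; the rows below are constructed, not real logs."""
import csv
import io
from collections import defaultdict

# Constructed sample: a subset of Login ELF columns with fictional users and
# documentation-range IPs.  198.51.100.9 fails against four users, then one
# login from it succeeds; 192.0.2.44 is a single user mistyping a password.
SAMPLE_LOGIN_ELF = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2025-01-10T08:00:01Z,alice@example.com,203.0.113.7,LOGIN_NO_ERROR
Login,2025-01-10T08:00:05Z,bob@example.com,198.51.100.9,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-01-10T08:00:06Z,carol@example.com,198.51.100.9,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-01-10T08:00:07Z,dave@example.com,198.51.100.9,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-01-10T08:00:08Z,erin@example.com,198.51.100.9,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-01-10T08:00:09Z,frank@example.com,198.51.100.9,LOGIN_NO_ERROR
Login,2025-01-10T08:01:00Z,bob@example.com,192.0.2.44,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-01-10T08:01:30Z,bob@example.com,192.0.2.44,LOGIN_NO_ERROR
"""


def load_login_events(elf_csv):
    """Parse one ELF CSV (as downloaded from the EventLogFile.LogFile field)."""
    return list(csv.DictReader(io.StringIO(elf_csv)))


def find_spray_sources(events, min_users=3):
    """Return {source_ip: finding} for IPs whose failed logins span at least
    `min_users` distinct usernames.  Each finding carries the attributes an
    incident report needs: the originating IP (an IoC), the usernames targeted
    (scope), and any usernames that did log in from that IP (likely compromise)."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for e in events:
        if e["EVENT_TYPE"] != "Login":
            continue  # a merged export may contain other event types
        bucket = succeeded if e["LOGIN_STATUS"] == "LOGIN_NO_ERROR" else failed
        bucket[e["SOURCE_IP"]].add(e["USER_NAME"])
    findings = {}
    for ip, users in failed.items():
        if len(users) >= min_users:
            findings[ip] = {
                "failed_users": sorted(users),
                "success_users": sorted(succeeded.get(ip, set())),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_spray_sources(load_login_events(SAMPLE_LOGIN_ELF)).items():
        print(ip, finding)
```

In a centralized monitoring setup the same function would run over the daily ELF pulls from every Org and Sandbox, with the threshold tuned to each Org's normal failure rate.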

Practice 3. Automating response actions

A proactive consolidated log monitoring strategy can reveal specific activities that are considered high-risk or policy violations within the organization. This approach allows for automated responses to be triggered when such activities are detected. Enhanced Transaction Security is a feature available for some real-time events that can be configured with specific policy rules that trigger a response when violated.

These responses can include blocking the activity, sending an alert, or requiring MFA. We recommend focusing on the digital assets that are of the highest value and sensitivity, as identified during data classification. Specifically, Salesforce activity monitoring and Transaction Security Policies can concentrate on components that contain sensitive information and are both in active use and widely accessible.


Practice 4. Scope assessment

Scope assessment is the process of determining the scale and impact of a security incident, including what data was exposed or exfiltrated. In Salesforce environments, this involves examining multiple logs and data sources to understand what occurred. The goal is to balance the need to quickly restore normal operations with a methodical approach to incident response and remediation.

Event Monitoring logs help address key questions during scope assessment, including what accounts were compromised, whether there was lateral movement into other Salesforce Orgs, and what data was exfiltrated. These logs also help reconstruct an event timeline to show the progression from the initial point of exposure, through lateral movement across multiple Salesforce Orgs, to the action on objectives such as data theft, account lockout, and ransom.

Practice 5. Incident response and reporting

After a security incident occurs, organizations have both internal and external reporting requirements. Although specific requirements vary by industry and region, there are several types of information that are commonly included:

  • Incident overview: Basic information about the incident, such as event timeline, affected systems, impact level, and discovery method. 
  • Indicators of compromise: Specific technical details like IP addresses, domain names, file hashes, log patterns, or other characteristics associated with the incident that can be used to detect future attacks related to the incident. 
  • TTPs: If applicable, the tactics, techniques, and procedures used by the attacker during the incident.
  • Threat actor information: If known, details about the malicious actor responsible for the attack.
  • Root cause and lessons learned: The root cause of the incident, measures that could have prevented it, and the ‘lessons learned’ that will inform future mitigations. This also covers the tactics and techniques used to effect recovery and how they could be improved in future incidents.
  • Steps taken to contain and remediate: Actions taken to contain and remediate the incident, such as locking down privileged accounts, implementing the Principle of Least Privilege, and encrypting sensitive fields.

Desirable outcomes of incident response include removing the threat and securing the system to prevent similar problems in the future. Shield provides powerful prevention capabilities for your Salesforce data. It’s important to understand your data architecture so that data items can be correctly identified, labeled, encrypted, and secured. 

The updated functionality of Security Center provides a robust solution for governing security and compliance more efficiently, proactively, and comprehensively. Security Center ensures that: system access is understood and configured securely, sensitive data is properly classified and controlled, and high-risk activities are monitored and remediated.

Protecting data with the Principle of Least Privilege through Security Center can prevent many common mishaps. Identifying the data is critical not only for complying with data privacy regulations, but also for assessing the scale and severity of impact in case of a data leak, loss, or corruption.

By consolidating security insights, configuration changes, and alerts from multiple Salesforce Orgs into a centralized console, Security Center facilitates incident analysis and reporting, streamlines risk mitigation activities, and enhances proactive audit capabilities.

Prevention is better than cure, but sometimes it still finds a way

While taking the steps above can help decrease the likelihood of security incidents, no organization is invincible. Data loss and corruption, often resulting from human error, can happen. In fact, the SEC cybersecurity incident disclosure specifically addresses accidental data loss. Data loss and corruption could even be caused by end-user integrations gone wrong, resulting in inadvertent data exposure or damage.

To protect against data loss or corruption, it’s essential to have automated backups of mission-critical data and metadata. Salesforce Backup & Recover enables rapid and precise restoration of Salesforce Orgs to a known state. Mission-critical, highly dynamic data can even be protected continuously. 

Smart Alerts automatically compare consecutive backups to detect deletion and corruption of valuable data, alerting customers of a problem that might otherwise go undetected and conversely, giving you peace of mind that data is protected and ready should the need arise. 

Ready to learn more? Take a closer look at everything Shield, Security Center, and Backup & Recover can do.
