Preventing Data Loss with Salesforce Event Monitoring
Event Monitoring Breakfast Briefing
October 26th 2017
Paul Gilmore, Solution Engineer
Jari Salomaa, Event Monitoring Product Manager
Sam Garforth, Solution Engineer
Andrea Stout, Legal
Forward-Looking Statements
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Statement under the Private Securities Litigation Reform Act of 1995
More Data Moves to the Cloud Than Ever Before
Opportunities to create a new kind of customer success
Financial Data
Social Data
Health Data
Web Data
Location Data
Businesses Need to Build Innovative and Trusted Apps
Building trusted apps can be challenging
A trusted app is: Secure, Compliant, Private, Transparent
[Diagram labels: Password Policies, MDM, Two Factor Authentication, Single Sign On (SSO), Identity, IP Login Restrictions, Data Sharing Rules, Audit Trail, Field Level Security, Encryption, HTTPS, Profiles and Permissions, Mobile Security]
Compliance and Security Concerns Stall Innovation
CIOs are struggling to balance innovation and compliance
Siloed systems, regulatory burdens
Customer expectations
IoT
Internal Processes
Marketing
Service
Sales
77% of customers are not engaged with companies
Salesforce Shield
Enhanced protection, monitoring, and retention for critical Salesforce data.
Infrastructure Services
Network Services
Application Services
Secure Data Centers
Backup and Disaster Recovery
HTTPS Encryption
Penetration Testing
Advanced Threat Detection
Identity & Single Sign On
Two Factor Authentication
User Roles & Permissions
Secure Firewalls
Real-time replication
Password Policies
Third Party Certifications
IP Login Restrictions
Customer Audits
Salesforce Shield
Platform Encryption
Event Monitoring
Field Audit Trail
Field and Row Security
Salesforce Shield
Enhanced protection, monitoring, and retention for critical Salesforce data.
Encrypt: Platform Encryption
Monitor: Event Monitoring
Audit: Field Audit Trail
46% greater team productivity
>120B encrypted operations / month
Meet compliance and industry regulations: Encrypt protected data and retain audit logs
Add additional security to your sensitive data: Monitor data access and enforce security policies
Drive Salesforce adoption and optimize performance: Enhance ROI, identify and improve key application usage patterns
Salesforce Shield
Enhanced protection, monitoring, and retention for critical Salesforce data.
Platform Encryption
Seamlessly protect sensitive data at rest: Encrypt standard & custom fields, files, and attachments
Natively integrated with key Salesforce features: Preserve key functionality such as search, lookups, validation rules, and chatter
Customer managed keys: Flexible key management providing more control and ownership of data security
Encrypt sensitive data at rest while preserving business functionality
Natively Encrypt Your Salesforce Data at Rest
Platform Encryption
Customer driven key lifecycle management
Uses secure derived keys that are never persisted in the Salesforce platform
Hardware Security Module based key management infrastructure
FIPS 140-2 compliant
Customer control over policy configuration
Select fields, files, and attachments to be encrypted
Encryption controlled with metadata to take complexity out of deployments
Preserve important functionality like search and business rules
Seamlessly upgraded with every Salesforce release
Standards based encryption built natively into the Salesforce platform
AES encryption using 256-bit keys
Layers seamlessly with other Salesforce security features
Encryption Services, Key Management, Policy Management, Platform Integration
Event Monitoring
Monitor and take action on user activity: Know who is accessing data from where
Drive user adoption: Analyze user behavior to drive training and adoption of Salesforce
Optimize performance: Proactively identify bottlenecks and high demand pages to improve user experience
Add visibility and automation to your Salesforce data
Field Audit Trail
Ensure data is accurate, complete, and reliable: Audit who, what, and when data changes
Establish data retention policies: Comply with internal and industry regulations
Track and access data at scale: Scalable data storage allows for greater business insights and longer data retention
Strengthen data integrity for compliance and gain business insight
Field Audit Trail
Strengthen data integrity for compliance and gain insight
[Diagram: custom and standard objects (Accounts, Opptys, Custom Objects) consolidate into the Field History Archive; timeline markers: after 3 months, after 12 months, after 18 months]
60 fields per object
Up to 10 years of history
Consistent query performance regardless of scale
Customizable retention policies
Async SOQL support for data analysis
Learn Salesforce with Trailhead
Jari Salomaa
Director, Product Management
IT Breakfast Briefing: Event Monitoring
Monitoring your Salesforce adoption, performance and compliance
User Engagement leads to Retention, which leads to Growth, which leads to $$$
How do you measure engagement?
How many users do you have? What is the growth or expansion plan?
How many monthly/weekly/daily active users do you have?
Numbers of MAU/WAU/DAU
What are the KPIs (key performance indicators)?
How to create stickiness and get users to come back?
What is the first-time experience?
What business logic works, what doesn’t work?
What is the best practice?
Takeaway: why monitoring makes sense
What’s the difference between “out of the box” vs Shield & Event Monitoring?
What’s available?
Salesforce Security Auditing, Analytics, and Actions at a Glance
Columns: Health Check | Audit Fields | Login History | Setup Audit Trail | Field History Tracking | Field Audit Trail | Event Monitoring
Purpose: Audit Org Security | Track who created or last modified a record user and time | Track end-user logins and login attempts (e.g. failures) | Track Administrative changes in setup like escalation of privileges or creation of new fields | Track state changes at the field level | Analysis: Track a variety of server interactions including report exports, page views, and document downloads | Action: Automate actionable security policies such as limiting data export or notifying on concurrent login sessions
Example: New admin inherits Salesforce Org | Tom Terminated modified the Acme account earlier today | Tom Terminated logged in using Chrome v 42.0 on Mac OSX | Permission set Modify All Data assigned to user Adam Torman | Tom Terminated changed the Case status from Open to Closed | Tom Terminated clicked on Marc Benioff’s patient record and downloaded the 20,000 rows of a customer list | Tom Terminated was prevented downloading the 20,000 rows customer list
Interface: Setup UI | Record Detail UI and API | Setup UI and API | Setup UI and API | Setup / Related List UI and API | API (CSV download) + Wave Integration | Setup UI
[Profile or Sharing] Permissions Required: View/Edit Health Check | *Read/Query requires sharing access to parent record | Manage User permission | *View Setup and Configuration permission | Configure requires Customize Application permission; *Read/Query requires sharing access to parent record | *View Event Log Files permission AND *View Login Forensics | Author Apex AND Customize Application
Data Retention Policy: 6 months FIFO | Life of the record / 18 Months depending on org inception date | 6 months FIFO | 6 months FIFO | 20 fields for 18 months | 60 fields for 10 years | Up to 30 days for Event Log Files and 10 years for Login Forensics | Doesn’t Apply
Pricing: $0 | $0 | $0 | $0 | $0 | ** $add-on | $0 - Login/Logout Event Log Files for 1 day; ** $add-on - 44 log files for 30 days + Login Forensics + Transaction Security
Online Docs: Health Check | Audit Fields | Login History | Setup Audit | Field History | Field Audit | Event Monitoring | Transaction Security
Why customers love Event Monitoring data…
Top Use Cases
Understand Application Adoption and User Engagement
• Who are your most active or productive users
• What are your most/least used resources
• Is your application and business logic working - be in your customer's shoes and optimize
Monitor Development and Application Performance
• Prioritize your application development efforts
• Make informed, data driven decisions
• Be ahead of your customers - don’t wait until they file a support ticket
Ensure Security and Compliance
• Identify and avoid data leakage
• Spot unusual, suspicious or impossible logins
• Elevate security with fine grain Transaction Security policies
• Don’t just detect - also prevent!
Why Application Analytics is important for business, developers and security!
Event Monitoring Features
Add Visibility and Automation to your Salesforce data
Event Monitoring with Transaction Security
Event Log Files: API-first service, 44 event types
Real Time Events*: Real time event streaming, policy actions and storage in database
Policy Management: Synchronous policy actions with flow engine or Apex
Machine Learning*: Anomaly detection for data leakage
Data Visualization: Integrated Analytics app and ISV ecosystem
*in pilot
Event Log Files
• Daily Event Log Files (GA)
• Hourly Event Log Files (Pilot - target Beta Spring ’18)
Event Log Files - Winter ’18
44 supported types
1. Apex Callout
2. Apex Execution
3. Apex SOAP
4. Apex Trigger
5. API
6. Asynchronous Run Report
7. Bulk API
8. Change Set Operation
9. Console
10. Content Distribution
11. Content Document Link
12. Content Transfer
13. Dashboard
14. Document Attachment Downloads
15. External Cross-Org Callout
16. External Custom Apex Callout
17. External OData Callout
18. Knowledge Article View
19. Lightning Error
20. Lightning Interaction
21. Lightning Page View
22. Lightning Performance
23. Login As
24. Login
25. Logout
26. Metadata API Operation
27. Multiblock Report
28. Package Install
29. Queued Execution
30. Report
31. Report Export
32. REST API
33. Sandbox
34. Search
35. Search Click
36. Sites
37. Platform Encryption
38. Time-Based Workflow
39. Transaction Security
40. URI
41. Visualforce Request
42. Wave Change
43. Wave Interaction
44. Wave Performance
Using EM: https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
SF Object Ref: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm
Real Time Events
New Event Monitoring 2.0 architecture
• Streaming user activity in real time through Kafka
• Trigger actions or alerts with Condition Builder flows
• Retaining Event data in database multiple years
Event Stream, Real Time Policy Actions and Event Store
New architecture to capture user behavior in Salesforce
Policy Management
Expanding to no-code policies
• Apex policies (GA)
• Lightning based Condition Builder (Pilot)
• No coding experience required
Transaction Security Condition Builder
New architecture to capture user behavior in Salesforce
DEMO!
Machine Learning
Post processing of events
• Anomaly Detection for Report Export & Data Leakage Use Case (pilot)
• Automated email notifications and alerts to your inbox
Introduction to Anomaly Detection
What is it?
● Anomaly Detection means identification of events which do not conform to an expected pattern
● Significant deviation from expected user behavior is reported as an anomaly
● Anomaly Detection Pilot uses artificial intelligence algorithms to track user behavior
● Salesforce does not look at customer data; instead we analyze how the users interact with the data
● The customer can provide feedback on whether the detected event poses a high, medium or low risk to their data
● This feedback trains our algorithm to detect suspicious activity more accurately
Salesforce Anomaly Detection*
How does it work?
● Salesforce is using a profile-based event detection algorithm to protect access to the customer data
● Collecting a 60-90 day window of a user’s API and Report log lines, we formulate a statistical baseline in about 24-48 hrs from the actual event
● Statistically significant changes in user behavior can indicate a potential risk (see list of detection rules on the right)
● These could be inside actors, malware on client systems or other potential threats
1. Average row count
2. Average row size
3. Autonomous System Number (ASN)
4. Day of the month
5. Day of the week
6. Hour of the day
7. Implied travel speed
8. IP Geolocation
9. Minute
10. Month of the year
11. Number of columns
12. Number of exception filters
13. Number of column to column filters
14. Number of filters
15. Number of historical filters
16. Number of snap historical filters
*Marketing Cloud, Commerce Cloud, Quip, SalesforceIQ not included in this pilot
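An added illustration of the profile-based approach described above (not Salesforce's algorithm and not code from this presentation): it builds a per-user baseline from historical report log lines and scores new events on two of the listed features, row count and hour of the day. The log layout, column names, user IDs and the z-score threshold are assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data); column names are assumptions.
BASELINE_LOG = """TIMESTAMP,USER_ID,ROW_COUNT
2017-09-04T09:12:00,u-alice,180
2017-09-05T10:03:00,u-alice,220
2017-09-06T09:47:00,u-alice,200
2017-09-07T11:20:00,u-alice,210
2017-09-04T14:05:00,u-bob,5000
2017-09-05T15:30:00,u-bob,5200
2017-09-06T14:45:00,u-bob,4800
2017-09-07T16:10:00,u-bob,5100
"""
NEW_LOG = """TIMESTAMP,USER_ID,ROW_COUNT
2017-10-25T02:14:00,u-alice,20000
2017-10-25T15:20:00,u-bob,5300
2017-10-25T09:00:00,u-carol,50
"""

def parse(text):
    """Yield (user, hour_of_day, row_count) for each log line."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["TIMESTAMP"])
        yield row["USER_ID"], ts.hour, int(row["ROW_COUNT"])

def build_baseline(text, min_events=4):
    """Per-user profile: mean/stdev of row count and the set of usual hours."""
    rows, hours = defaultdict(list), defaultdict(set)
    for user, hour, count in parse(text):
        rows[user].append(count)
        hours[user].add(hour)
    return {u: {"mean": statistics.mean(c), "stdev": statistics.stdev(c),
                "hours": hours[u]}
            for u, c in rows.items() if len(c) >= min_events}

def score(text, baseline, z_max=3.0):
    """Return {user: [reasons]} for events that deviate from the profile."""
    findings = defaultdict(list)
    for user, hour, count in parse(text):
        prof = baseline.get(user)
        if prof is None:  # no history for this user: report instead of guessing
            findings[user].append("no baseline")
            continue
        z = (count - prof["mean"]) / (prof["stdev"] or 1.0)
        if z > z_max:
            findings[user].append(f"row count z={z:.1f}")
        if hour not in prof["hours"]:
            findings[user].append(f"unusual hour {hour:02d}")
    return dict(findings)

print(score(NEW_LOG, build_baseline(BASELINE_LOG)))
```

A user whose exports are always large (u-bob here) is not flagged for a 5,300-row export, while the same absolute threshold applied org-wide would either miss u-alice's jump or alert on u-bob every day.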
Example
Data Visualization
Making data to meet your business needs
• Bundled Event Monitoring Analytics App (formerly known as Wave App)
• Active ecosystem of ISV solutions for variety of use cases including adoption, performance and security
Use a large ecosystem of partners for insights and policies
Explore the Different Use Case Benefits
Easy to use business analytics for any user
General log collection, analytics Security analytics and security policies
Built for the business minded user and provides user behavioral analytics
Application Performance Monitoring (APM) with Insights
Open source tooling for low-cost but very powerful analytics
Event denormalization for usernames
Event denormalization for usernames, reports, files, dashboards
Event denormalization for usernames, reports, files, dashboards
Event denormalization for usernames, reports, files, dashboards, custom objects
Configurable but not available out of the box
Configurable but not available out of the box
15 events, configurable for 1-30 days with 50 million rows limit (upgradable to Analytics Platform)
All events, no limits available for free for existing Splunk customers
All events, no limits (built into the price)
All events, no limits included in price; supports Hourly & Real time
All events, no limits All events, no limits with code example for Salesforce connector
10 user licenses included (purchase Analytics Platform licenses for more users)
Cloud vs On-premise pricing (roughly ~100GB is $10k)
$5/user per month with multi-app discounts
$2-$15/user per month; multi-app discounts; dedicated technical account manager included
Unlimited users, priced at $250 / 75M Events / month
No user licensing, open source technology “do it yourself”
16 Dashboards for adoption, performance and security
80 dashboards across app management, SFDC adoption and security
Multiple dashboards around security and compliance
Analytic Library of 60+ pre-built reports for security, compliance, performance and usage & adoption, Multiple dashboards
Multiple dashboards for performance monitoring
“Do it yourself”
Contact: Umair Rauf / Jari Salomaa Salesforce
Contact: Elias Haddad, PM Splunk, Jason Conger, SE
Contact: Jennifer Sands PM, Andrew Davidson BD
Contact: Chris Arnold PM FairWarning, Mike Mason
Contact: Heiko Leibenath, Steven Scheinfield BD
Github example code
Summary
1. Event Log Files
2. Real Time Events
3. Policy Management with Transaction Security
4. Machine Learning and Anomaly Detection
5. Data Visualization with Event Monitoring Analytics App and number of ISV solutions