
Exploring the examination process of Salesforce security breaches through a forensic lens

Discover Strategic Protocol Analysis for Proactive Cyber Attack Investigation and Response.


Salesforce has introduced a comprehensive forensic guide to assist businesses in investigating security incidents within their environments. The guide consolidates best practices in three central areas: activity logs, user permissions, and backup data.

The Who Sees What Explorer tool in the Security Center allows administrators to view profiles, permission sets, sharing rules, and role hierarchies in a consolidated view. This consolidation is crucial for understanding user access and permissions within an organisation.

Regular log monitoring is another essential practice. By becoming familiar with the typical activity in a Salesforce environment, administrators can more easily detect deviations from it, including external attacks and insider threats. Event Log Files (ELF), delivered in CSV format, support security, performance, user acceptance, and general observability use cases.

Real-Time Event Monitoring (RTEM) is a key component of Salesforce's forensic toolset. It includes threat detection events that apply statistical and machine learning methods to raise alerts on unusual activity. The RTEM ApiEventStream records which datasets and fields were queried, so in a case of data exfiltration via the API it shows what was taken, which is crucial information for an incident investigation.

The guide emphasises the importance of following the principle of least privilege to restrict user access and permissions. This principle can help prevent unauthorised access to sensitive data.

Event Log Objects (ELO) provide low-latency logs covering many of the event types currently represented in ELF. Log details, especially from RTEM, can provide crucial information for an incident investigation, including the specifics of any data exfiltration.

Backups are invaluable for ensuring data integrity and restoring damaged data to a known good state. Regularly backing up data serves as a third central information source, enabling the restoration of affected data and providing a reference to track changes.

Transaction Security Policies (TSP) can block an activity, send a warning message, or require Multi-Factor Authentication (MFA). Policies can also be combined to trigger a workflow that automates follow-up actions in real time. Extended transaction security is a feature available for certain RTEM events; it is configured with specific policy rules that trigger a response when they are violated.

Shield Event Monitoring is the Salesforce feature that provides the forensic visibility into API calls, report exports, and file downloads. Salesforce Analytics Studio can build threat monitoring and incident investigation dashboards on top of that data, further aiding the investigation process.

Companies that proactively prepare for security incidents affecting business-critical Salesforce data are better equipped to identify, investigate, and resolve issues quickly. Restricting guest user permissions in Salesforce Digital Experience portals can prevent unwanted data exposure. Field History Tracking can help determine if certain fields were changed during an incident.

Log details can be used to build incident timelines, assess scope, determine the cause, notify affected customers, and report to stakeholders or regulatory bodies. By following the guidelines in the Salesforce forensic guide, businesses can strengthen their security posture and respond effectively to security incidents.
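As an added illustration of the deviation-from-normal log review and timeline building described above (example code written for this summary, not from Salesforce's guide), the following script baselines each user's usual API query volume from constructed ApiEvent-style CSV records and flags queries that dwarf it; the column names and sample values are assumptions, not a guaranteed match to the real ELF/RTEM schema.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample modelled loosely on Salesforce ApiEvent records; the column
# names are assumptions for this example, not a guaranteed match to the real schema.
SAMPLE_CSV = """EventDate,UserId,Username,SourceIp,QueriedEntities,RowsProcessed
2024-03-01T09:02:11Z,005A1,alice@example.com,203.0.113.10,Account,120
2024-03-01T09:40:52Z,005A1,alice@example.com,203.0.113.10,Contact,95
2024-03-01T10:15:03Z,005B2,bob@example.com,198.51.100.7,Opportunity,40
2024-03-01T11:05:30Z,005A1,alice@example.com,203.0.113.10,Account,130
2024-03-02T02:19:01Z,005A1,alice@example.com,192.0.2.55,Account,52000
2024-03-02T02:17:44Z,005A1,alice@example.com,192.0.2.55,"Contact,Lead",48000
"""

def parse_events(text):
    """Parse ELF-style CSV text into dicts, with RowsProcessed as an int."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["RowsProcessed"] = int(e["RowsProcessed"])
    return events

def flag_exfiltration(events, factor=10, floor=1000):
    """Flag queries whose row count dwarfs the user's own typical volume.

    Baseline is the per-user median of RowsProcessed (robust to the outliers
    being hunted); `floor` stops tiny baselines from flagging normal use. Hits
    are also tagged if they came from an IP the user never used normally.
    """
    rows_by_user, ips_by_user = defaultdict(list), defaultdict(set)
    for e in events:
        rows_by_user[e["UserId"]].append(e["RowsProcessed"])
    flagged = []
    for e in events:
        if e["RowsProcessed"] > max(floor, factor * median(rows_by_user[e["UserId"]])):
            flagged.append(e)
        else:
            ips_by_user[e["UserId"]].add(e["SourceIp"])  # IPs seen in normal use
    for e in flagged:
        e["NewSourceIp"] = e["SourceIp"] not in ips_by_user[e["UserId"]]
    return sorted(flagged, key=lambda e: e["EventDate"])  # ISO timestamps sort as text

def incident_summary(flagged):
    """Build the timeline and scope (entities touched) that triage needs."""
    entities = set()
    for e in flagged:
        entities.update(x.strip() for x in e["QueriedEntities"].split(","))
    return {"first_seen": flagged[0]["EventDate"] if flagged else None,
            "entities": sorted(entities),
            "timeline": [(e["EventDate"], e["Username"], e["SourceIp"],
                          e["RowsProcessed"]) for e in flagged]}
```

Feed real exported ApiEvent CSV through `parse_events` once the column names have been mapped to the actual schema; the median baseline is deliberately per user, so a bulk-integration account is judged against its own history rather than against interactive users.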
