
Preventing Data Loss with Salesforce Event Monitoring

Please find the slides from our recent Salesforce Shield breakfast briefing in London: Preventing Data Loss with Salesforce Event Monitoring - 26th October.


  1. Event Monitoring Breakfast Briefing, October 26th 2017. Paul Gilmore, Solution Engineer; Jari Salomaa, Event Monitoring Product Manager; Sam Garforth, Solution Engineer; Andrea Stout, Legal
  2. Forward-Looking Statements. Statement under the Private Securities Litigation Reform Act of 1995. This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  3. More Data Moves to the Cloud Than Ever Before. Opportunities to create a new kind of customer success: Financial Data, Social Data, Health Data, Web Data, Location Data
  4. Businesses Need to Build Innovative and Trusted Apps. Building trusted apps can be challenging. A trusted app is: Secure, Compliant, Private, Transparent. Diagram labels: Password Policies, MDM, Two Factor Authentication, SSO, Identity, IP Login Restrictions, Data Sharing Rules, Single Sign On, Audit Trail, Sharing Rules, Field Level Security, Encryption, HTTPS, Profiles and Permissions, Mobile Security
  5. Compliance and Security Concerns Stall Innovation. CIOs are struggling to balance innovation and compliance. Siloed systems, regulatory burdens, customer expectations. IoT, Internal Processes, Marketing, Service, Sales. 77% of customers are not engaged with companies
  6. Salesforce Shield: Enhanced protection, monitoring, and retention for critical Salesforce data. Infrastructure Services, Network Services, Application Services: Secure Data Centers, Backup and Disaster Recovery, HTTPS Encryption, Penetration Testing, Advanced Threat Detection, Identity & Single Sign On, Two Factor Authentication, User Roles & Permissions, Secure Firewalls, Real-time replication, Password Policies, Third Party Certifications, IP Login Restrictions, Customer Audits. Salesforce Shield: Platform Encryption, Event Monitoring, Field Audit Trail, Field and Row Security
  7. Salesforce Shield: Enhanced protection, monitoring, and retention for critical Salesforce data. Encrypt: Platform Encryption. Monitor: Event Monitoring. Audit: Field Audit Trail
  8. Salesforce Shield: Enhanced protection, monitoring, and retention for critical Salesforce data. 46% greater team productivity. >120B encrypted operations / month. Meet compliance and industry regulations: Encrypt protected data and retain audit logs. Add additional security to your sensitive data: Monitor data access and enforce security policies. Drive Salesforce adoption and optimize performance: Enhance ROI, identify and improve key application usage patterns
  9. Platform Encryption. Seamlessly protect sensitive data at rest: Encrypt standard & custom fields, files, and attachments. Natively integrated with key Salesforce features: Preserve key functionality such as search, lookups, validation rules, and chatter. Customer managed keys: Flexible key management providing more control and ownership of data security. Encrypt sensitive data at rest while preserving business functionality
  10. Natively Encrypt Your Salesforce Data at Rest. Platform Encryption. Customer driven key lifecycle management; Uses secure derived keys that are never persisted in the Salesforce platform; Hardware Security Module based key management infrastructure; FIPS 140-2 compliant; Customer control over policy configuration; Select fields, files, and attachments to be encrypted; Encryption controlled with metadata to take complexity out of deployments; Preserve important functionality like search and business rules; Seamlessly upgraded with every Salesforce release; Standards based encryption built natively into the Salesforce platform; AES encryption using 256-bit keys; Layers seamlessly with other Salesforce security features. Encryption Services, Key Management, Policy Management, Platform Integration
  11. Event Monitoring. Monitor and take action on user activity: Know who is accessing data from where. Drive user adoption: Analyze user behavior to drive training and adoption of Salesforce. Optimize Performance: Proactively identify bottlenecks and high demand pages to improve user experience. Add visibility and automation to your Salesforce data
  12. Field Audit Trail. Ensure data is accurate, complete, and reliable: Audit who, what, and when data changes. Establish data retention policies: Comply with internal and industry regulations. Track and access data at scale: Scalable data storage allows for greater business insights and longer data retention. Strengthen data integrity for compliance and gain business insight
  13. Field Audit Trail: Strengthen data integrity for compliance and gain insight. Diagram labels: Custom and Standard Objects (Accounts, Opptys, Custom Objects); Consolidate; Field History Archive; After 3 months; After 12 months; After 18 months; 60 fields per object. Up to 10 years of history; Consistent query performance regardless of scale; Customizable retention policies; Async SOQL support for data analysis
  14. Learn Salesforce with Trailhead
  15. Jari Salomaa, Director, Product Management. IT Breakfast Briefing: Event Monitoring. Monitoring your Salesforce adoption, performance and compliance
  16. User Engagement leads to Retention, which leads to Growth, which leads to $$$
  17. How do you measure engagement? How many users do you have? What is the growth or expansion plan? How many monthly/weekly/daily active users do you have (numbers of MAU/WAU/DAU)? What are the KPIs (key performance indicators)? How do you create stickiness and get users to come back? What is the first time experience? What business logic works, what doesn't work? What is the best practice?
  18. Takeaway: why monitoring makes sense
  19. What's the difference between "out of the box" vs Shield & Event Monitoring?
  20. What's available? Salesforce Security Auditing, Analytics, and Actions at a Glance
      Health Check | Audit Fields | Login History | Setup Audit Trail | Field History Tracking | Field Audit Trail | Event Monitoring
      Purpose: Audit Org Security | Track who created or last modified a record user and time | Track end-user logins and login attempts (e.g. failures) | Track Administrative changes in setup like escalation of privileges or creation of new fields | Track state changes at the field level | Analysis: Track a variety of server interactions including report exports, page views, and document downloads | Action: Automate actionable security policies such as limiting data export or notifying on concurrent login sessions
      Example: New admin inherits Salesforce Org | Tom Terminated modified the Acme account earlier today | Tom Terminated logged in using Chrome v 42.0 on Mac OSX | Permission set Modify All Data assigned to user Adam Torman | Tom Terminated changed the Case status from Open to Closed | Tom Terminated clicked on Marc Benioff's patient record and downloaded the 20,000 rows of a customer list | Tom Terminated was prevented downloading the 20,000 rows customer list
      Interface: Setup UI | Record Detail UI and API | Setup UI and API | Setup UI and API | Setup / Related List UI and API | API (CSV download) + Wave Integration | Setup UI
      [Profile or Sharing] Permissions Required: View/Edit Health Check | *Read/Query requires sharing access to parent record | Manage User permission | *View Setup and Configuration permission | Configure requires Customize Application permission; *Read/Query requires sharing access to parent record | *View Event Log Files permission AND *View Login Forensics | Author Apex AND Customize Application
      Data Retention Policy: 6 months FIFO | Life of the record / 18 Months depending on org inception date | 6 months FIFO | 6 months FIFO | 20 fields for 18 months | 60 fields for 10 years | Up to 30 days for Event Log Files and 10 years for Login Forensics | Doesn't Apply
      Pricing: $0 | $0 | $0 | $0 | $0 | ** $add-on | $0 - Login/Logout Event Log Files for 1 day; ** $add-on - 44 log files for 30 days + Login Forensics + Transaction Security
      Online Docs: Health Check | Audit Fields | Login History | Setup Audit | Field History | Field Audit | Event Monitoring | Transaction Security
  21. Why customers love Event Monitoring data…
  22. Top Use Cases. Understand Application Adoption and User Engagement: Who are your most active or productive users; What are your most/least used resources; Is your application and business logic working - be in your customer's shoes and optimize. Monitor Development and Application Performance: Prioritize your application development efforts; Make informed, data driven decisions; Be ahead of your customers - don't wait until they file a support ticket. Ensure Security and Compliance: Identify and avoid data leakage; Spot unusual, suspicious or impossible logins; Elevate security with fine grain Transaction Security policies; Don't just detect - also prevent! Why Application Analytics is important for business, developers and security!
  23. Event Monitoring Features
  24. Add Visibility and Automation to your Salesforce data. Event Monitoring with Transaction Security. Event Log Files: API-first service, 44 event types. Real Time Events*: Real time event streaming, policy actions and storage in database. Policy Management: Synchronous policy actions with flow engine or Apex. Machine Learning*: Anomaly detection for data leakage. Data Visualization: Integrated Analytics app and ISV ecosystem. *in pilot
  25. Event Log Files: Daily Event Log Files (GA); Hourly Event Log Files (Pilot - target Beta Spring '18)
  26. Event Log Files - Winter '18: 44 supported types. 1. Apex Callout 2. Apex Execution 3. Apex SOAP 4. Apex Trigger 5. API 6. Asynchronous Run Report 7. Bulk API 8. Change Set Operation 9. Console 10. Content Distribution 11. Content Document Link 12. Content Transfer 13. Dashboard 14. Document Attachment Downloads 15. External Cross-Org Callout 16. External Custom Apex Callout 17. External OData Callout 18. Knowledge Article View 19. Lightning Error 20. Lightning Interaction 21. Lightning Page View 22. Lightning Performance 23. Login As 24. Login 25. Logout 26. Metadata API Operation 27. Multiblock Report 28. Package Install 29. Queued Execution 30. Report 31. Report Export 32. REST API 33. Sandbox 34. Search 35. Search Click 36. Sites 37. Platform Encryption 38. Time-Based Workflow 39. Transaction Security 40. URI 41. Visualforce Request 42. Wave Change 43. Wave Interaction 44. Wave Performance
      Using EM: https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
      SF Object Ref: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm
  27. Real Time Events. New Event Monitoring 2.0 architecture:
      • Streaming user activity in real time through Kafka
      • Trigger actions or alerts with Condition Builder flows
      • Retaining Event data in database for multiple years
  28. Event Stream, Real Time Policy Actions and Event Store. New architecture to capture user behavior in Salesforce
  29. Stream, Real Time Policy Actions and Store. New architecture to capture user behavior in Salesforce
  30. Stream, Real Time Policy Actions and Store. New architecture to capture user behavior in Salesforce
  31. Policy Management. Expanding to no-code policies:
      • Apex policies (GA)
      • Lightning based Condition Builder (Pilot)
      • No coding experience required
  32. Transaction Security Condition Builder. New architecture to capture user behavior in Salesforce
  33. DEMO!
  34. Machine Learning. Post processing of events:
      • Anomaly Detection for Report Export & Data Leakage Use Case (pilot)
      • Automated email notifications and alerts to your inbox
  35. Introduction to Anomaly Detection. What is it?
      ● Anomaly Detection means identification of events which do not conform to an expected pattern
      ● Significant deviation from expected user behavior is reported as an anomaly
      ● Anomaly Detection Pilot uses artificial intelligence algorithms to track user behavior
      ● Salesforce does not look at customer data; instead we analyze how the users interact with the data
      ● The customer has the ability to provide feedback on whether the detected event poses a high, medium or low risk to their data
      ● This feedback trains our algorithm to detect suspicious activity more accurately
  36. Salesforce Anomaly Detection*. How does it work?
      ● Salesforce is using a profile-based event detection algorithm to protect access to the customer data
      ● Collecting a 60-90 day window of a user's API and Report log lines, we formulate a statistical baseline in about 24-48 hrs from the actual event
      ● Statistically significant changes in user behavior can indicate a potential risk (see list of detection rules on the right)
      ● These could be inside actors, malware on client systems or other potential threats
      Detection rules: 1. Average row count 2. Average row size 3. Autonomous System Number (ASN) 4. Day of the month 5. Day of the week 6. Hour of the day 7. Implied travel speed 8. IP Geolocation 9. Minute 10. Month of the year 11. Number of columns 12. Number of exception filters 13. Number of column to column filters 14. Number of filters 15. Number of historical filters 16. Number of snap historical filters
      *Marketing Cloud, Commerce Cloud, Quip, SalesforceIQ not included in this pilot
  37. Example
  38. Data Visualization. Making data meet your business needs:
      • Bundled Event Monitoring Analytics App (formerly known as Wave App)
      • Active ecosystem of ISV solutions for a variety of use cases including adoption, performance and security
  39. Use a large ecosystem of partners for insights and policies. Explore the Different Use Case Benefits
      Easy to use business analytics for any user | General log collection, analytics | Security analytics and security policies | Built for the business minded user and provides user behavioral analytics | Application Performance Monitoring (APM) with Insights | Open source tooling for low-cost but very powerful analytics
      Event denormalization for usernames | Event denormalization for usernames, reports, files, dashboards | Event denormalization for usernames, reports, files, dashboards | Event denormalization for usernames, reports, files, dashboards, custom objects | Configurable but not available out of the box | Configurable but not available out of the box
      15 events, configurable for 1-30 days with 50 million rows limit (upgradable to Analytics Platform) | All events, no limits, available for free for existing Splunk customers | All events, no limits (built into the price) | All events, no limits, included in price; supports Hourly & Real time | All events, no limits | All events, no limits, with code example for Salesforce connector
      10 user licenses included (purchase Analytics Platform licenses for more users) | Cloud vs On-premise pricing (roughly ~100GB is $10k) | $5/user per month with multi-app discounts | $2-$15/user per month; multi-app discounts; dedicated technical account manager included | Unlimited users, priced at $250 / 75M Events / month | No user licensing, open source technology, "do it yourself"
      16 Dashboards for adoption, performance and security | 80 dashboards across app management, SFDC adoption and security | Multiple dashboards around security and compliance | Analytic Library of 60+ pre-built reports for security, compliance, performance and usage & adoption; multiple dashboards | Multiple dashboards for performance monitoring | "Do it yourself"
      Contact: Umair Rauf / Jari Salomaa, Salesforce | Contact: Elias Haddad, PM Splunk, Jason Conger, SE | Contact: Jennifer Sands PM, Andrew Davidson BD | Contact: Chris Arnold PM FairWarning, Mike Mason | Contact: Heiko Leibenath, Steven Scheinfield BD | Github example code
  40. Summary: 1. Event Log Files 2. Real Time Events 3. Policy Management with Transaction Security 4. Machine Learning and Anomaly Detection 5. Data Visualization with Event Monitoring Analytics App and a number of ISV solutions
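
The profile-based baseline described on the "How does it work?" anomaly detection slide, sketched as an added example (not Salesforce's algorithm and not part of the presentation): it builds a per-user row-count baseline from a short constructed window and checks two of the listed rules, average row count and implied travel speed. The event tuple layout, the thresholds and every sample value are assumptions made for illustration.

```python
import math
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data. The tuple layout (user, ISO time, rows exported,
# lat, lon) is hypothetical and is not the Event Log File schema.
BASELINE_WINDOW = [
    ("tom", "2017-10-02T09:10:00", 180, 51.51, -0.13),
    ("tom", "2017-10-09T10:05:00", 220, 51.51, -0.13),
    ("tom", "2017-10-16T09:40:00", 200, 51.51, -0.13),
    ("tom", "2017-10-23T11:15:00", 240, 51.51, -0.13),
    ("tom", "2017-10-25T09:30:00", 160, 51.51, -0.13),
]
NEW_EVENTS = [
    ("tom", "2017-10-26T09:00:00", 210, 51.51, -0.13),     # in line with baseline
    ("tom", "2017-10-26T10:00:00", 20000, 40.71, -74.01),  # bulk export, distant IP
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(min(1.0, a)))

def build_profiles(events):
    """Per-user baseline: mean/stddev of row count plus the last seen event."""
    rows, last = {}, {}
    for user, ts, n, lat, lon in sorted(events, key=lambda e: e[1]):
        rows.setdefault(user, []).append(n)
        last[user] = (datetime.fromisoformat(ts), lat, lon)
    return {u: {"mean": mean(r), "std": pstdev(r), "last": last[u]}
            for u, r in rows.items()}

def detect(events, profiles, z_limit=3.0, max_kmh=1000.0):
    """Return (user, timestamp, reasons) for events that deviate from the profile."""
    findings = []
    for user, ts, n, lat, lon in sorted(events, key=lambda e: e[1]):
        prof = profiles.get(user)
        if prof is None:  # nothing to compare against: surface it, do not guess
            findings.append((user, ts, ["no baseline for user"]))
            continue
        reasons = []
        z = (n - prof["mean"]) / (prof["std"] or 1.0)  # flat history: std of 0
        if z > z_limit:
            reasons.append(f"row count z-score {z:.1f}")
        when = datetime.fromisoformat(ts)
        prev_when, plat, plon = prof["last"]
        hours = (when - prev_when).total_seconds() / 3600
        km = haversine_km(plat, plon, lat, lon)
        if km > 0 and (hours <= 0 or km / hours > max_kmh):
            reasons.append(f"implied travel speed over {max_kmh:.0f} km/h")
        prof["last"] = (when, lat, lon)  # next event is measured from here
        if reasons:
            findings.append((user, ts, reasons))
    return findings
```

Calling `detect(NEW_EVENTS, build_profiles(BASELINE_WINDOW))` flags only the second event, for both the row-count deviation and the implied travel speed.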
