Salesforce Shield is one of the most important tools for mitigating risk in Salesforce, and includes four key components to help customers better secure their Salesforce org. One of those is Event Monitoring, which helps organizations improve data security and forensic investigations within Salesforce. Event Monitoring essentially documents and exports the raw audit log files from your Salesforce orgs. These log files are a record of user activity within your instance – also known as “events.”
By monitoring your org’s events, you can better protect your organization’s sensitive data and identify abnormal behavior. However, given the nearly endless volume of activity these events can produce (especially in larger orgs), you can imagine how the tool could quickly become overwhelming.
At OwnBackup, many of the orgs we support have hundreds to thousands of users, hundreds of objects, 10,000+ fields, and 20 or more different Shield Real Time Event Monitoring events. No admin can (or should for that matter) realistically protect every bit of information in their org. That’s why the first step in effective and efficient monitoring in Salesforce is understanding what to protect through data classification. But what should you do beyond that?
In this blog, we’ll go over some Event Monitoring Basics, explain how OwnBackup Secure can help, and provide a crawl, walk, run approach to getting the most value from Shield Event Monitoring.
The Salesforce Shield Event Monitoring license includes Real Time Event Monitoring (RTEM), which contains three key components for those interested in user activity monitoring for security purposes.
Most security policies dictate that event information be stored for at least 3-6 months to facilitate forensics efforts in the case of a breach or event. Salesforce RTEM provides a minimum of six months of storage, thereby meeting most policy requirements in this regard.
In a forensic effort, you’re likely to be most interested in events like ApiEventStream, BulkApiResultEvent, Lightning/UriEventStream, ListViewEventStream, and ReportEventStream, since these let you rebuild or replay what happened. Consider that some or most of these objects are likely to contain millions of event records to sort through. Many events will be routine operations against non-sensitive data, while others (in the event of an incident or breach) will be anomalous activity against sensitive data.
How does Secure help?
Shield RTEM includes the powerful ability to block and/or notify on anomalous behavior in the org. Not all events can be used in RTEM policies, but for those that can, event fields such as “Queried Entities” again play a critical role in reducing noise and unwarranted blocking. Key events supporting Queried Entities and other essential event fields are ApiEvent, BulkApiResultEventStore (Query), ListViewEvent, and ReportEvent.
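The noise-reduction idea behind Queried Entities, shown as an added example (not OwnBackup’s or Salesforce’s code): the script below takes RTEM-style event records, keeps only those whose queried objects intersect a data-classification list of sensitive objects, and rolls them up per user, flagging users whose sensitive-object row volume looks like bulk extraction. The event records are constructed, and the field names (Username, Operation, QueriedEntities, RowsProcessed) are assumed to match the ApiEvent/ReportEvent shape.

```python
import json
from collections import defaultdict

# Constructed sample events in the shape of RTEM ApiEvent / ReportEvent /
# ListViewEvent records, as a SIEM might receive them. All values are invented.
SAMPLE_EVENTS_JSON = """
[
 {"EventType": "ApiEvent", "Username": "alice@example.com", "Operation": "Query",
  "QueriedEntities": "Account, Contact", "RowsProcessed": 120000},
 {"EventType": "ReportEvent", "Username": "bob@example.com", "Operation": "ReportExported",
  "QueriedEntities": "Opportunity", "RowsProcessed": 3500},
 {"EventType": "ApiEvent", "Username": "alice@example.com", "Operation": "Query",
  "QueriedEntities": "Lead", "RowsProcessed": 40},
 {"EventType": "ListViewEvent", "Username": "carol@example.com", "Operation": "ListViewExport",
  "QueriedEntities": "", "RowsProcessed": 10}
]
"""

# Objects tagged as sensitive by data classification (constructed list).
SENSITIVE_OBJECTS = {"Contact", "Opportunity"}

def load_events(text=SAMPLE_EVENTS_JSON):
    return json.loads(text)

def parse_queried_entities(raw):
    """Split the comma-separated QueriedEntities value into a set of object names."""
    return {name.strip() for name in (raw or "").split(",") if name.strip()}

def sensitive_events(events, sensitive=SENSITIVE_OBJECTS):
    """Yield only events whose queried objects intersect the sensitive set."""
    for ev in events:
        hit = parse_queried_entities(ev.get("QueriedEntities")) & sensitive
        if hit:
            yield {**ev, "SensitiveEntities": sorted(hit)}

def summarize_by_user(events, sensitive=SENSITIVE_OBJECTS, row_threshold=100000):
    """Roll sensitive-object events up per user and flag users whose total rows
    processed against sensitive objects reach the threshold (bulk-extraction signal)."""
    summary = defaultdict(lambda: {"events": 0, "rows": 0, "entities": set(), "flag": False})
    for ev in sensitive_events(events, sensitive):
        s = summary[ev["Username"]]
        s["events"] += 1
        s["rows"] += int(ev.get("RowsProcessed", 0))
        s["entities"].update(ev["SensitiveEntities"])
        s["flag"] = s["rows"] >= row_threshold
    return dict(summary)

if __name__ == "__main__":
    for user, s in summarize_by_user(load_events()).items():
        print(user, s["events"], s["rows"], sorted(s["entities"]), "FLAG" if s["flag"] else "")
```

Of the four constructed events only two touch classified objects, and only alice’s large Contact query is flagged; carol’s export of an unclassified list view never reaches the analyst.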
How does Secure help?
Streaming events in near real time supports active monitoring operations in a Security Operations Center (SOC). SOC personnel are commonly equipped with a Security Incident Event Management (SIEM) system that is fed logs and events from across the enterprise and includes the ability to detect, analyze, and respond to security threats before they harm business operations. SIEMs can apply custom rules for filtering, correlating, storing, alerting, and so on, all to reduce noise and focus SOC personnel on potential incidents or breaches in progress. Shield RTEM can feed the SIEM with near-real-time user activity events in support of this mission.
How does Secure help?
If your company is new to Salesforce Shield Event Monitoring, taking the following crawl, walk, run approach (or a modified version of it) can help ensure you realize full value from your investment.
But before you do anything else, use Secure to classify your data quickly and accurately. Trying to use spreadsheets is likely to take months and often results in failure. This is NOT the step to skip, as identifying the “what to protect” is the foundation of an improved org security posture.
The combination of Salesforce Shield Real Time Event Monitoring with OwnBackup Secure can be powerful. Together, the two solutions enable protection and awareness of anomalous behaviors that otherwise cannot be resolved using standard Salesforce security controls on their own.
To learn more, click here to see how OwnBackup can help you implement Salesforce Shield 80% faster with OwnBackup Secure for Shield.