How Own From Salesforce Streamlines Security, Response, and Compliance

Eoghan Casey, Field CTO | Field Technology Strategist, Own from Salesforce
Matthew O'Neill, Field CTO, International, Own from Salesforce

Last week, Own products officially became part of the Salesforce Platform, including Own Secure capabilities that are now integrated into Salesforce Shield and Security Center, empowering organizations to strengthen their security posture more quickly and comprehensively. 

The timing of this integration is crucial, as SaaS security incidents are becoming more frequent and costly. These incidents include cyberattacks that steal and destroy data, as well as insider threats, which are often due to employee mistakes rather than malicious intent.

Within Salesforce specifically, possible causes of security incidents range from admins lacking sufficient training to security controls such as multi-factor authentication (MFA) not being used. Other common issues include account takeovers via phishing emails, misconfigurations that expose sensitive data, exposure of API tokens in public repositories, unmasked data in development environments, accidental deletion of data (including metadata and mission-critical data), malicious destruction, and extortion attacks: in short, everything from accidents to criminal acts. Beyond avoiding these incidents in the first place, addressing them promptly and effectively reduces disruption and costs, and can prevent issues from escalating.

Organizations can counter security incidents more efficiently and effectively using the powerful capabilities of Salesforce Shield. Shield helps prevent and limit the impact of incidents by accelerating protection, detection, scope assessment, and root cause analysis. 

Importantly, Shield provides the information needed for incident reporting to satisfy internal requirements and regulatory compliance. Additionally, Security Center now leverages the enhanced automation features from Own to accelerate data classification, permissions management, security insights, risk intelligence, and compliance reporting. The codified expertise now integrated into Shield and Security Center reduces by 80% on average the time to establish and maintain a secure Salesforce Org.

Updated Reporting Requirements

In response to these trends, regulators worldwide are implementing more stringent incident response and reporting requirements. Effective incident reporting is critical for decision-making and cyber threat intelligence (CTI), and can even serve as evidence in legal proceedings.

In 2023, the U.S. Securities & Exchange Commission (SEC) adopted new cybersecurity incident disclosure requirements, which include reporting the steps taken to remediate the incident.

In 2024, the New York Department of Financial Services (NYDFS) updated the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), requiring an initial incident notification within 72 hours and a more comprehensive incident analysis report within 30 days.

CISA provides notification requirements for U.S. Federal government agencies. 

From January 2025, the Digital Operational Resilience Act (DORA) requires financial institutions and Information & Communications Technology (ICT) providers to submit initial notification within 24 hours, followed by a more detailed report within 48 hours that includes characteristics of the incident and measures taken to contain the incident. 

The Network & Information Systems Security (NIS 2) directive has comparable reporting requirements that apply to a wider range of organizations in critical sectors.

Best Practices for Mitigating and Addressing Salesforce Security Incidents

Detecting threats proactively

Logs are the most valuable resources for detecting and analyzing security incidents in Salesforce environments, including both production orgs and development environments (sandboxes). The default logs and audit trails available in a Salesforce Org are useful for detecting certain activities, such as configuration changes captured in the Setup Audit Trail and unusual user login events. 

The logs available with Shield are far more comprehensive and detailed, adding a layer of security and performance monitoring. Salesforce Event Monitoring includes both Real-Time Event Monitoring (RTEM) and Event Log Files (ELF). RTEM is specifically designed for security monitoring and provides a data stream of over 20 security-oriented events, often with more details than the ELF for the same event. ELF, on the other hand, delivers a wide variety of events that support security, performance, user adoption, and general observability.

Additionally, Threat Detection events are specifically designed using machine learning to alert on unusual activities. These include Report Anomaly, API Anomaly, Guest User Anomaly, Credential Stuffing, and Session Hijacking. These logs provide many of the attributes needed for incident reporting, such as originating IP addresses, indicators of compromise (IoCs), and the scope of the impact. 

Monitoring logs regularly

Security monitoring is most effective when someone is responsible for routinely reviewing configuration changes and activity logs, rather than only looking at these information sources after a security incident occurs. Regularly reviewing logs increases the chances of detecting an issue early, before it develops into a more serious problem. This is why cybersecurity regulations require it. For instance, the NYDFS specifies that covered entities must “implement risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information.” The more familiar incident responders are with Salesforce logs, the more likely they are to notice deviations from normal activity and be better prepared to use the logs in an investigation.

An effective practice is to collect Salesforce security-related events from all Salesforce Orgs and sandboxes in a centralized security monitoring system to enable daily review and analysis. Therefore, it should come as no surprise that some regulations are requiring solutions that centralize security event alerting. Security monitoring systems that use AI and Cyber Threat Intelligence (CTI) are especially advantageous for identifying suspicious and anomalous activities in large volumes of Salesforce logs.
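As an added illustration of the log review described in the two sections above (example code, not code from Own or Salesforce), the following Python parses a constructed extract of Salesforce Event Log File "Login" rows and surfaces two patterns a daily reviewer would want flagged: one source address failing password checks against many distinct users (a password-spraying or credential-stuffing pattern), and a successful login from an address a user has not used before. The column names follow the ELF Login event type; the row values and the KNOWN_IPS baseline are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed extract of ELF "Login" rows (a subset of the real columns); all values are made up.
SAMPLE_ELF = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2025-03-03T08:00:01Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR
Login,2025-03-03T08:01:10Z,alice@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-03-03T08:01:11Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-03-03T08:01:12Z,carol@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-03-03T08:01:13Z,dave@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2025-03-03T08:01:20Z,dave@example.com,198.51.100.7,LOGIN_NO_ERROR
Login,2025-03-03T09:15:00Z,bob@example.com,203.0.113.10,LOGIN_NO_ERROR
"""

# Constructed baseline: addresses each user was seen logging in from before this review window.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.10"}}

def parse_elf(text):
    """ELF files are CSV with a header row; DictReader yields one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))

def find_password_spray(rows, min_users=3):
    """Source IPs whose failed password attempts span at least min_users distinct users."""
    failed_users = defaultdict(set)
    for r in rows:
        if r["LOGIN_STATUS"] == "LOGIN_ERROR_INVALID_PASSWORD":
            failed_users[r["SOURCE_IP"]].add(r["USER_NAME"])
    return {ip: sorted(u) for ip, u in failed_users.items() if len(u) >= min_users}

def find_new_ip_logins(rows, known_ips):
    """Successful logins from an address the user has never used (possible account takeover)."""
    return [
        (r["TIMESTAMP_DERIVED"], r["USER_NAME"], r["SOURCE_IP"])
        for r in rows
        if r["LOGIN_STATUS"] == "LOGIN_NO_ERROR"
        and r["SOURCE_IP"] not in known_ips.get(r["USER_NAME"], set())
    ]

def triage(text, known_ips=KNOWN_IPS):
    """Run both checks; a new-IP success from a spraying source is the top-priority finding."""
    rows = parse_elf(text)
    spray = find_password_spray(rows)
    new_ip = find_new_ip_logins(rows, known_ips)
    confirmed = [hit for hit in new_ip if hit[2] in spray]
    return {"spray_sources": spray, "new_ip_logins": new_ip, "success_after_spray": confirmed}
```

In a real deployment the same functions would run over the daily ELF download for every Org and sandbox, with the baseline of known addresses built from prior weeks rather than hard-coded.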

The high velocity and volume of activities involved in agentic AI increase the need to respond rapidly to security incidents in Salesforce environments.

Automating response actions

A proactive consolidated log monitoring strategy can reveal specific activities that are considered high risk or policy violations within the organization. This approach allows for automated responses to be triggered when such activities are detected. Enhanced Transaction Security is a feature available for some real-time events that can be configured with specific policy rules that trigger a response when violated.

These responses can include blocking the activity, sending an alert, or requiring MFA. It is advisable to focus on the digital assets of the highest value and sensitivity, as identified during data classification. Specifically, Salesforce activity monitoring and Transaction Security Policies can be targeted at the components that contain sensitive information and are in use and widely accessible.

Scope Assessment

Scope assessment is the process of determining the scale and impact of a security incident, including what data was exposed or exfiltrated. In Salesforce environments, this involves examining multiple logs and data sources to understand what occurred. The goal is to balance the need to quickly restore normal operations with a methodical approach to incident response and remediation.

Event Monitoring logs help address key questions during scope assessment, including what accounts were compromised, whether there was lateral movement into other Salesforce Orgs, and what data was exfiltrated. These logs also help reconstruct an event timeline to show the progression from the initial point of exposure, through lateral movement across multiple Salesforce Orgs, to the action on objectives such as data theft, account lockout, and ransom.

Incident response and reporting

After a security incident occurs, organizations have both internal and external reporting requirements. Although specific requirements vary by industry and region, there are several types of information that are commonly included:

  • Incident overview: Basic information about the incident, such as event timeline, affected systems, impact level, and discovery method. 
  • Indicators of compromise: Specific technical details like IP addresses, domain names, file hashes, log patterns, or other characteristics associated with the incident that can be used to detect future attacks related to the incident. 
  • TTPs: If applicable, the tactics, techniques, and procedures used by the attacker during the incident.
  • Threat actor information: If known, details about the malicious actor responsible for the attack.
  • Root cause and lessons learned: The root cause of the incident, measures that could have prevented it, and the ‘lessons learned’ that will inform future mitigations, including the tactics and techniques used to effect recovery and how they could be improved in future incidents.
  • Steps taken to contain and remediate: Actions taken to contain and remediate the incident, such as locking down privileged accounts, implementing the Principle of Least Privilege, and encrypting sensitive fields.

Rapid Incident Recovery

Security incidents can also include data loss and corruption, often resulting from human error. In fact, the SEC cybersecurity incident disclosure specifically addresses accidental data loss. Data loss and corruption could even be caused by misconfigured AI co-pilots or end-user integrations gone wrong, resulting in inadvertent data exposure or damage. 

Through the Shared Responsibility Model, Salesforce is responsible at the platform level, but the customer is responsible for the data. Due to the dynamic nature of Salesforce Orgs and data, when a security incident occurs within a customer’s Org that causes data loss or corruption, there is no assurance that it can be recovered. Therefore, it is essential to have automated backups of mission critical data and metadata.

Salesforce Backup & Recover enables rapid and precise restoration of Salesforce Orgs to a known state. Mission-critical, highly dynamic data can even be protected continuously. The Smart Alerts feature automatically compares consecutive backups to detect deletion and corruption of valuable data, alerting customers to a problem that might otherwise go undetected and, conversely, giving comfort that data is protected and ready should the need arise. Salesforce supports customers with Data Recovery Readiness and Response (DR3™) assessments to ensure they can respond and recover quickly from data loss incidents.

Prevention is better than cure, but sometimes it still finds a way

Desirable outcomes of incident response include removing the threat and securing the system to prevent similar problems in the future. Most Salesforce security incidents result from misconfiguration and over-provisioning. Shield provides powerful prevention capabilities, but these only work when they are enabled. Understanding your data architecture is important so that data items can be correctly identified, labeled, encrypted, and secured. 

The updated functionality of Salesforce Security Center with automated Salesforce security expertise from Own provides a robust and proven solution for governing security and compliance more efficiently, proactively, and comprehensively. This combined solution ensures that system access is understood and configured securely, that sensitive data is properly classified and controlled, and that high-risk activities are monitored and remediated.

Protecting data with the Principle of Least Privilege through Security Center can prevent many common mishaps. Identifying the data is critical not only for complying with data privacy regulations, but also for assessing the scale and severity of impact in case of a data leak, loss, or corruption. Capabilities such as the Who Sees What Explorer and the Field History Explorer provide additional protection and should be used regularly to ensure the Salesforce Org is operating as designed.

By consolidating security insights, configuration changes, and alerts from multiple Orgs into a centralized console, Security Center facilitates incident analysis and reporting, streamlines risk mitigation activities, and enhances proactive audit capabilities.

Learn more about the enhanced Salesforce Trusted Services solutions here, including Shield, Security Center, and Backup & Recover. You can get more information about Data Recovery Readiness and Response (DR3™) in this datasheet and eBook.