{"id":790,"date":"2023-08-29T06:24:00","date_gmt":"2023-08-29T06:24:00","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2023\/08\/29\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge-2\/"},"modified":"2023-08-29T06:24:00","modified_gmt":"2023-08-29T06:24:00","slug":"data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge-2","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2023\/08\/29\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge-2\/","title":{"rendered":"Data Enrichment and Automation: Helping Salesforce Security Overcome the Threat Identification Challenge"},"content":{"rendered":"<p><em>By Matt Saunders and Scott Nyberg<\/em><\/p>\n<p>In our \u201cEngineering Energizers\u201d Q&amp;A series, we examine the professional life experiences that have shaped Salesforce Engineering leaders. Meet Matt Saunders, a Principal Member of the Technical Staff at Salesforce, supporting the Detection and Response Machine Learning team. 
In his role, Matt focuses on safeguarding Salesforce\u2019s network by detecting dangerous threats at their source.<\/p>\n<p>Read on to learn how Matt and his team leverage data enrichment to enhance threat detection at Salesforce, using a cutting-edge approach that tracks billions of events each day.<\/p>\n<h4 class=\"wp-block-heading\"><strong>What is your background?<\/strong><\/h4>\n<p>With over 7 years in cybersecurity and extensive experience in data analytics, my journey has encompassed security incident detection and response, machine learning, threat detection, and security orchestration and automation.<\/p>\n<p>At Salesforce, I closely collaborate with a diverse team of data scientists, threat researchers, and security specialists on numerous projects ranging from building data pipelines to efficiently processing the data from those pipelines to detecting anomalies and risks within the data.<\/p>\n<h4 class=\"wp-block-heading\"><strong>What was the greatest challenge your team faced?<\/strong><\/h4>\n<p>Our team manages the monumental task of tracking billions of daily events originating from the Salesforce CRM platform, as well as Salesforce products such as Heroku, Slack, and Commerce Cloud. Within this sea of data, identifying sources of malicious activity proves extremely challenging as just one in a million events requires our team to raise an alert or take immediate corrective action.<\/p>\n<p>The data we receive includes traditional identifiers like user IDs and IP addresses, which do not deliver sufficient insights. Diving deeper, IP addresses alone are not good indicators of good or bad activity, since they change often and may be shared by multiple people simultaneously. Operating in this dynamic landscape enables bad actors to constantly switch IP addresses, sharing them unbeknownst to their legitimate owners.<\/p>\n<p>It remains highly impractical for humans to review even a fraction of this traffic volume. 
Consequently, the team relies on data enrichment, correlation, and automation to distinguish high-risk events from normal, everyday traffic.<\/p>\n<h4 class=\"wp-block-heading\"><strong>How does data enrichment, correlation, and automation help address that challenge?<\/strong><\/h4>\n<p>To provide useful analysis of raw log data, the team cross-references IP addresses with other key internal databases to enrich the data with context and correlate it with other identifiers.<\/p>\n<p>Enriching the log data with contextual information offers additional analysis and detection options\u2014including the ability to query and group log lines by the geographic location the user resided in.<\/p>\n<p>For example, instead of merely comparing a user\u2019s IP address to previous history or to a list of addresses that have been reported for bad activity, the team compares the user\u2019s current geographic location or browser features with their previous activities.<\/p>\n<p>The team then automates thousands of comparisons per second\u2014detecting anomalies in the log stream around the clock without requiring operator intervention. Anomalies are scored according to their risk level. 
The most serious incidents receive swift attention, either escalated to an administrator, or handled through automated rules.<\/p>\n<p>Browser fields, such as user agent, can also be used to distinguish between normal and unusual activity and are correlated with the user ID.<\/p>\n<p>Ultimately, customers benefit because their accounts and data are kept safer, while incident response teams can correlate multiple detections across different customers to identify a pattern of activity, providing much more information about the actors behind it.<\/p>\n<h4 class=\"wp-block-heading\"><strong>What are your steps for identifying malicious actors?<\/strong><\/h4>\n<div class=\"wp-block-group is-layout-constrained wp-block-group-is-layout-constrained\">\n<div class=\"wp-block-group is-layout-constrained wp-container-15 wp-block-group-is-layout-constrained\">\n<p>My team\u2019s methodological process unveils and reports malicious actors in six steps:<\/p>\n<p><strong>Ingest raw log data<\/strong>. The process begins with a volume of log data flowing in from diverse sources. Various formats and identifiers\u2014including widely prevalent IP addresses\u2014are key components of this data collection.<\/p>\n<p><strong>Smartly organize the logs<\/strong>. The team automatically categorizes logs by type, time, date, and other overarching categories\u2014enabling streamlined queries.<\/p>\n<p><strong>Infuse context<\/strong>. To add layers of insight, the team infuses raw log data with enriched context. In the case of IP addresses, the team adds information like the probable geographic location and the source IP\u2019s network owner at the time of an event.<\/p>\n<p><strong>Perform context-driven analysis<\/strong>. Having additional context in hand allows more analysis opportunities. For instance, comparing a user\u2019s current and historical locations helps formulate a picture of the normalcy or abnormality of their current whereabouts. 
This comparison would be impossible with an IP address alone.<\/p>\n<p><strong>Determine anomaly score<\/strong>. Small deviations from established norms collectively define an overall anomaly score. Once the score exceeds a predetermined threshold, a detection event is triggered.<\/p>\n<p><strong>Inform and engage the consumer<\/strong>. The team closes the loop by informing the affected consumer about the detection event. For example, an unusual login attempt may result in the user receiving a warning message saying, \u201cYour account was accessed from a location near Denver, Colorado\u2014was this you?\u201d This is data the consumer can understand and respond to.<\/p>\n<\/div>\n<\/div>\n<h4 class=\"wp-block-heading\"><strong>When is the best time to enrich the data?<\/strong><\/h4>\n<p>The team may enrich as early as possible\u2014during ingestion\u2014or may delay until the final step, when internal users or customers read a notification concerning their account. Both have advantages, supporting different types of enrichments.<\/p>\n<p>In the first case, logs are enriched with context as early as possible to the time the log was generated. This remains appropriate for managing dynamic identifiers like IP addresses, enabling the team to capture the context of the IP addresses at the event\u2019s inception.<\/p>\n<div class=\"wp-block-group is-layout-constrained wp-block-group-is-layout-constrained\">\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-18 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-group is-layout-constrained wp-container-17 wp-block-group-is-layout-constrained\">\n<p><em>Early enrichment at ingestion time.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>Conversely, waiting to enrich until users read their warning message suits scenarios where the team must include the affected users in a report. This requires the user\u2019s updated contact information, even if the report cites data from months ago. 
Another advantage of delayed enrichment is that data remains independent of the reporting pipeline and data store, empowering the team to add enrichments to their reports on short notice.<\/p>\n<div class=\"wp-block-group is-layout-constrained wp-container-20 wp-block-group-is-layout-constrained\">\n<p><em>Late enrichment at reporting time.<\/em><\/p>\n<\/div>\n<div class=\"wp-block-group is-layout-constrained wp-container-21 wp-block-group-is-layout-constrained\">\n<h4 class=\"wp-block-heading\"><strong>Learn more<\/strong><\/h4>\n<p>Interested in more security stories? <a href=\"https:\/\/engineering.salesforce.com\/tackling-cyber-threats-with-automation-inside-salesforces-cutting-edge-security-strategy\/\">Read this blog<\/a> to learn how India\u2019s threat detection team specializes in protecting Salesforce\u2019s network by thwarting malicious threats.<\/p>\n<p>Stay connected \u2014 join our <a href=\"https:\/\/flows.beamery.com\/salesforce\/eng-social-2023\">Talent Community<\/a>!<\/p>\n<p><a href=\"https:\/\/www.salesforce.com\/company\/careers\/teams\/tech-and-product\/?d=cta-tms-tp-2\">Check out our Technology and Product teams<\/a> to learn how you can get involved.<\/p>\n<p>Discover the latest best practices for cybersecurity. 
Check out the <a href=\"https:\/\/security.salesforce.com\/blog\">Salesforce Security Blog<\/a>.<\/p>\n<\/div>\n<p>The post <a href=\"https:\/\/engineering.salesforce.com\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge\/\">Data Enrichment and Automation: Helping Salesforce Security Overcome the Threat Identification Challenge<\/a> appeared first on <a href=\"https:\/\/engineering.salesforce.com\/\">Salesforce Engineering Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/engineering.salesforce.com\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\" rel=\"noopener\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>By Matt Saunders and Scott Nyberg In our \u201cEngineering Energizers\u201d Q&amp;A series, we examine the professional life experiences that have shaped Salesforce Engineering leaders. Meet Matt Saunders, a Principal Member of the Technical Staff at Salesforce, supporting the Detection and Response Machine Learning team. 
In his role, Matt focuses on safeguarding Salesforce\u2019s network by detecting&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2023\/08\/29\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge-2\/\">Continue reading <span class=\"screen-reader-text\">Data Enrichment and Automation: Helping Salesforce Security Overcome the Threat Identification Challenge<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-790","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":754,"url":"https:\/\/fde.cat\/index.php\/2023\/08\/29\/data-enrichment-and-automation-helping-salesforce-security-overcome-the-threat-identification-challenge\/","url_meta":{"origin":790,"position":0},"title":"Data Enrichment and Automation: Helping Salesforce Security Overcome the Threat Identification Challenge","date":"August 29, 2023","format":false,"excerpt":"By Matt Saunders and Scott Nyberg In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional life experiences that have shaped Salesforce Engineering leaders. Meet Matt Saunders, a Principal Member of the Technical Staff at Salesforce, supporting the Detection and Response Machine Learning team. 
In his role, Matt focuses on\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":726,"url":"https:\/\/fde.cat\/index.php\/2023\/06\/21\/tackling-cyber-threats-with-automation-inside-salesforces-cutting-edge-security-strategy\/","url_meta":{"origin":790,"position":1},"title":"Tackling Cyber Threats with Automation: Inside Salesforce\u2019s Cutting-edge Security Strategy","date":"June 21, 2023","format":false,"excerpt":"In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. In this special edition, we meet Avinash Reddy Thumma, lead threat detection engineer for Salesforce. Based in Hyderabad, India, Avinash\u2019s threat detection team specializes in protecting Salesforce\u2019s network by thwarting malicious threats. Read\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":780,"url":"https:\/\/fde.cat\/index.php\/2023\/10\/31\/new-automation-tools-stopping-hundreds-of-future-threats-instantly\/","url_meta":{"origin":790,"position":2},"title":"New Automation Tools: Stopping Hundreds of Future Threats Instantly","date":"October 31, 2023","format":false,"excerpt":"By Yogi Kapur and Scott Nyberg In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. Meet Yogi Kapur, Senior Director of Salesforce\u2019s Global Computer Security Incident Response Team (CSIRT). 
Based in Hyderabad, India, Yogi leads his cybersecurity analyst team in responding to\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":788,"url":"https:\/\/fde.cat\/index.php\/2023\/10\/31\/new-automation-tools-stopping-hundreds-of-future-threats-instantly-2\/","url_meta":{"origin":790,"position":3},"title":"New Automation Tools: Stopping Hundreds of Future Threats Instantly","date":"October 31, 2023","format":false,"excerpt":"By Yogi Kapur and Scott Nyberg In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. Meet Yogi Kapur, Senior Director of Salesforce\u2019s Global Computer Security Incident Response Team (CSIRT). Based in Hyderabad, India, Yogi leads his cybersecurity analyst team in responding to\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":816,"url":"https:\/\/fde.cat\/index.php\/2024\/01\/23\/the-power-of-ai-strengthening-application-security-by-eliminating-secrets-in-code\/","url_meta":{"origin":790,"position":4},"title":"The Power of AI: Strengthening Application Security by Eliminating Secrets in Code","date":"January 23, 2024","format":false,"excerpt":"By Krishna Pandey and Scott Nyberg. In our \u201cEngineering Energizers\u201d Q&A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. Meet Krishna Pandey, Director of Security Engineering at Salesforce. 
Based in Bangalore, India, his Application Security Technology (AST) team powers Salesforce\u2019s source code security program, charged with\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":840,"url":"https:\/\/fde.cat\/index.php\/2024\/03\/20\/aiops-engineering-secrets-revealed-how-ai-and-automation-slash-thousands-of-manual-hours-annually\/","url_meta":{"origin":790,"position":5},"title":"AIOps Engineering Secrets Revealed: How AI and Automation Slash Thousands of Manual Hours Annually","date":"March 20, 2024","format":false,"excerpt":"In our \u201cEngineering Energizers\u201d Q&A series, we explore the remarkable journeys of engineering leaders who have made significant contributions in their respective fields. Today, we meet Sravanthi Konduru, a Lead Member of the Technical Staff for Salesforce Engineering, who helps drive the development of the Warden AIOps platform. Explore how\u2026","rel":"","context":"In 
&quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=790"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/790\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}