In today’s interconnected enterprise and cloud ecosystem, Salesforce is a powerful, secure platform that offers significant benefits for managing strong, lasting customer relationships. However, Salesforce’s success makes it a target for cybercriminal activity. Now used at over 150,000 enterprises worldwide, Salesforce and your Salesforce customer-related data are prominent marks for bad actors and cybercriminals. Let’s discuss how WithSecure Cloud Protection for Salesforce complements Salesforce for organizations of any size.
Shared Responsibility is the first step towards securing Salesforce
Salesforce follows the Shared Responsibility Model, which emphasizes that security is a joint effort between Salesforce and its customers. Other cloud providers, including Amazon Web Services, Google Cloud, and Microsoft Azure, also utilize this model. Simply stated, the Shared Responsibility Model means the cloud provider is responsible for securing their cloud services and the underlying infrastructure. Customers are responsible for protecting their data, even though it is stored in the cloud environment.
Accordingly, customers must understand what security measures Salesforce does not provide to address these gaps. Recognizing the security limitations of what Salesforce offers is an essential first step in developing a comprehensive security strategy for Salesforce.
Scanning for malware, phishing, spam and ransomware is left to the customer
Salesforce is dedicated to establishing standards in SaaS (software-as-a-service) and being a reliable partner in customer security. To enhance the security of a Salesforce instance, Salesforce offers various recommendations for customers to implement. One of the key suggestions is to use security solutions like WithSecure Cloud Protection for Salesforce, which provides spam filtering and malware protection.
Haven’t we solved the malware problem?
Malware, viruses, spam, trojans, etc., continue to wreak havoc on enterprises. According to the recent IBM Cost of a Data Breach Report 2024, the average cost of a malware attack in 2024 is around $5.24 million globally, up 10 percent from 2023. Specific organizational losses have been much higher when factoring in the additional ransomware costs.
There are many effective server, desktop and mobile scanning solutions to thwart malware. However, the rise of cloud-provided applications has further complicated malware detection because, in the case of Salesforce, documents, files, etc., often legitimately bypass enterprise scanning systems.
When a user uploads a file or attachment to Salesforce, no native file scanning is applied. These documents almost always, by their nature, bypass the normal enterprise-level scanning mechanisms. Further, the lack of automatic scanning allows an external user to attach a malicious file, putting Salesforce data at risk.
Today, enterprises need a broad defense and in-depth approach to thwart these threats and complement Salesforce security.
How WithSecure Cloud Protection for Salesforce works
The WithSecure Cloud Protection for Salesforce solution is the simplest way to stop file, URL and QR code-based cyber threats like malware, ransomware and phishing attacks on your Salesforce cloud. Here is how it works:
1. A user, unwittingly or knowingly, uploads malicious files, attachments, URLs or QR codes to a Salesforce platform. It might be from web forms, partner portals, emails, or third-party applications.
2. WithSecure Cloud Protection for Salesforce intercepts and scans all content entering and leaving Salesforce in real-time for threats using a multi-stage threat analysis process. Content can also be scanned retrospectively on-demand.
3. All data stays in the Salesforce cloud. Only suspicious files that cannot be detected as threats based on global threat intelligence checks are evaluated for a deeper behavioral analysis. The files are sent to the WithSecureSecurity Cloud, where they are analyzed in an isolated sandboxing environment to detect even the stealthiest and most sophisticated cyber threats.
4. When a threat is detected, administrators are automatically alerted. The end-user is advised on what to do next, and further use of the content is prevented.
5. Advanced security analytics with full audit trails speed up the incident response. Relevant data, alerts, and workflows can be easily integrated into SIEM or other centralized security systems.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is designed to reduce the risk of advanced cyber threats targeting Salesforce. It offers:
Real-time protection and immediate visibility into your entire environment
Seamless integration with your customizations and workflows
Full support for the infrastructure security controls that Salesforce provides
This solution meets the stringent compliance requirements of modern enterprises and critical public sector organizations, making it an excellent choice for enhancing your Salesforce security.
Developed in collaboration with Salesforce, WithSecure Cloud Protection for Salesforce is used and recommended by Salesforce.
To learn more about WithSecure Cloud Protection for Salesforce:
Learn more about WithSecure Cloud Protection for Salesforce in our newest video, 60 Seconds with WithSecure.
Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance.
As the risk of cyber-attacks increases, understanding how to protect your Salesforce environment from malware becomes a priority. Salesforce’s approach to securing Salesforce is based on the Shared Responsibility Model (SRM). This model can be somewhat intricate to understand. At its most basic level, Salesforce is responsible for securing its infrastructure and ecosystem. In addition, Salesforce offers several specialized, value-added security solutions, such as Salesforce Shield (for platform encryption, event monitoring, and audit reporting), Salesforce Data Mask (enables admins and developers to mask sensitive data in sandboxes such as personally identifiable information (PII) or sales revenue), and the Salesforce Privacy Center (tools to help manage GDPR and PII governance).
However, under the SRM, Salesforce customers – administrators, architects, security teams, and users – must understand their responsibilities. Customers, for example, are responsible for protecting their data, using the right access controls and permission sets, and securing the objects within Salesforce.
Most importantly, in the area of data protection, Salesforce does not offer capabilities for detecting and preventing malware, ransomware or phishing links. Salesforce encourages customers to form a relationship with vendors, such as WithSecure Cloud Protection for Salesforce, to avoid malware and phishing attacks from occurring within their Salesforce.
How does malicious data get into Salesforce?
Salesforce has evolved extensively since its beginning as a sales automation platform in the 1990s. Today, it is used by over 150,000 organizations globally to manage sales and service organizations and to maintain customer relationship data. Users constantly import, share, store and export data files, attachments, URLs and QR codes associated with customers, partners, community members, and internal employees. Typical use cases for importing and exporting files include email-to-case, web-to-case, and third-party custom apps that allow users to upload documents. Each file and attachment uploaded to Salesforce opens the door to malware exposure, which can quickly propagate across the instance.
Malicious files, URLs and QR codes pose risks to Salesforce customers
The presence of malicious files is on the rise within Salesforce. These files contain or are conduits for ransomware, phishing exploits, viruses, worms, keyloggers, trojans, spyware, adware etc. Between Q2 2023 and Q2 2024, there has been a roughly 400% increase in malicious files found within Salesforce.
URLs and QR codes are increasingly the trigger point for malicious activity. To protect Salesforce users, WithSecure Cloud Protection for Salesforce scans hundreds of thousands of URLs each month. On average, 1.5% of URLs uploaded to Salesforce are malicious. And, that percentage will likely grow in the future.
Case Study: An unprotected Salesforce instance leads to a Ransomware attack
An enterprise organization presented WithSecure Cloud Protection for Salesforce with a particular scenario they had experienced. In this scenario, an attacker leveraged Salesforce to infect the company’s network.
The attacker, posing as a customer, sent an email to the company to steal vital data. The email contained a malicious attachment. The enterprise user who received the email opened the attachment. That triggered a few exploitations, leading to malware that infected the user’s machine and installed a keylogger on the infected device. The attacker gained domain administration access and launched a command-and-control power shuttle script, which deployed ransomware at hundreds of workstations within the company’s local area network.
Had this enterprise been using WithSecure Cloud Protection for Salesforce, the preceding scenario would have been much different. WithSecure’s goal is to stop all attacks within the Salesforce cloud.
WithSecure Cloud Protection for Salesforce scans files and attachments. The following screenshot shows the File Protection Settings screen.
If malicious content is detected, WithSecure will quarantine the suspicious file attachments in a safe sandbox environment, as shown in the following screenshot.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is a native application that runs in your Salesforce environment. The app prevents malicious, suspicious and disallowed content from entering your Salesforce environment via files, web links, QR codes and email messages.
WithSecure Cloud Protection for Salesforce focuses on securing Salesforce to mitigate advanced cyber threats on Salesforce. It:
Provides real-time protection and instant visibility into your entire environment
Works seamlessly with your customizations and workflows
Fully complements the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce meets the strict compliance requirements of modern enterprises and critical public sector organizations. It is an ideal choice for enhancing your Salesforce security.
WithSecure Cloud Protection for Salesforce was designed in collaboration with Salesforce.
Salesforce initially set out to create a sales-focused software app delivered in a revolutionary model: Software-as-a-Service (SaaS). Early versions of the app were modest. It was focused on only sales automation and forecasting. It did not support importing, storing or downloading files or attachments. But, as it grew in popularity, Salesforce grew more sophisticated. Now, it is the world’s leading, preeminent customer relationship management (CRM) service and supports a massive ecosystem including a broad set of internally developed and third-party developed applications.
Files and documents everywhere
Millions of files are uploaded to and exported from Salesforce daily. Administrators, users, executives, etc., interact with forms, templates, reports, email messages, logos, images, etc., for various use cases. Some examples of documents imported/exported from Salesforce include:
Email templates (for example, to promote a new product that salespeople can customize for their customers).
Email-to-Case files (Email-to-Case turns customer emails into cases for the support team).
Documents imported from Salesforce communities.
Some of these files likely contain malicious content from either a malicious user or an unwitting user merely passing along an unvetted file. Further, these documents will usually bypass desktop or server-based virus detection applications. As a result, they represent a threat to the Salesforce instance.
It often comes as a surprise to learn that Salesforce does not include virus or malware scanning for file attachments, documents, URLs or QR codes. Salesforce, like most cloud-based application vendors, follows the Shared Responsibility Model. This model defines that customers are responsible for the security of their data. While Salesforce’s infrastructure security provides an extremely strong foundation, no built-in threat detection exists, as this is the customer’s responsibility. As such, customers must employ tools for malware and phishing attacks.
Users need to take this responsibility seriously. According to Infosecurity Magazine and Proofpoint’s 2024 State of the Phish report, over two-thirds (69%) of organizations experienced a successful ransomware incident in the past year. Malicious files were major contributors.
An example from the Salesforce Trailblazer Community
For example, consider this actual security incident reported to the Salesforce Trailblazer Community:
“We experienced a security breach on one of our Salesforce Orgs the other day, where we use(d) the Email to Case functionality. A file containing malware in a .JS format was attached to a case. A user clicked on it, assuming it is safe to do so, and it wiped out all of her personal files on that laptop, as well as all recently viewed public files.”
Sadly, this customer learned too late about the requirement to fully think through how to secure Salesforce.
Securing Salesforce is always a top priority
Securing and protecting sensitive customer data is critical for the more than 150,000 companies that rely on Salesforce. Salesforce provides industry-leading security for its platform and infrastructure but cannot control customer endpoints. Hence, it is the customer’s responsibility to ensure that those endpoints have up-to-date antivirus protection. As a result, the Salesforce security approach is based on a Shared Responsibility Model. Salesforce relies on third-party partners and vendors to complete and complement the security approach with document and file scanning.
WithSecure™ Cloud Protection for Salesforce
To stay ahead of bad actors, WithSecure Cloud Protection for Salesforce is singularly focused on complementing the Salesforce security stack by providing file and document protection. WithSecure uses advanced threat protection mechanisms and technologies, including AI and cloud sandboxing, to detect, quarantine and neutralize threats in real time. This past year, WithSecure Cloud Protection for Salesforce has forged ahead with industry-leading capabilities to stay ahead of bad actors, including:
Detecting malicious URLs in files: WithSecure Cloud Protection for Salesforce detects and blocks malicious URLs hidden inside files uploaded to Salesforce.
Detecting and blocking shortened URL threats: Shortened URLs can mask risky content while bypassing traditional security controls. WithSecure uncovers and blocks these threats, verifying every link, whether shortened for convenience or to mask something more sinister.
URL protection across custom objects and fields: WithSecure supports URL Protection for Salesforce’s standard and customized objects and fields.
Detecting malicious QR codes in files: WithSecure now includes QR code scanning to defend against quishing attacks across Salesforce. What is a quishing attack? In a quishing attack, bad actors create a QR code and link it to a malicious website. That QR code is then included in a piece of content, which users unwittingly click on.
Enhanced files digital fingerprinting: WithSecure sharpens detection accuracy without impacting performance.
Additional Resources
Learn more about WithSecure Cloud Protection for Salesforce in our newest video, 60 Seconds with WithSecure.
Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance.
What is DORA?
The Digital Operational Resilience Act (DORA) is a European Union regulation crafted to boost the operational resilience of financial institutions. It ensures they can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks. It mandates rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM). The regulation applies as of 17 January 2025.
What’s the purpose of DORA?
DORA aims to ensure EU financial institutions can effectively manage and mitigate ICT risks, diminish the impact of cyber threats, and sustain business continuity during disruptions.
Who does DORA apply to?
DORA applies to the majority of financial institutions operating in the EU. It covers a broad spectrum of financial entities, such as banks, investment firms, payment service providers, insurance companies, and ICT third-party providers like cloud services that support financial institutions.
DORA’s ICT risk management framework mandates that a firm’s management body bears ultimate responsibility for managing ICT risks, setting and approving the digital operational resilience strategy, and approving policies related to the use of ICT Third Party Providers (TPPs), among other duties.
How does DORA change the current regulatory compliance?
There have been previous guidelines similar to DORA such as 2019 EBA Guidelines on ICT Security and Risk Management and the 2020 EIOPA Guidelines on ICT Security and Governance. However, as DORA is primary legislation, the level of supervisory scrutiny that firms are subject to is now increasing significantly.
Key requirements for financial entities:
ICT risk management: Financial entities must develop robust governance and control frameworks to manage ICT risks. This includes risk identification, protection measures, system monitoring, and incident recovery.
Incident reporting: Entities are required to report significant ICT-related incidents to authorities to enhance oversight and facilitate a coordinated sector response.
Testing and audits: Regular testing, including penetration tests and security audits, is mandatory to identify and address vulnerabilities.
Third-party risk management: Financial institutions must ensure that third-party ICT providers adhere to equivalent standards, including conducting thorough due diligence for outsourcing critical functions.
DORA compliance and Salesforce security
DORA mandates comprehensive oversight across critical business areas, focusing on firm management’s accountability for ICT risks. It includes crafting a digital operational resilience strategy and managing ICT Third Party Providers (TPPs). Breaches could lead to penalties enforced by competent authorities.
Salesforce is a cloud-based platform that is critical to many financial organizations and their operations. The financial entity will need to ensure that their use of Salesforce complies with DORA’s requirements regarding ICT risk management, third-party oversight, incident reporting, and testing.
As a leading CRM provider, Salesforce has already taken steps to ensure that the platform’s data governance aligns with DORA – along with other data protection regulations. Collaboration with partners like WithSecure™ is part of Salesforce’s commitment to trust and security according to Natalie Pope, Lead Solutions Engineer at Salesforce: “DORA is an important step in elevating our offerings to financial services customers, ensuring data and operational resilience are at the forefront their business goals and company ethos. Our collaboration with partners like WithSecure™ demonstrate Salesforce’s commitment to our number one value of trust, allowing us to offer robust and compliant solutions as part of a trusted digital infrastructure.”
Key actions to secure Salesforce and comply with DORA
New DORA regulation impacts all SaaS products, including Salesforce. When it comes to Salesforce security and risk management, financial institutions should take action in the following areas:
Set up ongoing auditing practices to continually assess security risk related to Salesforce and other services connected to it. Implement proper security measures to remediate any gaps.
Develop and refine incident management strategies to ensure prompt detection, reporting and resolution of issues. Implement security measures directly for Salesforce that support your strategy.
Review and update contracts with ICT providers to meet DORA standards.
In which Salesforce DORA obligations can WithSecure™ Cloud Protection for Salesforce help
WithSecure™ Cloud Protection for Salesforce stops malware and phishing threats on Salesforce in real-time. It helps financial organizations meet their DORA obligations on Salesforce in the following areas:
DORA mandate for incident reporting:“Financial entities shall report major ICT-related incidents to the relevant competent authority”, “Financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.” (Chapter 19, Article 1)
DORA mandate for detection capabilities:“Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.” (Chapter 2, Article 10)
DORA mandate for incident management: “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” (Chapter 17, Article 1)
How WithSecure™ Cloud Protection for Salesforce helps financial organizations meet their DORA obligations
WithSecure™ Cloud Protection for Salesforce helps financial institutions detect anomalies such as malware and phishing threats on Salesforce. It provides real-time monitoring capabilities into cyber threats and incidents across the Salesforce environment. It empowers financial institutions with automated threat remediation capabilities, along with prompt alerts.
WithSecure™ Cloud Protection for Salesforce’s native reporting features support incident reporting to authorities, as mandated by DORA. Reports offer vast details about the threat, who has interacted with it, and when. This not only enables sufficient reporting to authorities, but also speeds up incident management process significantly. Without the reporting tools with full event logs and forensics trails, investigating a malware outbreak is costly and time consuming.
While remediating the immediate threat of malware, solutions like Cloud Security Access Brokers (CASBs) can introduce more risk by adding vulnerable integrations and data flows to the mix. For this reason, we built the natively integrated, minimally vulnerable and simplified AntiVirus and AntiPhishing solution WithSecure™ Cloud Protection for Salesforce. With this simplified and seamless approach, financial institutes can mitigate risk without invertedly adding more in the process. You can deploy the native security layer in minutes and strengthen your compliance instantly.
WithSecure™ Cloud Protection for Salesforce is built with 30+ years of cyber security experience in close collaboration with Salesforce. The solution has achieved ISAE 3000 Type 2 certification (international equivalent to SOC 2 Type 2), and WithSecure™ is ISO 27001 certified, proving the resilience of operations in accordance with DORA’s third-party risk management agenda.
Ensure Salesforce DORA compliance
Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes. Comprehensive reporting capabilities help you meet DORA incident reporting requirements.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Understand and embrace the Shared Responsibility Model, a core tenant of Salesforce’s security strategy and securing Salesforce
Salesforce follows the Shared Responsibility Model and believes security is a shared responsibility between Salesforce and its customers. The same model is used by virtually all cloud providers, including Amazon Web Services, Google Cloud and Microsoft Azure. At the most elemental level, the cloud provider is responsible for the security of their cloud offering and its underlying infrastructure. At the same time, customers (end users) are responsible for the security of the data stored in the cloud environment. With the shared responsibility model, customers must understand what the cloud provider is not doing and fill those security gaps. Recognizing the enterprise has a role in securing its Salesforce instance and understanding the limits of what Salesforce (as a cloud provider) offers is a critical first step to developing a comprehensive Salesforce-related security strategy.
Salesforce provides many tools to help secure your environment, but it’s the enterprise’s role to implement and maintain them correctly
Salesforce provides a 300+ page Salesforce Security Guide covering everything from the basics to advanced security topics. This guide is an excellent resource for enterprise Salesforce security and administration teams as it details specific topics, including health checking, auditing, authentication, user data access, data sharing, permissions, data encryption use, real-time events monitoring and more. While understanding this information is extremely valuable, proper actions by the enterprise are required to ensure a secure Salesforce environment and instance.
For example, Salesforce data-sharing models can be very simple, but a large enterprise will likely require something more complex and nuanced. Selecting the data set that each user, or group of users, can see and ensuring it is properly configured is key. There needs to be a balance between limiting access to data (minimizing risk) versus the convenience of data access for your users. Thus, Salesforce administrators must understand sharing models in-depth to ensure that data is only available and exposed to the proper set of users.
Include a defense-in-depth approach for securing Salesforce with these best practices
Defense-in-depth is a cybersecurity strategy that uses multiple layers of security services and tools to defend an organization’s data assets. The theory behind defense-in-depth is that if one layer of security is penetrated, assets will still be defended by the remaining layers of security. Examples of tools and approaches that can provide a defense-in-depth for your Salesforce instance include:
Multi-factor authentication (MFA): a secure authentication method that requires users to prove their identity by supplying two or more pieces of evidence (or factors) when they log in. MFA today is now ubiquitous for web-based applications. It can help defend against phishing, credential stuffing, and account takeovers and should be considered a requirement for all Salesforce users.
Restricting Login IP Addresses in Profiles: Sales admins can control login access at the user level by specifying a range of allowed IP addresses on a user’s profile. When IP address restrictions are defined for a profile, a login from any other IP address is denied.
Permission Sets: A permission set is a collection of settings and permissions that give users access to various tools and functions. It extends users’ functional access without changing their profiles and is the recommended way to manage your users’ permissions.
Single Sign-On (SSO): SSO is an authentication method that enables users to access multiple applications with one login and one set of credentials. Single sign-on (SSO) can be considered part of a defense-in-depth strategy because it can encourage stronger password hygiene. However, SSO by itself doesn’t thwart identity-based attacks.
Custom Login Flows: A login flow directs users through a login process before they access your Salesforce instance. A login flow can control users’ business processes when they login to Salesforce. After Salesforce authenticates a user, the login flow directs the user through a process such as enforcing strong authentication or collecting user information. When users complete the login flow successfully, they’re redirected to their Salesforce instance. If unsuccessful, the flow can log out users immediately.
When securing Salesforce don’t forget that sensitive and critical enterprise data can be exported or “leaked”
Securing Salesforce also means monitoring what data can be moved, transferred or leaked out of Salesforce. Users can export data that they have access to. Hence, it is critical to have a monitoring tool to monitor activity and detect/prevent data leakage.
Salesforce supports real-time event monitoring to monitor and detect standard events in Salesforce in near real-time. Event data can then be stored for auditing or reporting purposes. With real-time event monitoring, enterprises can see what data has been accessed, by whom, and whether the data has changed. This proactive monitoring should be part of a comprehensive Salesforce security strategy.
Salesforce does not scan data for malware, but WithSecure Cloud Protection for Salesforce does
The Shared Responsibility Model defines that customers are responsible for the security of their data. While Salesforce’s infrastructure security provides an extremely strong foundation, no built-in threat detection exists, as this is the customer’s responsibility. As such, customers must employ tools for malware and phishing attacks.
WithSecure™ Cloud Protection for Salesforce reduces risk and keeps your enterprise compliant by scanning all Salesforce files, URLs and QR codes for cyber threats. WithSecure Cloud Protection for Salesforce, a native application that runs in your Salesforce environment, prevents malicious and disallowed content from entering your Salesforce environment via files, web links and email messages. The application secures Salesforce to mitigate advanced cyber threats on Salesforce by:
Providing real-time protection and instant visibility
Working seamlessly with enterprise customizations and workflows
Complement the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce meets the strict compliance requirements of modern enterprises and critical public sector organizations. It was designed with Salesforce to make securing Salesforce instances very easy. Together with the Best Practices and other recommendations discussed above, every Salesforce customer can be confident in a more secure environment.
Phishing is not confined to email but is a pervasive threat across our digital infrastructure. Salesforce, with its extensive cloud applications and public-facing nature, is emerging as a prime target for such cyber threats. Comprehensive phishing defenses should include Salesforce as an attack vector.
Phishing attacks have evolved but so have email defenses
While 41% of cyber attacks use phishing tactics, an alarming 26% of these attacks now exploit public-facing applications (like Salesforce), according to IBM’s report. Furthermore, 16% of phishing attacks misuse valid accounts.
Email, the traditional stronghold against phishing, has long been hardened through anti-malware and anti-phishing tools combined with consistent user education, with many providers offering built-in defenses and organizations adopting phishing simulation training. These measures have significantly heightened user vigilance and reduced the click rates on malicious emails.
How Salesforce becomes the entryway for cyber criminals
Salesforce serves as a central hub for diverse interactions across Sales, Service, and Experience Clouds, presenting multiple avenues for cyber threats. Each user interaction, whether from internal or external sources, could potentially introduce malicious content. Salesforce is vulnerable to the same types of attacks that have plagued email for decades.
Internal users frequently engage in routine activities like uploading documents and sharing URLs. For example, a sales representative might attach a contract embedded with malware in Sales Cloud, or a support agent may inadvertently attach a compromised troubleshooting guide in Service Cloud. Similarly, community managers in Experience Cloud might share links that lead to malicious sites.
The risk also involves unauthenticated users such as customers or potential leads who upload attachments in support cases or via Web-to-Lead forms. These necessary business interactions, if unchecked, provide easy entry points for cybercriminals.
Furthermore, authenticated users on Experience Cloud portals often share significant project files or access collaborative spaces, unintentionally spreading malware. The integration of APIs, which connects Salesforce with external systems like ERP software or tools like Slack, adds another layer of vulnerability. Each data transfer across these connections is a potential breach point.
Salesforce security falls short of email security standards
However, the security measures guarding Salesforce have not evolved at the same pace. There are no built-in anti-virus, anti-phishing, or basic spam filters that are standard in email services. This oversight leaves an obvious hole in cybersecurity strategies.
“Salesforce, often overlooked as an attack vector, presents a significant vulnerability in too many cyber security strategies,” notes Anssi Korpilaakso, Director of Sales and Business Operations at WithSecure™. “Our product backend has registered a steady increase in malware and phishing detections on Salesforce in the recent years.”
Salesforce users typically perceive Salesforce as a trusted tool, and are less likely to anticipate or recognize a phishing attack on the platform compared to email. This sense of trust is exactly what attackers who use psychological phishing schemes exploit.
Email: lessons for multi-layered Salesforce security
As cyber criminals continue to refine their strategies and target systems beyond traditional attack vectors like email, organizations must protect every entry point, including Salesforce. Learning from the widely adopted email security measures and applying these lessons to Salesforce helps fortify your digital infrastructure against dynamic cyber threats.
To tackle phishing effectively, you must adopt a multi-layered defense strategy that goes beyond email and encompasses Salesforce, your business critical platform. Here’s how you can start:
User training: Just as with email, the first line of defense is user awareness. Training users to recognize phishing attempts in Salesforce is crucial, as the platform’s familiar and trusted environment may lower their guard against suspicious activities. Although user education is important, you should not expect your Salesforce users to act as phishing detectives.
Integrate real-time threat protection: Given the lack of built-in anti-phishing and anti-malware features in Salesforce, integrating advanced security solutions that can provide real-time threat protection is essential. Solutions like WithSecure™ Cloud Protection for Salesforce offer tailored security measures that fit seamlessly into Salesforce, enhancing security without disrupting user experience.
What to consider when choosing the solution
When selecting a threat protection solution for Salesforce, you should prioritize efficiency, comprehensive coverage, and advanced detection capabilities that match today’s sophisticated cyber threats. Considerations for calculated decision-making:
Prioritize solutions that add minimal complexity and avoid vulnerable integrations, focusing on native, straightforward security layers.
Choose solutions that protect not only internal users but also mitigate the risk of malware spreading to customers and partners interacting with Salesforce by scanning uploads and downloads across various user types.
Consider the evolving nature of threats, such as documents that contain latent phishing links, which may turn malicious after being uploaded to Salesforce, and after the initial scan at the point of upload. Opt for solutions that provide real-time protection, scanning content like files and URLs during all user interactions, not just at the point of upload.
Ensure the solution offers real-time scanning and advanced behavioral analysis to detect embedded malware in seemingly benign documents, moving beyond traditional signature-based methods.
Select solutions that encompass all Salesforce entry points, including custom objects in addition to standard objects, to ensure comprehensive coverage.
Look for deep detection capabilities that can scan for malicious phishing links not only in text and emails but also within files, detect phishing links hidden behind QR codes, and identify zero-day malware in files as well as known threats.
WithSecure™ Cloud Protection for Salesforce eliminates risk of human error in real-time
Robust security measures equivalent to enterprise-grade email security help you experience the full potential of Salesforce without hidden risks. WithSecure™ delivers an advanced antivirus and antiphishing solution tailored uniquely for Salesforce. Developed in collaboration with Salesforce, WithSecure™ Cloud Protection for Salesforce meets the stringent requirements of highly regulated industries and government entities. You get real-time defenses against malware, ransomware, viruses, and phishing attacks, along with full security visibility for threat hunting and incident response. Multi-layer scanning ensures that every entry and touchpoint – from the Sales Cloud negotiations to Service Cloud interactions and Experience Cloud engagements – is covered.
Native integration ensures rapid deployment and comprehensive security without disrupting your existing Salesforce workflows.
Don’t let human error become your vulnerability in Salesforce security – especially when there are straightforward technologies to mitigate the risk. Whenever you are ready to take the next step, our team is ready to guide you in your Salesforce security.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Parking scams using fraudulent QR codes have been wreaking havoc in popular tourist cities across Europe and North America recently. Have you ever considered that malicious QR codes could infiltrate your Salesforce? Read on to learn what QR code attacks look like, why Salesforce is an attractive target for them, and how you can stop them.
The rise of quishing
It’s not long since Police Service of Northern Ireland (PSNI) Cyber Crime Centre, posted a notice about malicious QR codes in phishing attacks. Quishing, or QR code phishing, involves the deceptive use of QR codes to lure unsuspecting individuals into visiting malicious websites. There they are tricked to reveal personal credentials, or unknowingly download malware. QR codes are used for everything from restaurant menus to ticket validations. At the the same time, cybercriminals have found ample opportunities for exploitation. Distinguishing between legitimate and fraudulent QR codes is difficult for human eyes. Fortunately, there are preventive security technologies – now also for Salesforce.
Examples of quishing attacks in the wild
A typical quishing email might mimic an official communication from a known corporation. It can for example urge the recipient to scan a QR code to handle something urgent, like reset a password or verify an account.
Another method involves embedding a QR code inside a seemingly innocent message related to work processes like payroll or security updates. One of the recent examples targeted a major energy company in the US with a campaign that imitated a Microsoft security notification.
On the other hand, scammers have also found ways to abuse QR codes scams in public spaces. Such example is the recent QR parking scam in popular tourist cities across UK. The scam involves malicious QR codes, often placed on parking meters, that direct users to phishing websites. Unsuspecting victims enter personal information, including payment details, under the guise of paying for parking. As a result, they potentially face double trouble with both financial fraud and a parking ticket.
10,000 victims have already fallen for the said parking scam in a matter of two months. Therat actors have launched similar campaigns across Europe, United states and Canada. These scams often target tourists who are not familiar with the local parking apps, thus easier to deceive.
The quishing attack kill-chain
In the digital world, quishing typically begins with a QR code sent via email or text. The recipient then scans the code with a mobile device. The victim is then redirected to a harmful site.
The phishing site typically mimics a legitimate business resource, login page, or document portal. The page then prompts the employee to enter their credentials or download a file.
By entering their credentials, employees inadvertently provide attackers with access to their corporate accounts. Attackers can use the credentials to harvest sensitive information or launch an attack within the organization.
The process capitalizes on the established trust in QR codes. QR codes are handy to roll out covert operations. Quishing attacks are often harder to detect than traditional phishing attacks, or ones with the malicious link plainly imbedded in the message text. As these codes simply appear as nondescript, benign images, they bypass usual text-based URL scans implemented by most email and collaboration security systems.
QR code phishing tactics:
Integration in familiar platforms: Quishing often uses popular platforms to reach a broad audience, and to exploit trusted services and brand names to increase the success rate of attacks.
Sophistication in execution: By embedding malicous QR codes within messages, attackers can bypass conventional security measures which might not scan URLs embedded in images.
The psychological play: The decision to scan a QR code often happens impulsively, thanks to the established norm of their use in safe contexts. This impulsivity is what quishers count on, reducing the victim’s likelihood of pausing to consider the potential dangers.
What makes QR code phishing especially tricky on Salesforce
All in all, malicious QR codes pose a significant threat to enterprises, and when delivered through platforms like Salesforce, they can be particularly effective and damaging. Here’s why Salesforce is a lucrative vector for such attacks, and why you should secure your platform without delay:
High trust environment
Users view Salesforce as a trusted platform for daily tasks in sales management, and customer support. Employees are less vigilant about scrutinizing communications received through this platform, assuming a baseline level of security and trust. This trust can make QR codes sent through Salesforce particularly effective as employees may be quicker to scan them without suspicion. The scam itself could even leverage Salesforce’s brand identity. QR codes also employ common and seemingly harmless image types, decreasing suspicions.
Widespread use in organizations
Especially large enterprises use Salefsorce widely, which provides a broad attack surface. Malicious QR codes distributed through Salesforce can potentially reach a large number of users quickly, making it the attackers dream.
Mobile device engagement
Salesforce is frequently accessed via mobile devices, which aligns well with the nature of QR code scanning. Mobile devices are often less secure than desktops, with users typically having weaker security controls and being more prone to overlook security prompts when they are on the move. If bring-your-own-device (BYOD) is allowed, the mobile device may be a personal unmanaged device, with even weaker security measures in place.
No antiphishing blocking the way
While Salesforce offers robust security features, there are no antiphishing capabilities by default. There likely is no layer of protection in the Salesforce environment to detect or prevent the distribution of malicious QR codes, opening a pathway for the attackers.
You need more than awareness to prevent Salesforce QR code quishing
While educating users about the potential threats of randomly scanning QR codes is without a doubt important, true prevention requires a multifaceted approach:
Advanced threat protection: You should implement antiphishing security solutions that can recognize and examine QR codes within Salesforce uploads, analyzing the linked URLs for malicious content before they reach end users.
Regular security audits: Incorporating QR code-based phishing into routine security audits and risk assessments helps identify and remediate security gaps. Make sure to ensure that Salesforce is covered thoroughly in security audits.
Limit access privileges: Although Salesforce has enforced multi-factor authentication for MFA for internal users, it’s wise to limit access rights to what a user’s role requires, and follow the least privilege approach.
Update software and configurations: Ensure all integrations are updated with the latest security patches, and verify that your antiphishing scanning solution is properly configured to detect malicious QR codes.
Limit use of BYOD: Some of the biggest vulnerabilities lie when employees use personal devices outside corporate security measures to access phishing sites that harvest account credentials.
Educate Salesforce users: Continuously educate users about the risks associated with QR codes, emphasizing the need for vigilance even when using trusted platforms like Salesforce.
Block malicious QR codes on Salesforce automatically
You need a blend of vigilance and advanced security solutions to prevent covert phishing tactics like quishing. Luckily you can protect your data and Salesforce users from these hidden scams behind simple scans. WithSecure™ Cloud Protection for Salesforce scans malicious URLs in Salesforce text fields, behind QR codes and within uploaded documents. Our AntiQuishing feature was built as a response to a real-life phishing attack that our enterprise customer faced, where Salesforce was the target of malicious QR codes.
Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
This time our threat landscape focus is on ransomware and its implications for cloud services, specifically Salesforce. With attackers increasingly targeting cloud services and public-facing apps, and a 366% increase in malicious file detections on Salesforce in Q2 2024 compared to Q2 2023, ransomware is not a threat to be taken lightly in any Salesforce security strategy.
Cyber threat landscape shifts toward cloud and SaaS exploitation
Cyber threat landscape is seeing an increased focus on the cloud. Attackers have recently leveraged legitimate file transfer and cloud services to facilitate their operations more and more. These services offer a low-key and cost-effective infrastructure which tends not to trigger security alerts as some more traditional methods might.
Symantec’s Threat Hunter Team has recently identified three new espionage operations utilizing cloud services and has uncovered additional malicious tools in development:
GoGra (Trojan.Gogra): Targets a South Asian media organization using Microsoft’s Graph API for C&C communications via email, encrypting messages with AES-256. Developed in Go, active since November 2023.
Firefly Tool: Used by the Firefly group to exfiltrate data from a Southeast Asian military organization. It searches for and uploads .jpg files (actually encrypted RARs) from System32, using Google Drive.
Trojan.Grager: Targets entities in Taiwan, Hong Kong, and Vietnam, using Microsoft’s Graph API via OneDrive for C&C. Distributed through a Trojanized 7-Zip installer, linked to the UNC5330 group.
MoonTag: A developing backdoor associated with a Chinese-speaking actor, noted for its use of the Graph API and discussed in a Google Group.
Salesforce and SaaS applications are targets of UNC3944 threat group
Salesforce and SaaS are becoming more prevalent in the threat landscape. Google Threat Intelligence has observed the activities of UNC3944, a financially motivated threat group that has been active since at least May 2022, and has recently targeted SaaS applications. Initially focused on credential harvesting and SIM swapping, UNC3944 has since shifted to primarily conducting data theft extortion, expanding their target industries and utilizing fearmongering tactics for access. They’ve adapted their methods to include theft from SaaS applications to attacker-owned cloud storage and have employed various advanced techniques to facilitate their attacks.
UNC3944 accessed Salesforce among other SaaS applications using stolen credentials facilitated by single sign-on systems. They conducted reconnaissance within these platforms, likely targeting data for exfiltration, and using third-party cloud synchronization tools like Airbyte and Fivetran to transfer data to external cloud storage.
Key Tactics, Techniques, and Procedures (TTPs) of UNC3944:
Social engineering: They have successfully manipulated corporate help desks using victims’ personal information to gain access to privileged accounts and bypass multi-factor authentication (MFA).
Abuse of SaaS permissions: UNC3944 exploited permissions in applications like Okta to broaden their access within targets’ systems, encompassing both on-premises infrastructure and cloud-based applications.
Virtual machine compromise: The group has created new virtual machines using administrative privileges obtained through SSO applications, using them for subsequent malicious activities and to bypass traditional security controls.
The use of cloud services by attackers is becoming a preferred method for maintaining stealth and managing cost-effective operations. The attackers are learning from each other, adopting successful techniques across various espionage and cybercriminal groups. Extensive coverage of cloud and SaaS environments in security strategies has never been more critical.
Disney moves away from Slack after a data breach of 1 TB – likely caused by a human error
In a major data breach, Disney experienced a significant compromise of corporate data, possibly due to vulnerabilities on an employee’s personal gaming computer. This breach led to the downloading of over 1TB of data through Slack, which resulted in the suspension of the platform for internal communications.
Our team doesn’t have the forensics data of the case, but some experts claim that the breach was not a direct result of flaws in Disney’s or Slack’s systems. Instead, it allegedly occurred because an employee inadvertently installed a malware-infected game modification. This malware, an Information Stealer, captured credentials and accessed Slack, where it exploited the employee’s compromised computer. The lack of Multi-Factor Authentication (MFA) on the password vault allowed attackers to access vast amounts of sensitive data easily.
Some experts suspect that the attackers were helped by an insider, and others that the breach was a result of a general lack of defensive mechanisms at Disney’s end.
A teenager leveraged Slack and stole details about unreleased GTA 6 from the gaming company Rockstar in 2022. The attacker was sentenced to life.
In 2023, another threat actor exploited access to Slack channels to initiate a malware attack on MGM Resorts, a major global casino and resort.
Almost half of ServiceNow KB instances leak sensitive data
A study by AppOmni revealed that over the past year nearly 45% of ServiceNow Knowledge Base (KB) instances were leaking sensitive data, including personal identifiers, internal system details, and live system credentials. The culprit of these breaches were outdated or misconfigured access controls. This is possibly due to widespread misunderstanding of KB access controls or replicating misconfigurations across instances.
Despite ServiceNow’s 2023 security updates aimed at restricting unauthenticated data access, many of these updates were ineffective for KBs, which often contain highly sensitive internal data. The company has responded by collaborating with customers so that KB access control misconfigurations are fixed.
The disruption has led to a sharp decrease in the number of victims, with reported cases falling to single digits. Despite these setbacks, there have been notable attempts to revamp their operations. For example. they have made experimental changes to their data leak sites (DLS) and updates to their DDoS protections. These maneuvers suggest a strategic recalibration aimed at evading detection and sustaining their criminal activities.
Despite significant law enforcement interventions, the Lockbit group’s ability to adapt and attempt to rebuild its infrastructure is indicative of the resilience and persistence of modern ransomware operations. These groups are quick to learn from interventions, often emerging more sophisticated and harder to combat.
Ransomware-as-a-Service is the business model of cyber crime in 2024
The disruption on major ransomware groups has led to a reshuffling of ransomware affiliates, gravitating towards established Ransomware-as-a-Service (RaaS) networks. RaaS is a subscription-based model that enables affiliates to use pre-developed ransomware tools to execute cyberattacks. Similar to software-as-a-service (SaaS) offerings, RaaS providers offer their malicious software on a rental or commission basis, providing updates and support.
All in all, the professionalization of ransomware operations through RaaS models presents new challenges for cybersecurity defenses. These models facilitate a lower barrier to entry for inexperienced cybercriminals and enable rapid scaling of operations. The attraction of RaaS platforms has flooded in new ransomware variants, correspondingly calling for layered defense strategies.
New threats on the block: new groups form as old dismantle
Our research team has also witnessed the rise of new players such as Cicada3301, SenSayQ, and WikiLeaksV2. Each group has demonstrated distinct patterns of targeting and victimology, such as targeting financial software companies and leaking sensitive health sector data. With this in mind, these emerging groups underscore the dynamic nature of the ransomware ecosystem. They continually evolve with new tactics and targets.
The group dynamics are in a constant flux. For example, from the total number of 67 operational ransomware groups our research team has tracked in 2023, 31 have not been operational in Q2 2024. Our team has seen 31 new ransomware groups in 2024. It’s unlikely that many, if any of these projects will survive.
RansomHub’s fast advancement and aggressive affiliate strategy
RansomHub, a new extortion platform operational since early 2024 and believed to be based in Russia, has quickly established itself by offering lucrative terms to affiliates, significantly impacting the ransomware affiliate market. RansomHub is disrupting the RaaS field by letting affiliates accept payment from the victims directly, before sending their share to the RansomHub. What’s more, by allowing affiliates to keep a major portion of the ransom and only taking a small commission, RansomHub has managed to attract experienced groups like ScatteredSpider and members of Lockbit.
RansomHub’s operational capacity, threat level and the number of victims have consequently increased. According to our research team, RansomHub is in fact currently the most active platform observed in the field. In the same fashion, ZeroFox accounts the platform to be responsible for 14.2 % of all cyber attacks in Q3 2024. The majority of victims are in North America (39.4%) and Europe (34.3%). Victims are across diverse sectors, for example manufacturing, retail, healthcare, technology.
At the same time, CISA, along with the FBI, MS-ISAC, and HHS, issued a joint Cybersecurity Advisory on RansomHub Ransomware. This advisory offers network defenders key details such as indicators of compromise (IOCs), tactics, techniques and procedures (TTPs) tied to RansomHub, drawing on findings from recent FBI investigations and third-party reports.
RansomHub has been using sophisticated EDR-killing executable tooling. It disables endpoint detection and response (EDR) software and gains escalated privileges on compromised devices, while designed to bypass several common anti-malware tools. The malware has been found in many formats such as EXEs and PowerShell scripts.
Real-life impacts of ransomware fallouts
Financially driven ransomware attacks can have notoriously severe impacts on victims. Overall, our research team has found that ransom payments and incidents remain higher in the first half of 2024 compared to previous years.
Dark Angels behind a record ransom payment
In early 2024, Zscaler and Chainalysis detected a monumental ransom payment of $75 million directed to a cryptocurrency wallet managed by the Dark Angels ransomware group. The identification of the victim was not disclosed as per standard reporting practices, but it is strongly suggested that the payor was Cencora, a Fortune 50 pharmaceutical company. Why so? Cencora publicly acknowledged a ransomware attack and data theft in February 2024, making them a probable candidate. The company, valued at $10 billion with annual revenues reaching $262 billion in 2023, found the payment necessary to restore operations and prevent further data leaks.
Further investigations reveal that the attack’s ramifications extended beyond Cencora. The company, along with at least two of its subsidiaries, reported stolen data to regulators, implicating a broader network of affected entities. In May, additional disclosures indicated that the data breach had impacted numerous major pharmaceutical companies including Pfizer, Bayer and Novartis, among others. These partners also experienced breaches connected to Cencora’s compromised systems, specifically through the Lash group subsidiary.
The sizable ransom from this single incident highlights Dank Angels’ impact. The strategy employed by Dark Angels suggests a focus on high-value targets – often termed “big game hunting” – which involves fewer, highly profitable attacks rather than numerous smaller-scale ones. It’s difficult to say whether Dark Angels have an intentional strategy of big game hunting, or if they just got lucky.
There were no major outages or operational disruptions reported (at least so far). However, the widespread effects of this attack, involving a network of companies with a combined revenue in the trillions, illustrate the extensive potential for damage and disruption caused by ransomware operations targeting major players in critical industries.
Japanese media giant’s market value plummets in the ransomware attack aftermath
Another example, the ransomware strike on Japanese media company Kadokawa Corporation served as a stark reminder of the broad and enduring impacts such attacks can have on businesses. The assault not only disrupted daily operations but also inflicted severe financial and reputational damage. Prior to the attack in early June, Kadokawa’s market value stood at approximately JP¥465 billion (USD$3 billion). Following the incident, its share price plummeted by 15%. Subsequently, this erased JP¥70 billion (USD$500 million) from its market capitalization. This significant drop in share price, which appears solely attributed to the ransomware attack, underscores the high stakes of cybersecurity in protecting not just operational capabilities but also financial stability and public perception.
Public health at stake
The National Health Laboratory Service (NHLS) of South Africa suffered a ransomware attack on June 22nd. The attack continued to disrupt services into July. This attack has been particularly critical as it hindered access to laboratory test results amid an outbreak of mpox disease. This incident demonstrates how significantly ransomware impacts public health and safety of citizens globally.
To pay or not to pay
Ransomware groups often aim to build trust with victims by promising data recovery upon ransom payment, giving false hopes that this will restore normal operations. Ransomware operators often brand themselves as ‘pentesters’ with the intention to appear professional and reassure victims about data deletion and decryption.
Despite this, the majority of organizations paying ransoms suffer subsequent attacks, often facing even higher demands than before. Cybereason reaserch claims that percentage of victims facing a second attack is as high as 78%.
Ransomware operators are unreliable and their assurances of not targeting victims again should not be trusted. Therefore, paying a ransom based on trust in these actors is not advisable. Acknowledging research that quantifies the deceitfulness of ransomware actors is crucial, as it together with prohibiting legislation significantly influences the ransomware landscape.
Salesforce security implications of the current threat landscape
The emergence of new ransomware groups and the evolving tactics suggest that Salesforce environments are likely to be increasingly targeted as an alternative to traditional and easier to detect vectors. In fact, we’ve detected a 366% increase in malicious files on Salesforce in Q2 2024 compared to Q2 2023.
For Salesforce, it’s important to stay vigilant against ransomware campaigns that leverage Salesforce as a channel for malware delivery or social engineering tactics to lure users to phishing sites. Besides human errors, novel campaigns can target vulnerabilities in cloud environments or through third-party integrations.
Salesforce security recommendations simply put
Constantly transforming threats require a layered and proactive approach to cybersecurity. No silver bullets. Because of that, we’ve compiled a comprehensive list of Salesforce security recommendations in light of recent cyber crime developments:
Auditing: Activate comprehensive auditing that covers cloud environments including Salesforce to identify and patch security gaps.
AntiVirus: Threat protection such as WithSecure™ Cloud Protection for Salesforce solutions at the entry-point such as Salesforce together with endpoint security will block the majority of file-based ransomware threats. Make sure that the solution has up-to-date threat intelligence source.
Employee training and awareness: Social engineering remains a significant threat vector. Training Salesforce users to recognize phishing attempts and other social engineering tactics is critical.
AntiPhishing: By implementing an antiphishing solution on Salesforce level, you can automatically stop phishing attacks. It’s important to go beyond traditional attack vectors like email.
Strengthened access controls: Enforce strict conditional access to mitigate credential compromise. Salesforce environments should adopt the principle of least privilege. Routinely audit permissions.
Third-party risk management: As Salesforce often integrates with numerous third-party applications, ensuring these connections are secure is essential to prevent ransomware spread or data leaks. You should choose security tools based on integration simplicity, preferring native solutions.
Data management policies: The revelation that Lockbit held onto data it claimed to have deleted is a crucial reminder of the risks involved in data handling and storage. You should implement robust data encryption, regular audits, and follow strict data handling and deletion protocols to minimize potential damage.
Limit BYOD: The breach of Disney’s Slack data resulted from a malware infection on an employee’s personal device – a reminder to limit allowing personal devices into corporate systems.
Extortion preparation and response: You should include Salesforce in incident response strategies. This means close collaboration between security and Salesforce teams, having secure and tested Salesforce backups and a clear communication plan for dealing with ransom demands.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
With Dreamforce 2024 upon us, WithSecure™ Cloud Protection for Salesforce is excited to announce customer and product milestones that underscore how we have become the leading trusted and natively integrated solution for securing Salesforce. We would not have achieved these milestones without the support of our customers and partners and, of course, Salesforce. And, speaking of Dreamforce, the Cloud Protection for Salesforce team will be at Booth 2005 to answer your Salesforce security questions regarding malware, ransomware, and other threats to your Salesforce instance.
Leading Brands Trust Cloud Protection for Salesforce
Joining the ranks of companies like Coca-Cola Bottlers, Southern Glazers and SiriusXM, Cloud Protection for Salesforce added 44 new customers in the first six months of 2024. “Even in this tough economic climate, Cloud Protection for Salesforce has delivered unmatched security and compliance protection for enterprise and public sector organizations,” said Lance Jacobs, Vice President of Cloud Protection for Salesforce. “Our customer growth reflects the surging popularity of the Salesforce platform as a core enterprise solution that is increasingly the target of nefarious threat actors. That is why an easy-to-deploy, easy-to-use security solution to defend from malware, phishing and ransomware attacks is in high demand.”
Learn more about Cloud Protection for Salesforce
“By using WithSecure for Cloud Protection, customers can satisfy their security obligations as defined by the Shared Responsibility Model,” said Juhana Autio, General Manager of Cloud Protection for Salesforce. “Our natively-integrated application stops cyber threats like ransomware and phishing in real-time. We scan Salesforce’s incoming and outgoing data for cyber threats, such as files and URLs. The WithSecure for Cloud Protection solution is up and operating in minutes, leaves customers’ customizations untouched, and keeps Salesforce running undisrupted. That is why over 200 enterprises and public sector organizations worldwide use Cloud Protection for Salesforce and why it is a recommended security solution by Salesforce.”
New Product Features Further Ease Salesforce Security
Cloud Protection for Salesforce works closely with Salesforce and customers to develop new mission-critical features and capabilities. New features are added every quarter. Here are some of the latest additions now available on Salesforce AppExchange:
URL Protection Within Files: Malicious links can lurk inside files, waiting to be clicked. WithSecure™ Cloud Protection for Salesforce detects and blocks malicious URLs hidden inside files uploaded to Salesforce.
QR Code Scanning: WithSecure™ Cloud Protection for Salesforce also scans URLs behind QR codes uploaded to Salesforce. QR codes pose a risk as they can lure users to access dangerous phishing sites with their mobile devices.
Shortened URL Protection: Shortened URLs are often a mask for risky content and can bypass traditional security controls. WithSecure™ Cloud Protection for Salesforce now uncovers and blocks these threats, ensuring that every link is verified, whether shortened for convenience or masking a threat.
URL Protection for Salesforce Custom Objects: URL Protection has expanded to include both Salesforce’s standard objects and custom ones. Custom objects, tailored to specific company or industry needs, are unique database tables that store organization-specific information. Now, Salesforce users can build custom workflows with enhanced security.
Presence and Demonstrations at Dreamforce 2024
Cloud Protection for Salesforce will showcase live demonstrations at Dreamforce 2024, booth 2005. Security experts and consultants will be available to discuss all matters related to Salesforce security and how Cloud Protection for Salesforce can address an enterprise’s Salesforce security requirements. Visitors can pre-book meeting times with Cloud Protection for Salesforce experts.
Additional Resources
Learn more about Cloud Protection for Salesforce, take a test drive and read user reviews on Salesforce AppExchange
Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance
Follow us on LinkedIn and read the Cloud Protection for Salesforce blog
In the wake of the fallout from the outage, IT teams are rapidly reevaluating their testing methodologies, incident response strategies and plans. Additionally, enterprises are rethinking the automated, manual and human oversight of code development, testing and deployment.
The CrowdStrike incident falls into the category of ‘unknown unknowns’—unexpected or unforeseeable conditions that represent a risk because they cannot be expected based on past experience or events.
A quick CrowdStrike recap: A single computer update took down computer systems across the globe
CrowdStrike is a cybersecurity company based in Austin, Texas, USA. It provides endpoint protection, threat intelligence and response services to customers of all sizes across many different industries. CrowdStrike’s core technology, the Falcon platform, stops breaches using cloud-delivered technologies that prevent malware and other attacks.
CrowdStrike has an outstanding track record and is an excellent company. Customers and competitors view CrowdStrike as an industry-leading, top-tier organization. Their impressive customer roster and global deployments underscore their success.
As part of a regular operational update on Friday, July 19, 2024, CrowdStrike pushed a configuration update for the Windows sensor to gather telemetry on possible novel threat techniques. Included in that update were changes to the Rapid Response Content, designed to respond to the changing threat landscape at operational speed. The Rapid Response Content update contained an undetected error, resulting in a Windows system crash. Detailed information about the error and the systems impacted can be found here.
The crash was not foreseen or anticipated based on prior events, nor was the resulting damage and inconvenience expected or forecast. The incident impacted at least 8.5 million Windows devices globally (though Microsoft now believes the number of devices involved was higher), causing major service disruptions across industries and geographies.
Early on during the incident, CrowdStrike took immediate action to remedy the situation, and they should be applauded for their rapid and transparent response to the crisis.
The biggest worldwide workstation shutdown
Even with their rapid response, CrowdStrike could not stop the avalanche of IT disruption that followed. WithSecure’s Chief Research Officer Mikko Hyppönen, quoted in Wired, said, “It’s the biggest case in history. We’ve never had a worldwide workstation outage like this.” According to insurer Parametrix, U.S. Fortune 500 companies, excluding Microsoft, face an estimated $5.4 billion in financial losses from the CrowdStrike event.
How can enterprises defend against “unknown unknowns” and mitigate cybersecurity vulnerabilities?
CrowdStrike has documented and made public the events that led to the incident. However, in the aftermath, enterprises everywhere are (or should be) evaluating their incident response strategies and plans, including:
Continuous, robust automated testing procedures and protocols with human and AI oversight
Incident Response strategies, plans and procedures:
Continual Learning and Adaptation
Ongoing testing and training
Securing Salesforce: Defending against the often overlooked ‘known knowns’
One lesson learned from this incident is that security teams must double down against the more obvious IT vulnerabilities and cover any existing gaps: The known-knowns.
For example, nearly every Fortune 500 organization uses Salesforce to manage customer relationships. However, many of those organizations assume that Salesforce takes ownership of all security aspects of their product offering. They do, but only up to a point.
The Shared Responsibility Model (SRM), used by most cloud providers, is used by Salesforce for securing Salesforce. This security and compliance architecture model delineates the respective cloud provider and customer responsibilities for securing the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system, network controls and access rights.
For example, Salesforce doesn’t scan incoming data for cyber threats – that’s your responsibility as the customer.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is a native application that runs in your Salesforce environment. The app prevents malicious and disallowed content from entering your Salesforce environment via files, web links and email messages.
WithSecure Cloud Protection for Salesforce focuses on securing Salesforce to mitigate advanced cyber threats on Salesforce. It:
Provides real-time protection and instant visibility into your entire environment
Works seamlessly with your customizations and workflows
Fully complements the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce is a highly certified solution. It meets the strict compliance requirements of modern enterprises and critical public sector organizations. Furthermore, It is an ideal choice for enhancing your Salesforce security. WithSecure Cloud Protection for Salesforce was designed for Salesforce, together with Salesforce.
While it may be impossible to defend against unknown unknowns, defending against the ‘known knowns’ and securing Salesforce is much easier. Get to know WithSecure Cloud Protection for Salesforce, or use the form below to contact our team to discuss your Salesforce security requirements.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.