Most companies operate within expanded digital ecosystems that include hundreds or even thousands of third-party suppliers and partners. Threat actors are exploiting these connections to circumvent traditional security measures and reach their targets.
Here, we’re focusing on how supply chain tactics can be used to exploit the Salesforce platform through its integrations with third-party systems. As a critical part of thousands of organizations’ customer relationship infrastructures, the Salesforce cloud is an attractive target for threat actors seeking access to sensitive data.
Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains.
A plausible supply chain attack may begin with the threat actor discovering a vulnerable system connected to or integrated with the Salesforce platform. The vulnerable system can be any software or application that sends structured or unstructured data to, or receives it from, the Salesforce platform via REST, SOAP or other APIs. The attacker can exploit a known or unknown vulnerability (such as the notorious Log4j bug) within the application to compromise it and gain access to its capabilities.
If the vulnerable application has privileged access to the Salesforce platform, the attacker will be able to change permissions, modify sharing rules or tamper with data in order to disguise lateral movement and abuse Salesforce’s own connections to further their attack.
Even without privileged access, the attacker may seek to exploit the Salesforce platform by attaching malicious files or sending phishing links to Chatter, Case, Account, Lead or other standard or custom objects usually present in Sales, Service or Experience Cloud environments.
Salesforce users then download a malicious file or open a phishing link from their endpoint device. The endpoint device may be unprotected, misconfigured or have a vulnerability, which would enable the attacker to run a malicious payload or steal user credentials. Depending on how the Salesforce system is used by the organization, this could hit employees, partners, and customers.
From here the adversary can launch their real attack, likely establishing command and control (C&C) functionality on the user’s device to take over their machine and utilise its access permissions. Now the attacker can begin exfiltrating critical data or planting more malware in the organization’s network, or even expanding to other third parties.
*Gartner Press Release, “Top Trends in Cybersecurity 2022”, Published 18 February 2022 By Analysts: Peter Firstbrook, Sam Olyaei, Pete Shoard, Katell Thielemann, Mary Ruddy, Felix Gaehtgens, Richard Addiscott, William Candrick. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
While many of these risks can be complex and difficult to mitigate, human error happens to be both one of the most significant as well as one of the simplest to deal with. In order to ensure that human error is minimised, it’s vital to set up Salesforce automation functions and ensure all staff are fully trained in Salesforce security essentials.
This article will provide insight and tips regarding Salesforce automation and training, as well as highlight potential areas of risk. Nevertheless, even when these steps are correctly implemented, human error can only ever be reduced, not eliminated, which is why cloud security products like WithSecure Cloud Protection for Salesforce will remain indispensable in 2023 and beyond.
Salesforce Automation and Training
There are many repetitive and time-consuming tasks on the Salesforce platform that can be automated using built-in tools. Potential automations include things like sending emails, creating reports or notifications, tracking customer interactions, and more. Automating these types of tasks eliminates the need for manual effort and reduces the likelihood of errors due to human oversight or miscommunication between departments or teams.
In addition to automating tasks within your Salesforce platform, it is important to also ensure that employees who work with the system are properly trained on how to use it correctly. Training should include topics such as how to securely store data (e.g., setting strong passwords), how to spot phishing scams and other cyber security threats, and how to handle data correctly to avoid deletions or repetitions. Providing regular training sessions on these topics helps ensure that employees understand proper procedures for working with Salesforce and reduces the risk of error due to lack of knowledge or understanding.
The importance of these kinds of measures is difficult to overstate, as bad actors usually only need to compromise one small link in the chain in order to gain access to the sensitive data being stored and transferred on Salesforce. One weak password or one small lapse in judgement can leave you vulnerable to a costly attack, making it essential to have robust cyber security systems in place to complement and support well-trained personnel.
WithSecure Cloud Protection for Salesforce
Even with Salesforce cyber security best practices in place, there is still potential for attackers to find a way in unless professional cyber security systems are also deployed. This is why WithSecure Cloud Protection for Salesforce has become increasingly essential heading into 2023; our cloud-based security solution leverages advanced analytics techniques like machine learning and artificial intelligence (AI) to automate the detection and removal of advanced threats such as malware or phishing attacks before they reach users.
This kind of proactive defense against cyber threats such as malicious code injections – which would otherwise go unnoticed until it’s too late – is something no amount of manual monitoring could ever hope to achieve on its own. If a potentially malicious file is detected, WithSecure Cloud Protection for Salesforce is also able to provide visibility into what has happened, when and who has interacted with it, helping identify chinks in your armour and bolster your defenses against future attacks.
Take Action and Protect Your Data
Salesforce is undeniably indispensable to thousands of businesses around the world, but using cloud-based technology does expose companies to a number of different risks, including those due to human error. By utilizing automation tools within your platform and providing employees with regular training sessions, you can significantly reduce the chances of security breaches due to lack of knowledge or oversight on their part alone. However, even with these precautions in place, there remains potential for mistakes which could have serious repercussions if not caught quickly enough – making WithSecure Cloud Protection for Salesforce an invaluable tool for companies using Salesforce in 2023 and beyond.
In our Ebook Securing Salesforce: Know Your Responsibilities, Protect Your Data, we explain how to quickly and simply take charge of Salesforce security, and find out if you may already have harmful content living rent free in your platform.
In this paper you will:
Learn more about the Salesforce shared responsibility model, and where your data might already be at risk
Discover ways to improve business collaboration between the C-suite, sales and marketing, and IT to ensure no Salesforce security loopholes
See real world examples of how global organizations use WithSecure™ Cloud Protection for Salesforce to gain real-time visibility into their Salesforce activity to mitigate threats before they enter the platform
Come away with a step-by-step action plan for keeping your data safe
Now is the time to start making changes so that you can continue to grow your customer base with confidence.
Ransomware and phishing are top concerns – for security and Salesforce
The time to execute ransomware attacks has dropped 94% over the last few years (IBM 2023).
3 ways our Salesforce security solution helps you do your job, securely
1. Real-time visibility of threats for peace of mind
Get clarity on whether you have already unwittingly let malicious content enter your databases through your customer, partner, or supplier engagement channels. Our solution monitors and prevents new threats around-the-clock.
2. Security that sits seamlessly alongside your workflow
Our Salesforce-approved security solution works smoothly and securely in the background, meaning no disruption to Salesforce teams’ activities.
3. Bespoke protection to grow your customer base with confidence
Give your team the confidence to focus on their jobs and grow your business without worrying about viruses, phishing links, trojans, ransomware, and other advanced malware.
Interested in knowing more? Download our ebook and start engaging your Salesforce ecosystem securely with worry-free digital journeys.
Securing Salesforce: Know Your Responsibilities, Protect Your Data
Salesforce Cloud applications like Sales Cloud, Service Cloud or Experience Cloud are now a business-critical service for organizations across a wide range of industries and verticals. Unfortunately, their popularity has attracted the attention of cyber criminals looking to use them as a way to illegitimately gain access to these companies’ data and networks.
Cloud computing has become an increasingly popular means of storing and accessing data remotely. As one of the leading vendors of cloud-based CRM solutions and other valuable business apps, Salesforce has implemented strict security measures to protect its cloud and network infrastructure. In the cloud realm, a shared responsibility model defines the security responsibilities of both cloud providers and consumers. Under this model, the data owner holds the primary responsibility of securing data that flows in and out of their Salesforce environment.
The business benefits of using cloud-based applications like Salesforce are huge and hugely outweigh the additional security risks they introduce. However, it is essential that you are aware of the nature and extent of these risks so you can decide what action you need to take to mitigate them.
If you want to proactively secure your Salesforce Cloud environment, it is important to understand the methods attackers are using and what can be done to combat them. These methods range from phishing and sending malicious URLs via email to social engineering and taking advantage of client-facing platforms to directly upload weaponized content to the cloud.
In this whitepaper we’ll break down three of the most typical attack scenarios by looking at what cyber security experts call the “Kill Chain”. We will also discuss how WithSecure™ can help to disrupt that Kill Chain with the solution designed for Salesforce Cloud.
Threat actors: who wants to steal our data and why?
As more and more businesses have shifted their operations to the cloud, criminals have become aware that large troves of valuable and sensitive data are held in cloud environments. However, different threat actors have very different motivations and levels of sophistication, and it is important to understand who they are and why they might be attacking you.
The pyramid above demonstrates the hierarchy of attackers. If you’re targeted by one of the actors at the top, they’re very likely to succeed: nation states and serious organized crime groups have huge resources to put behind acquiring data that they have identified as strategically important. In general, the larger the organization, the higher the likelihood of it being attacked.
Basic cyber training and antivirus software will likely protect you from most of what comes from the base of the pyramid, so it’s the middle that represents the biggest threat to most small and medium-sized organizations.
The cyber Kill Chain
Using the Kill Chain to assess how an advanced threat actor would approach your organization makes it easier to understand which steps, at a minimum, an attacker would have to take to succeed in an attack against your company. This allows you to build preventative or detective controls to counter them.
The WithSecure™ Kill Chain model is adapted from one originally created by Lockheed Martin that is widely used and accepted in the industry. We have added some additional steps from our own experience of researching and combating attacks.
The other end of the spectrum
If none of the above applies, then there’s MDR. On-premise IT, the need to fulfill new security requirements as part of an ISO27001 accreditation, false positive rates of over 10% and threats from within and without all lend themselves to an MDR approach, especially one with some serious UEBA (User Entity and Behavior Analytics) chops. The same applies if you’re struggling with hiring or retaining skilled staff: assured response, the need to free up your existing IT security resource or the need to increase the capability of your team are all indicators that MDR might be the right option. The same applies if there’s no institutional threat hunting knowledge or if your security team can’t respond to alerts: MDR, either our own Countercept MDR or a managed EDR service from one of our partners, may well fit the bill. Local partners providing MDR are particularly valuable in situations where your organization has industry-specific requirements or prefers services delivered in languages other than international English. If a 24/7 service is not vital, a partner managed service is also appropriate in some cases. Finally, if you value a continuous feed of security insights and posture improvement recommendations when your organization isn’t under attack, then Countercept MDR is a really good fit; our threat hunters spend a great deal of their time researching threats and thinking like attackers, and passing these insights on to customers is part of their job.
What happens during each phase of the kill chain
Reconnaissance
This is the phase where a potential attacker looks at your organization and network from the outside, searching for vulnerabilities that they could potentially exploit.
In a Salesforce context this could mean discovering your Community portals, Web-to-Case forms or the email address that’s used for the Email-to-Case flow.
Objective
The last stage of the Kill Chain is reached when the attacker completes at least part of their objectives successfully.
This could encompass a range of things such as stealing data, manipulating a target, making a fraudulent payment or damaging the system, depending on the attacker’s motivations.
Internal reconnaissance
Once an attacker has access to your system they will carry out another stage of reconnaissance to try to discover more about your organization and network.
In Salesforce this could mean accessing contact details of partners and customers within your CRM or finding out what other systems are connected to Salesforce.
Persistence
Once an attacker gains access to your network they want to remain inside and undetected. This way they can continue to steal data or achieve their other objectives.
They do this with various methods like sending malicious files or URLs to other users that can be internal or external to the Salesforce Cloud environment.
C2
C2 is the abbreviation security experts use for Command and Control. This is the stage where an attacker uses the compromised system to activate or control malware in the organization’s network.
Lateral movement
Internal reconnaissance enables an attacker to identify other areas of your organization’s network and infrastructure that may hold the data they are looking for. They can then use a variety of techniques to gain access to these areas.
Exploitation
Exploitation, often referred to as code execution, is the phase of an attack where malicious code is executed on the target environment.
Exploitation can occur in various ways, such as abusing functionality of file formats like Microsoft Office documents, PDF files and scripts. Attackers can also exploit known or unknown (so-called zero-day) vulnerabilities in popular software.
Delivery / weaponization
If the medium of the attack is email, this literally means the delivery of the email to your employee. Attacks could also be carried out via Salesforce Communities, direct file uploads or URLs shared via Salesforce. Weaponization is sometimes listed as an additional step and could take place before or after delivery.
This is where the attacker uses what they found out in the reconnaissance phase to put malicious content into the delivery method.
Traditionally this would be done prior to sending, but a newer technique attackers use is to send a URL which is not yet infected, and therefore looks perfectly legitimate to standard security solutions, before adding the payload to it later.
External vs internal threats
At WithSecure™ we distinguish between internal and external threats, based on the initial method of infiltration which takes place prior to or simultaneously with the reconnaissance and weaponization phases.
An external threat is typified by an attacker that seeks to “become your customer” or gain trust in a similar way. Imagine a recruitment firm that takes on a new candidate not knowing that this person is really a cybercriminal. The attacker would likely send a real CV initially and exchange non-infected emails to build trust before weaponizing and carrying out an attack later.
An internal threat on the other hand has an attacker that already has access on behalf of the internal user. Maybe they bought it, either directly or online, or maybe they stole it using a phishing attack. Either way they can easily skip to delivery with very specific targeting.
The Kill Chain framework is not a one-size-fits-all solution for all types of cyberattacks. Some attacks may skip certain stages entirely, or use different techniques to achieve their objectives. However, understanding the Kill Chain framework and how different threat actors may approach each stage can help organizations better prepare for and defend against cyberattacks.
Salesforce Kill Chain examples
Attacking via Community portal
This is an example of an external Kill Chain: the attacker is acting as a member of your community who would have legitimate access to your Community Portal.
Reconnaissance: The attacker registers and creates a new user account in the community portal.
Weaponization: The attacker creates a weaponized document with a vulnerability exploit.
Delivery: The attacker uploads the weaponized file to the community portal. The file is saved in Salesforce Experience Cloud.
Exploitation: Failing intervention, an internal user opens the file and the weaponized payload is executed within the vulnerable application on their device.
C2 / Persistence: The attacker now has access to this user’s device and can proceed to lateral movement.
Objective: The attacker works to exfiltrate confidential or sensitive data from the organization.
Exploiting email-to-case
This is another external Kill Chain, where an attacker uses email-to-case to penetrate via Salesforce Service Cloud. They will be posing as a customer or user of your service.
Reconnaissance: The attacker finds out the email address used for sending customer support requests.
Delivery: The attacker creates a website for a phishing attack and sends the link in an email message to create an email-to-case request for customer support. The link is saved in the Salesforce org.
Weaponization: The attacker waits a while and then adds the malicious code to the website they have created.
Exploitation: Failing intervention, an internal user opens the link and the malicious code is executed within the vulnerable application on their device.
C2 / Persistence: The attacker now has access to this user’s device and can proceed to lateral movement.
Objective: The attacker works to exfiltrate confidential or sensitive data from the organization.
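The delayed weaponization used in this Email-to-Case kill chain (and described under "Delivery / weaponization" above) defeats any defence that records a single verdict when a link is stored. The simulation below is an added illustration, not code from the page or from WithSecure: it replays the scenario with constructed URLs, times and verdicts, and compares an ingest-only scan policy with one that re-scans the stored link every time it is opened.

```python
"""Why scan-at-ingest misses the delayed-weaponization Email-to-Case attack.

Constructed simulation (not WithSecure code): a link arrives through
Email-to-Case and is saved on a Case. Policy A records one verdict at
ingest; policy B re-evaluates the URL every time a user opens it.
"""
from dataclasses import dataclass, field


@dataclass
class ReputationSource:
    """Stand-in for a URL reputation / content-analysis service.

    flagged_at maps a URL to the (constructed) time from which the service
    returns 'malicious' for it, i.e. once the attacker has added the payload
    and the page has been analysed. Before that time the URL looks clean.
    """
    flagged_at: dict[str, int] = field(default_factory=dict)

    def verdict(self, url: str, now: int) -> str:
        flagged = self.flagged_at.get(url)
        return "malicious" if flagged is not None and now >= flagged else "clean"


@dataclass
class StoredLink:
    """A URL saved on a Case record, with the verdict taken when it arrived."""
    url: str
    ingested_at: int
    ingest_verdict: str


class CaseLinkStore:
    def __init__(self, reputation: ReputationSource) -> None:
        self.reputation = reputation
        self.links: dict[str, StoredLink] = {}

    def ingest(self, case_id: str, url: str, now: int) -> str:
        """Delivery stage: the link is scanned once as the Case is created."""
        verdict = self.reputation.verdict(url, now)
        self.links[case_id] = StoredLink(url, now, verdict)
        return verdict

    def open_ingest_only(self, case_id: str, now: int) -> str:
        """Policy A: trust the verdict recorded at ingest (time of check)."""
        link = self.links[case_id]
        return "blocked" if link.ingest_verdict == "malicious" else "allowed"

    def open_with_rescan(self, case_id: str, now: int) -> str:
        """Policy B: re-scan the stored URL at click time (time of use)."""
        link = self.links[case_id]
        current = self.reputation.verdict(link.url, now)
        return "blocked" if current == "malicious" else "allowed"


def simulate(weaponized_at: int = 5, click_at: int = 10) -> dict[str, str]:
    """Replay the Email-to-Case kill chain with constructed timestamps.

    t=0              attacker submits a support request containing a still-harmless link
    t=weaponized_at  attacker adds the payload; the reputation source flags the URL
    t=click_at       a support agent opens the link from the Case
    """
    url = "https://support-portal.example/ticket-form"  # constructed, not a real indicator
    reputation = ReputationSource(flagged_at={url: weaponized_at})
    store = CaseLinkStore(reputation)
    ingest_verdict = store.ingest("case-0001", url, now=0)
    return {
        "ingest_verdict": ingest_verdict,
        "ingest_only_policy": store.open_ingest_only("case-0001", now=click_at),
        "rescan_policy": store.open_with_rescan("case-0001", now=click_at),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:>20}: {outcome}")
```

Under the default timeline the ingest verdict is "clean", the ingest-only policy still allows the click after weaponization, and only the re-scan policy blocks it.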
Supply chain attack
Salesforce supports various ways to integrate with, and extend the capabilities of the Salesforce Lightning platform. Organizations may use solutions that can create, update and read content and these solutions would use native Salesforce APIs that are trusted by default. This Kill Chain shows how an attacker could use a third-party application to breach Salesforce Lightning.
Reconnaissance: The attacker discovers an exploitable AppExchange app, or compromises an external system that your organization uses and that is integrated with Salesforce Lightning.
Weaponization: The attacker creates a weaponized document with a vulnerability exploit or malicious payload.
Delivery: The attacker pushes the weaponized file through the third-party application. The file will be trusted by default because it comes from a whitelisted source.
Exploitation: Failing intervention, an internal user opens the file and the weaponized payload is executed.
C2 / Persistence: The attacker now has access to this user’s device and can proceed to lateral movement.
Objective: The attacker works to exfiltrate confidential or sensitive data from the organization.
Product introduction
WithSecure’s Cloud Protection for Salesforce effectively combats all the previously mentioned attack scenarios, and more. Our solution actively scans files and URLs every time they are uploaded to, downloaded from or clicked on within Salesforce, providing real-time detection and blocking of malicious content, including malware and phishing links.
Our Cloud Protection solution is particularly effective against advanced attack methods like the email-to-case approach, where attackers use dormant malicious payloads to evade security systems.
Working alongside Salesforce, our Cloud Protection solution is designed to complement their security capabilities, with no overlap between our solution and Salesforce’s built-in or add-on security tools. With our click-and-go deployment, you get instant protection without any tedious deployment projects.
Additionally, our solution provides constant visibility into your content security status and offers comprehensive reports and analytics to help you hunt threats. Plus, integrating it into your SIEM is easy.
When it comes to defending against sophisticated cyber attacks, it’s crucial to have security measures in place across multiple fronts and layers. This includes systematically addressing vulnerabilities, implementing preventive threat protection on devices and cloud applications, and responding quickly to threats to minimize damages.
Maximizing Protection for Your Salesforce Cloud: How The Cyber Kill Chain Can Help
As more and more companies adopt Salesforce Cloud applications to scale service processes, enhance the customer experience and drive efficiency by enabling better collaboration between teams, they become increasingly critical to the success of organizations across various industries. However, with this increased popularity comes a higher risk of cyber attacks. Cybercriminals are always on the lookout for new ways to access sensitive data and networks, and Salesforce Cloud is no exception.
It’s important to note that while Salesforce does provide infrastructure-level security measures such as replication, backup and disaster recovery, as well as encrypted network services and advanced threat detection, it’s ultimately the responsibility of each company to ensure the security of their data and access controls. The benefits of using cloud-based applications like Salesforce far outweigh the potential security risks, but it’s crucial to understand these risks and take action to mitigate them.
One way to proactively secure your Salesforce Cloud environment is by understanding the methods used by attackers. These can range from phishing and malicious URLs to social engineering and weaponized content uploads. To help with this, we’ll explore the concept of the Cyber Kill Chain, a framework developed by Lockheed Martin to assist organizations in identifying and defending against cyber attacks.
What is the Cyber Kill Chain?
The Cyber Kill Chain is a methodology for identifying and understanding the various stages of a cyber attack. Developed by Lockheed Martin in 2011, the framework is used to help organizations understand the different stages of an attack and how they can be detected and prevented. It’s made up of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
However, from our own experience of researching and combating attacks, we’ve added some additional steps that you may find useful. The WithSecure™ Kill Chain model consists of eight stages:
Reconnaissance
The attacker gathers information about the target, such as its vulnerabilities and potential entry points. In a Salesforce context, this could mean discovering your Community portals, Web-to-case forms or the email addresses that are used for the email-to-case flow.
Delivery/Weaponization
Once the attacker has identified a potential target, they will create and deliver the malware or weaponized payload to the target’s systems. This could be done through a phishing email, exploit kits or other means. This may also be done via Salesforce Communities, direct file uploads or URLs shared via Salesforce.
Exploitation
In this stage, the attacker uses the weaponized payload to exploit vulnerabilities in the target’s systems. This allows them to gain access and begin to move laterally within the network. Exploitation can occur in various ways, including abusing the functionality of file formats such as Microsoft Office documents and PDF files.
Command and control
Once the attacker has gained access to the network, they will establish a command and control (C2) infrastructure to maintain control over the compromised systems. This could include creating a backdoor or installing a remote access tool.
Persistence
The attacker will now focus on maintaining their presence and avoiding detection on the target’s systems, in case they are discovered and removed. This allows the malicious code to remain in place to steal more data or carry out other nefarious actions — which they may achieve by continuing to send malicious code to internal or external users of the Salesforce Cloud environment.
Internal reconnaissance
Once a malicious actor gains access to your system, they may conduct a deeper reconnaissance mission to find out more about the inner workings of your organization and network. In Salesforce, this could mean accessing contact details of partners and customers within your CRM or scavenging for information about other systems connected to Salesforce.
Lateral movement
Internal reconnaissance allows an attacker to locate other parts of your organization’s network that may hold the data they are seeking. Once access is obtained, attackers can use a variety of techniques to gain further entry into targeted systems.
Objective
When a malicious actor successfully completes at least part of their objectives, it means that the last stage in the Kill Chain has been reached. This could mean a number of things — such as stealing data (or simply viewing it), manipulating targets or making fraudulent payments — depending on what they are trying to achieve.
One thing to note is that the Cyber Kill Chain is often compared to the MITRE ATT&CK framework, which is another popular methodology for understanding and responding to cyber-attacks. Both frameworks have similar threat detection goals, but the Cyber Kill Chain is more focused on the specific stages of an attack, while the MITRE ATT&CK framework focuses more deeply on the tactics and techniques used by attackers.
Data Theft and System Breaches: The Motivations Behind Cybercriminals and Their Tactics
Due to the growing popularity of cloud-based computing, criminals have become aware that large troves of valuable and sensitive data are held in these environments. But many types of malicious actors exist, and each has its own motives for stealing sensitive information. It’s important to understand who these attackers are — and why they target certain organizations. By order from most to least threatening, the most common threat actors include:
Nation states: As the most dangerous threat actors, nation states have the ability to use sophisticated techniques and tradecraft. They also have the resources — both financial and human — to invest in research and development of new attack methods. Fortunately, this kind of attack is highly unlikely to happen to most businesses.
Serious organized crime groups: These are groups that have the resources and expertise to carry out large-scale attacks and profit from the sale of stolen data. They may target financial institutions, healthcare organizations and other businesses that handle sensitive information.
Highly capable criminal groups: Commonly known as hackers-for-hire, criminal groups may also target organizations for financial gain or to disrupt business operations. They may use phishing, malware and other techniques to gain access to sensitive information.
Motivated individuals: This category covers people with a specific motivation — a grudge against your company, for example — who will target you out of that anger, often with the aim of also making a financial gain.
Script kiddies: These individuals are often young, tech-savvy and may not have a specific motivation to target organizations. They simply want to explore the concept of hacking and may look for vulnerabilities in websites or networks to exploit. For example, a hacker sends out a mass email or instant-message spam, hoping that at least some recipients will respond by clicking on a malicious link or opening an attachment.
“Security leaders in finance industry state that compliance to industry standards is one of their top 5 security priorities.”
Source: F-Secure 2021 Priorities for European Security Leaders
Unlock the full potential of your business by investing in WithSecure™ Cloud Protection for Salesforce
When it comes to protecting your organization’s Salesforce data, it’s essential to take a proactive approach to ensure that it remains secure at all times. This is where WithSecure™ Cloud Protection for Salesforce comes in — it’s designed to safeguard your cloud environment against advanced cyber threats such as ransomware, zero-day malware, viruses, trojans and phishing links.
With our Cloud Protection, you can run your digital operations on Salesforce without disruption, as each customer interaction is secured in real time. You get constant clarity of your content security status and can see what is happening in your environment. Developed in close collaboration with Salesforce, the solution is ISO 27001 and ISAE 3000 (SOC 2) certified and complements the platform’s native security capabilities seamlessly.
Additionally, WithSecure’s solution scans URLs every time they’re clicked. This counters delayed-weaponization attacks such as the email-to-case kill chain, where a link is harmless when it arrives and passes the initial scan, and is only pointed at malicious content after a waiting period.
Designed and created in collaboration with Salesforce, WithSecure’s Cloud Protection is a tailor-made solution recommended by Salesforce. It can be acquired directly from the AppExchange, and its cloud-to-cloud architecture means there is no need for middleware. Our click-and-go deployment means instant value with no time-consuming implementation process.
Ready to take your security efforts to the next level?
Our team of experienced security professionals is at the forefront of the cybersecurity world, constantly gaining valuable insights to ensure your security is always ahead of the curve. With over three decades of experience, we have what it takes to keep you protected from the ever-evolving threat landscape.
With offices in Europe, North America and Asia Pacific, as well as over 100,000 corporate customers, our reputation as a trusted security provider is unparalleled. Our corporate security revenue has been consistently growing year-on-year since 2015, and we have serviced over 300 enterprises through our consulting services.
Founded in 1988 and listed on the NASDAQ OMX Helsinki Ltd, trust us to take your cybersecurity efforts to the next level. Don’t just take our word for it, check out our customer success stories and see how WithSecure™ has made a difference.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
It’s estimated that nearly half of all breaches today involve attackers exploiting cloud infrastructures. The last few years have seen major incidents of this nature, such as breaches at Facebook and Kaseya.
In a hybrid, multi-cloud world, it is critical to maintain visibility across key points of your infrastructure, as well as receiving prompt threat alerts and being prepared to act on them quickly.
However, finding the right solution can be challenging. The cloud security market is crowded, and specific platforms, like Salesforce, are best protected by specialist solutions designed for the job.
Cloud Access Security Broker (CASB) is a common choice for most cloud security needs. A traditional CASB is an intermediary between users and cloud service providers, helping with compliance and data protection.
While useful tools, CASBs can present issues. They are often complex, draining time and resources to manage. In addition, their positioning, between the user and the cloud, can lead to security and performance problems.
First, here’s an overview of the key differences:

Real-time protection against advanced cyber threats

WithSecure™ Cloud Protection for Salesforce:
Scans files in real time on upload and on download
Click-time URL protection
On-demand and automated environment scans
Native integration with the Salesforce platform offers seamless protection
Protects users regardless of the device used, including BYOD

CASB solutions:
Not primarily built for advanced threat protection
Often scan files only once, and often not on download, so malicious payloads already in the environment go undetected
Many rely on periodic scans or batch processing, delaying detection
API-based integration can introduce a lag between identifying a threat and blocking it
Often offer no protection against malicious URLs
Require the company to define user and device policies and configure the solution

Visibility

WithSecure™ Cloud Protection for Salesforce:
Real-time visibility into cloud data and content interactions (what, who, when, where)
Full audit trails for threat hunting and forensics

CASB solutions:
May not have the same level of granularity as a natively integrated solution
Can provide visibility into a broader set of cloud apps
Tracking interactions with a specific file is not possible

Operational efficiency and cost-effectiveness

WithSecure™ Cloud Protection for Salesforce:
Deployment is quick and easy with a click-and-go process that takes minutes
Instantly protects business-critical platforms without first mapping out a long-term security strategy
User-friendly interface with familiar Salesforce controls; minimal training required for administrators
Maintenance is simple and highly automated, resulting in a low total cost of ownership (TCO)
Managed directly from the Salesforce portal
Integrates workflows, alerts, and metadata with SIEM and other third-party systems
Scanning is fast with minimal impact on performance
Usage-based licensing; you pay for what you use
No additional Salesforce licensing costs; does not consume Salesforce API calls

CASB solutions:
Complex, time-consuming, and costly deployment with configurations that require expertise
Require an understanding of each cloud application
A separate management portal is necessary
Complex license agreements with the potential of paying for unused features
Latency and performance overhead because all traffic passes through the CASB
May not integrate well with existing security solutions and technologies
Consume Salesforce API calls

Data integrity and confidentiality

WithSecure™ Cloud Protection for Salesforce:
The solution runs within the Salesforce platform
Your data stays securely stored in the Salesforce cloud

CASB solutions:
Positioned between the user and the cloud service
Use a forward or reverse proxy mechanism
Risk of compromised encryption of files in transit
May break encryption to inspect data exchanges
Now let’s go a bit deeper:
CASBs provide useful features that are particularly valuable for cloud environment assessment, user behavior control, and policy enforcement. However, they are not built primarily for active threat protection, so enterprises relying on CASBs for cloud security will lack the real-time protection that is critical against more advanced threats.
Many CASB solutions rely on periodic scans or batch processing and often scan a file or link only once. This delays detection and leaves the environment exposed to multi-stage attacks and to links that are changed after initial delivery to become malicious. CASBs also lack sandboxing capabilities, so they cannot perform in-depth behavioral analysis of files.
Further, you will typically need to set user and device policies and configure the solution to match, which means there is no protection for external or BYOD users, a big issue if you collaborate with partners through Salesforce.
In comparison, WithSecure™️ Cloud Protection for Salesforce provides comprehensive protection against malware by scanning every file in real time on both upload and download. It also offers click-time URL protection: links are scanned when they are uploaded and again when a user clicks them, so a link that was changed after delivery is still caught.
You can initiate on-demand and automated scans for your entire environment and cover all users regardless of their devices.
Visibility
Alongside these features, CASBs are designed to provide broad visibility across cloud services and to secure multiple cloud applications. But they are unlikely to offer the same granularity as a natively integrated solution, and tracking the interactions with a specific file during an incident is not possible.
WithSecure™️ Cloud Protection for Salesforce provides comprehensive, real-time visibility into data on your platform, including the ability to track interactions with content. This gives you the “who, what, when, and where”, allowing you to understand exactly what has happened, and what you should do next. It also offers comprehensive Salesforce-native analytics capabilities, as well as full audit trails for efficient threat hunting and forensic investigations – ideal for meeting regulatory compliance demands.
Operational efficiency and cost-effectiveness
Complexity is another common issue with traditional CASB solutions. They are often complex to deploy, requiring time, expertise, and significant cost to become fully operational. Managing the solution and its integrations can be resource-intensive and requires specialist skills and knowledge, driving up costs and hitting your ROI.
Further, the way these solutions are positioned, between the user and the cloud environment, can cause detection latency and performance overhead issues.
Integration with existing systems can also be an issue, especially if you hope to use one CASB across your Salesforce and other cloud environments. You will often need a separate management portal that is not connected to your other tools. Further, one CASB may not cover all your platforms in any case, requiring multiple CASBs from different vendors.
In contrast, WithSecure™️ Cloud Protection for Salesforce was designed to function as a native application that blends seamlessly into your Salesforce environment. A user-friendly interface and familiar controls require minimal training for administrators. Maintaining it is a breeze, with high automation and no extra portals, leading to a low cost of ownership.
Integrating workflows, alerts, and metadata with security information and event management (SIEM) and other third-party systems is simple, and scanning is fast without sacrificing performance. Licensing is based on usage, with no additional Salesforce licensing fees and no consumption of your Salesforce API quota.
With a click-and-go approach to deployment, you can be up and running in minutes. A user-friendly interface with familiar, straightforward Salesforce controls means you do not need specialist skills or training.
Data confidentiality and integrity
As well as issues with advanced threat detection, CASBs can inadvertently expose businesses to other security problems. These solutions typically sit between the user and cloud service, leading to potential security risks, such as compromised file encryption during transit.
WithSecure™️ Cloud Protection for Salesforce avoids this issue by running within the Salesforce platform, ensuring that your data remains securely stored within the environment.
Find out what WithSecure™ Cloud Protection for Salesforce can do for you
CASBs are valuable tools that will go a long way in keeping your cloud environments secure and compliant. But when it comes to taking strong preventive measures and gaining more granular visibility, WithSecure™ Cloud Protection for Salesforce offers a fast, user-friendly, and cost-effective solution, that natively integrates into your Salesforce environment.
You get real-time protection against advanced cyber threats such as sophisticated malware, ransomware, and phishing attacks providing comprehensive granular visibility into your content security status.
There is no tedious implementation period; you can achieve instant value with our click-and-go deployment. Why not head over to AppExchange for a test drive now?
With all the various options for Salesforce security, where should you focus?
We conducted a global survey asking thousands of IT professionals how they deal with cloud security. To back up this data with Salesforce-specific insights, we took detection data from the WithSecure Cloud Protection for Salesforce product to share what we saw in 2022. Based on these sources, our experts give their recommendations on where to focus your security efforts in 2023.
Every modern enterprise today sits at the center of a vast and complex network of digital suppliers. Affordable high-speed internet and the vast, fast-growing global cloud market mean that organizations can easily outsource anything they need to grow their business. Specialist software solutions can be accessed through SaaS models, or firms can acquire components and plugins to heavily customize their own infrastructure.
IT leaders’ top 5 security challenges in 2022:
Cloud and collaboration
Cloud platforms like Salesforce have become essential for maintaining remote and hybrid working strategies accelerated by the pandemic, as well as delivering advantages in terms of improved efficiency and agility, and reduced costs and resources. However, this more diffuse IT environment also creates more moving parts, many of which are out of direct control.
Ensuring security of cloud-based collaboration applications, such as Salesforce and Office 365.
Ensuring the security of an increasingly diverse pool of devices, services and software.
Preventing advanced e-mail-based threats, such as phishing or business email compromise (BEC).
Preventing data breaches.
Ensuring protection against malware and ransomware.
Our deep dive article on Salesforce security priorities outlines the trends we found in our Pulse 2023 survey.
46% of organizations detected one or more targeted attacks in their cloud platforms in the last 12 months
The fact that a quarter of respondents believed they were the victim of a targeted attack in the last 12 months demonstrates that adversaries have become more sophisticated and organized. However, many organizations are making the attackers’ lives easy by failing to properly configure and monitor their cloud environments.
The digital supply chain offers unparalleled flexibility and freedom, enabling organizations to rapidly acquire new capabilities and seize opportunities. But it also comes at the cost of increased cyber risk exposure.
Introducing a web of thousands of moving parts makes it extremely challenging to maintain effective visibility of the IT estate and identify potential vulnerabilities.
However, threat actors are also actively seeking to exploit these connections. Attacking third party connections such as SaaS suppliers or software plugin developers enables cyber criminals to bypass security defenses and potentially strike at the heart of an organization’s network. This connectivity can be exploited to deploy malware, including highly destructive targeted ransomware, within the target business, exfiltrate high-value data, or establish command-and-control.
Gartner® has named digital supply chain risk as one of the leading security and risk management trends for 2022 and predicts that, “by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.”1
Indeed, it has already been estimated that supply chain attacks have tripled in 2021 alone. Some of the biggest data breaches of the last year have centered on digital supply chains.
Log4Shell
This high-profile vulnerability affected the popular Apache Log4j 2 Java logging library. Tracked as CVE-2021-44228, it allowed remote code execution on any system running a vulnerable Log4j 2 version: when attacker-controlled text (an HTTP header, a form field, a chat message) was written to a log, the library resolved a JNDI lookup embedded in that text and loaded code from a server the attacker named. The flaw was disclosed and patched in December 2021 but may have been present since as early as 2013, when the lookup feature was added. It is thought that nearly half of all organizations may have been targeted using the vulnerability at some point.
Okta
In March 2022, identity and access management provider Okta disclosed that it had suffered a security breach in January that potentially affected hundreds of customers. The breach demonstrated how third-party connections are targeted and exploited, as it began with the compromise of a customer-support subprocessor working for Okta. The attackers, the Lapsus$ group, gained remote desktop access to a support engineer’s workstation at that subprocessor and from there reached Okta’s support tooling and customer data.
Office 365
Threat actors have increasingly targeted the extended Office 365 environment with consent phishing. The victim first receives an email prompting them to sign in to their 365 account and approve a new application. Rather than the usual imitation login page, the link leads to the user’s genuine Office 365 login and consent page. The threat is the application itself: once the user grants consent, it receives an OAuth token that gives the attacker access to the user’s files and email. Because access is granted by the user through a legitimate sign-in rather than obtained with stolen credentials, multifactor authentication (MFA) never stands in its way, and the grant persists until the application’s permissions are revoked.
SolarWinds
Despite occurring in 2020, the SolarWinds attack remains the most notorious example of a high-end digital supply chain attack. Widely believed to be the work of Russian state-backed operatives, the incident saw software vendor SolarWinds breached in a sophisticated multi-pronged attack that targeted its popular Orion solution. The perpetrators covertly injected malicious code into a signed update for the software, enabling them to access the networks of thousands of users, including governmental bodies such as the US Treasury and the Department of Justice.
How third-party integrations introduce new threats to Salesforce
Salesforce is an essential asset for many organizations, often playing a defining role in their entire customer management and digital experience strategy. As such, there is a huge market demand for the ability to customize and configure the environment to suit different operational needs.
The Salesforce platform can be heavily customized and extended with third-party applications, components and cloud services. Salesforce AppExchange, the platform’s official app store, offers more than 3,400 apps, and organizations can also connect their Salesforce environments with external systems or applications via SOAP or REST APIs. Those systems may be hosted in different cloud environments and use a variety of proprietary or open-source software. In addition, the Salesforce platform supports traditional email- or web-form-based integration.
With so many options, enterprises are guaranteed to find third-party support for any adaptions and extensions they want to apply to their Salesforce environment. However, each new addition also increases the organization’s exposure to digital supply chain risk.
There are multiple potential threats here:
Malicious imposters
Compromised software
Vulnerable code
The threat within
Like any other digital environment, Salesforce can become highly vulnerable when it has not been correctly configured.
Misconfigured applications and ineffective identity management can quickly leave the environment exposed. Threat actors are adept at sniffing out poorly secured user accounts and applications that have been left with their default settings in place. Weak access controls make it far easier for cyber attackers to infiltrate the environment.
This is a serious issue even before the introduction of hundreds of new elements through third party applications and components. It can be particularly problematic for larger organizations, where a lack of coordination across branches and departments means the environment is bloated by redundant apps and plugins for the same tasks. Smaller firms meanwhile may be more streamlined but will be more likely to add new components on the fly without effective safeguards.
It should be noted that Salesforce has since taken steps to make poorly configured sharing rules more visible to help reduce the risk and has published release updates that change default settings to more secure ones. Salesforce Optimizer, a Lightning Experience application, can for example be used to conduct regular checks and highlight any potential issues around guest users.
Anatomy of a Salesforce supply chain attack
The scope and complexity of the Salesforce environment mean there are multiple ways it can be targeted and exploited as part of a digital supply chain attack. Here are two example attack scenarios.
Scenario 1: Vulnerable third-party system
Here, the attacker identifies a vulnerability in a software application integrated with Salesforce, such as a tool that retrieves data for analysis, and exploits it to gain remote access to that system. The vulnerable application is connected to Salesforce via an API credential, and since such integrations are usually granted broader permissions than a human user, the attacker is able to access Salesforce with relative ease.
The attacker may seek to steal or damage data within Salesforce but can also use the platform’s capabilities as part of their attack chain. For example, malicious documents and URLs can be seeded throughout the environment to be clicked and downloaded by unsuspecting users, including employees, customers, and other connections. These users can then be compromised, and their system access exploited to continue the attack on the rest of the company’s IT infrastructure.
Scenario 2: Compromised development tools
In this scenario, the threat actor first targets either a source code repository or the CI/CD system of a software vendor in order to introduce malicious code into its product. The initial system access can be achieved in multiple ways, with the use of phishing to acquire user credentials being one of the most common tactics, as demonstrated by SolarWinds.
The application or component is then integrated into the Salesforce environment, enabling the attacker to exploit its connectivity to compromise other users and endpoints. Again, from here they can achieve whatever malicious goals they have. The process may even repeat itself, with the targeted organization serving as yet another steppingstone in an extended supply chain attack.
The attacker may access the Salesforce instance directly on the first pass or may implant a backdoor and wait until the integrator has production access later on. There is a tendency for developers to blindly trust in the security of their tools, particularly if they come from a known vendor. However, as SolarWinds demonstrates, even a well-established vendor can be a source of risk if it is compromised by organized attackers.
Best practice for mitigating digital supply chain risk
Cyber security is a complex issue that cannot be solved by a single magic bullet. This is especially true for a cloud environment as large and dense as Salesforce. As such, mitigating the risk of digital supply chain attacks on Salesforce requires a multi-layered approach that combines the right security solutions with the right processes and policies. Some of the most important elements to a Salesforce security strategy include:
1. Vetting third-party applications and components
To ensure the security of the Salesforce environment, thorough vetting of all applications and components is necessary, including researching known vulnerabilities and previous incidents, verifying that issues were resolved, and implementing an Application Portfolio Management process. Additionally, organizations should assess the security measures of third-party vendors and include security requirements in service level agreements, while weighing geopolitical factors to mitigate the risk of nation state-backed attacks.
2. Risk mapping potential breach impact
Organizations must thoroughly evaluate how an asset fits within their Salesforce environment and assess the potential consequences of a breach, taking into account its capabilities and connections to Salesforce and the broader IT infrastructure. Enterprises should carefully weigh the risk versus the benefits of introducing a new component and incorporate this analysis into their overall security strategy.
3. Gaining a centralized view of third-party assets
In complex Salesforce environments with numerous third-party components, administrators should prioritize gaining visibility to minimize blind spots and mitigate incidents. By focusing on important and high-risk elements first, implementing structured policies for introducing new assets, and gradually expanding control, they can maintain visibility and prevent the addition of redundant applications.
4. Eliminate misconfiguration and access issues
Besides focusing on the digital supply chain, organizations should also pay attention to their internal processes to mitigate cybersecurity risks. Conducting audits to ensure correct configuration and access management in the Salesforce environment, setting minimum access levels, disabling unnecessary sharing capabilities, and adopting a least privilege approach for user profiles and automated systems are essential measures. Regular reviews of new features and periodic in-depth assessments of system configurations are necessary, and seeking specialized expertise can help ensure comprehensive security.
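The least-privilege review for automated systems described above, and the over-trusted integration credential that Scenario 1 abuses, can be turned into a repeatable check. The script below is an added example for this article, not code from WithSecure or Salesforce. It runs over a constructed, simplified in-memory export; in a real org you would assemble the same fields from User, Profile, PermissionSetAssignment and connected-app records via the Tooling or Metadata API. The field names, the permission labels and the sample users are assumptions for illustration, not the exact Salesforce schema.

```python
"""Least-privilege audit for Salesforce integration users (added example).

The input is a constructed, simplified snapshot of what you would export from
the Tooling/Metadata API. Field names are assumptions, not the API schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Org-wide powers that a single leaked integration credential should never carry.
BROAD_PERMS = {"ModifyAllData", "ViewAllData", "ManageUsers", "ManageSharing",
               "CustomizeApplication", "AuthorApex"}
# OAuth scopes that hand a server-to-server job far more than a data sync needs.
BROAD_SCOPES = {"full", "web"}


@dataclass
class IntegrationUser:
    username: str
    profile_perms: Set[str]
    permission_sets: Dict[str, Set[str]] = field(default_factory=dict)
    oauth_scopes: Set[str] = field(default_factory=set)
    login_ip_ranges: List[str] = field(default_factory=list)  # empty = any IP allowed
    objects_needed: Set[str] = field(default_factory=set)     # what the job really touches
    object_access: Set[str] = field(default_factory=set)      # objects the profile/psets grant


def effective_perms(user: IntegrationUser) -> Set[str]:
    """Union of profile permissions and every assigned permission set."""
    perms = set(user.profile_perms)
    for ps_perms in user.permission_sets.values():
        perms |= ps_perms
    return perms


def audit(users: List[IntegrationUser]) -> List[Tuple[str, str, List[str]]]:
    """Return (username, finding, details) for every least-privilege violation."""
    findings = []
    for u in users:
        perms = effective_perms(u)
        broad = sorted(perms & BROAD_PERMS)
        if broad:
            findings.append((u.username, "broad-permission", broad))
        scopes = sorted(u.oauth_scopes & BROAD_SCOPES)
        if scopes:
            findings.append((u.username, "broad-oauth-scope", scopes))
        if not u.login_ip_ranges:
            findings.append((u.username, "no-login-ip-restriction", []))
        excess = sorted(u.object_access - u.objects_needed)
        if excess:
            findings.append((u.username, "excess-object-access", excess))
    return findings


# Constructed sample: one over-privileged analytics connector, one well-scoped ERP sync.
SAMPLE_USERS = [
    IntegrationUser(
        username="analytics-sync@example.com",
        profile_perms={"ApiEnabled", "ViewAllData"},
        permission_sets={"Legacy_Admin": {"ModifyAllData", "ManageSharing"}},
        oauth_scopes={"full", "refresh_token"},
        login_ip_ranges=[],
        objects_needed={"Account", "Opportunity"},
        object_access={"Account", "Opportunity", "Case", "User"},
    ),
    IntegrationUser(
        username="erp-sync@example.com",
        profile_perms={"ApiEnabled"},
        permission_sets={"ERP_Sync": {"ApiEnabled"}},
        oauth_scopes={"api", "refresh_token"},
        login_ip_ranges=["203.0.113.0/24"],
        objects_needed={"Account", "Order"},
        object_access={"Account", "Order"},
    ),
]

if __name__ == "__main__":
    for username, finding, details in audit(SAMPLE_USERS):
        print(f"{username}: {finding} {details}")
```

Each finding maps to a concrete fix: move the integration to its own profile and permission set, replace the full OAuth scope with the narrowest scope the job needs, add login IP ranges on the profile, and grant object access only for the objects the job actually reads or writes.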
5. Block malicious content on Salesforce
To prevent supply chain attacks and exploitation through Salesforce, organizations need a comprehensive security approach that includes endpoint, network, and cloud-based protection. WithSecure offers solutions to prevent, detect, and respond to modern attacks, including Cloud Protection for Salesforce, which scans all content in real time to identify and block malicious files and URLs uploaded to the platform, providing strong protection without impacting the user experience.
6. Implementing an effective response plan
Given the inevitability of data breaches, organizations should prepare for the possibility of a digital supply chain attack on their Salesforce environment by implementing an effective incident response and remediation plan. Utilizing services like Salesforce Shield, with features such as detailed logging and per-field encryption, can aid in incident detection and analysis. Additionally, having access to specialized skills and tools, such as those provided by a specialist partner, can help identify and remove threats within the environment, while implementing regular system backups and alternative communication methods can mitigate the impact of a compromised Salesforce environment on business operations.
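The detailed logging mentioned above is only useful if someone turns it into detections. The script below is an added example for this article, not code from WithSecure or Salesforce, and it targets the behaviour from Scenario 1: an integration account that suddenly changes sharing rules or permissions and bulk-reads data from an unexpected network. Both inputs are constructed samples. The first is shaped like the Setup Audit Trail CSV export (Date, User, Source Namespace Prefix, Action, Section, Delegate User); the second is a reduced subset of the fields in Shield Event Monitoring API event log files (EVENT_TYPE, TIMESTAMP, USER_NAME, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED). Treat both layouts, the allow-list and the row baseline as assumptions to map onto your own org's exports.

```python
"""Detections for a compromised Salesforce integration account (added example).

Inputs are constructed, simplified samples of the Setup Audit Trail export and
of Event Monitoring API events; column layouts are assumptions.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Integration accounts and the networks they are expected to call from (constructed).
INTEGRATION_ALLOWLIST = {
    "analytics-sync@example.com": ["203.0.113.0/24"],
}
# Setup sections an API-only integration has no business touching.
SENSITIVE_SECTIONS = {"Sharing Rules", "Manage Users", "Profiles",
                      "Permission Sets", "Security Controls"}
ROWS_PER_HOUR_LIMIT = 50_000  # baseline for this job; tune from historical logs

SETUP_AUDIT_TRAIL = """\
Date,User,Source Namespace Prefix,Action,Section,Delegate User
3/14/2023 02:11:05 UTC,analytics-sync@example.com,,Created sharing rule Case_All_External for Case,Sharing Rules,
3/14/2023 02:12:40 UTC,analytics-sync@example.com,,Changed profile Integration User: ModifyAllData enabled,Profiles,
3/14/2023 09:30:00 UTC,admin@example.com,,Changed password policy,Security Controls,
"""

API_EVENTS = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,20230314011500.000,analytics-sync@example.com,203.0.113.20,Account,1200
API,20230314021800.000,analytics-sync@example.com,198.51.100.7,Contact,40000
API,20230314022300.000,analytics-sync@example.com,198.51.100.7,Contact,35000
API,20230314101500.000,admin@example.com,203.0.113.5,Opportunity,50
"""


def detect_setup_changes(audit_csv: str):
    """An integration account should never appear in the Setup Audit Trail;
    changes in sensitive sections are escalated to high severity."""
    alerts = []
    for row in csv.DictReader(StringIO(audit_csv)):
        if row["User"] not in INTEGRATION_ALLOWLIST:
            continue
        severity = "high" if row["Section"] in SENSITIVE_SECTIONS else "medium"
        alerts.append({"rule": "integration-setup-change", "severity": severity,
                       "user": row["User"], "action": row["Action"], "when": row["Date"]})
    return alerts


def detect_api_anomalies(events_csv: str):
    """Flag integration API calls from outside the allow-list and reads
    that exceed the hourly row baseline."""
    alerts = []
    rows_per_hour = defaultdict(int)
    for row in csv.DictReader(StringIO(events_csv)):
        user = row["USER_NAME"]
        if user not in INTEGRATION_ALLOWLIST:
            continue
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        if not any(ip in ipaddress.ip_network(net) for net in INTEGRATION_ALLOWLIST[user]):
            alerts.append({"rule": "integration-unexpected-source-ip", "severity": "high",
                           "user": user, "ip": str(ip), "when": row["TIMESTAMP"]})
        hour = row["TIMESTAMP"][:10]  # YYYYMMDDHH from the log file timestamp format
        rows_per_hour[(user, hour)] += int(row["ROWS_PROCESSED"])
    for (user, hour), rows in rows_per_hour.items():
        if rows > ROWS_PER_HOUR_LIMIT:
            alerts.append({"rule": "integration-bulk-read", "severity": "high",
                           "user": user, "hour": hour, "rows": rows})
    return alerts


def run_detections():
    return detect_setup_changes(SETUP_AUDIT_TRAIL) + detect_api_anomalies(API_EVENTS)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

In the constructed sample the analytics integration creates a sharing rule, grants itself ModifyAllData, and then pulls 75,000 Contact rows in one hour from a network that is not on its allow-list; each of those steps produces its own alert, so the response team sees the permission change before the exfiltration finishes rather than after.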
Getting ahead of digital supply chain risk in 2023
Supply chain risk is growing rapidly as threat actors seek new attack paths to evade defenses
The extended Salesforce environment is vulnerable as an attack path unless organizations take precautions
Businesses should prepare now before they fall victim
Supply chain risk is an unavoidable part of doing business in the digital era. Enterprises must be aware that the threat is increasing as both their own supply chains expand, and threat actors continue to look for new opportunities to evade security defenses.
As their digital footprints expand and connect with more third parties, organizations must ensure that their ability to monitor and control the extended supply chain keeps pace.
Salesforce must factor prominently in these security plans as both a crucial CRM system, and as an environment that can be home to hundreds of different third-party elements.
While Salesforce is accountable for securing its own infrastructure, customers are responsible for the third-party components and content that enter the environment, an approach known as the shared responsibility model.
High-profile incidents like SolarWinds, Kaseya and Log4j have continued to dominate the headlines and raise awareness of supply chain risk. However, Salesforce is not yet part of this conversation.
Introducing WithSecure Cloud Protection for Salesforce Orion 2.4 which enhances your defenses against URL-based cyber threats within Salesforce. This release extends URL scanning to include files, highly requested custom objects and fields, and shortened URLs.
Read on to find out how we are relentlessly enhancing Salesforce security capabilities to protect some of the largest enterprises and critical public organizations in the world.
Detect malicious URLs in files
Files uploaded to your Salesforce platform present a cybersecurity risk beyond the file itself being malware: malicious links can lurk inside attachments, waiting to be clicked.
Now, you can detect and block malicious URLs hidden inside files uploaded to your Salesforce platform. Detected threats appear in the File Events report for admins. This functionality is automatically enabled as part of the File Protection feature when Advanced Threat Analysis is turned on. You can find instructions on how to turn it on in our user guide.
Shortened URLs are often a mask for risky content and can bypass traditional security controls. Our latest release now uncovers and blocks these threats, ensuring that every link is verified, whether shortened for convenience or masking something more sinister. This functionality is automatically enabled as part of the URL Protection feature.
URL Protection is now expanded from Salesforce’s standard objects and fields to also cover your customized ones. The update has been much requested among users, and is unique. You can now freely build your custom workflows – more securely than ever.
In version 2.4, we are releasing a tech preview of this feature, which requires scripting to set up. Please contact our Customer Success team, who will assist you with the configuration. Direct UI configuration will follow in a later release.
Admin tip #1: We strongly recommend turning automated updates on to keep your environment secured with the latest defense mechanisms, and to save time and effort. Please note that version 2.0 is scheduled for End-of-Life (EOL) on May 24th, 2024. By using the latest version you not only get the benefits of the latest features, but also the most stable protection for your Salesforce environment.
Admin tip #2: To get the best value from WithSecure Cloud Protection for Salesforce, we recommend enabling the connected app, which gives you access to advanced security capabilities such as Advanced Threat Analysis.
Admin tip #3: To scan URLs in files, make sure that the connected app is enabled and that Advanced Threat Analysis is enabled in the File Protection feature.
Admin tip #4: You can find all updates from new enhancements to what pesky bugs have been fixed in the release notes.
Fun facts – greetings from the team
Kicking off our annual release series for 2024, we introduce ‘Orion’. Our tradition of naming releases after famous roller coasters continues, embodying the thrilling progress in our work – and in the lives of cyber defenders. The name Orion was chosen not just for its cool factor, but as a symbol of the limitless heights and broad scope we aim for with our Salesforce security solution. It represents a new chapter in refining and enhancing our product to support your Salesforce security needs, promising a steady ascent and an exciting journey with Orion.
In our product release of WithSecure Cloud Protection for Salesforce, Boulder 2.3, we provide greater detection capabilities against disguised malicious files and enable you to report false positive and false negative detections straight from the app. More details are in the release notes.
Stay ahead of the curve with:
In-app reporting: False positives and missed detections can now be reported instantly from within the app.
Intelligent File Type Recognition: Sophisticated analysis of a file’s content bolsters defenses against covertly dangerous files.
License model revision: The user licenses section now mirrors our updated licensing framework for streamlined access and comprehension.
Expansion of data centers: With new centers in Australia and Singapore, we bring improved performance and stricter data residency control.
Large file scanning: Our File Protection feature has been bolstered, scanning even larger files for potential threats.
Government Cloud support: Extending our protective measures to Government Cloud products, ensuring that even the most sensitive operations are secured.
Intelligent File Type Recognition
Hackers disguise malware by renaming dangerous files to appear harmless—like masking an executable (.exe) as an image (.jpeg).
Advanced threat protection counters this by examining a file’s actual content, not just its name, to uncover hidden dangers.
Intelligent File Type Recognition enhances detection in your Salesforce environment. It identifies a file’s true format from its content rather than from its nominal type, catching threats that a file name alone can conceal.
The in-depth analysis is conducted automatically as part of the File Protection feature—no extra configuration required.
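To make the idea concrete, here is a small content-based type check of the kind described above. This is an added illustration, not WithSecure’s detection code: it compares the file’s leading bytes (its magic signature) with what the extension claims, so a PE executable renamed to `invoice.jpeg` is flagged while a genuine JPEG passes. The signature table, the extension policy, the function names and the sample byte strings are all constructed for this example.

```python
"""Content-based file type check: does the extension match the bytes?

Added example (not product code). Signatures cover a handful of common
formats; a real scanner parses much deeper than the first few bytes.
"""
from dataclasses import dataclass
from typing import Optional

# (offset, signature, type name) -- constructed table of well-known magic bytes
MAGIC = [
    (0, b"\xFF\xD8\xFF", "jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"MZ", "exe"),                                   # DOS/PE executable (.exe, .dll, .scr)
    (0, b"\x7fELF", "elf"),                              # Linux executable
    (0, b"PK\x03\x04", "zip"),                           # ZIP container (also docx/xlsx/jar)
    (0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole"),     # legacy .doc/.xls container
]

# Policy: which detected types are acceptable for a given extension (assumed mapping)
EXT_TO_TYPES = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "gif": {"gif"},
    "pdf": {"pdf"},
    "exe": {"exe"}, "dll": {"exe"}, "scr": {"exe"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "jar": {"zip"},
    "doc": {"ole"}, "xls": {"ole"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type name whose signature matches the data, or None."""
    for offset, sig, name in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return name
    return None


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    detected: Optional[str]
    status: str      # "ok" | "mismatch" | "inconclusive"
    reason: str


def check_file(filename: str, data: bytes) -> Verdict:
    """Compare the extension's claim against the content's signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff_type(data)
    if detected is None:
        # No known signature (plain text, scripts, unknown formats): cannot decide by magic bytes
        return Verdict(filename, ext, None, "inconclusive",
                       "no known signature; content-based check cannot confirm or deny the name")
    allowed = EXT_TO_TYPES.get(ext)
    if allowed is None:
        return Verdict(filename, ext, detected, "inconclusive",
                       f"extension .{ext} not in policy; content looks like {detected}")
    if detected in allowed:
        return Verdict(filename, ext, detected, "ok", "extension matches content")
    return Verdict(filename, ext, detected, "mismatch",
                   f"name claims .{ext} but content is {detected}")


if __name__ == "__main__":
    # Constructed samples: only the leading bytes matter for this check
    samples = {
        "photo.jpeg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",   # real JPEG header
        "invoice.jpeg": b"MZ\x90\x00\x03\x00\x00\x00",      # PE executable renamed to .jpeg
        "report.docx": b"PK\x03\x04\x14\x00\x06\x00",       # OOXML is a ZIP container
        "notes.txt": b"hello, world",                       # no magic signature
    }
    for name, blob in samples.items():
        v = check_file(name, blob)
        print(f"{name:14} {v.status:12} {v.reason}")
```

The renamed executable is caught because the check never consults the name when deciding what the bytes are. Two limits are worth keeping in mind: formats without a fixed signature (scripts, plain text) come back inconclusive rather than clean, and a ZIP signature only tells you “some ZIP-based container”, so distinguishing a `.docx` from a `.jar` needs the archive to be opened and inspected.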
Learn more about file type spoofing attacks – and why you should not trust the file names
You can let us know right in the app if something safe is flagged or something malicious gets through.
New data centers available in Australia and Singapore
We have launched new Security Cloud regions in Singapore and Australia for WithSecure™ Cloud Protection for Salesforce. With the new data centers, we can offer you enhanced performance and more control of your data.
Local data processing: Optimize compliance and speed with data centers now in Australia and Singapore
Easy in-app configuration: Quickly choose your data processing location within the app
Automatic region selection: Set to ‘Automatic’ for the best performance based on your location
What are data residency and sovereignty and why you should care
WithSecure™ Cloud Protection for Salesforce now extends to Salesforce Government Cloud. This expansion ensures that government agencies and public sector organizations using Salesforce’s Government Cloud benefit from the same real-time protection against cyber threats as commercial organizations.
With our app, public sector agencies can confidently manage their operations and handle sensitive and classified information in Salesforce, while ensuring compliance with stringent government security standards and regulations.
Administration tip: automated updates save your time and effort
We strongly recommend turning automated updates on to keep your environment secured with the latest defense mechanisms, and to save time and effort.
Check out our simple instructions for automated updates