An employee had been approached by one of the company’s competitors to extract customer data for competitive advantage. The employee used their existing permissions within Salesforce, running reports and working with dashboards, to extract the requested data in several chunks, each kept below the row-count threshold of the DLP rule that alerts on large report or dashboard exports, so that no single export triggered an alert.
The sequence of activities performed by an employee during a single working session in Salesforce (referred to below as a journey).
TrackerIQ learned session profiles for the entire organization and used these working profiles to detect abnormal or suspicious sessions (i.e. journeys). The underlying assumption is that although exporting an individual report is common, a sequence of detailed-mode report exports within one session, combined with the related dashboard activity, is highly unusual.
Even anomalies that turned out not to be malicious were valuable: they surfaced potential data leakage and prompted requests that the employees involved explain why the data had been exported.
Monitoring employee activities and alerting on abnormal journeys, even when those journeys are not malicious, is a worthwhile preventive control given the small number of alerts generated (a few each month). The alternative had already been tried: the organization previously implemented a rule that alerted on reports with a large number of rows, received tens of alerts a week, nearly all false positives, and still missed the real leakage, because the chunked exports stayed below the threshold.
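To make the two approaches concrete, the following is an added example, not TrackerIQ's or Salesforce's code: a row-count threshold rule of the kind described above is run beside a journey profile learned from baseline sessions, over constructed session records. The records, the assumed threshold of 1000 rows and the bigram scoring are illustrative assumptions; the event types are only loosely modelled on Salesforce Event Monitoring (ReportExport, Dashboard), and the field layout is a simplification, not the real log schema.

```python
"""Session-journey profiling versus a row-count threshold rule.

Added example, not TrackerIQ's or Salesforce's code. The session records are
constructed and only loosely modelled on Salesforce Event Monitoring event
types; the field layout (event type, row count) is a simplification.
"""
import math
from collections import Counter
from statistics import mean, pstdev

ROW_THRESHOLD = 1000   # assumed threshold of the legacy "large report" DLP rule
START, END = "<s>", "</s>"


def ev(event_type, rows=0):
    """One audited action; rows is only meaningful for ReportExport events."""
    return {"type": event_type, "rows": rows}


# Constructed baseline: typical working sessions used to learn the profile.
BASELINE_SESSIONS = {
    "b1": [ev("Login"), ev("Dashboard"), ev("Report"), ev("Logout")],
    "b2": [ev("Login"), ev("Report"), ev("ReportExport", 300), ev("Logout")],
    "b3": [ev("Login"), ev("Dashboard"), ev("Dashboard"), ev("Report"), ev("Logout")],
    "b4": [ev("Login"), ev("Report"), ev("Report"), ev("Logout")],
    "b5": [ev("Login"), ev("Dashboard"), ev("Report"), ev("ReportExport", 450), ev("Logout")],
    "b6": [ev("Login"), ev("Report"), ev("ReportExport", 120), ev("Report"), ev("Logout")],
}

# Constructed sessions to score.
CANDIDATE_SESSIONS = {
    "ordinary": [ev("Login"), ev("Dashboard"), ev("Report"), ev("Logout")],
    # one legitimate big export: the row-count rule fires (a false positive here)
    "large_single_export": [ev("Login"), ev("Report"), ev("ReportExport", 5000), ev("Logout")],
    # the chunked exfiltration: every export stays under the threshold
    "chunked_export": [
        ev("Login"), ev("Dashboard"),
        ev("Report"), ev("ReportExport", 900),
        ev("Report"), ev("ReportExport", 950),
        ev("Report"), ev("ReportExport", 900),
        ev("Dashboard"),
        ev("Report"), ev("ReportExport", 980),
        ev("Report"), ev("ReportExport", 990),
        ev("Logout"),
    ],
}


def journey(events):
    """A journey is the ordered sequence of action types in one session."""
    return tuple(e["type"] for e in events)


def threshold_rule(sessions):
    """Legacy rule: alert when any single export exceeds ROW_THRESHOLD rows."""
    return {
        sid for sid, events in sessions.items()
        if any(e["type"] == "ReportExport" and e["rows"] > ROW_THRESHOLD for e in events)
    }


class JourneyModel:
    """Bigram transition profile over action types, learned from baseline journeys."""

    def __init__(self, baseline_journeys, sigmas=3.0):
        baseline_journeys = [tuple(j) for j in baseline_journeys]
        self.bigrams = Counter()
        self.outgoing = Counter()
        self.vocab = {START, END}
        for j in baseline_journeys:
            seq = (START,) + j + (END,)
            self.vocab.update(seq)
            for a, b in zip(seq, seq[1:]):
                self.bigrams[(a, b)] += 1
                self.outgoing[a] += 1
        scores = [self.score(j) for j in baseline_journeys]
        # Alert threshold learned from the baseline's own score distribution.
        self.threshold = mean(scores) + sigmas * pstdev(scores)

    def transition_prob(self, a, b):
        # Add-one smoothing: an unseen transition is improbable, not impossible.
        return (self.bigrams[(a, b)] + 1) / (self.outgoing[a] + len(self.vocab))

    def score(self, j):
        """Total surprise (negative log-likelihood) of a journey. It grows with
        both unusual transitions and unusual length, e.g. repeated export loops."""
        seq = (START,) + tuple(j) + (END,)
        return sum(-math.log(self.transition_prob(a, b)) for a, b in zip(seq, seq[1:]))

    def is_anomalous(self, j):
        return self.score(j) > self.threshold


def journey_rule(model, sessions):
    """Profile-based rule: alert on sessions whose journey is abnormal."""
    return {sid for sid, events in sessions.items() if model.is_anomalous(journey(events))}


if __name__ == "__main__":
    model = JourneyModel([journey(e) for e in BASELINE_SESSIONS.values()])
    for sid, events in CANDIDATE_SESSIONS.items():
        print(f"{sid:22s} score={model.score(journey(events)):6.2f} "
              f"threshold_rule={sid in threshold_rule(CANDIDATE_SESSIONS)} "
              f"journey_rule={sid in journey_rule(model, CANDIDATE_SESSIONS)}")
```

On this constructed data the threshold rule flags only the single large, legitimate export and misses the chunked session entirely, while the journey profile flags only the chunked session: its repeated report-then-export loop and the export-to-dashboard hop are far less likely under the learned transitions than any baseline session. The score deliberately sums surprise rather than averaging it, so that a long session made of individually common steps still stands out; a real deployment would learn profiles per organization or role from far more sessions and tune the alert threshold against the observed alert volume, as the text's "a few each month" implies.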
Insurance, publicly traded.
SaaS (Salesforce Sales Cloud).
The application is the company’s main CRM system used by employees to manage customer interactions.
Audit logs generated by Salesforce and available under its Event Monitoring license. These log files record user (i.e. employee) activities in Salesforce.