Event Monitoring

 Adam Torman  Director, Product Management  atorman@salesforce.com  @atorman  

Use Powerful Insights to Improve Performance and Security

 Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

 This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

 The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

 Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Safe Harbor

1.  Why Event Monitoring

2.  What is Event Monitoring

3.  Customer Stories

1.  Cisco

2.  Lending Point

3.  SolarCity

4.  What does the future hold

What will we cover today Agenda

Why Event Monitoring +  what is Event Monitoring

Companies Are Running Their Business on the App Cloud

How do I know what my users are doing on the system? How can I ensure we are getting the best use of the platform? How do I provide the best support to my users?

1.  Support

•  Provide better, data-driven support for your end users

2.  Audit

•  Improve the security of your data

3.  Optimize

•  Fine-tune your application portfolio and business process

Visibility into user actions and behavior for every Salesforce application Event Monitoring

How does it work?

•  Capture Data –  29 event types

captured –  30 days of events

retained –  One day lag from

event occurrence to when it is available in the API

1 •  Analyze the data –  Use any analytics tool –  Leverage pre-built

integrations with AppExchange partners

–  Option to export to CSV file

2 •  Take Action –  Improve app

performance –  Initiatives to increase

adoption –  Modify governance

policies –  Automation using

triggers and workflow

3

Cisco Systems, Inc Using Event Logs for Customer Data Protection

Bill Schongar Technical Leader bschonga@cisco.com @uilleam

Cisco is the worldwide leader in IT that helps companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected.

At Cisco customers come first and an integral part of our DNA is creating long-lasting customer partnerships and working with them to identify their needs and provide solutions that support their success.

How to detect patterns of inappropriate data access by authorized users Do you really need to see that?

Ideally, we’d like to know:

•  Do users have “enough but not too much” access to do their jobs?

•  Is that access being used effectively and appropriately?

•  Is anything out of the ordinary?

Event Log files give powerful visibility into per-User data access X-Ray vision for Data Access

•  Event Log Data is extracted from SFDC, fed to in-house analytics system

•  Analytics system examines authorized user behaviors for proper and efficient use

•  Dashboards visualize usage patterns, Notifications provide alerting to potential issues

1.  Event Logs are not (“yet”, right Adam?) realtime, so account for the delay in planning your use

2.  In Data Security you learn from your “false positive” alerts. And that’s a good thing.

3.  Open Source Toolchains work very well with ELF (eg Jenkins + Pentaho Community)

4.  Minimize what logs you need until you really need them

5.  ELF + Salesforce Wave would be a very handy thing!

Event log data analysis lessons for the data curious Some lessons learned

Lending Point Solving for Compliance with Event Monitoring

● Franck Fatras ● Founder / CTO ● LendingPoint ● ffatras@lendingpoint.com ● http://www.linkedin.com/in/franckfatras ● 

LendingPoint  Who We Are & Why We Are

 LendingPoint is an online direct lender, extending personal loans to underserved, near-prime consumers

We offer fair rates and terms for consumers who typically do not have access to traditional lending options

Less than perfect credit doesn’t necessarily mean bad credit

We are on a mission to change the lending environment to treat those with fair credit fairly

5  Years  +  

RISK

 

+

-90  Days  

Tradi4onal  Lending  2005  

Pay  Day    Lenders  

Tradi4onal    Banks  

5  Years  +  RISK

 

+

-90  Days  

Tradi4onal  Lending  2014  

What Were We Solving For?

•  We must answer to: • Customers

•  Investors

•  Regulators

•  Financial companies & PII (Personal Identifiable Information)

•  External threats

•  Internal threats

•  Information security

•  Real-time monitoring

A Build vs Buy Decision

 Considerations:

•  Cost to implement

•  Time to market = Cost of Lost opportunities

•  Scalability & Flexibility

•  TCO (Total Cost of Ownership)

•  Learning from others’ pitfalls

Event Monitoring

•  Provides raw data for timely decisions

•  With FairWarning, data is analyzed and customized alerts are built

•  Able to react quickly and efficiently

•  Analyze approximately 50M records a quarter

•  When new requirements arise, new alerts can be created

FairWarning Dashboard

Key Takeaways  Tips and questions to ask when considering a build vs buy decision

Map your timeline - how quickly do you need to be up and running?

Does the solution already exist?

Is it customizable and scalable?

 Think about the costs of not getting to market or implementing quickly

Operational cost/benefit analysis of building versus buying

Solar City Using Event Monitoring to Build a Data-Driven Security Program

Bryan Yeung Senior Manager, Sales and Marketing Systems byeung@solarcity.com @btyeung

Kate Slattery Data Scientist kslattery@solarcity.com @k_slat

Building a Security Program Salesforce Event Monitoring with Splunk

Salesforce Admin Team

2014

2015

Salesforce Users

Use Case Salesforce Event Monitoring with Splunk

Use Case Salesforce Event Monitoring with Splunk

Event Monitoring Roadmap

Setup Audit Trail API

GA Winter

‘16 Monitor Key Setup Events Escalate privileges, Login-As, User creation

Easily Integrate Build new apps or integrate with SIEM systems

Part of the Platform Not an add-on service or part of Salesforce Shield

Real Time Security Actions For User Activity Monitoring

 Customizable Apex Policies  Framework auto-generated policies

 Define Real Time Actions  Notify, Block, Force 2FA, Session Chooser

 Enforce Session Constraints  Control the number of active user sessions

New in Winter

‘16

Transaction Security Policy Framework: Concurrent Sessions

Pre-generated policy to control the number of concurrent user sessions

Control access based on profile, IP address or other common user info

New session chooser page allows users to select sessions to terminate

New in Winter

‘16

Login Forensics

Near Real-time Queryable Events Login

Session Tracking Differentiate actions by each login and device

Customizability Add extensible information like correlation ids

PILOT Summer

‘15

Admin Analytics Wave App

Pre-configured Dashboards and Lenses Audit, Optimize, Adopt

Customizability Edit or create new dashboards on logs

Shareability Share specific log use cases with different groups

PILOT Summer

‘15

Data Leakage Pilot Key Features

  Track who’s accessing your

records

  API only

  SOQL Queryable (with constraints

- see considerations)

  Raw API event data

  Near real-time

  API queries via SOAP, REST, and

BULK APIs

Pilot Summer

‘15

Create powerful new Wave applications

Api Events + Login Events Wave Dashboard

is an example of an application you can build

- it is not shipping with the release

Track trends Login behavior

Find a needle in the haystack of users and

behaviors

Profile API Query access of records including

sensitive data accessed (e.g. PII), rows

processed, and elapsed time by user, object, IP,

and user agent

Apex Limit Event Pilot Key Features

  API Only

  Hard Limits Only

•  e.g. Too Many SOQL Queries

  Near Real-time Events

•  similar to batch Apex

•  < 5 min in general

  Admin Controlled - Org Preference

  6 Hourly Roll-up Metrics

Pilot Summer

‘15

Key Capabilities: Create powerful new applications ApexLimitEvents

Visualforce page with Google Charting API is

an example of an application you can build

- it is not shipping with the release

Track trends in changes over time

Capture most recent ten events

Sample app: http://bit.ly/apexLimitApp

Event Monitoring Roadmap

Apex Limit Event Transaction Security: Concurrent Sessions

Admin Analytics Wave App

Setup Audit Trail API

Reduced Time for Event Log File

Generation

Winter  ‘16   Spring  ‘16   Summer  ‘16   2nd  Half  2016  

Data Leakage Detection

Login Forensics

Today!

Introducing: Salesforce App Cloud

FORCE HEROKU ENTERPRISE THUNDER

AppExchange Trailhead

Shared Identity & Data Model Integration Shield

Trusted and Connected Platform Run all your apps on a trusted platform Speed and Agility Every employee can build fast with clicks or code Complete Enterprise Ecosystem Best place to learn, build, buy, and sell apps

Win one of ten SONOS speakers at the App Cloud Keynote!

App Cloud Product Showcase

Moscone North

IT Ranger Station in the Dev Zone

Moscone West, 2nd Floor

Thursday, September 17, 2pm — Moscone South

Tod Nielsen

EVP, App Cloud Salesforce

Mike Anderson

CIO Crossmark

Herry Stallings

AVP App Dev USAA

Heather Quiqley-Allen

VP Marketing Bosma Enterprises

Learn more about App Cloud:

Q&A

Thank you