By Yogi Kapur and Scott Nyberg
In our “Engineering Energizers” Q&A series, we examine the professional journeys that have shaped Salesforce Engineering leaders. Meet Yogi Kapur, Senior Director of Salesforce’s Global Computer Security Incident Response Team (CSIRT). Based in Hyderabad, India, Yogi leads his cybersecurity analyst team in responding to countless alerts and containing malicious threats.
Read on to learn how Yogi has taken threat response to the next level by incorporating cutting-edge automation tools, enabling his team to scale their protection efforts and adapt to an evolving threat landscape.
What is your team’s mission?
My team serves as the frontline of defense, protecting Salesforce customer data and employee data. Our mission remains highly dynamic and multifaceted. From staying one step ahead of malicious actors and novel vulnerabilities to incorporating new tools that strengthen our cyber defenses and exceed regulation requirements, our team constantly navigates an unparalleled pace of change.
Yogi explains what makes Salesforce Engineering’s culture unique.
What’s the biggest challenge your team has faced?
Our team operates under strict Service Level Agreements, requiring us to efficiently support countless cases and account for sudden surges — when hundreds of alerts sprouted simultaneously.
To meet that strenuous demand, our team formulated an automated categorization solution by closely collaborating with Salesforce’s threat intelligence team. We also introduced risk ratings — enabling us to reevaluate the priority of new alerts, as not every notification needs equal attention.
This enabled our analysts to focus on highly critical cases while empowering automation to manage less severe cases, ensuring every case across the organization is addressed.
How would you describe your automated categorization solution?
Our automation approach encompasses three categories:
- The first category of our automation focuses on user engagement through Slackbot-type functionality. In this context, our team has developed a system that automatically follows up with users via Slack, particularly when responding to security events and alerts.
For example, when an event requires user validation, the Slackbot automation retrieves user details from the alerts and initiates immediate communication. It then sends messages to the users and continues to follow up with them at regular intervals, significantly reducing the manual effort and time analysts would otherwise spend on this task. This approach ensures timely and efficient user engagement and response, enhancing our overall security operations. - The second category uses autoresponders to handle specific issues. For example, in situations where unsolicited external emails are sent to company employees and generate numerous complaints, autoresponder rules are activated. These rules automatically close similar subsequent emails by sending a predefined response.
- The third category automates some end-to-end playbooks that are tailored for specific issues. Playbooks differ in complexity — some can be fully automated while others involve sophisticated steps that require human analysts.
Your team investigates a massive volume of internal emails. What role does automation play in the process?
Automation has helped us successfully close up to 50% of spam and legitimate email cases — radically reducing our workload by eliminating time-consuming manual checks on individual incidents.
To spot possible security threats, such as phishing attempts, the automation system scrutinizes email headers — checking them against its historical record for untrustworthy sources — and flags malicious instances, which are then rapidly removed from affected employees’ inboxes.
Yogi explains what it’s like to work for Salesforce.
How is your team structured?
To maximize the efficiency of our CSIRT team and seamlessly address every security instance, we have adopted four tiers of support:
- Tier Zero: Automation. Removing the need for human management, Tier Zero automation systems leverage machine learning based on historical data. Automation streamlines processes by supporting routine and repetitive tasks.
- Tier One: The Screeners. Tier One analysts handle the initial response of incidents and all incoming security-related issues. They tackle less severe security incidents, which are actually the most common issues CSIRT faces, and elevate more serious matters.
- Tier Two: The Investigators. This team analyzes potentially malicious cases flagged by Salesforce’s threat detection team and Tier One analysts or any other third party tools/sources. Conducting in-depth investigations, the team manages medium-to-high level day-to-day security issues and loops in Tier 3 where needed.
- Tier Three: The Threat Hunters. Tier Three is composed of highly experienced security experts who combine the skill of proactive threat hunting with reactive breach response. Additionally, they act as security architects, playing a central role in devising cyber defenses that help safeguard Salesforce and its customers from future threats.
Learn more
- Read this blog to learn how India’s threat detection team combines advanced correlation and automation platforms to manage millions of daily alerts.
- Stay connected — join our Talent Community!
- Check out our Technology and Product teams to learn how you can get involved.
- Discover the latest best practices for cybersecurity. Check out the Salesforce Security Blog.