As Enverus expanded, its security team needed visibility into the entire data estate, the controls in place, and whether those controls were being enforced, especially within Salesforce, one of its most business-critical platforms.
Enverus partnered with Varonis to gain deep visibility into sensitive data, access, permissions, and activity. Our partnership strengthened security, accelerated investigations, improved threat detection, and helped prevent a major data breach tied to a large-scale SaaS supply chain attack.
Who is Enverus?
Enverus is a decision-support platform serving organizations across the energy and energy infrastructure space, from small independent operators to the world’s largest supermajors. The company manages large volumes of data spanning geophysical, petrophysical, operational, and infrastructure workloads, combining proprietary intellectual property with large public and third-party datasets.
Visibility across a distributed data estate
With data spread across cloud platforms, SaaS applications, and on-premises data centers and databases, each with its own permissions model, configurations, and operational team, Enverus needed consistent data security across its entire environment.
The security team needed to answer fundamental questions:
- What sensitive data exists across the enterprise?
- Where does it live?
- Who can access it?
- Are controls consistently enforced across environments?
A unified platform and security partner
Varonis provided Enverus with unified data security across multiple platforms, including AWS, Azure, Salesforce, and Microsoft 365. Varonis gives the security team a comprehensive view of what sensitive data exists, where it lives, who can access it, and whether controls are consistently enforced.
Varonis mapped identities across platforms and greatly reduced the blast radius. What had previously been difficult to operationalize became straightforward: identify the highest-risk access, right-size permissions, and report progress against enterprise policy. Enverus was able to move beyond static reviews and spreadsheet-driven analysis.
“What surprised us most was Varonis’ insight into the data plane from an identity and access perspective. That wasn’t what we initially came for, but it’s proven to be critical.”
Alex Acosta, Vice President of Security, Enverus
At Enverus, the security and GRC teams define enterprise-wide security and data policies, while application teams own day‑to‑day platform operations. Varonis helps bridge these teams, providing dashboards and reporting, aligning platform controls to enterprise policy, and delivering consistent controls and visibility. The result is a unified approach that supports both security requirements and business objectives.
Simplifying Salesforce data security
Salesforce sits at the center of Enverus’ operations, with numerous integrations, workflows, and data flows moving in and out of the platform. Salesforce combines business-critical data with complex identity controls and numerous integration points, making data security challenging.
Over time, overlapping profiles, permission sets, roles, sharing rules, and connected apps can accumulate, making it difficult to understand a user’s effective permissions or identify excess access. The challenge is compounded by the multitude of apps, agents, APIs, and sandboxes that can move data in and out of production and often retain long-lived tokens or create backdoors.
Enverus needed:
- Complete insight into identity-based permissions within Salesforce
- Clear visibility into data flows and workflows
- Confidence that access controls were aligned with enterprise security and compliance policies
Without a centralized view, answering these questions required manual analysis and spreadsheet-driven reviews that were difficult to operationalize.
Applying identity security to Salesforce
With Varonis, Enverus began applying identity threat detection and response (ITDR) principles directly to Salesforce and other SaaS platforms.
What had once been complex, static spreadsheet reviews became:
- Clear prioritization of high‑risk access
- Actionable insights into who and what needed remediation
- Simple, repeatable reporting aligned to enterprise policy
This transformation empowered both the security team and Salesforce operators to focus on what mattered most.
“We now have a far more complete picture of Salesforce than we ever had before.”
Alex Acosta, Vice President of Security, Enverus
Improved Salesforce threat detection
In 2025, Enverus’ security operations team processed hundreds of alerts per day across its environment. Salesforce emerged as a particularly important attack surface due to its scale, connectivity, and data sensitivity.
While most observed activity aligned with legitimate business workflows, a small subset required deeper investigation.
Varonis helped improve threat detection and reduce the deluge of alerts through:
- Salesforce‑specific detections and monitoring
- Guidance from a dedicated threat research team
- New detection strategies that had not previously been on Enverus’ radar
This partnership enabled Enverus to investigate novel activity more effectively, validate behavior, and proactively design new detections to reduce future risk.
“It felt like Salesforce‑specific MDR. We gained a trusted partner with deep Salesforce security expertise that we could lean on as an advisor.”
Alex Acosta, Vice President of Security, Enverus
Spotlight: Protecting against a large-scale SaaS supply chain attack
In early 2025, by compromising Salesloft’s GitHub repos, a threat actor known as UNC6395 stole the OAuth tokens that allowed Drift, a widely used chatbot owned by Salesloft, to connect to customers' Azure, Salesforce, Google Workspace, and other integrated platforms.
Between August 8 and 18, UNC6395 used those tokens to impersonate the trusted Drift application, bypass MFA, and systematically exfiltrate data from more than 700 organizations including Cloudflare, Zscaler, Palo Alto Networks, and Proofpoint.
For most victims, the attack went unnoticed because OAuth abuse appears as normal API traffic, and attackers deleted query jobs to cover their tracks. The majority of affected organizations only learned of the breach when Salesforce and Salesloft notified them more than two weeks after the attack.
Enverus was the exception. With Varonis deployed across the environment, Enverus detected, contained, and neutralized the attack before it fully materialized:
Step 1: Cross-platform detection. Varonis initially flagged Drift activity in Azure as abnormal since its OAuth token refreshes originated from unusual IP addresses and its API call volumes exceeded Drift's baseline for Enverus. As a result, Varonis issued an alert and started checking Drift activity in other systems.
Step 2: Salesforce telemetry confirms the threat. Salesforce Shield Event Monitoring provided detailed logs that allowed Varonis to identify abnormal activity in Salesforce by the Drift connected app, like logins from suspicious IPs and unusual API queries.
Step 3: Varonis MDDR responds. Varonis correlated the Azure and Salesforce signals, and its Managed Data Detection and Response (MDDR) team engaged alongside Enverus' security operations to immediately take a series of actions to prevent a breach:
- Suspended the compromised identity and revoked OAuth tokens
- Classified sensitive fields and attachments to assess potential exposure
- Removed excess high-risk permissions, including Export Reports and Create Public Links
- Remediated overly permissive sharing rules and misconfigured Salesforce Sites
Within two hours, Enverus had full containment and forensic proof that no sensitive data had been exfiltrated.
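The detection pattern in Steps 1 to 3 (a connected app whose source IPs and API volume both deviate from its own baseline, confirmed on a second platform) can be sketched as follows. This is an added example, not Varonis' detection logic: the event tuples, the 3x volume threshold, and the `ReportingApp` name are constructed assumptions.

```python
from collections import defaultdict

# Constructed hourly summaries (not real telemetry): platform, app, source IP, API calls.
BASELINE = [
    ("azure", "Drift", "198.51.100.10", 40),
    ("azure", "Drift", "198.51.100.10", 55),
    ("salesforce", "Drift", "198.51.100.11", 120),
    ("salesforce", "Drift", "198.51.100.11", 100),
    ("salesforce", "ReportingApp", "198.51.100.20", 30),
]
OBSERVED = [
    ("azure", "Drift", "203.0.113.77", 400),            # new IP and volume spike
    ("salesforce", "Drift", "203.0.113.78", 900),       # new IP and volume spike
    ("salesforce", "Drift", "198.51.100.11", 110),      # matches baseline
    ("salesforce", "ReportingApp", "203.0.113.5", 25),  # new IP only
]

def build_baseline(events):
    """Per (platform, app): known source IPs and peak hourly call volume."""
    ips, peak = defaultdict(set), defaultdict(int)
    for platform, app, ip, calls in events:
        ips[(platform, app)].add(ip)
        peak[(platform, app)] = max(peak[(platform, app)], calls)
    return ips, peak

def detect(events, ips, peak, volume_factor=3.0):
    """Return {app: {platform: reasons}} for events that deviate from baseline."""
    findings = defaultdict(lambda: defaultdict(set))
    for platform, app, ip, calls in events:
        key = (platform, app)
        if ip not in ips[key]:
            findings[app][platform].add("unusual_ip")
        if calls > volume_factor * peak[key]:  # threshold is an assumption
            findings[app][platform].add("volume_above_baseline")
    return findings

def correlate(findings):
    """Escalate apps that show both signals on at least two platforms."""
    escalate = []
    for app, by_platform in findings.items():
        strong = [p for p, reasons in by_platform.items()
                  if {"unusual_ip", "volume_above_baseline"} <= reasons]
        if len(strong) >= 2:
            escalate.append((app, sorted(strong)))
    return sorted(escalate)

def run():
    ips, peak = build_baseline(BASELINE)
    return correlate(detect(OBSERVED, ips, peak))
```

A single new IP, as with `ReportingApp` here, stays a low-priority finding; only the app with both signals on two platforms is escalated.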
Looking ahead
Following the success across Enverus’ environment, the team continues to expand its partnership with Varonis. They plan to further build on Salesforce-specific detections, monitoring, and threat prevention strategies while extending visibility and governance across additional platforms.
“Varonis has been highly impactful for us, and it’s something we’re continuing to build on moving forward,” Alex shared.