Using Splunk to Enhance Enterprise Security Capabilities of Google Chrome

The way we work has drastically changed since the start of the pandemic. With more companies adopting remote and hybrid work models, there has been a 600% increase in cybercrime and 65% of organizations have seen a measurable increase in attempted cyberattacks, which is particularly problematic since, according to the 2022 Splunk State of Security report, 78% say remote workers are harder to secure. Security and IT teams need to do everything they can to ensure their business data and employees are protected while balancing the needs for productivity, no matter where the workers are.

With employees spending more time working in browsers, the opportunity for risky browser behavior to have an impact on enterprise resiliency increases. What’s generally considered risky browser behavior? Some examples include:

  • Installing an extension that was impersonating a legitimate one and is now acting maliciously;
  • Accessing content considered dangerous, malicious, or banned/unwanted;
  • Opening, clicking, or visiting a URL that is considered deceptive or malicious;
  • Poor password behavior such as reusing enterprise passwords outside corporate resources or using a password that was exposed in a breach; and
  • Downloading, uploading, or pasting content containing sensitive corporate data.

Google Chrome browser empowers businesses worldwide to work more securely and productively. Chrome continues to increase an organization's ability to protect their digital estate by making valuable browser security insights available to IT and Security teams and providing security event reporting from the browser directly to the Google Admin console. These events cover a wide range of use cases that help detect and mitigate multiple types of attacks, possible vulnerabilities, and high-risk user behavior within managed Chrome browsers. 

As you heard at Splunk .conf23, we are excited to announce that Chrome has partnered with Splunk on a new Google Chrome Add-on for Splunk and Google Chrome App for Splunk that make data ingestion, investigation and response to Chrome security events coming from Chrome Reporting Connectors easier than ever. 

Using the Google Chrome Add-on for Splunk, all of the Chrome Threat and Data Protection events that come through the reporting connector are mapped to the Splunk Common Information Model (CIM) to allow for easy correlation with other data sources and maximum efficiency at search time. The events are mapped to these specific data models — Authentication, Change, DLP, Data Access, Endpoint, Malware and Web. Any existing searches against a data model will automatically begin populating with Chrome events. This is especially relevant for Splunk Enterprise Security customers, as much of the prebuilt content is based on searches against CIM data models.
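To make the value of that CIM mapping concrete, here is an added example (not code from the Google Chrome Add-on for Splunk) that normalises a few constructed Chrome reporting events into records shaped like the Web, Malware and Change data models, then runs the kind of grouping and cross-model correlation a data-model search would do. The Chrome event names and input field names are hypothetical; the real connector schema and the add-on's own field mappings may differ.

```python
"""Normalise constructed Chrome Reporting Connector events into CIM-shaped records.

Added example, not the add-on's code. Event/field names on the Chrome side are
constructed for illustration; the CIM field names are standard Splunk CIM fields."""
from collections import Counter

# Constructed sample events (hypothetical Chrome Reporting Connector shape).
CHROME_EVENTS = [
    {"event": "badNavigationEvent", "user": "alice@example.com",
     "url": "http://phish.example.net/login", "reason": "PHISHING", "clicked_through": False},
    {"event": "dangerousDownloadEvent", "user": "alice@example.com",
     "url": "http://phish.example.net/setup.exe", "file_name": "setup.exe",
     "sha256": "<placeholder-sha256>", "threat_type": "DANGEROUS", "action": "BLOCKED"},
    {"event": "extensionInstallEvent", "user": "bob@example.com",
     "extension_id": "<placeholder-extension-id>", "extension_name": "PDF Helper",
     "action": "ALLOWED"},
]

def to_cim(ev):
    """Map one Chrome event to the data model and CIM field names it should populate."""
    kind = ev["event"]
    if kind == "badNavigationEvent":            # unsafe site visit -> Web data model
        return {"datamodel": "Web", "user": ev["user"], "url": ev["url"],
                "action": "allowed" if ev["clicked_through"] else "blocked",
                "category": ev["reason"].lower()}
    if kind == "dangerousDownloadEvent":        # malware transfer -> Malware data model
        return {"datamodel": "Malware", "user": ev["user"], "url": ev["url"],
                "file_name": ev["file_name"], "file_hash": ev["sha256"],
                "signature": ev["threat_type"].lower(), "action": ev["action"].lower()}
    if kind == "extensionInstallEvent":         # extension install -> Change data model
        return {"datamodel": "Change", "user": ev["user"], "object": ev["extension_name"],
                "object_id": ev["extension_id"], "object_category": "browser_extension",
                "action": ev["action"].lower(), "change_type": "installed"}
    raise ValueError(f"unmapped Chrome event type: {kind}")

def cim_records(events=CHROME_EVENTS):
    return [to_cim(e) for e in events]

def blocked_by_user(records):
    """Same idea as: | tstats count from datamodel=Web where Web.action=blocked by Web.user
    (here applied across all models, since every record carries a CIM 'action')."""
    return Counter(r["user"] for r in records if r.get("action") == "blocked")

def users_with_web_and_malware(records):
    """Correlate two data models on the shared CIM 'user' field: users who both hit an
    unsafe site and had a dangerous download, which a single-source search could not join."""
    by_model = {}
    for r in records:
        by_model.setdefault(r["datamodel"], set()).add(r["user"])
    return sorted(by_model.get("Web", set()) & by_model.get("Malware", set()))
```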

The Google Chrome App and Add-on for Splunk contain prebuilt dashboards and analytics to help investigate the most critical incidents: risky extension installs, malware transfers and unsafe site visits. The solution also includes detections with automated incident-response actions, so that responding to the most important incidents is as simple as allowing the platform to automatically:

  • Block extensions that are risky;
  • Change policies on a user or device that is exhibiting suspicious behavior;
  • Send an email to users who need to remove something from their device or receive training on safe browsing; or
  • Create a ticket in ServiceNow or Jira to document work and pass on to a responsible team.

How to Get Started

Simply navigate over to Splunkbase, where you can install the Google Chrome Add-on for Splunk and the Google Chrome App for Splunk. If you need help getting started, take a look at our resources below:

Eliminate the risks that come from risky browser behavior and make your enterprise more resilient by installing the Google Chrome Add-on for Splunk and the Google Chrome App for Splunk today!

Posted by James Brodsky

Long Island->NOVA->Upstate->Global Crossing->CA->IBM->Resolve->Tripwire->Splunk