Get Extended Security Insights from Chrome Browser with Splunk

The way we work has drastically changed since the start of the pandemic. With more companies adopting remote and hybrid work models, there has been a 600% increase in cybercrime and 65% of organizations have seen a measurable increase in attempted cyberattacks, which is particularly problematic since 78% say remote workers are harder to secure. IT teams need to do everything they can to ensure their business data and employees are protected while balancing the needs for productivity, no matter where the workers are.

Google Chrome browser empowers businesses worldwide to work more securely and productively. With employees spending more time working in browsers, having visibility into risky user behavior is critical in making data-driven security decisions. Chrome continues to increase IT’s ability to protect their organization by making valuable security insights available to IT teams and providing security event reporting from the browser directly to the Google Admin console. These events cover a wide range of use cases that help detect and mitigate multiple types of attacks, possible vulnerabilities, and high-risk user behavior within managed Chrome browsers. 

With security being our shared top priority, Chrome has partnered with Splunk on a new integration to collect, analyze, and extract insights from these security events. The events can include password changes, unapproved password reuse, data exfiltration, unsafe site visits, and malware transfer events within managed Chrome browsers. 

Using Chrome Browser Cloud Management, you can now add Splunk as a Chrome Reporting Connector to send these events to Splunk HTTP Event Connector—see Splunk HEC for more details on how to set it up. The Google Admin console and APIs allow administrators to configure which events are sent to Splunk Cloud Platform (or Splunk Enterprise) through custom filtering. By using Splunk as a Chrome Reporting Connector, you can improve the security of the Chrome browser. Head over to Google’s blog post to read more about Chrome Enterprise Connectors Framework.

Let’s go deeper into security and data protection scenarios for enterprises — the use cases below can serve as a starting point for security and operations teams to use Splunk with Chrome. Adding Splunk as a Chrome Reporting Connector empowers you to add an extra layer of security to your Chrome browser by identifying high-risk behavior. The use cases include:

• Malware transfer: User accessed content considered dangerous, malicious, or banned/unwanted content. 
• Content transfer: User uploaded, downloaded, transferred content to or from the Google Chrome browser
• Unsafe site visit: User opened, clicked, or visited a URL that is considered deceptive or malicious by Google Safe Browsing.
• Password reuse: User entered their enterprise password outside corporate resources, i.e., the user used a password on a URL located outside of the list of allowed enterprise login sites (setup required)
• Password change: User changed the password for their signed-in Google account, affecting other services depending on this authorization (setup required)

The following use cases are available to BeyondCorp Enterprise customers through Splunk: 

• Unscanned content transfer: User uploaded, downloaded, or transferred content to or from Google Chrome browser, and the shared file is unscanned during the evaluation of Data Protection rules
• Sensitive data transfer: User downloaded, uploaded, or pasted content that is considered to contain sensitive data, as detected by the Data Protection rules

The use cases above may help identify basic and core scenarios around Google Chrome security capabilities enhanced by Splunk. This initial list only scratches the surface; there are many more real-world scenarios to identify by security and operations teams in your organization. While many of these events do not always introduce malicious activities or compromised accounts, these data points provide more detailed logging information about user behaviors in browsers, so your organization can make better data-driven security decisions. 

Please refer to Protect Chrome users with BeyondCorp Threat and Data Protection and the Google Chrome Technical Add-on for Splunk to get started today or learn more about this integration. You can also read this Google Help Center article on Chrome Enterprise Reporting Connectors.

Learn more about Splunk at RSA Conference

The Splunk team will be at the RSA Conference this year. Stop by booth #5865 on Day 2 at 4pm PT to hear how you can elevate cloud workloads security posture with Splunk and Google Cloud.

Chrome Enterprise Demo Day

To learn more about Chrome Enterprise and hear from Splunk's very own Patrick Coughlin, Group Vice President of Security Markets, check out Chrome Enterprise Demo Day on Wednesday, June 8, from 10-11am PDT.