Adding Chrome Browser Cloud Management remediation actions in Splunk using Alert Actions



Introduction

Chrome is trusted by tens of millions of enterprise customers as a secure enterprise browser. Organizations can use Chrome Browser Cloud Management to help manage Chrome browsers more effectively. As an admin, they can use the Google Admin console to have Chrome report critical security events to third-party service providers such as Splunk® and build custom enterprise security remediation workflows on top of them.

Security remediation is the process of responding to security events that have been triggered by a system or a user. Remediation can be done manually or automatically, and it is an important part of an enterprise security program.

Why is Automated Security Remediation Important?

When a security event is identified, it is imperative to respond as soon as possible to prevent data exfiltration and to stop the attacker from gaining a foothold in the enterprise. Organizations with mature security processes use automated remediation to improve their security posture by reducing the time it takes to respond to security events. This also helps the usually overburdened Security Operations Center (SOC) teams avoid alert fatigue.

Automated Security Remediation using Chrome Browser Cloud Management and Splunk

Chrome integrates with Chrome Enterprise Recommended partners such as Splunk® through Chrome Enterprise Connectors to report security events such as malware transfer, unsafe site visits and password reuse. Other supported events are listed on our support page.

The Splunk integration with the Chrome browser allows organizations to collect, analyze and extract insights from security events. The extended security insight into managed browsers enables SOC teams to perform better-informed automated security remediation using Splunk® Alert Actions.

Splunk Alert Actions are a powerful capability for automating security remediation tasks. By creating alert actions, enterprises can automate the process of identifying, prioritizing and remediating security threats.

In Splunk®, SOC teams can use alerts to monitor for and respond to specific Chrome Browser Cloud Management events. An alert runs a saved search, either in real time or on a schedule, and can trigger an Alert Action when the search results meet specific conditions, as outlined in the diagram below.

Use Case

If a user downloads a malicious file after bypassing a Chrome “Dangerous File” warning, their managed browser or managed CrOS device should be quarantined.

Prerequisites

Setup

  1. Install the Google Chrome Add-on for Splunk App

    Follow the installation instructions here, depending on your Splunk installation, to install the Google Chrome Add-on for Splunk App.

  2. Setting up Chrome Browser Cloud Management and Splunk Integration

    Follow the guide here to set up the Chrome Browser Cloud Management and Splunk® integration.

  3. Setting up Chrome Browser Cloud Management API access

    To call the Chrome Browser Cloud Management API, use a service account that is properly configured in the Google Admin console. Create a service account (or use an existing one) and download the JSON representation of its key.

    Create a role (or use an existing one) in the Admin console with all of the “Chrome Management” privileges, as shown below.

    Assign the created role to the service account using the “Assign service accounts” button.

  4. Setting up the Chrome Browser Cloud Management App in Splunk®

    Install the App, i.e. the Alert Action, from our GitHub page. You will notice that the Splunk App uses the directory structure shown below. Take some time to understand the directory layout.

  5. Setting up a Quarantine OU in Chrome Browser Cloud Management

    Create a “Quarantine” OU to move managed browsers into. Apply restrictive policies to this OU; they will then apply to every managed browser and managed CrOS device that is moved into it. In our case we set the policies shown below on our “Quarantine” OU, which is called Investigate. These policies ensure that a quarantined CrOS device or browser can only open a limited set of approved URLs.

Configuration

  1. Start with a search for the Chrome Browser Cloud Management events in the Google Chrome Add-on for Splunk App. For our example we used the search query shown below to find known malicious file download events.
  2. Save the search as an alert. The alert uses the saved search to check for events. Adjust the alert type to configure how often the search runs: use a scheduled alert to check for events at regular intervals, or a real-time alert to monitor for events continuously. An alert does not have to trigger every time it produces search results; set trigger conditions to control when it fires. Customize the alert settings according to your enterprise security policies. For our example we used a real-time alert with a per-result trigger. The setup we used is shown below.
  3. As seen in the screenshot, we have configured the Chrome Browser Cloud Management Remediation Alert Action App with:

  • The OU path of the Quarantine OU, i.e. /Investigate
  • The Customer Id of the Workspace domain
  • The Service Account Key JSON value
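To make the Setup steps 3 and 4 and the Configuration steps above concrete, here is an added example of what the core of such a Splunk custom alert action looks like; it is illustrative code written for this page, not the code of the Google Chrome alert action app on GitHub. It assumes the Splunk alert-action convention of invoking the script with `--execute` and a JSON payload on stdin whose `configuration` keys are the app parameters (`ou_path`, `customer_id`, `service_account_key` are assumed names) and whose `result` holds the flattened event fields. The Chrome event field names (`event`, `eventResult`, `device.deviceId`), the CBCM `moveChromeBrowsersToOu` endpoint and the SPL search are all assumptions labelled in the code; the OAuth token exchange for the service-account key is left to a caller-supplied function so the example runs offline.

```python
"""Splunk custom alert action that quarantines a managed Chrome browser by
moving it to a restrictive OU (added example, not the Google app's own code)."""
import json
import os
import sys
import urllib.request

# Assumed CBCM API endpoint for moving managed browsers between OUs.
CBCM_MOVE_URL = ("https://www.googleapis.com/admin/directory/v1.1beta1/customer/"
                 "{customer_id}/devices/chromebrowsers/moveChromeBrowsersToOu")

# Illustrative saved search for step 1 (assumed index/field names, not the post's query).
EXAMPLE_SPL = ('index=chrome event=dangerousDownloadEvent '
               'eventResult=EVENT_RESULT_BYPASSED | table device.deviceId url fileName')

# Only a *bypassed* dangerous-download warning should quarantine; a blocked
# download was already handled by the browser.  Field names are assumed.
QUARANTINE_TRIGGERS = {("dangerousDownloadEvent", "EVENT_RESULT_BYPASSED")}


def should_quarantine(result):
    """Return True when the search result is an event that warrants quarantine."""
    return (result.get("event"), result.get("eventResult")) in QUARANTINE_TRIGGERS


def build_move_request(payload):
    """Translate the Splunk alert payload into (url, body) for the OU move.

    Returns None when the event does not meet the quarantine trigger, so the
    alert can fire on broad searches without every result causing a move."""
    cfg = payload["configuration"]
    result = payload["result"]
    if not should_quarantine(result):
        return None
    # Splunk flattens nested JSON into dotted field names; accept either form.
    device_id = result.get("device.deviceId") or result.get("deviceId")
    if not device_id:
        raise ValueError("event carries no device id; refusing to quarantine blindly")
    url = CBCM_MOVE_URL.format(customer_id=cfg["customer_id"])
    body = {"resource_ids": [device_id], "org_unit_path": cfg["ou_path"]}
    return url, body


def execute(payload, access_token, http_post):
    """Run the remediation; http_post(url, body, token) -> HTTP status is injected
    so the decision logic can be tested without network access."""
    req = build_move_request(payload)
    if req is None:
        return {"action": "skipped", "reason": "event not a quarantine trigger"}
    url, body = req
    status = http_post(url, body, access_token)
    return {"action": "moved", "device": body["resource_ids"][0],
            "ou": body["org_unit_path"], "status": status}


def post_json(url, body, token):
    """Real HTTP POST used when the script runs under Splunk."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample payload in the assumed Splunk alert-action shape.
SAMPLE_PAYLOAD = {
    "search_name": "CBCM dangerous download bypassed",
    "configuration": {"ou_path": "/Investigate", "customer_id": "C0123abcd",
                      "service_account_key": "{...placeholder key json...}"},
    "result": {"event": "dangerousDownloadEvent",
               "eventResult": "EVENT_RESULT_BYPASSED",
               "device.deviceId": "browser-device-0001",
               "fileName": "installer.exe"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        # Under Splunk: payload on stdin; the access token would normally be
        # minted from configuration["service_account_key"] via the OAuth
        # JWT-bearer flow.  Here it is read from an env var as a placeholder.
        payload = json.load(sys.stdin)
        token = os.environ.get("CBCM_ACCESS_TOKEN", "")
        print(json.dumps(execute(payload, token, post_json)), file=sys.stderr)
    else:
        # Dry run on the constructed sample, no network.
        print(json.dumps(execute(SAMPLE_PAYLOAD, "dry-run", lambda u, b, t: 200)))
```

The important design point is the trigger check in `should_quarantine`: the alert in step 2 is configured per-result, so the action itself should re-verify that the event is the bypassed dangerous-download case before calling the API, and it should refuse to act when no device id is present rather than move the wrong browser.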

Test the setup

Use the testsafebrowsing website to generate sample security events and test the setup.

  1. Open the testsafebrowsing website.
  2. Click the link for line item 4 under the Desktop Download Warnings section, i.e. “Should show an “uncommon” warning, for .exe”.
  3. You will see a Dangerous Download blocked warning giving you two options, Discard or Keep the downloaded file. Click Keep.
  4. This triggers the alert action and moves your managed browser or managed CrOS device to the “Quarantine” OU (named Investigate in our example) with its restrictive policies.

Conclusion

Security remediation is vital to any organization’s security program. In this blog we discussed configuring automated security remediation of Chrome Browser Cloud Management security events using Splunk alert actions. This scalable approach can be used to protect a company from online security threats by detecting and quickly responding to high-fidelity Chrome Browser Cloud Management security events, greatly reducing the time to respond.

Our team will be at the Gartner Security and Risk Management Summit in National Harbor, MD, next week. Come see us in action if you’re attending the summit.
