As networks become increasingly complex, the integration of networking and security operations under the umbrella of NetSecOps is not just beneficial—it’s essential. This integration, powered significantly by the capabilities of NetBox Event Streams integrated with SIEM tools like Splunk Enterprise and Elasticsearch, is setting a new standard for how networks are managed and secured.
The Rise of NetSecOps
The NetSecOps movement has been gaining substantial traction, as evidenced by a 2024 survey conducted by Enterprise Management Associates (EMA). This study revealed that nearly half of IT professionals have witnessed either a full or partial merging of networking and security teams within their organizations. The primary driving force behind this integration is the need for enhanced network automation, which promises to streamline operations and boost security measures.
The evolution of NetSecOps is marked by its potential to break down traditional operational silos that have long impeded effective network management, fostering a collaborative environment where both security and network functions thrive together, leading to more robust and agile systems. The “shifting left” concept is vividly illustrated in NetSecOps, where security expertise is embedded early in the network configuration and monitoring processes. This proactive approach includes automating compliance checks and embedding security policies into the deployment phase, ensuring that network configurations align with stringent security standards right from the start.
However, the path to fully integrated NetSecOps is not without its obstacles. One of the most significant challenges lies in the disparate methods of data collection and the varied tools employed by networking and security teams. Networking teams typically concentrate on gathering performance data to ensure network efficiency and uptime, while security teams focus on threat intelligence, identifying potential vulnerabilities and breaches. This division often leads to a lack of shared insights and inefficiencies, as each team may not have immediate access to the other’s critical data, potentially creating gaps in security and network performance data.
NetBox Event Streams: A Game Changer
In response to these challenges, NetBox Labs recently introduced a pivotal new feature: NetBox Event Streams, which unlocks event-driven architectures by enabling teams to easily subscribe to network state and management events from the NetBox Cloud Platform, feeding events to other systems or triggering automations.
This capability spans various types of events, from operational updates like the addition of new devices, to security-oriented alerts such as unauthorized access attempts. The real-time nature of these event streams is vital in maintaining synchronicity between network and security operations, ensuring that all actions are based on the most current data, thus enhancing decision-making and operational responsiveness.
Broad Integration with Cloud Services
NetBox Event Streams has been designed with broad compatibility in mind, facilitating integration with major cloud services including AWS Simple Notification Service (SNS), Azure Service Bus, and Google Cloud Pub/Sub Topics. These integrations offer the scalability and flexibility needed to accommodate diverse enterprise environments and their specific needs. Looking ahead, NetBox plans to expand support to include popular streaming platforms like Kafka, MQTT and NATS.io, further broadening its applicability and enhancing its potential to meet the evolving demands of modern network infrastructures.
Automation and Real-Time Analysis
The integration of NetBox Event Streams with Splunk Enterprise and Elasticsearch is changing how networking and security teams interact with their data. By working from the same shared data, networking and security teams can be more aligned, which opens up possibilities for more automation, such as deploying configuration updates or initiating security scans when new devices are added to the network. The ability to automatically trigger these actions in real time based on live data feeds turns passive data collection into proactive system management, enabling teams to address issues swiftly and efficiently before they escalate.
Example Use Case: Automated Reporting and Compliance Monitoring
An integral part of maintaining a secure and compliant network infrastructure is the ability to track and document all significant events systematically. Using NetBox Event Streams integrated with Splunk Enterprise allows organizations to streamline this process through automated reporting and enhanced compliance checks.
Scenario: Daily, Weekly, and Monthly Reporting
Imagine an organization that requires daily, weekly, and monthly reports detailing all new device additions and configuration changes within NetBox. Using NetBox Event Streams, all such activities can be logged in real-time, providing a comprehensive dataset of NetBox events.
Integration with Splunk Enterprise:
By hooking into NetBox Event Streams, this data is continuously streamed to Splunk Enterprise, where it is processed and organized.
Splunk’s powerful analytics tools allow the organization to set up automated reports in which the latest information can be viewed in real time or can be sent out on a scheduled basis, depending on the organization’s needs. These reports provide insights into the overall health and security of the network, highlighting new changes and potential vulnerabilities.
The output below shows NetBox authorization events being received and viewed in an example Splunk Enterprise dashboard:
Compliance and Security Monitoring:
Further enhancing the utility of this setup, Splunk can compare the identities of users who have initiated these changes against a pre-approved list of authorized personnel. This list might be synchronized with the permissions settings in NetBox, adding an extra line of scrutiny for permission enforcement. If an event is initiated by a user not on this list, Splunk can automatically trigger an alert. This feature is crucial for maintaining strict compliance with internal security policies and external regulatory requirements, ensuring that only authorized personnel can make changes to the network and catching any deviations quickly.
Below is sample JSON data received by Splunk Enterprise via NetBox Event Streams, when a new device has been added into NetBox (some data has been omitted for brevity):
{
  egress_environment: production
  egress_id: 6470c3c0-5dc9-418e-9060-7633376a7202
  egress_timestamp: 2024-05-07T07:40:17.620300
  egress_version: v1.16.1-release-acf3ee7
  message: {
    data: {
      airflow: null
      asset_tag: null
      custom_fields: {
      }
      description:
      device_role: {
        display: Switch
        id: 1
        name: Switch
        slug: switch
        url: /api/dcim/device-roles/1/
      }
      device_type: {
        display: 9200
        id: 1
        manufacturer: {
          display: Cisco
          id: 1
          name: Cisco
          slug: cisco
          url: /api/dcim/manufacturers/1/
        }
        model: 9200
        slug: 9200
        url: /api/dcim/device-types/1/
      }
      display: Unauthorized Device
      primary_ip: null
      primary_ip4: null
      }
      serial:
      site: {
        display: Test
        id: 4
        name: Test
        slug: test
        url: /api/dcim/sites/4/
      }
      status: {
        label: Active
        value: active
      }
      tags: [
    }
    event: created
    model: device
    request_id:
    timestamp: 2024-05-07 07:40:17.225665+00:00
    username: Alice
  }
  netbox_id: nb-d33a588923e4
  netbox_version: 3.7.5
  source_id: 49056ef4-af78-4178-868a-98071805f610
  source_timestamp: 2024-05-07T07:40:17.620278
  source_type: webhook_event
  source_type_docs: https://docs.netboxlabs.com/eventstream/abc
  version: 1
}
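The allowlist check described under Compliance and Security Monitoring, sketched in Python over events shaped like the sample above. This is an added example, not NetBox Labs or Splunk code: the allowlist, the device names and the `nb-example` id are constructed, and only field names visible in the sample are read.

```python
import json

# Constructed allowlist (assumption); the article suggests syncing it with NetBox permissions.
AUTHORIZED_USERS = frozenset({"bob", "carol"})


def _event(username, display):
    # Build a constructed event, trimmed to fields shown in the sample above.
    return json.dumps({
        "source_type": "webhook_event",
        "netbox_id": "nb-example",  # placeholder, not a real instance id
        "message": {"event": "created", "model": "device", "username": username,
                    "timestamp": "2024-05-07 07:40:17.225665+00:00",
                    "data": {"display": display}},
    })


SAMPLE_EVENTS = [
    _event("Alice", "Unauthorized Device"),  # not on the allowlist
    _event("bob", "edge-sw-01"),             # allowlisted
    _event("", "lab-sw-02"),                 # edge case: no username recorded
    "{truncated",                            # edge case: malformed payload
]


def check_event(raw, authorized=AUTHORIZED_USERS):
    """Return an alert dict for a change by a non-allowlisted user, else None."""
    try:
        evt = json.loads(raw)
    except json.JSONDecodeError:
        # Fail closed: an event that cannot be parsed is surfaced for review.
        return {"reason": "unparseable_event", "user": None, "object": None}
    if not isinstance(evt, dict) or evt.get("source_type") != "webhook_event":
        return None  # not a NetBox change event
    msg = evt.get("message") if isinstance(evt.get("message"), dict) else {}
    data = msg.get("data") if isinstance(msg.get("data"), dict) else {}
    user = msg.get("username") or None
    if user in authorized:  # exact, case-sensitive match
        return None
    return {
        "reason": "unauthorized_user" if user else "missing_username",
        "user": user,
        "object": data.get("display"),
        "event": msg.get("event"), "model": msg.get("model"),
        "timestamp": msg.get("timestamp"),
    }


def find_alerts(raw_events, authorized=AUTHORIZED_USERS):
    return [a for a in (check_event(r, authorized) for r in raw_events) if a]
```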
Practical Benefits:
This automated approach to reporting and compliance monitoring not only saves time but also significantly reduces the possibility of human error in the monitoring process. It provides the security team with actionable insights, enabling them to quickly identify and rectify any unauthorized changes or potential security risks. Moreover, it maintains a continuous and automatically updated audit trail that is invaluable during compliance reviews and audits.
Another benefit is the amount of time that this will save the networking team, as they can concentrate on delivering more features and high value project work, knowing that their NetBox changes are being logged automatically and that the security team has visibility of them from the outset.
Conclusion: Enhancing Network Security and Efficiency Through NetSecOps
The “shifting left” approach in NetSecOps integrates security early into network processes, ensuring network operations meet high security standards from the start. By utilizing NetBox Event Streams to enrich the data already being sent to SIEM tools like Splunk and Elasticsearch, this integration boosts operational efficiency and enhances security, leading to more robust network infrastructures.
What’s Next?
If you’re intrigued by the possibilities that NetBox Event Streams can bring to your organization, then it is available now for Private Preview in NetBox Cloud:
- If you’re a NetBox Cloud customer and you’d like to try out NetBox Event Streams, send an email to support@netboxlabs.com
- If you’re not yet a NetBox Cloud customer and you’re interested in learning more about NetBox Event Streams, send an email to info@netboxlabs.com
- View a recording of our recent webinar Introducing Event-Driven Architectures for Networking and Security
- Learn more about the definition of Private Preview and our product life cycle here.