Puppet has unveiled Puppet Remediate, a new product that extends the company’s infrastructure automation software to the security realm, offering its users automated security vulnerability remediation. While some security tools may offer insights into where vulnerabilities exist, Puppet Remediate can take that information and make the changes needed in software and infrastructure to close the vulnerabilities. Puppet Remediate pairs with three leading security vendors — Tenable, Qualys and Rapid7 — to receive vulnerability information, provide vulnerability priority assessments, and then offer remediation actions.
The state of security vulnerability remediation is alarming, and ripe for the kind of automation Puppet already brings to infrastructure, said Matt Waxman, vice president of product at Puppet, in an interview with The New Stack.
“What Puppet has done for a long time at a really large scale was help automate the mundane, error-prone, soul-crushing work that a lot of operations teams are faced with on a daily basis. The way that vulnerability management has been for a couple of decades now is a lot of similar types of very error-prone, manual work to remediate vulnerabilities,” said Waxman. “What we’ve seen is sort of mind-boggling, but the state of the art is a spreadsheet. Essentially, what is happening is that on a regular basis, the security teams are doing CVE-based scans and they are taking the output of that and filing tickets, creating a spreadsheet, and doing very, very manual-oriented things to hand over to the operations team to take remediation actions.”
In a statement, Puppet cites a 2018 report by the Ponemon Institute that found organizations spending around 320 hours a week on vulnerability response. With Puppet Remediate, the company says that this time could be drastically reduced through automation. The product is built on Puppet's open source Bolt orchestration tool, which connects directly to remote nodes over SSH or WinRM and runs the remediation there; no Puppet agent is required on the node for Bolt to do this. Waxman emphasized that remediation means taking action, not simply raising alerts.
“When we talk about remediation, we are literally talking about the act of going and updating a package or executing a command on a given operating system, or shutting down a port on a firewall. We’re not just opening a ticket about it,” said Waxman. “We are actually leveraging Puppet’s automation capabilities and the broad ecosystem that we’ve got to go and execute on that action. The operations team gets visibility into which issues have been remediated and can circle back with their security teams because this is an ongoing thing. It doesn’t just happen once.”
That said, remediation is not automatic: an operator still decides what to run, although the action itself is automated. A dashboard lists the vulnerabilities along with a priority. Because Puppet is connected directly to the infrastructure, it knows how many of your nodes a given vulnerability actually affects, and can rank one that touches most of the estate above another that only affects a small portion of it.
Puppet Remediate currently ships with four pre-built remediation tasks, which Puppet says will handle more than 80% of typical remediation workloads. The product is extensible, however: Puppet Forge acts as a marketplace where Puppet users share their own automation as Bolt tasks.
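As an added illustration, not Puppet's code and not one of the four pre-built tasks the article mentions, here is what a Bolt task for the "update a package" remediation Waxman describes could look like. Bolt copies a task script to each target over SSH or WinRM and runs it with the parameters exposed as PT_<name> environment variables; JSON the script writes to stdout becomes the result Bolt records for that target, and a non-zero exit (optionally with a JSON "_error" object) marks the target as failed. The module name remediate_example, the parameter names, the dry-run-by-default design and the sample versions in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical Bolt task remediate_example::update_package (added example, not
# Puppet's code), stored as tasks/update_package.sh next to metadata such as:
#
#   { "description": "Upgrade a package to at least the version that fixes a CVE",
#     "input_method": "environment",
#     "parameters": {
#       "package":       { "type": "String" },
#       "fixed_version": { "type": "String" },
#       "apply":         { "type": "Boolean", "default": false } } }
#
# "apply" defaults to false (an assumed design choice) so the task only reports
# what it would change unless the operator explicitly asks for the upgrade.
set -eu

# Print the installed version of a package, or "absent" when it is not installed.
# Tries dpkg first, then rpm, so one task serves Debian and RHEL families.
installed_version() {
  pkg="$1"; v=""
  if command -v dpkg-query >/dev/null 2>&1; then
    v=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || v=""
  elif command -v rpm >/dev/null 2>&1; then
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null) || v=""
  fi
  [ -n "$v" ] && echo "$v" || echo absent
}

# Succeed (exit 0) only when the installed version is strictly older than the
# fixed version. sort -V is used instead of a plain string compare so that
# 1.1.1k sorts before 1.1.1l and 1.10 sorts after 1.9.
needs_update() {
  installed="$1"; fixed="$2"
  [ "$installed" != "absent" ] || return 1   # nothing installed, nothing to patch
  [ "$installed" != "$fixed" ] || return 1   # already at the fixed version
  first=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
  [ "$first" = "$installed" ]
}

# Upgrade through whichever package manager is present; only called when apply=true.
upgrade_package() {
  pkg="$1"
  if command -v apt-get >/dev/null 2>&1; then
    DEBIAN_FRONTEND=noninteractive apt-get install -y --only-upgrade "$pkg"
  elif command -v dnf >/dev/null 2>&1; then
    dnf -y upgrade "$pkg"
  elif command -v yum >/dev/null 2>&1; then
    yum -y update "$pkg"
  else
    return 1
  fi
}

# Build the JSON object Bolt records as this target's result.
result_json() {
  printf '{"package":"%s","before":"%s","after":"%s","changed":%s}\n' "$1" "$2" "$3" "$4"
}

main() {
  pkg="$PT_package"; fixed="$PT_fixed_version"; apply="${PT_apply:-false}"
  before=$(installed_version "$pkg")
  changed=false
  if needs_update "$before" "$fixed"; then
    if [ "$apply" = "true" ]; then
      if ! upgrade_package "$pkg"; then
        # A JSON "_error" object plus a non-zero exit is how a task reports failure to Bolt.
        printf '{"_error":{"msg":"upgrade of %s failed","kind":"remediate_example/upgrade-failed"}}\n' "$pkg"
        exit 1
      fi
      changed=true
    fi
  fi
  after=$(installed_version "$pkg")
  result_json "$pkg" "$before" "$after" "$changed"
}

# Run as a task only when Bolt has supplied parameters, so the file can also be
# sourced for its functions without side effects.
if [ -n "${PT_package:-}" ]; then
  main
fi
```

An operator would run it from the Bolt controller with something like `bolt task run remediate_example::update_package --targets web01,web02 package=openssl fixed_version=1.1.1l apply=true` (hypothetical targets and versions). Two points a practitioner should keep in view: the task runs with whatever SSH or WinRM credentials the controller holds, so a remediation host of this kind concentrates privileged access to the whole estate and deserves the same protection as a bastion; and Bolt's SSH transport verifies host keys by default (the `host-key-check` setting), which should stay enabled, since a controller that pushes package upgrades while ignoring host identity is an inviting target for interception.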
Waxman also emphasized that Puppet Remediate works with almost any environment, whether containerized, virtualized, or otherwise, with a focus on handling the hybrid and multicloud nature of most modern architectures.
“In some cases, you have customers that are taking existing virtual machines and running them in containers. They’re all susceptible to the same types of vulnerabilities. Puppet Remediate supports container-based operating systems as well as any others,” said Waxman. “Our view on cloud native is that it is one of many architectural paradigms that exist and what most customers are looking for is the ability to manage a hybrid environment or a multicloud environment. The way we approached the problem is basically by delivering a set of use cases that are hybrid.”
Puppet is a sponsor of The New Stack.