Those of you who have followed Puppet for some time probably know that Puppet’s mission is to free IT Ops from repetitive, soul-crushing work and enable them to support organizational goals in a more efficient way.
In the process of doing so, we have learnt a lot from our customers. One of the things we’ve learnt in the past few months is how painful and inefficient their vulnerability management workflow is.
The typical workflow for managing vulnerabilities is painful and inefficient.
Based on the information we gained from our customers we built this diagram that shows the typical workflow and five main pain points that often occur when managing vulnerabilities.
Information Security and IT Ops goals can sometimes feel orthogonal though they should be in parallel. You notice how the workflow goes back and forth between the two teams involved in the vulnerability management process — Information Security (InfoSec) and IT Operations (IT Ops) — and how the two teams appear completely disconnected. And as a matter of fact, they are disconnected!
In this workflow (as shown above), the InfoSec team kicks off the process by finding vulnerabilities affecting the infrastructure. This team normally uses automated tools called vulnerability assessment tools or vulnerability scanners, such as Qualys, Tenable and Rapid7. Those tools typically discover vulnerabilities and the assets on which they exist.
Unfortunately, the other team involved in the process, IT Ops, doesn’t normally have access to those tools. This is how the process goes:
- InfoSec emails a spreadsheet with the scanner data to IT Ops. How does InfoSec know what has been delivered and reviewed by IT Ops? As only InfoSec teams have access to live vulnerability data from security scans, there is no visibility into, and no way to track, progress between the InfoSec and IT Ops teams. The siloed workflows between InfoSec and IT Ops mean no control or visibility over who does what and when, which causes delays and inefficiencies.
- The IT Ops team manually filters vulnerabilities across thousands of rows in a spreadsheet. They prioritize which vulnerabilities are most critical to deal with first, but the context is missing. Do you know where to find existing vulnerabilities in the infrastructure? Most of the time you aren’t even sure you know what you have running in your infrastructure.
- The remediation of vulnerabilities is usually completed manually, with little or no standardization. Manual tasks are error prone and different members of the team will often perform them in different ways. There is no repeatability and control over what’s done.
- When IT Ops needs to show management or auditors that they’re working on fixing the list of vulnerabilities, they usually build a report manually. This requires lots of time that IT Ops could use elsewhere to bring real value to the organization.
This fragmented and slow workflow has serious implications for the organization
Because the typical workflow doesn’t offer control or a single source of truth over the whole process, it has serious implications for the organization:
- The organization is at risk of a data breach, resulting in loss of reputation, brand value and share price. Prioritizing and remediating vulnerabilities manually takes a lot of time, and not remediating fast enough leaves the company exposed for too long. As a matter of fact, the majority of vulnerabilities exploited are old and well known, but they haven’t been addressed by IT Ops for lack of time or because of miscommunication with InfoSec.
- IT Operations managers worry about losing good people who are tired of the soul-crushing work, manually filtering and prioritizing vulnerabilities month after month.
- IT operators simply cannot fix vulnerabilities fast enough, and sometimes end up giving up trying to do so.
There is a better way to do vulnerability management
At Puppet we believe there is a better way to go through the vulnerability management workflow. We believe in the power of bringing together the two teams that safeguard the organization from security breaches. We believe in the power of data sharing and a single source of truth as a great base for collaboration. And if you’re thinking that all this would require changes to your current processes or team structure, you’re actually wrong.
What Puppet will do for you is support your existing workflow with a new set of features that solve the pain points at every stage of your workflow.
- Instead of having InfoSec emailing a spreadsheet to IT Ops, Puppet makes it easy to get that scanner data automatically, securely, and in real time. We overlay that data with infrastructure data that is continuously discovered across all of your cloud platforms and data centers.
- Instead of spending weeks trying to figure out what is most important to fix, Puppet automatically filters and prioritizes vulnerabilities based on risk and on the hosts they affect. For example, vulnerabilities with the highest risk scores will be prioritized over those with lower scores.
- Instead of spending days manually remediating vulnerabilities, Puppet gives you the remediation solution and a way to immediately take action using agentless tasks or uploading your existing scripts to fix the problem.
- Finally, instead of relying on manual efforts to report on progress, your security team will know when a vulnerability has been remediated when they do the next scan.
The benefits that our customers are getting from a more automated vulnerability management workflow are:
- Reduced time to remediate vulnerabilities, from weeks or days down to less than a day.
- Fewer vulnerabilities in their systems overall.
- Faster audits with less effort.
The product that does all of that is called Puppet Remediate™. Check out more about it on our product page.
Alberta Bosco is a senior product marketing manager at Puppet, and Jonathan Stewart is a senior product manager at Puppet.