Remediating Vulnerabilities with Puppet
The catch-22 of patching vulnerabilities without posing a risk to the business
Patching vulnerabilities can be daunting, especially if the information is confusing, and the process to deploy patches is long. There are going to be times where a zero day presents itself, and the vulnerability requires immediate action. Whether it’s a simple fix or not, the seriousness of some vulnerabilities can put organizations at risk.
Deploying patches, especially for critical infrastructure, takes planning. You can’t have downtime because of the impact that it has on the rest of the business. It needs to be thoughtfully planned in order to minimize the impacts to the business. It’s a fine line between interrupting the business and trying to reduce risk. What’s the happy medium?
How can you get vulnerabilities fixed so they don’t pose a risk to your business, while trying not to interrupt the business at the same time? When that maintenance window becomes available, you need to make sure you have everything you need in order to be successful. Given the timeliness of these vulnerabilities, you have to be fast and efficient.
Leverage Puppet’s PE Patch Management
Patch Management in Puppet Enterprise provides you with up-to-date information on available patches for your systems, as well as mechanisms to deploy those patches during maintenance windows and handling reboots. You can use the built-in
patch_server Task to update systems quickly and effectively, but you can also orchestrate additional steps in the patch process by building a Puppet Plan that handles that. Automating pre-patch health checks
- Creating snapshots/backups prior to patching
- Patching systems in groups sequentially to ensure application uptime
- Validating the systems are still functional after patching
- Rolling back snapshots in case of health failures
- Cleaning up snapshots/backups after successful patching
In the latest updates for Puppet Enterprise 2019.8, you get a built-in
group_patching Plan to help get you started with the basics.
Vulnerability scanners are useful for detecting vulnerabilities due to system misconfiguration or outdated software. They spend a lot of effort ensuring that detection is added to their products in a timely manner, especially when it comes to high visibility zero day vulnerabilities. Action is always required. But before you can take action, you need actionable insight.
Vulnerability scanners are notorious for providing good threat assessment info for the security team, but poorly actionable remediation info for the operations team. In many cases, the operations team receives a PDF or CSV export of the threat assessment data, and then has to spend significant effort to translate the info into real actions that need to be performed on specific systems. All of this takes time, exposing the organization to threats for much longer than desired.
Puppet Remediate helps you solve this problem by automatically correlating the vulnerability data to systems under Puppet management, and providing the means to take action directly on all systems affected by a particular vulnerability. While the action itself tends to be simple in many cases (e.g. update a package or change a configuration setting), the process of identifying where exactly this action needs to happen and correlating it with the vulnerability it remediates is where a lot of efficiency can be gained with Puppet Remediate.
When it comes to addressing vulnerabilities, especially ones that are time sensitive, there are many ways to approach how you can have the greatest impact in your organization. At the end of the day, you want your organization to be protected in order to ensure your customers are protected. Puppet can help your patching program effectively scale so that you can achieve efficacy.
- PE Patch Management docs
- Watch the patching plan in action
- Learn more about Puppet Remediate
- Watch Manage Vulnerabilities with a Common Automation Workflow