Puppet, which automates infrastructure for IT operations, has addressed vulnerability management with its newest offering, Puppet Remediate. Using data from vendor partners Qualys, Tenable and Rapid7, it extends the automation that these vulnerability management solutions provide. While there is a channel component, out of the gate it is limited to two foundational partners, including Fishtech in North America.
“Puppet has existed for the better part of a decade,” said Matt Waxman, Head of Product at Puppet. “It started as an open source project, and the purpose has been to eliminate the soul-crushing and error-prone work all types of admins have needed to do to manage their environment. Our use case is focused on three things. The first is helping to enforce policy, whether it be regulatory policy or company policy. The second – which is where this announcement is relevant – is how we help remediate events that occur. And the third is how do you deliver infrastructure together with an application, as in DevOps, where automating the lifecycle allows speeding up of new software.”
Puppet Remediate – unsurprisingly – addresses that second use case, remediation. The company already has products focused on this area. Puppet Enterprise, for example, does remediation of event-based activities, so a SIEM like Splunk uses Puppet data to enrich its data feeds. This is Puppet’s first solution that specifically addresses vulnerability management, however.
“You have security teams responsible for vulnerability scanners, and they do a great job,” Waxman said. “Where they leave off is by putting it into a spreadsheet or PDF, to actually take steps to resolve the issue. How do you actually automate that workflow? That’s the tension point that we are aiming to solve.”
It also explains why three key vulnerability management vendors – Tenable, Qualys and Rapid7 – have partnered with Puppet on Remediate, providing it with their vulnerability data.
“We are a complement to these vendors, not a competitor,” Waxman stressed. It’s not even a co-opetition relationship.
“We extend their core functionality,” he said. “Vulnerability management doesn’t get you to the stage of remediation, but rather to the equivalent of opening a ticket. We look at it from the operations lens – pushing a button to then address the issue in an automated way.” Remediate then provides the immediate ability to act on vulnerabilities on both Linux and Windows systems, working through SSH and WinRM without requiring any agent technology on the vulnerable systems.
“Remediate is designed to be very easy for teams to get started with,” Waxman said. “It connects to their existing scanner. We pull the data in and overlay it with the infrastructure, and by correlating them together gives the user the ability to prioritize. Remediate has prebuilt tasks within it, and an extensible community ecosystem, done through our marketplace, Puppet Forge. The goal here is to be super simple – not require a steep learning curve.”
Out of the gate, only two of Puppet’s more than 100 channel partners globally will be involved: Bitbone, which is German, and Fishtech, which is headquartered in the U.S.
“We have foundational partners who we generally start new products with, and these are two of those,” Waxman said. “We focus on them for the new product launch. These two also sell the three participating vulnerability management vendors. Broadening it out to more partners is based on hitting KPI milestones around feedback and adoption.”
The future product roadmap will continue to revolve around those three core use cases.
“We see them as evergreen, in the evolution of architectures and consumption models from mainframes to servers to cloud to containers, and through compliance and delivery,” Waxman said. “That’s what we will continue to deliver against.”