Interview: Nigel Kersten, Field CTO, Puppet


This week saw the announcement of a repositioning of a company into the cybersecurity realm, and Infosecurity attended a roundtable to understand what the plans were. The company is Puppet, whose feet have been firmly set in the world of software change in the last decade of its existence, and its focus has been on “automating the delivery and operation of software.”

Field CTO Nigel Kersten said that the concept of Puppet was “about code that declares the state of your infrastructure.” The company offers open source and enterprise software, and because it defines the state that security should be in, it has been the “friend of the security team.” It is able to detect issues, patch versions and misconfigurations.

However, with an average of 320 hours a week spent on a single vulnerability remediation, the company saw an opportunity, and this led to the launch of the vulnerability remediation solution Puppet Remediate, which “dramatically reduces the time from vulnerability detection to remediation.” Kersten explained that many problems in security come down to a lack of communication, as processes are moved between teams who do not collaborate and do not share ownership over the software lifecycle.

“What we’ve seen in the last few years is that SecOps and infosec teams have been seen as separate in the software delivery lifecycle,” he said. “It requires more than shifting left, it is about deeper collaboration. You cannot just take your security people, move them left along the pipeline and expect [them] to match up and get better.”

Along with partners Tenable, Qualys and Rapid7, Puppet Remediate unifies infrastructure data with vulnerability data, allowing IT operations teams to get access to vulnerability data in real-time, prioritize the most critical systems, and identify vulnerabilities within the organization's systems.

The intention of the Remediate product is for infosec teams who “are getting really good at situational awareness to know what vulnerabilities exist in the infrastructure.” Kersten said that infosec teams have good software and visibility of vulnerabilities, but these are often put in a spreadsheet and emailed to the operations team, and the operations team are unable to keep up with the patching cycle, and need to determine what patch is critical. “For operations, it is a manual process and they do what they can and email [the spreadsheet] back to the infosec team and say what they managed to get done.”

In terms of the integration with Tenable, Qualys and Rapid7, Kersten said this “will allow the operations team to complete the tasks that the security team need them to do” and remove the element of the spreadsheet to better understand software access. “What we’re doing is exposing the context around those things and determining what is vulnerable, and allow operations to determine which vulnerabilities affect which hosts.”

Kersten said: “Most of security is about doing small things well, but most operations teams do not have a strong automation platform in place.” He added that Remediate is about taking tasks, and remediating actions “as most of the time, the solutions are simple, it’s just the human interactions and process of filling in the spreadsheet, working out what to do, and sending that information back and forth that is the problem.”

Asked by Infosecurity how this is delivered, Kersten said that this is software-based, is installed separately and integrated with an API key. He said: “So all the operations team need to do is go to the infosec team and get an API key – as they will have access control – plug it in as a source, assign Puppet Remediate and decide on the tasks that you want to upload to it as your remediation solution. There is no agent on this.”

The reasons for the need for such a tool are clear, and for a company with a solid foundation in software change, this opportunity to move into cybersecurity is a welcome one.
