December 27, 2022

Making IT Fireproof with Security Automation Tools

Infrastructure Automation
Security & Compliance

Security automation tools can be the first step in preventing IT fires from happening. When IT teams dedicate time to extinguishing security and compliance fires, they’re missing out on valuable time to spend tackling bigger goals. Let’s explore some ways to make your IT fireproof using the preventative power of security automation.  

What Are Security Automation Tools? 

Security automation tools cover a range of security tasks, such as breach detection and response, secure configuration enforcement, and patching, that an organization can use to stay compliant, secure, and ready for unforeseen events.  

Automation, orchestration, and self-service are the three elements that help IT operations teams become more resilient at identifying potential security and compliance issues. Continuous security is a big win for IT teams that are passionate about automating for security outcomes. The efficiency and consistency they gain is a victory for the team: as companies continue to do more with less, they look for automation and integration options to support the work they do.  

How Security Automation Tools Enable IT Teams to be Proactive  

When IT teams aren’t enabled with proactive solutions like security automation, they struggle with common and time-consuming security frustrations that might look like: 

  • Out-of-band patching, which is manual and slow when critical vulnerabilities arise 
  • Time-consuming, manual, and often repetitive analysis when security incidents occur 
  • Lack of collaboration with other stakeholder teams 

From our own research, the teams that have improved the most use automation and integrations while continuously finding more areas in their workflow to automate, integrate, and add self-service capabilities to.  

Of course, automation can’t solve everything. Even teams with advanced automation practices still struggle to maintain their overall security posture. Some of their biggest pain points include understanding the latest security regulations and frameworks, as well as working cross-functionally with different stakeholders and teams. Different teams have different priorities, even within the same company. 

We recommend checking out “Fostering a culture of joint accountability for IT, security, and compliance across an organization” for further reading on how to handle the things that are out of automation’s scope.  

Managing IT Security with Puppet

There are many ways in which infrastructure automation tooling can be used to support an organization’s IT security objectives. Puppet is known for infrastructure automation, but the use cases Puppet supports also tie back to effective IT security management. Some examples include continuous configuration automation, continuous compliance, and patch management.   

There is a large overlap between the use cases Puppet supports and the provisions of common security frameworks such as NIST CSF and CIS Controls, and of standards such as PCI DSS and ISO 27001. Each of these frameworks and regulations includes requirements for secure, compliant configurations, vulnerability management, and patch management.

So, how can Puppet help you be more proactive with your IT security?  

Enforce Compliance at Scale 

Self-enforcing security provisions like our Compliance Enforcement Modules (CEM) offer customers a turnkey solution for managing secure configurations. Standardization and conformity are delivered at the scale of the organization, with customization options to meet your needs.  

The Puppet team found that most Puppet Enterprise customers preferred to buy Compliance Enforcement Modules as a fully ready-to-deploy, out-of-the-box solution. Developing this kind of content internally is complex and takes a lot of time. It’s not the kind of work many of our customers had the bandwidth for, the skillset for, or wanted to take on. With CEM, Puppet alleviates the burden from the customer and takes care of all the maintenance and updates to the latest benchmark versions. CEM also consistently adds content for new operating systems.  

The content in the modules is directly aligned with Center for Internet Security (CIS) Benchmarks for both Windows and Linux. More recently, we've also added support for the DISA STIG for Red Hat Enterprise Linux.


Streamline Audits 

Continuous compliance visibility and auditor-friendly code save time when it comes to audits. The combination of Puppet Comply, Puppet Enterprise, and the Compliance Enforcement Modules lets you become audit ready quickly.  

Puppet Comply connects to your Puppet Enterprise instance and lets you scan IT infrastructure, assess your compliance status against CIS Benchmarks, manage policy exceptions, and report on your compliance status. Our Compliance Enforcement Modules (CEM) can be inspected and shown to auditors to confirm that the configuration is enforced. The two complement each other: the scan shows the state of each node at scan time, while the enforcing code shows how that state is maintained between scans.  

There are many kinds of security frameworks and regulations: some are general, like CIS Controls, NIST CSF, and ISO 27001, and some are specific to an industry vertical or region, like HIPAA or GDPR. Organizations often need to comply with more than one of them and implement a secure configuration baseline that satisfies each.   

It’s good practice to establish a secure baseline using a common control framework. Good candidates include the CIS Benchmarks, or the DISA STIGs if you work with the US federal government. CIS Benchmarks are already cited as a source of industry-accepted secure configuration standards in the requirements of several common frameworks, including PCI DSS, DISA STIGs, FISMA, and FedRAMP. 

Remediate Quickly 

Puppet can help with multi-OS patching, vulnerability prioritization, and orchestrated actions so that vulnerabilities are remediated at scale and with speed.  

Puppet Patch Management orchestrates patching and reports on success and patch levels across your entire IT estate. Puppet gives you the flexibility to trigger patching manually, schedule it with the built-in orchestrator, or trigger a patching run via the Puppet API. Patching also lets you differentiate between updates designated as security-related and non-security updates (when the package manager supports that distinction) and apply one or both sets. But the real value Patch Management brings is fine-grained control of patch groups. Check out our webinar on why you should stop putting off patching.

With Puppet’s remediation orchestration, you can carry out actions using desired state, tasks, or plans. For example, you can start or stop a service, or uninstall a package, if needed.  
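As an added illustration, not code from this post or from Puppet's own modules, the plan below combines the mechanisms named above: a task for an immediate one-off action, and an apply block that enforces the desired state so the fix survives reboots and manual reinstalls. The module name `remediate`, the default service and package names (a legacy telnet server stands in for "the vulnerable component"), and the target group are assumptions; the `service` and `package` tasks it calls are the ones bundled with Puppet Enterprise and Bolt.

```puppet
# Added example plan (not from the original post or Puppet's own modules).
# Assumptions: module name 'remediate', the default service/package names,
# and targets that are Puppet agents reachable by the orchestrator.
plan remediate::disable_vulnerable_service(
  TargetSpec $targets,
  String     $service = 'telnet.socket',   # assumed: service to stop
  String     $package = 'telnet-server',   # assumed: package to remove
  Boolean    $noop    = true,              # dry run first, then noop=false
) {
  # Task: stop the service right now on every target. This is the fast,
  # one-off action; on its own it does not survive a reboot or a restart.
  $stopped = run_task('service', $targets,
    'Stop the service before removing its package',
    action        => 'stop',
    name          => $service,
    _catch_errors => true,
  )
  $stopped.error_set.each |$r| {
    out::message("${r.target.name}: could not stop ${service}: ${r.error.message}")
  }

  # Desired state: keep the service down and the package absent. Because
  # this is a catalog, the agent re-evaluates it on every run, so drift
  # (someone reinstalling the package) is corrected automatically.
  apply_prep($targets)
  $report = apply($targets, _noop => $noop, _catch_errors => true) {
    service { $service:
      ensure => stopped,
      enable => false,
    }
    package { $package:
      ensure  => absent,
      require => Service[$service],
    }
  }

  # One line per target so a CI job or an operator can read the outcome.
  $report.each |$r| {
    $outcome = $r.ok ? { true => 'ok', default => 'FAILED' }
    out::message("${r.target.name}: ${outcome}")
  }
  return $report
}
```

Run it with `noop` left at its default first (for example `bolt plan run remediate::disable_vulnerable_service -t web_servers`) to see what would change on each target, then pass `noop=false` to enforce it. Putting the `require` on the package resource makes Puppet stop the service before removing the package, which avoids leaving a running process whose binary has been deleted.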

Get Started with Security Automation Tools 

Security automation tools can help make your IT team’s day-to-day that much easier, and a lot less reactive. Get started automating today to see the benefits of your new proactive strategy tomorrow.  
