SecOps Cloud Management Platform Technical vRealize vRealize Automation vRealize Suite

VMware vRealize Automation SaltStack SecOps: Technical Overview Part 2 – Vulnerability Management

Updated November 2021 to include Carbon Black Cloud integration

In my first blog post, I covered the compliance management aspects of SaltStack SecOps. For this post I will cover how vulnerability management works. The process is very similar to how compliance management works, except Common Vulnerabilities and Exposures (CVE) are used to determine your overall vulnerability posture for operating systems under management. Common operating systems are supported including Windows, Red Hat, SUSE, CentOS, and Ubuntu. The CVEs are obtained directly from vendors and a state file is used for assessment and remediation. I’ll start part 2 connected to my Salt Controller in the Vulnerability section of the product.

Resembling the Compliance part of SaltStack SecOps, a summary view is provided which shows you a snapshot of your vulnerability posture, trends, top advisories, and remediations. The policy creation process is also similar on the vulnerability side, but with fewer selection options. You only need to name the policy, choose your targets, and set an assessment schedule or trigger a run now operation. Once the assessment is complete, you will be presented with a view like what is depicted in the screenshot.

Clicking into our Web Servers policy, a more detailed view of the discovered vulnerabilities is displayed. You can choose to filter advisories by severity and click into advisories for more detail on what was found in your environment. From this view, we can remediate or exempt selected advisories across all minions in the selected Target. Additionally, we provide the Common Vulnerability Scoring System (CVSS) score based on v2.0 and v3.0. For many, v3.0’s additional severity ratings and expanded metrics allows better differentiation among vulnerabilities and thus a more accurate picture of vulnerabilities encountered in the environment.

Selecting Minions offers specific information on individual minions. Minions can be remediated or exempted individually, based on your needs, from this view. You also have the ability to run jobs or commands directly from this interface, exactly like the compliance side.

The minions view enables each of the options mentioned previously. Clicking Remediate will initiate a remediation job against the selected minions. All listed vulnerabilities for each minion will be remediated as part of the job.

Navigating to Actions allows you to monitor the job status, examine previous jobs, and view jobs logs to determine what was assessed or remediated.

Clicking Report displays further details about the vulnerability status for minions included in the policy. You can click Download to access a JSON version of the report for external needs.

SaltStack SecOps also includes integrations with 3rd party vulnerability vendors. Choosing the down arrow on the upper right opens a dropdown menu with the option to Upload Vendor Scan Data.

Update – New Carbon Black Cloud integration

With the release of vRA 8.6.1, we now support integration with Carbon Black Cloud. The integration leverages the Kenna OEM relationship with Carbon Black Cloud and is focused on vulnerability management for Windows minions in this release. Support for Linux minions will be released soon. The Carbon Black Cloud integration uses a Token and Org key to connect from SaltStack SecOps.

Once the connector is configured, you will be able to upload vulnerability assessment results for a Windows minion directly from Carbon Black Cloud to a SaltStack SecOps vulnerability policy.

Vulnerabilities from Carbon Black are matched against supported Windows OS vulnerability content in SaltStack SecOps. That means we use the state information from our built-in vulnerability content to remediate minions. The import will show which vulnerabilities are supported for each minion. You can also choose which vulnerabilities will be imported and later remediated against a minion. Once the vulnerabilities are imported to a policy, the process, including remediation runs as usual within SaltStack SecOps. Following remediation, the vulnerability score will update within Carbon Black Cloud for the associated workload. Our Carbon Black team has put together a great set of videos which provide more detail on the integration on their techzone site.

We also support the ability to upload/integrate vendor scan data from Tenable, Rapid7, Qualys, and Kenna Security. Once uploaded, the vulnerability assessment details will update based on the 3rd party data to show your assessed posture in the policy.

After the remediation and post-assessment are complete, the policy details will update to show the minions are no longer vulnerable based on the CVEs used during the assessment. SaltStack has changed the configured state to address vulnerabilities identified within your operating systems.

As you can see, SaltStack SecOps offers robust vulnerability management for operating systems using regularly updated CVEs from vendor sources. Many products can claim to assess and offer some level of remediation, such as powering off VMs or taking a snapshot. Very few products offer full continuous vulnerability and comprehensive state management to the level provided by SaltStack SecOps. Thank you for reading my post!


Leave a Reply

Your email address will not be published. Required fields are marked *