Activate SecOps with Vulnerability Remediation Integrated with Tenable

February 11, 2020 - Mehul Revankar

SaltStack Enterprise 6.2 is now generally available and represents our continued commitment to provide innovative solutions for security and IT operations teams. This new SaltStack release integrates with leading infrastructure security tools from Tenable and Splunk to help activate SecOps teams through automated vulnerability remediation. Highlights of this release include: 

  • The ability to use SaltStack Protect to remediate vulnerabilities discovered by vulnerability scans.
  • Event-driven automation integrated with Splunk.

Read the second 6.2 highlights blog post here if you would like to learn more about SaltStack Comply support for Windows Server.

Integrate the best vulnerability management with the best vulnerability remediation

Tenable is widely recognized as one of the best vulnerability management solutions in the industry. According to an analysis by Principled Technologies, Tenable is the number one platform in the market for vulnerability and security configuration, covering up to 22% more CVEs than comparable tools.

It’s no surprise that when we talked to our own customers, SaltStack integration with Tenable was one of the most sought-after features for security operations teams.

With the release of SaltStack Enterprise 6.2, we are happy to announce the availability of integration with Tenable products. SaltStack customers can now use it to import vulnerability assessment scans into SaltStack Protect (a SaltStack Enterprise add-on module) to automate the remediation of infrastructure vulnerabilities.

The SaltStack integration with Tenable helps security and IT teams solve a common disconnect I discuss with the Security Weekly team in this webcast. It is the classic SecOps challenge in which security teams perform assessments and then hand off unwieldy spreadsheets or PDF reports that include thousands of un-actionable vulnerabilities for the IT operations team to remediate. 

Here’s a quick video preview of how the SaltStack integration with Tenable works.

Please note, in this release we took a file-based approach to import vulnerabilities from Tenable products, but watch for an API-level integration in an upcoming SaltStack release.

Splunk Integration Example

Splunk has done an amazing job helping security and IT operations teams use data to optimize and secure digital infrastructure. In its simplest form SaltStack Enterprise customers can configure the Splunk Universal Forwarder to feed SaltStack-generated events to Splunk to be indexed.

The Splunk integration is combined with another new SaltStack Enterprise 6.2 feature: the ability to forward events to any Salt Returner such as Redis, SQL, or even a local file.

Here’s an example of how the SaltStack Enterprise Operations Framework (raas.conf) can be configured to write events to a file that the Splunk Universal Forwarder monitors. The file can then be sent to a monitoring solution such as Splunk, Datadog, ElasticSearch or a similar service.

event_return_queue: 10
event_return_queue_max_seconds: 5

    name: sseapi-rpc
    strategy: always
    push_interval: 5
    batch_limit: 20
    age_limit: 3600
    size_limit: 360000
    vacuum_interval: 86400
    vacuum_limit: 100000

  name: sseapi-events
  strategy: always
  push_interval: 5
  batch_limit: 20
  age_limit: 86400
  size_limit: 35000000
  vacuum_interval: 86400
  vacuum_limit: 350000
    - rawfile_json

Now with these two simple steps the integration is possible:
./splunk add forward-server SPLUNK-IP:9997 -auth admin:password   # configure the forwarder
./splunk add monitor /tmp/events.json   # monitor the file with the Splunk forwarder

Once the forwarding is configured, the SaltStack machine data can then be analyzed in Splunk. Here’s an example:

A similar approach with the Salt Returner would work with other vendors such as Datadog, ElasticSearch, and many other monitoring solutions.
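The events file above lives in /tmp, a world-writable directory, so it is worth checking the file before a forwarder is told to monitor it. The following Python check is an added example, not SaltStack or Splunk code; it assumes each line of the file is a JSON object with "tag" and "data" keys, and the sample lines are constructed.

```python
import json
import os
import stat
import tempfile

def audit_event_file(path):
    """Return findings for a JSON-lines event file that a log forwarder will monitor."""
    st = os.lstat(path)  # lstat so a symlink planted at the path is not followed
    if not stat.S_ISREG(st.st_mode):  # also true for a symlink, because of lstat
        return ["path is not a regular file (symlink or special file)"]
    findings = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")
    if st.st_mode & stat.S_IROTH:
        findings.append("file is world-readable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        findings.append("parent directory is world-writable")
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip():
                continue
            try:
                event = json.loads(line)
            except json.JSONDecodeError:
                findings.append(f"line {lineno}: not valid JSON")
                continue
            # Assumed event shape: an object with "tag" and "data" keys.
            if not isinstance(event, dict) or not {"tag", "data"} <= event.keys():
                findings.append(f"line {lineno}: missing tag/data")
    return findings

# Constructed sample lines (not real SaltStack output): valid, truncated, wrong shape.
SAMPLE = (
    '{"tag": "salt/job/20200211120000000000/ret/web01", "data": {"id": "web01", "retcode": 0}}\n'
    '{"tag": "salt/auth", "data": {"id": "web02", "act": "pend"\n'
    '{"message": "no tag or data"}\n'
)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "events.json")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(path, 0o666)  # deliberately loose, to show the permission findings
    return audit_event_file(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

An empty result means the file is a regular, privately writable file whose lines all parse; any finding is a reason to move the file out of /tmp or tighten its mode before running the monitor step.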

Try SaltStack Software

Join this webinar to see a demo of the SaltStack Enterprise 6.2 release in action. If you want to see for yourself, there are three ways to try SaltStack software depending on your familiarity: