The National Institute of Standards and Technology (NIST) and Microsoft this week announced a joint effort aimed at helping enterprises improve their patching strategies.
Motivated by massive cyber-attacks such as WannaCry and the devastating NotPetya, the initiative aims to help organizations plan, implement, and improve their enterprise patch management strategies.
Timely patching could have blunted the rapid spread seen in both attacks: they targeted vulnerabilities that had already been fixed (the SMBv1 flaws addressed in MS17-010), abusing them through the EternalBlue and EternalRomance exploits linked to the National Security Agency.
Following these attacks, Microsoft decided to look into why some of its customers had not applied the security patches, which had been available for months when NotPetya hit.
Microsoft says that it also listened directly to customer challenges regarding patches, thus discovering that some customers don’t even test a patch before deployment, but merely ask on online forums if anyone has had issues with that patch.
One of the conclusions the tech giant arrived at was that clearer industry guidance and standards on enterprise patch management were badly needed, hence the partnership with the U.S. NIST National Cybersecurity Center of Excellence (NCCoE).
“This project—kicking off soon—will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit,” Microsoft explains.
Those that have shared their experience in patch management include the Center for Internet Security (CIS) and the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA, formerly US-CERT / DHS NCCIC).
Both vendors that can help with patch management and organizations or individuals who can share information on successful enterprise patch management programs are welcome to join the initiative.
Microsoft also points out that applying patches is both a critical part of protecting a system and a social responsibility, given the extent to which society has become dependent on technology.
“This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology,” Microsoft explains.
According to NIST, the relatively small number of root causes for most data breaches, malware infections, and other security incidents can be mitigated by implementing a few relatively simple security hygiene practices.
“Unfortunately, security hygiene is easier said than done. Even though there is widespread recognition that patching software—operating systems, applications, and the like—can be incredibly effective at mitigating security risk, patching is often resource-intensive, and the act of patching itself can reduce system and service availability,” NIST says.
Deploying patches without testing them can break system functionality and disrupt operations, while delaying patch deployment gives attackers a larger window of opportunity.
The newly announced Critical Cybersecurity Hygiene: Patching the Enterprise project, NIST explains, will look into how commercial and open source tools can help with the patching process. Actionable, prescriptive guidance on the patching life cycle will also be provided.
A NIST Cybersecurity Practice Guide will be published as part of the project, describing the practical steps needed to implement a cybersecurity reference design that addresses the enterprise patching challenge.
Related: Patching Not Enough; Organizations Must Adopt Zero-Trust Practices: Report
Related: DHS Orders Agencies to Patch Critical Vulnerabilities Within 15 Days