Microsoft has partnered with the NIST National Cybersecurity Center of Excellence (NCCoE) to develop clearer industry standards and guidelines for best-practice patch management.
The duo has asked vendors and organizations to take part in the effort, specifically those that provide patch management support and have enterprise patch management experience.
The two organizations decided to team up after the massive 2017 WannaCry cyber-attack.
Microsoft released a patch for the targeted flaw months before the global cyber incident, but many organizations failed to patch, which allowed the malware to proliferate.
According to Mark Simos, Microsoft’s Cybersecurity Solutions Group lead cybersecurity architect, “We learned a lot from this journey, including how important it is to build clearer industry guidance and standards on enterprise patch management.”
Over the last year, NCCoE and Microsoft have worked closely with the Center for Internet Security, Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (CISA) to better understand the risks and necessary patching processes.
The teams also met with many of their customers in focus groups to better understand why organizations are not actively applying patches.
Microsoft discovered that many organizations were simply struggling to determine the right type of testing to use for patch testing, as well as just how quickly patches should be applied.
This led to them simply not installing some of the patches at all.
The project aims to help organizations better understand the need for patch management and will include building common enterprise patch management reference architectures and processes.
Vendors will also build and validate implementation instructions at the NCCoE lab, and the results will be shared in a NIST Special Publication as a practice guide.
With the healthcare sector seeing a spike in cyber-attacks, a patch management guide would be critical as industry stakeholders have long stressed that patching issues have added significant vulnerabilities to a sector that heavily relies on legacy platforms.
Some of healthcare’s greatest vulnerabilities include patching, data inventory, and a lack of regulatory alignment.
To NIST, the issue goes beyond awareness, as there is widespread agreement that patching can be effective at mitigating some security risks.
Organizations are challenged by the resource-intensive patching process, as well as by the concern that patching can reduce system and service availability.
Often, attempts to expedite the process, such as not testing patches before production deployment, can inadvertently break system functionality and disrupt business operations, NIST officials explained.
However, patching delays increase the risk a hacker will take advantage of system vulnerabilities.
For NIST, the partnership with Microsoft will examine how both commercial and open-source tools can help with some of the biggest challenges of patching, including “system characterization and prioritization, patch testing, and patch implementation tracking and verification.”
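The three challenge areas NIST names (system characterization and prioritization, patch testing, and patch implementation tracking and verification) are concrete enough to sketch in code. The following is an added illustration, not code from NIST, NCCoE or Microsoft, and it does not reflect any reference design from the planned practice guide. It assumes a hypothetical inventory feed that records which patches each host reports as installed and whether the host is internet-facing; all patch identifiers, hostnames and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    """A required patch as it would appear in a vendor advisory feed."""
    patch_id: str
    severity: str  # "critical" | "high" | "medium" | "low"
    released: date


# Higher rank means the patch should be applied sooner.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample data (hypothetical identifiers, not real patches or hosts).
REQUIRED_PATCHES = [
    Patch("KB-EXAMPLE-001", "critical", date(2020, 1, 14)),
    Patch("KB-EXAMPLE-002", "high", date(2020, 2, 11)),
    Patch("KB-EXAMPLE-003", "medium", date(2020, 3, 10)),
]

# System characterization: exposure plus what the host's agent reports as installed.
INVENTORY = {
    "web-01": {"internet_facing": True, "installed": {"KB-EXAMPLE-001"}},
    "db-01": {"internet_facing": False,
              "installed": {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003"}},
    "legacy-01": {"internet_facing": False, "installed": set()},
}

# Date the report is generated; fixed so the example is reproducible.
REPORT_DATE = date(2020, 4, 1)


def missing_patches(inventory, required):
    """Tracking: map each host to the required patches it has not reported as installed."""
    gaps = {}
    for host, info in inventory.items():
        missing = [p for p in required if p.patch_id not in info["installed"]]
        if missing:
            gaps[host] = missing
    return gaps


def prioritize(gaps, inventory, today):
    """Prioritization: rank (host, patch) pairs by severity, then exposure, then age.

    Returns a list of (host, patch_id, age_days, score), highest score first.
    The age component is capped so it never outweighs a severity step.
    """
    rows = []
    for host, patches in gaps.items():
        exposed = inventory[host]["internet_facing"]
        for p in patches:
            age_days = (today - p.released).days
            score = (SEVERITY_RANK[p.severity] * 100
                     + (50 if exposed else 0)
                     + min(age_days, 49))
            rows.append((score, host, p.patch_id, age_days))
    rows.sort(reverse=True)
    return [(host, pid, age, score) for score, host, pid, age in rows]


def compliance_rate(inventory, required):
    """Verification metric: fraction of (host, patch) pairs reported as installed."""
    total = len(inventory) * len(required)
    required_ids = {p.patch_id for p in required}
    installed = sum(len(info["installed"] & required_ids) for info in inventory.values())
    return installed / total if total else 1.0


if __name__ == "__main__":
    gaps = missing_patches(INVENTORY, REQUIRED_PATCHES)
    for host, pid, age, score in prioritize(gaps, INVENTORY, REPORT_DATE):
        print(f"{score:4d}  {host:10s}  {pid}  outstanding {age} days")
    print(f"compliance: {compliance_rate(INVENTORY, REQUIRED_PATCHES):.0%}")
```

The verification step in a real deployment would re-read the host's installed-patch state after the maintenance window rather than trusting the deployment tool's success code; running `missing_patches` again on that fresh inventory is the check. Note the ordering produced here: the unpatched legacy host's critical gap ranks above the internet-facing web host's high-severity gap, because severity is weighted above exposure; a team may reasonably choose a different weighting, and the point is that the weights are explicit and reviewable.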
The ultimate goal is to provide a Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge throughout the device lifecycle.
“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” Simos explained. “In many ways, patching is a social responsibility because of how much society has come to depend on technology systems that businesses and other organizations provide.”
“This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology,” he added. “Ultimately, we want to make it easier for everyone to do the right thing and are issuing this call to action.”
You can visit the NCCoE posting in the Federal Register for more information.