Microsoft, NIST Collaborate on Patch Management, Developing Practice Guide

In an era of intense cyber attacks, how can organizations plan, implement, and improve an enterprise patch management strategy? That is the question Microsoft posed in a new blog post.

“We were particularly concerned with why patches hadn’t been applied, as they had been available for months and had already been used in the WannaCrypt worm—which clearly established a ‘real and present danger’,” wrote Mark Simos, the lead cybersecurity architect in Microsoft’s cybersecurity solutions unit.

To build “clearer industry guidance and standards” on enterprise patch management, Microsoft is partnering with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE). The company and the agency are inviting vendors, organizations and individuals with “pertinent learnings that you can share” to join the initiative ([email protected]):

  • Vendor: Any vendor who has technology offerings to help with patch management (scan, report, deploy, measure risk, etc.).
  • Organization or individual: All those who have tips and lessons learned from a successful enterprise patch management program (or lessons learned from failures, challenges, or any other situations).

In addition to the NIST NCCoE, other organizations have been involved, including:

  • Center for Internet Security (CIS), a nonprofit
  • U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (formerly US-CERT / DHS NCCIC)

“Microsoft visited a significant number of customers in person (several of which I personally joined) to share what we learned,” Simos said. The plan was to have some “really frank and open discussions” about why organizations really aren’t applying security patches.

While the answers proved to be mostly what Microsoft expected, Simos said, other challenges organizations faced surfaced in questions like:

  • “What sort of testing should we actually be doing for patch testing?”
  • “How fast should I be patching my systems?”

Often, he said, a common practice for “testing” a patch before deployment consisted solely of asking in an online forum whether anyone else had had issues with it.

“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” Simos said. “In many ways, patching is a social responsibility because of how much society has come to depend on technology systems that businesses and other organizations provide.”

Shortly, Microsoft and the NIST NCCoE will kick off a project to build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in a NIST Special Publication 1800-series practice guide for all to benefit.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.