A new project has been launched by Microsoft and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop guidance on developing and implementing an effective patch management strategy.
Following the (Not)Petya wiper attacks in 2017, Microsoft embarked on a voyage of discovery into why companies had failed to exercise basic cybersecurity hygiene and had not patched their systems, even though patches had been released months previously and could have protected against the attacks.
Over the past 12 months, feedback has been sought from the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the Center for Internet Security on the risk of exploitation and patch management strategies. Microsoft has also sat down with customers to find out more about the challenges they face applying patches and to discover exactly why patching is often delayed and why in some cases patches are not applied.
These meetings revealed many companies were unsure about what they should be doing in terms of patch testing. In some cases, patch testing appeared to consist only of asking questions on online forums to see if anyone had experienced any problems with recently released patches. Many customers were unsure about how fast patches needed to be applied.
The meetings prompted Microsoft to form a partnership with NCCoE to develop enterprise patch management guidance that helps companies plan and implement an effective patching strategy. The aim of the initiative is to devise industry guidance and standards to help companies improve their patch management processes.
The project is just about to commence and will involve developing common patch management architectures and processes. Appropriate vendors will assist by building and validating implementation instructions in the NCCoE lab, and the project will ultimately result in a new NIST Special Publication 1800 practice guide on patch management.
An invitation has now been extended to vendors with technology offerings that can help with patch management, such as scanning, reporting, deployment, and risk measurement. Individuals and organizations willing to share patch management tips and tactics, and the lessons they have learned are also welcome to participate.
Any vendor, organization, or individual that wishes to participate should contact the project team at firstname.lastname@example.org.