The pair is also calling on vendors and organizations to join the effort, including those that provide technology offerings for patch management support or those with successful enterprise patch management experience.
According to Mark Simos, Microsoft’s Cybersecurity Solutions Group lead cybersecurity architect, the effort began following the massive 2017 WannaCry cyberattack. Microsoft released a patch for the targeted flaw months before the global cyber incident, but many organizations failed to patch, which allowed the malware to proliferate.
“We learned a lot from this journey, including how important it is to build clearer industry guidance and standards on enterprise patch management,” Simos wrote.
Over the last year, NCCoE and Microsoft have worked closely with the Center for Internet Security, Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (CISA) to better understand the risks and necessary patching processes.
The groups also sat down with their customers to better understand the challenges and just why organizations aren’t applying timely patches. Microsoft found that many organizations were struggling to determine the right type of testing to use before deploying patches, as well as just how quickly patches should be applied.
The project will include building common enterprise patch management reference architectures and processes. Vendors will also build and validate implementation instructions at the NCCoE lab, and the results will be shared in a NIST Special Publication as a practice guide.
For the healthcare sector, a patch management guide would be critical as industry stakeholders have long stressed that patching issues have added significant vulnerabilities to a sector that heavily relies on legacy platforms.
In March, CHIME told Sen. Mark Warner, D-Virginia, that patching, data inventory, and a lack of regulatory alignment are some of healthcare’s greatest vulnerabilities.
To NIST, the issue goes beyond awareness, as there is widespread agreement that patching can be effective at mitigating some security risks. Organizations are challenged by the resource-intensive patching process, as well as by concern that patching can reduce system and service availability.
Often, attempts to expedite the process, like not testing patches before production deployment, can inadvertently break system functionality and disrupt business operations, NIST officials explained. However, patching delays increase the risk that a hacker will take advantage of system vulnerabilities.
For NIST, the partnership with Microsoft will examine how both commercial and open-source tools can help with some of the biggest challenges of patching, including “system characterization and prioritization, patch testing, and patch implementation tracking and verification.”
Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge throughout the device lifecycle.
“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” Simos explained. “In many ways, patching is a social responsibility because of how much society has come to depend on technology systems that businesses and other organizations provide.”
“This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology,” he added. “Ultimately, we want to make it easier for everyone to do the right thing and are issuing this call to action.”
Interested stakeholders should visit the NCCoE posting in the Federal Register for more information.