Microsoft and the US National Institute of Standards and Technology (NIST) have joined forces to create a NIST guide for applying security patches in the enterprise sector.
The two organizations are now inviting interested parties to provide input for the new guide. The invitation is open to vendors, companies, and individuals alike.
The result of this work will be a NIST Special Publication 1800 practice guide that system administrators can follow to organize or optimize a company’s internal patching procedures.
The guide is expected to carry significant weight because it has the backing of NIST, the US government agency whose standards and guidelines are widely adopted by industry and are mandatory for federal agencies.
Rooted in the 2017 ransomware outbreaks
Work on this joint Microsoft-NIST partnership began in 2018, as part of a project named the Critical Cybersecurity Hygiene: Patching the Enterprise Project [PDF, NIST homepage].
Microsoft played a crucial role in setting it in motion. The company said it began looking into how organizations patch their computer fleets after the three ransomware outbreaks of 2017: WannaCry, NotPetya, and Bad Rabbit. WannaCry and NotPetya spread through an SMBv1 vulnerability for which Microsoft had shipped a fix (MS17-010) in March 2017, two months before WannaCry appeared.
The OS maker said that many of the organizations that got hit had failed to install patches, even though security updates were available. This led Microsoft to investigate why companies weren't patching their systems.
“A key part of this learning journey was to sit down and listen directly to our customers’ challenges,” said Mark Simos, Lead Cybersecurity Architect, Cybersecurity Solutions Group at Microsoft.
“Microsoft visited a significant number of customers in person (several of which I personally joined) to share what we learned […] and to have some really frank and open discussions to learn why organizations really aren’t applying security patches,” the Microsoft exec said.
Companies approached patching differently
These meetings revealed that organizations approached patching in very different ways, and that delays in applying security updates were a common result.
One of the primary reasons cited in these meetings was the lack of a reliable patch testing procedure: many companies held patches back because they had no dependable way to confirm that an update wouldn't introduce bugs or crashes and cause downtime on production systems.
Simos said that in some organizations, the process of testing a patch “consisted solely of asking whether anyone else had any issues with the patch in an online forum.”
Furthermore, some companies said they didn't know how quickly they should be applying patches, leaving each organization to assess the severity of security updates, and the urgency of deploying them, by its own criteria.
NIST-approved guidance needed
As a result, Microsoft concluded that an industry-wide standard was needed to bring consistency to the patching process in enterprise environments.
As part of their joint project, Microsoft and NIST said they plan to look at “how commercial and open source tools can be used to aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification.”
“These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle,” NIST said.
There is no timeline for when the guide will be finalized; however, it is rare for a NIST guide to have the backing of a major industry player from the outset, so the work is expected to move along quickly.