The US Government’s National Institute of Standards and Technology and 8,000,000 pound gorilla Microsoft are working together to provide industry with definitive guidance on keeping systems patched against security vulnerabilities. The two organizations are aiming at:
“Demonstrating a proposed approach for improving enterprise patching practices for general IT systems”
At the end of the day, the output will be a NIST Cybersecurity Practice Guide, which will be made available to the public.
Microsoft and the feds were inspired by 2017’s global ransomware outbreaks which crippled multiple multinational companies and small businesses alike and cost victims billions of dollars in lost revenue and cleanup. Properly patched systems would have limited the damage.
The project description looks quite good. It deals with the entire patch management life cycle, starting with identification of assets, working through the actual vulnerability and identification management process and ending up with the security of the patching infrastructure itself.
I was especially happy to see that the document deals with the problem of un-patchable assets. We all have these on our networks, whether they are that lingering end of life system which can’t be upgraded to systems running applications which cannot deal with patches. Isolation of these systems is discussed – this is important. While best practices demand that we apply every single patch to every single box, there are times when the business needs that we as security professionals are supposed to support don’t allow us to do so.
There is no timeline for the release of the final document yet. NIST is looking for comments from the security community to ensure that the guide reflects a wide range of organizational experience.
While it is still early days for this project, I am pleased to see the government taking concrete steps to guide the custodians of our critical infrastructure in dealing with one of the most basic aspects of cyber security hygiene. I look forward to seeing the results.