Microsoft and NIST Team Up on Patching Guide

Microsoft has teamed up with the US National Institute of Standards and Technology (NIST) to develop a new guide designed to make enterprise patch management easier.

Microsoft lead cybersecurity architect, Mark Simon, explained that the firm had first worked closely with partners from the Center for Internet Security, the Department of Homeland Security (DHS) and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and had also visited several customers.

Two common challenges emerged from the discussions with those customers: how to test patches before deployment, and confusion over how quickly patches should be applied once released.

“This articulated need for good reference processes was further validated by observing that a common practice for ‘testing’ a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum,” Simon explained.

“This realization guided the discussions with our partners towards creating an initiative in the NIST NCCoE [National Cybersecurity Center of Excellence] in collaboration with other industry vendors. This project — kicking off soon — will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.”

Microsoft has extended an open invitation to join the effort to any vendors that have technology that could streamline the patching process, and to organizations or individuals who may have wisdom to share, whether best practice tips or lessons learned.

Fixing software vulnerabilities has never been more important, especially as society increasingly relies on modern IT systems. The growth of digital transformation projects will only further amplify their importance, argued Simon.

“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” he concluded.
