Mark Simos, lead cybersecurity architect for Microsoft’s Enterprise Cybersecurity Group, wrote a blog about the solution developed with NIST. Called “Critical Cybersecurity Hygiene: Patching the Enterprise Project”. NIST is part of the U.S. Department of Commerce. Microsoft says working with the body allows for a smoother patch experience, which it calls patch hygiene. The company says the program was initiated following the WannaCry attacks. Many organizations were left vulnerable to the attack simply because their machines were not patched. Per a description on the NIST Page, the partnership will bring “prescriptive guidance on establishing policies and processes for the entire patching life cycle,” which will get published in an “NIST Cybersecurity Practice Guide.” Neither Microsoft or NIST have said when the hygiene guide will go live. However, it seems some way off as NIST is seeking tech partner vendors to help with the project.
Patch Limitations
Microsoft investigated why users were not patching services and found many enterprises were uncertain on which tests to conduct to find out which patches are needed. Most were simply looking on online forums according to Simos. “This articulated need for good reference processes was further validated by observing that a common practice for ‘testing’ a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum,” he explained. It’s worth noting Microsoft uses its own Message Center to highlight patches for Windows 10. However, Simos concedes its not the most robust approach.