US agency highlights ‘divide’ between security teams and their colleagues about the value of patching

NIST has overhauled its enterprise patch management guidance

The US National Institute of Standards and Technology (NIST) has overhauled its enterprise patch management guidance for the first time in nearly a decade.

Whereas the previous, 2013 iteration focused on helping organizations to deploy patch management technologies, the new edition centers on developing strategies for patch management.

Put together by NIST’s National Cybersecurity Center of Excellence (NCCoE), NIST Special Publication (SP) 800-40 Revision 4 “is based on the assumption that […] organizations would benefit more from rethinking their patch management planning than their patch management technology”.

Nevertheless, NIST has also issued a companion publication demonstrating how commercial tools can support enterprises in implementing its revised guidance.

‘Simplify and operationalize’

The new, strategy-focused guidance “discusses common factors that affect enterprise patch management and recommends creating an enterprise strategy to simplify and operationalize patching while also improving reduction of risk”.

In doing so, the guidance sets out to bridge the “divide between business/mission owners and security/technology management about the value of patching”, according to NIST.

The companion publication, NIST SP 1800-31, emerged from a collaboration between NCCoE and some of the biggest providers of cybersecurity technologies.

Featuring contributions from the likes of Cisco, IBM, and Microsoft, it outlines how commercial technologies can be deployed to “implement the inventory and patching capabilities organizations need to handle both routine and emergency patching situations”, as well as “implement temporary mitigations, isolation methods, or other alternatives to patching”.

The guidance also recommends “security practices for protecting the patch management systems themselves”.

Equifax lesson

NIST frames the patching of security vulnerabilities in firmware, operating systems, or applications as a necessary “cost of doing business”.

When neglect of patch management results in serious compromises, these costs are undoubtedly dwarfed by the financial and reputational costs attendant to system downtime, data breaches, and other adverse outcomes.

No organization is more acutely aware of this fact than Equifax, which recently finalized a settlement for the victims of a 2017 data breach that has cost the credit reporting agency years of grief and millions of dollars so far.

The breach, which exposed the personal information of more than 163 million individuals, arose from an Apache Struts vulnerability for which a patch had been available for two months prior to its exploitation by cybercriminals.

Faster attackers

Whether through inefficiency, worries about system availability, or various other reasons, many enterprises clearly remain slow to patch systems – even as attackers continue to get faster at exploiting vulnerabilities.

A recent study by cybersecurity firm Rapid7, for instance, found that the average time to exploitation of known vulnerabilities had, year on year, plummeted from 42 to 12 days.

With leading technology vendors demonstrating significant improvements in rolling out patches, NIST will hope the update to its patch management guidance will encourage enterprises to become more nimble too.