Microsoft and the US government are asking patch management vendors and end-user organizations to share their experiences about how to swiftly patching security flaws and explain learnings from past failures.
Microsoft is encouraging all patch management vendors and Windows customers to reach out to the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) for help to solve challenges around patching security flaws in the face of rapidly spreading malware outbreaks .
The joint effort is partly inspired by the devastating NotPetya attack that relied on exploits for the same flaws Microsoft rushed out patches for in response to WannaCry, which happened a few months earlier in May 2017.
“We were particularly concerned with why patches hadn’t been applied, as they had been available for months and had already been used in the WannaCrypt worm—which clearly established a ‘real and present danger’,” said Mark Simos, a lead cybersecurity architect at Microsoft’s cybersecurity solutions group.
Microsoft issued patches for the NSA-developed EternalBlue flaws in March 2017 in the security bulletin MS17-010.
NotPetya began spreading in June 2017, causing over $1 billion in damages to several global firms, including shipping giant Maersk, despite raised awareness of the EternalBlue exploit due to WannaCry. The infections spread rapidly, catching many organizations off guard and leaving them with huge bills linked to production downtime and IT cleanups.
While everyone assumes patches can and should be deployed as quickly as possible, not all organizations have the resources to do so.
Microsoft surveyed 845 IT pros a few months after NotPetya and found that about 80% believed they could patch workstations and servers within 30 days. But NotPetya demonstrated that when faced with rapid cyberattack, patch management in practice might not have been so good.
Microsoft recommends organizations apply patches on all systems within 30 days, validating backups and reducing broad permissions within 90 days, and disabling unneeded legacy protocols in the quarter after and beyond, such as the SMBv1 network sharing protocol.
Microsoft says vendors should contact NIST at email@example.com if they have “technology offerings to help with patch management (scan, report, deploy, measure risk, etc).
It also wants end-user organizations and individuals to share “lessons learned from a successful enterprise management program (or lessons learned from failures, challenges, or any other situations)” with NIST.
Simos frames the program as "patching for social responsibility”, which is a fair description given the economic losses caused by both attacks. WannaCry cost the UK’s National Health Service (NHS) £92 million (AUD$170 million), consisting of £19 million in downtime during the attack and £73 million in IT costs, which mostly occurred in the cleanup.
The project is “kicking off soon”, according to Simos, and will build “common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab.”
The results will be shared in the NIST Special Publication 1800 practice guide, allowing all organizations to benefit from the shared input.
There were two surprise questions that prompted Microsoft to contribute to this project with NIST. These were: What sort of testing should they be doing when testing patches? And how fast should systems be patched?
“This articulated need for good reference processes was further validated by observing that a common practice for “testing” a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum,” explained Simos.
Additionally, major digital transformation projects over the past decade have made large organizations -- and the people who depend on those services -- much more dependent on technology working.