NIST Highlights Enterprise Patch Management in Latest Guidance
NIST’s National Cybersecurity Center of Excellence (NCCoE) released final guidance for enterprise patch management.
The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) released final guidance regarding enterprise patch management to help organizations prevent vulnerabilities and exploitation within their IT systems.
The two publications (SP 800-40 and SP 1800-31) emphasized the need to prioritize patching and preventive maintenance in order to avoid data breaches and operational disruptions. SP 800-40 acts as a guide to enterprise patch management planning, while SP 1800-31 explores use cases and approaches for improving enterprise patching practices for general IT systems.
Although the guidance is not healthcare-specific, the sector should take note of enterprise patch management best practices. Unpatched devices and systems can serve as an easy network entry point for threat actors. Medical devices in particular can be difficult to patch due to their portability and the fact that organizations may not know how many devices are on their networks at any given time.
NCCoE directed its guidance toward chief information officers, cybersecurity directors and managers, chief information security officers (CISOs), and anyone else who might be responsible for managing software risks.
“Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization,” NCCoE explained.
“Patching is more important than ever because of the increasing reliance on technology, but there is often a divide between business/mission owners and security/technology management about the value of patching.”
NCCoE positioned patching as a “cost of doing business,” emphasizing that a thorough enterprise-wide patch management strategy is crucial to avoiding adverse events.
“By default, an organization accepts the risk posed by using its software. Software could have vulnerabilities in it at any time that the organization does not know about, and sometimes previously unknown vulnerabilities are exploited – a zero-day attack,” one of the publications noted.
“Once a new vulnerability becomes publicly known, risk usually increases because attackers are more likely to develop exploits that target the vulnerable software.”
Patching immediately is ideal, but the guide acknowledged that immediate patching can be unrealistic in certain situations. It is important to know how to assess risk properly to manage vulnerability patching. Organizations should keep an asset inventory and learn how new vulnerabilities might affect their most critical assets.
Before deploying a patch, organizations should schedule the deployment, test the patch, and validate it via automation. After deploying, it is imperative that IT teams monitor the deployed patches, the publication explained.
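To make the inventory, risk-assessment and post-deployment monitoring steps concrete, here is an added illustration (not code from NIST or from the article): it ranks outstanding patch work by asset criticality and severity, raises the score when an exploit is public, and re-checks the inventory after installs. The scoring weights, the data model, the asset names and the vulnerability identifiers are all constructed assumptions, not values from either publication.

```python
# Added illustration, not code from NIST or the article: risk-based patch prioritization.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # constructed placeholder, not a real CVE
    software: str         # affected component
    fixed_version: str    # first version containing the patch
    cvss: float           # 0.0-10.0 base severity
    exploit_public: bool  # publicly known exploit raises likelihood

@dataclass
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (mission critical), from the inventory
    software: dict = field(default_factory=dict)  # component -> installed version

def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """True when the asset runs the component below the fixed version."""
    installed = asset.software.get(vuln.software)
    return installed is not None and version_tuple(installed) < version_tuple(vuln.fixed_version)

def risk_score(asset: Asset, vuln: Vuln) -> float:
    """Severity times asset criticality, doubled when an exploit is public (assumed weights)."""
    exposure = 2.0 if vuln.exploit_public else 1.0
    return round(vuln.cvss * asset.criticality * exposure, 1)

def prioritize(assets, vulns):
    """Patch work items as (score, asset name, vuln id), highest risk first."""
    items = [(risk_score(a, v), a.name, v.vuln_id) for a in assets for v in vulns if is_affected(a, v)]
    return sorted(items, reverse=True)

def record_patch(asset: Asset, vuln: Vuln) -> None:
    """Update the inventory after a verified install (normally fed by the patch tool)."""
    asset.software[vuln.software] = vuln.fixed_version

def verify_deployed(assets, vulns):
    """Monitoring step: names of assets still reporting a vulnerable version."""
    return sorted({a.name for a in assets for v in vulns if is_affected(a, v)})

def sample_inventory():
    """Constructed sample data; returns fresh objects so callers can mutate them."""
    assets = [Asset("infusion-pump-07", 5, {"pumpOS": "3.1.2"}),
              Asset("billing-db-01", 4, {"dbengine": "12.3.0"}),
              Asset("kiosk-lobby", 1, {"browser": "101.0.0"})]
    vulns = [Vuln("VULN-A", "pumpOS", "3.2.0", 7.5, True),
             Vuln("VULN-B", "dbengine", "12.4.1", 9.8, False),
             Vuln("VULN-C", "browser", "102.0.0", 6.5, True)]
    return assets, vulns
```

Note that the moderate-severity pump issue outranks the critical-severity database one because it combines a mission-critical asset with a public exploit, which is the kind of asset-aware ordering the guidance asks for.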
“What has made enterprise patch management tougher recently is how dynamic and dispersed computing assets are, as well as the sheer number of installed software components to patch. In addition, patch management processes and technology take different forms depending on the type of assets (e.g., OT, IoT, mobile, cloud, traditional IT, virtual machines, containers),” the publication pointed out.
“The result is that many organizations are unable to keep up with patching. Patching often becomes primarily reactive (i.e., quickly deploy a patch when a severe vulnerability is being widely exploited) versus proactive (i.e., quickly deploy patches to correct many vulnerabilities before exploitation is likely to occur).”
Reactive patching may leave the door open for threat actors to enter and exploit systems. But the ongoing cybersecurity workforce shortage means that many organizations have short-staffed security teams with less time to devote to proactive and preventive measures.
Even so, implementing response plans and risk management strategies in advance can help organizations save time later.
NCCoE encouraged collaboration across the enterprise, from the C-suite to the security and IT teams. The publication also urged organizations to rely on automation to lighten workloads and to operate under the assumption that security incidents will happen.
“To improve enterprise patch management, organizations need to change their culture so that instead of fearing problems and thus delaying risk responses, personnel are prepared to address problems when they occur,” NCCoE stated.
“The organization needs to become more resilient, and everyone in the organization needs to understand that problems caused by patching are a necessary inconvenience that helps prevent major compromises.”