The National Institute of Standards and Technology (NIST) and Microsoft this week announced a joint effort aimed at helping enterprises improve their patching strategies.
Motivated by massive cyber-attacks such as WannaCry and the devastating NotPetya, the goal of the initiative is to help organizations plan, implement, and improve their enterprise patch management strategies.
Timely patching could have mitigated the rapid spread seen in both attacks, since each targeted vulnerabilities that had already been fixed (those exploited by EternalBlue and EternalRomance, the exploits linked to the National Security Agency).
Following these attacks, Microsoft decided to look into why some of its customers had not applied the security patches, which had been available for months when NotPetya hit.
Microsoft says that it also listened directly to customer challenges regarding patches, thus discovering that some customers don’t even test a patch before deployment, but merely ask on online forums if anyone has had issues with that patch.