NIST Patch Management Guidelines Overhauled to Reflect Automation Trend

By Anthony Freed | October 10, 2012

Posted in: Network Security Trends

Effective software patch management has long been the bane of security managers, network engineers, and system administrators. The process is often costly, requires significant resources, and can potentially result in unforeseen disruptions to network functionality by interfering with other applications or by causing a system reboot during the installation process.

The task is even more daunting for the largest networks, where the rollout of software updates is often delayed for weeks or even months, leaving sensitive systems exposed to known vulnerabilities that attackers are free to exploit.

"It is a practical impossibility for most organizations to implement patch management perfectly. Most businesses and government agencies cannot even identify all of the computers and applications they own, let alone patch them," Richard Stiennon, Chief Research Analyst at IT Harvest, told Security Bistro.

In an effort to streamline the patching process, many organizations have opted to employ automated patch management solutions, such as those based on the Security Content Automation Protocol (SCAP) issued by the National Institute of Standards and Technology (NIST).

This week NIST issued revised guidelines for automated patch management and is seeking public comment on the changes to the agency's recommended best practices. The previous version of the guidelines was drafted when patching was done manually, before automated processes were in widespread use.

"Professionals need to follow a management process for identifying, acquiring, installing and verifying patches for products and systems. Guide to Enterprise Patch Management Technologies is designed to assist organizations in understanding the basics of patch management technologies," NIST explains on their website.

The revised guidelines seek to better explain the critical importance of effective patch management strategies while providing an overview of the automated technologies available, as well as the establishment of applicable "metrics for measuring the technologies' effectiveness and for comparing the relative importance of patches."
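To make the metrics idea concrete, here is a small worked example of the kind of measurements a patch management program reports on: coverage of applicable patches (overall and per severity), mean days from vendor release to installation, and a ranking of still-missing patches by exposure. This is example code written for this page, not NIST's own definitions and not anything taken from the draft guide; the metric formulas, the PatchRecord layout, the severity weights and the inventory rows are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample data: one row per (host, patch) pair, as a hypothetical
# export from an automated patch management inventory. Dates are fabricated.
@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    severity: str              # "critical", "high", "medium" or "low"
    released: date             # vendor release date
    installed: Optional[date]  # None if the patch is still missing on this host

# Assumed weighting used only to rank outstanding patches; not a NIST scale.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

RECORDS: List[PatchRecord] = [
    PatchRecord("web01", "P-1001", "critical", date(2012, 9, 1), date(2012, 9, 3)),
    PatchRecord("web02", "P-1001", "critical", date(2012, 9, 1), None),
    PatchRecord("db01", "P-1002", "high", date(2012, 9, 10), date(2012, 9, 30)),
    PatchRecord("db01", "P-1003", "low", date(2012, 9, 12), date(2012, 9, 14)),
    PatchRecord("hr01", "P-1001", "critical", date(2012, 9, 1), date(2012, 9, 20)),
]

# Reporting date for the example (constructed).
AS_OF = date(2012, 10, 10)


def coverage(records: List[PatchRecord], as_of: date,
             severity: Optional[str] = None) -> float:
    """Fraction of applicable (host, patch) pairs installed by `as_of`.

    Optionally restricted to one severity, so a report can show that
    'critical' coverage lags even when the overall number looks healthy.
    """
    applicable = [r for r in records
                  if r.released <= as_of
                  and (severity is None or r.severity == severity)]
    if not applicable:
        return 1.0
    done = sum(1 for r in applicable
               if r.installed is not None and r.installed <= as_of)
    return done / len(applicable)


def mean_days_to_patch(records: List[PatchRecord], as_of: date) -> float:
    """Average days from vendor release to installation.

    A patch that is still missing counts as open from its release date up to
    `as_of`, so unpatched hosts pull the average up instead of being ignored.
    """
    applicable = [r for r in records if r.released <= as_of]
    if not applicable:
        return 0.0
    total = 0
    for r in applicable:
        end = r.installed if r.installed is not None else as_of
        total += (end - r.released).days
    return total / len(applicable)


def outstanding_by_risk(records: List[PatchRecord],
                        as_of: date) -> List[Tuple[str, str, int]]:
    """Missing patches ranked by severity weight times days outstanding.

    Returns (host, patch_id, score) tuples, highest exposure first, which is
    the list an operator would work from when deciding what to push next.
    """
    ranked = []
    for r in records:
        if r.released <= as_of and r.installed is None:
            days_open = (as_of - r.released).days
            ranked.append((r.host, r.patch_id,
                           SEVERITY_WEIGHT[r.severity] * days_open))
    ranked.sort(key=lambda item: item[2], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"overall coverage:  {coverage(RECORDS, AS_OF):.0%}")
    print(f"critical coverage: {coverage(RECORDS, AS_OF, 'critical'):.0%}")
    print(f"mean days to patch: {mean_days_to_patch(RECORDS, AS_OF):.1f}")
    for host, patch_id, score in outstanding_by_risk(RECORDS, AS_OF):
        print(f"outstanding: {host} {patch_id} exposure={score}")
```

The point of the per-severity split and the censored mean is that a single "percent patched" figure hides exactly the cases that matter: in the sample data overall coverage is 80%, but critical coverage is only 67%, and the one missing critical patch has been open for 39 days.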

The new guidelines are available here, and feedback on the NIST draft should be submitted to 800-40comments@nist.gov no later than Friday, Oct. 19, 2012.

While automated patch management can provide some insulation from attackers by limiting the available attack vectors, it is only one piece of a robust network security strategy. That strategy should also include real-time intrusion detection to protect against exploits targeting unmitigated software vulnerabilities for which no patch has yet been issued.

"Sadly, even a perfectly patched environment is completely defenseless against zero-day exploits," Stiennon cautioned.
