This September, the National Institute of Standards and Technology (NIST) published a public review copy of their "Guide to Enterprise Patch Management Technologies" (NIST Special Publication 800-40, Revision 3). The NIST tests and develops management and implementation strategies for US Federal IT systems, and collaborates with academic, industry, and government organizations to publish standards and recommendations for information security and threat mitigation.
In addition to defining patch management and discussing the implications of not implementing a patch management process or system in any organization, the NIST's guide shares some helpful recommendations regarding how to select, deploy, and measure a patch management solution in standard and diverse enterprises. Furthermore, the guide references several other publications that go into more detail about related topics that are beyond its own scope. The references include publications about securing mobile devices on enterprise networks and securing full virtualization technologies.
NIST Patching Strategy Recommendations
This publication goes into a nice level of detail about patch management solutions in general, including discussing some of their inherent risks and how to mitigate them. The following is a brief summary of some of the most important takeaways from its sections on patching technologies and implementation/performance metrics (sections 4 and 5, respectively).
- Agent-based patch management technologies are generally the most capable option for patching servers and clients, especially if the enterprise supports computers that aren't always on the local network (laptops, for example). One possible downside of agent-based solutions, however, is that they might not support systems with a non-standard architecture (like appliances or full virtualization systems).
- It's best to start small and test regularly all along the way. From initially deploying the technology, to deploying patches to clients, NIST recommends you start with a small group of target systems and test everything before you push it out to the production environment.
- When you're ready to start measuring the impact of your patching solution, measure adoption rates first, and then move on to measuring more detailed patching statistics and business impacts as the implementation matures. Before measuring anything, though, be sure you clearly define your goals and requirements for the solution to ensure your measurements are relevant.
Acting on the NIST Recommendations
The publication does not go into any detail about specific patching solutions, nor does it recommend one vendor or mechanism over another. However, it's clear to me that Microsoft Windows Server Update Services (WSUS) is a great place for any organization to start in an effort to meet the NIST recommendations. WSUS is free, and it comes standard with Windows Server 2003, Windows Server 2008, and beyond. It provides the agent-based patching functionality the NIST recommends, and its approval features are conducive to small-target testing. Furthermore, WSUS provides built-in reports to measure the patching statistics once you're up and running.
There are a few downsides to WSUS, however. For one thing, WSUS is limited to managing patches for Microsoft products alone. For another, the native reporting available in WSUS is markedly rudimentary. For a truly comprehensive patching solution, consider extending WSUS with a third-party patch management technology like SolarWinds Patch Manager. With Patch Manager, patch management is simplified and you'll have all the capabilities of WSUS with added features that include a rich catalog of third-party patches (including Chrome, Firefox, and Java patches) and robust inventory and reporting tasks, making WSUS patch management simple and easy!
To keep up to date with the latest version of the publication I discussed here, along with many others in the same category, visit http://csrc.nist.gov/publications/PubsFL.html#System & Information Integrity.