When the NotPetya ransomware hit in June 2017, the results were devastating. A variant of the widespread Petya ransomware, NotPetya affected several large companies across many countries, according to Kaspersky Lab, which coined the name for the variant.

After this global attack, Microsoft began researching why customers were not practicing basic cybersecurity hygiene, in particular why they were not applying security patches promptly. NotPetya spread in part through SMBv1 flaws that Microsoft had already fixed in the MS17-010 update of March 2017, three months before the outbreak, so timely patching would have helped mitigate it.

As a result of this effort, and to make it easier for organizations to plan, implement, and improve a patch management strategy, Microsoft is partnering with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE). 

In addition to this partnership, Microsoft has spoken with and learned from partners such as the Center for Internet Security (CIS) and the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

Throughout its research Microsoft confirmed some expected findings, but also found some surprising ones. According to Microsoft, it was surprised by how many challenges organizations faced with processes and standards for patching, rather than with the patches themselves.

This pointed to a need for good reference processes. According to the company, that need was underlined by its observation that a common "testing" practice was simply to ask in an online forum whether anyone had run into issues with a patch, rather than validating it against the organization's own systems before rolling it out.

Microsoft and NIST’s initiative will “build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit,” Microsoft explained.

Both Microsoft and NIST invite vendors and organizations to join these efforts.