James Kavanagh, National Security Officer, Microsoft Australia
Patching of security vulnerabilities is the single most important activity any organisation can undertake to secure their information systems. Having modern, up-to-date and fully patched software is essential to providing a foundation on which other security controls can be overlaid. This is reflected by Australian Signals Directorate guidance that specifically calls out patching of operating systems and applications as two of the Top 4 mitigations against cyber intrusion.
Yet patching of systems within enterprise environments is often perceived as a complex challenge fraught with cultural, procedural and technical issues. Many organisations find it difficult to effectively prioritise and plan for deployment of patches within a consistent risk management framework. Others face significant challenges in consistently complying with policies for the deployment of patches within specified timeframes.
During 2014, Microsoft worked with some of the largest organisations in Australian government and enterprises to navigate these challenges and develop a pragmatic, realistic approach to improving patch management practices in complex environments. By mapping and optimising processes, identifying the root causes of issues, trialling different strategies and establishing performance metric-driven approaches, these organisations have made remarkable progress. As an illustration, one large organisation with more than 10,000 staff now achieve deployment of all priority patches to 90% of workstations within 48 hours – an improvement in timing of more than 3 months. These improvements have a very real impact on the security posture of organisations that are increasingly under threat from online risks.
So to support the work of the Australian Cyber Security Centre whose Conference begins today in Canberra, Microsoft is releasing a guide on how to perform patching in complex environments such as medium and large Australian government agencies and enterprises. The approach outlined in this paper has been proven and refined in a number of organisations who are gaining significant benefits in terms of reduced risk exposure and improved compliance. Perhaps of even more value, by significantly streamlining processes and resources, those organisations have been able to prioritise their efforts on high value activities and greater innovation.
The guide has been developed by Australian engineers in Microsoft Services, Jimmy Fitzsimmons and Rishi Nicolai, who will be sharing their experiences at 1:20pm at the ACSC Conference today 22nd April.