Patch management

Jul 27, 2009 13:49 GMT

Security updates are an integral part of IT infrastructure maintenance, yet no less than 50% of the Project Quant Survey's respondents indicated that they relied on only an informal patch management process, or had none at all, for hardening the application software installed on their desktops. Project Quant aims to streamline and optimize the process of evaluating and deploying software updates, so that companies do not leave themselves open to attack by neglecting to install patches or by integrating them poorly.

But the optimization of patch management is only one aspect of Project Quant, made public by Microsoft at Black Hat USA 2009. The software giant explained that the project also delivers a framework that lets companies build a cost model for the processes associated with patch management. Project Quant is not tailored to a specific industry, nor does it reflect the needs of companies of a particular circumstance or size. On the contrary, the generalized model can be adapted to the needs of any customer and used by any company to improve its security by keeping the software in its IT infrastructure up to date.

Moreover, the model is designed to be vendor-neutral, and through the Project Quant website companies can join the community already established around it, share their insights, discuss problems and data, and describe their own adaptations of the industry best practices made available through the initiative. Project Quant was created by analyst firm Securosis and sponsored by Microsoft. According to the Redmond company, Microsoft security guru Jeff Jones and Rich Mogull of Securosis were responsible for the evolution of the project after its "birth."

Essentially, Project Quant's model spans all areas of patch management, from simply monitoring for patches to wrapping up deployment by confirming that the rollout is complete. Microsoft pointed out that companies can use the framework not only for workstations but also for servers and other devices in their IT infrastructure.

Under a Creative Commons license, Project Quant offers companies a wide variety of materials, from primary research to surveys, interviews, community participation content and even internal project communications. Microsoft explained that this approach guarantees participants an open and transparent research initiative.

Version 1.0 of the Project Quant Report will be made available this week, bringing to the table a description of the Update Management Model, including the community-developed patch management cycle. The report will be accompanied by the Project Quant Model Spreadsheet 1.0, which will contain metrics and variables critical to adapting the model to specific patch management needs.

Microsoft enumerated the key results of Project Quant:

- Project Quant achieved the goal of community participation, with significant contributions and feedback from customers and IT professionals on the project site.

- The project defined an Update Management Process Lifecycle. Surprisingly, initial project investigations did not find any well-defined patch management life cycle that could be leveraged, so one key result from the Quant community was a 10-stage Update Management Process Lifecycle as detailed on the project Web site and in the published report.

- Project Quant identified further areas of research that need to be explored to complement the Update Management Cost Model:

  - Workaround/Mitigation Process Model, as an alternative to patching.

  - Risk Model for Update Deferment. Organizations and vendors may drive down patch costs by simply patching or releasing patches less often. An operational metric is needed to measure the risk trade-off against cost reduction.

- The project created a v1.0 Model. Though the model and report are a v1.0 effort, the process components, key variables and operational metrics are sufficiently well-defined that organizations can begin leveraging them to help describe and define their patch management maturity.