Microsoft and Securosis security analysts are joining forces to develop a model businesses can use to evaluate their patch management processes in terms of cost and efficiency. The effort is being called Project Quant.
Ever wonder how it was that the Conficker worm spread so rapidly even
though there was a patch available for the Microsoft
As it turns out, the patch
is not as straightforward or simple as outsiders might
imagine. With that in mind, Microsoft is teaming up with security consulting
company Securosis to create metrics that can be used to assess the efficiency
of an organization's patching process. In an effort called Project Quant,
the duo will give organizations a model with which to calculate the total
cost of patch management.
"Most of the medium to larger businesses that I have worked with have
at least some sort of a good patch management process in there, particularly
for their desktop patches," said Rich Mogull, founder of Securosis.
"But home users, small businesses [and] all these other organizations
definitely are a lot worse."
Even the big guys don't get it perfect, however.
"A lot of the server stuff is handled separately from desktops, so
these patches go out way slower because they are worried about when can
they take the server down, those kind of things," Mogull said. "[Also]
there's a lot of times a misperception that, 'Oh, we're behind the firewall so
The consequences of being unpatched can be dire. In its Intelligence Report
for the second half of 2008, Microsoft
found that 91.3 percent of attacks
against Microsoft Office exploited
a single vulnerability
that was patched more than two years ago
In an e-mail, Qualys
CTO Wolfgang Kandek
told eWEEK that in general the company sees Microsoft patches being applied quickly
in the beginning, reaching about 50 percent after 30 days. At that point, the
patching slows down.
"I do not know why so many machines remain unpatched, but people are
definitely aware of the state these machines are in through our reporting
tools," Kandek said. "It is possible that these are machines that
have just entered an organization and are temporarily unmanaged, i.e. do not
have automatic patching enabled. Another explanation would be that patching and
potentially impacting on the functioning of the machine poses a greater problem
than the risk of exploitation."
Project Quant will encompass the patching process as a whole and will
not just deal with Microsoft fixes. Ultimately, Project Quant will deliver
a written report and a spreadsheet-based model. It is slated to be finished
around June, according to the Securosis blog.