Project Quant

I am pleased today to announce a project that I have been working to get going for a little while – Project Quant – an open model/method development project being done in conjunction with Rich Mogull of Securosis. Its goal is to develop a cost model for patch management response that accurately reflects the financial and resource costs associated with the process of evaluating and deploying software updates (patch management).

For me, this is a convergence of two passions that I have in my job and the work I do:

  • Helping establish objective metrics for security, and
  • Providing tools that are useful to customers

I’ve spoken with a lot of Microsoft customers and found that within the IT departments, they have a strong desire for metrics that help them drive their day-to-day business. Many of my past analyses and reports were developed with this in mind, but they tend towards the technical and less towards the business aspects of security. If we know that two software companies both fixed 50 vulnerabilities last year, that might tell us something about the software, but it doesn’t tell us how those fixes impacted different customers in terms of work required or resources consumed.

As a small (incomplete) example, here are some things that would affect the IT departments:

  • How many updates were the fixes bundled into and when were they released?
  • Do the vulnerabilities affect software I have in production or not?
  • What were the severity ratings and what is my policy with respect to severity ratings?
  • How many people work in patch management for my company and what are their roles?
  • What sort of tools do I have for deployment?

I think what is needed is a model that captures these and many other aspects of patch management policies and operational realities, and that is also flexible enough to model small businesses as well as very large corporations. Project Quant is an effort to get the ball rolling on that.

Regards ~ Jeff

Want to participate in Project Quant? Have experience with IT patch management? Opinions? Then we want you to participate! Go check out the Project Quant page on Securosis.com and begin sharing your thoughts and ideas. Discussion forums will be up within a day or two as well.

Initial Project Quant news coverage:

http://blogs.zdnet.com/security/?p=3151

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=216500918

http://threatpost.com/blogs/microsoft-unveil-patch-management-metrics-project

http://www.eweek.com/c/a/Security/Microsoft-Analysts-Team-Up-to-Improve-Patch-Management-372087/

(and a German article) Microsoft: Schnelleres Patchen mit Project Quant (“Microsoft: Faster patching with Project Quant”)

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends