Manage Learn to apply best practices and optimize your operations.

What patch management metrics does Project Quant use?

In this Q&A, expert Michael Cobb reviews the open patch management metrics model called Project Quant.

What patch management metrics does Project Quant use?
Patch management has to be one of the most common topics that SearchSecurity.com readers write to me about. I'm sure this is because even though organizations of all sizes have to deploy software updates and patches as a vital part of maintaining the security of their networks, applications and users, the process is one of the few areas of IT security that lacks any real industry standard or best-practice framework. Furthermore, most organizations don't really know or understand the financial and resource costs associated with patching.

To fill this gap, Microsoft is sponsoring the development of an open patch management metrics model called Project Quant. It was created by the information security research and advisory firm Securosis LLC, and aims to provide a framework to help organizations of all sizes and industries evaluate and improve the total cost of the patch management cycle, from testing patches to actual deployment.

The project, released in July, has 10 phases in its "patch management process lifecycle." Phase Two, titled "Evaluate," covers the initial prioritization phase to determine the nature of the patch, its relevance and general priority for your organization. But this is a quantified metrics model focused on understanding patching costs and improving patching activities. It doesn't provide metrics or instructions on how to determine the criticality of a particular patch to your organization. It's more interested in the steps involved and how long it takes to complete them.

You obviously need to determine if a patch is relevant to your environment and whether the threat posed by a particular vulnerability is within your risk tolerance. Vulnerability criticality is essential for calculating a patch's significance, as is the existence of a known exploit that uses the vulnerability being patched as an attack vector. You may want to consider trying the Secunia Enterprise Vulnerability Manager or Secunia Vulnerability Intelligence Feed. The vulnerability reports provided by these offerings clearly show the criticality of vulnerabilities, not something all vendors' alerts do.

The project is certainly in its early days, but it's well worth following while the model is further refined and the project puts out additional research findings. It's always helpful to be able to see how your own processes and maturity align with the model, particularly if it starts being used for industry benchmarking. The model is vendor-neutral and adaptable to different circumstances as not all users will utilize all elements of the model.

This was last published in November 2009

Dig Deeper on Microsoft Patch Tuesday and patch management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.