NEWS FROM THE 2009 BLACK HAT BRIEFINGS
Microsoft unveils program to help quantify costs, risks and returns of patch management
Project Quant is one of two initiatives being announced by Microsoft
LAS VEGAS — Microsoft Corp. has unveiled a research program to help organizations quantify the costs, risks and returns of patch management.
The challenge of patch management is demonstrated by the continued success of attacks that exploit known vulnerabilities for which patches are available, said Andrew Cushman, senior strategy director for the Microsoft Security Response Center.
More news from the Black Hat Briefings:
Microsoft calls for united front in war against malware, hackers
New tool could help computer forensics move off the disk and into memory
Exploiting routers can be a high value, and a high effort, activity
New weapon revealed for defense against zero-day attacks
“People haven’t patched,” he said. Project Quant, being undertaken with the analyst firm Securosis, is an effort to develop “a common framework to help understand the problem.”
Project Quant, together with availability of the new Office Visualization Tool that helps detect malicious code within Microsoft Office files, are being announced this week at the Black Hat Briefings security conference. They are part of what Microsoft is calling its “community-based defense” approach to security, under which the software giant is being more forthcoming in the information is shares with the rest of the world, Cushman said.
The community-based initiative began last year with the announcement at Black Hat of three programs that the company says has yielded results. The Microsoft Active Protections Program (MAPP) provides advance details of vulnerabilities to security companies, who have reported significant reductions in development time for signatures and patches. The Exploitability Index is an addition to the Microsoft monthly security update release that predicts the likelihood of a successful exploit to new vulnerabilities. And, the Microsoft Vulnerability Research program now is working with more than thirty vendors to help raise the level of security in third-party products running on Windows.
Project Quant was established to address a major challenge in security: Quantifying the costs and risks of patch management, and ultimately its return on investment. Metrics to measure return on investment are the holy grail of the project, Cushman said, but that probably is a long way off.
“We found we needed a framework to conceptualize the process before we can establish the metrics,” he said. “It’s a work in progress. This is just the beginning of a very long journey.”
A first step in that journey is publication of the first project report, which contains a description of the patch management model including a patch-management lifecycle.
“Surprisingly, initial project investigations did not find any well-defined patch management lifecycle we could leverage, so one key result from the Quant community was a 10-stage Patch Management Process Lifecycle,” the company said in announcing the project.
The project identified areas for further research to complement a patch management cost model. These include a workaround or mitigation process model, as an alternative to patching, and a risk model for patch deferment. “Organizations and vendors may drive down patch costs by simply patching or releasing patches less often,” the company said. “An operational metric is needed to measure the risk trade-off against cost reduction.”
The Office Visualization Tool helps security professionals and researchers better understand the MS Office binary file format in order to deconstruct .doc, .xls and .ppt-based targeted attacks. It graphically shows important data structures and records for Microsoft Word, PowerPoint and Excel. The value of the tool comes from Microsoft’s knowledge of the file formats so that it can more easily recognize well-structured content and identify malicious content, Cushman said.
The tool will be available in the future as a free download.
MAPP now has 47 participating companies that receive technical details of Microsoft vulnerabilities in advance of the company’s security bulletins, Cushman said. It has paid dividends by reducing the time it takes to develop signatures or other tools to address vulnerabilities by as much as 75 percent.
Before MAPP, vendors got no technical details. “They had to reverse-engineer the binary, just like the attackers,” to create solutions, Cushman said. He called the decision to release technical details “a relatively risk step. That information is radioactive. It can be used for good or evil. Microsoft was quite cautious about making it available.”
The Exploitability Index provides information to help prioritize security problems by estimating the likelihood that a vulnerability will be exploited. The severity rating for a security problem is incomplete because it does not include the likelihood of a successful exploit, Cushman said. Of 140 Exploitability Index ratings provided so far there has been only one revision, which lowered the risk assessment severity.
The Microsoft Vulnerability Research program is an initiative to cooperate with third parties to secure applications.
“Not all of the applications that run on Windows are created by Microsoft,” Cushman said.
The program helps other companies in using Secure Development Lifecycle and to identify vulnerabilities. MSVR has identified software vulnerabilities affecting thirty-two vendors, 86 percent of them rated as critical or important. Thirteen percent of third-party vulnerabilities found have been fixed. The program has been credited for publicly fixed issues in the Apple Safari browser, the company said.