Gartner Blog Network

WannaCry or Useful Reminders of the Realities of Vulnerability Management

by Anton Chuvakin  |  May 18, 2017  |  3 Comments

WannaCry whatever. Not that I am keyword trawling, but this recent Windows XP/NSA/North Korea/ransomware/bitcoin/OMG drama made me think about good old vulnerability management again – especially given that it is our current research project.

If you look at social media, you’ll see TWO opposite voices about the situation:

  1. “OMG those idiots use Windows XP and/or don’t patch modern Windows, let the negligent bastards die! Die!! Die!!!”
  2. “You morons never worked in the real world; business and IT don’t let us patch for months. Just you shut up! You don’t understand nothing about how real organizations function!”

Naturally, a lot of hilarity is generated in the process (and, don’t get me wrong – we DO need that in our industry!), but not a lot of useful guidance. In our now-classic vulnerability management guidance, we have this visual:


It makes sense, and it is useful – but it skirts the 3rd option: mitigation. So, if the organizations cannot fix the issue and cannot accept the risk, why don’t they mitigate more? Generally, because mitigation (some call it “virtual patching”) requires controls and controls cost money and/or time (to understand, deploy, manage, update, tune, etc). As a sidenote, I also met a few people who equate “accept the risk” with “magically wish it to never realize” rather than use the real meaning: deep in your heart, be totally OK if the risk manifests itself (as in “when you drive the red light, you are OK with being fined $500 or killed on the spot”).

So, we would probably adjust the visual to something like this:

Activity Pro Con
Patch the issue Fix it for good, never have to deal with it Incur the risk of application conflicts and downtime.
Requires work
Ignore the issue Reduce risk of update going bad.
No work needed
You may get hacked, lose data, clients, etc… the usual 🙂
Mitigate the issue Can be done faster than patching and sometimes without system owner participation Spending time and/or money on controls

So, how do you mitigate? How do you make …ahem … Windows XP safe and secure? How to you deal with unpatchable Android devices? Insecure IoT crap? Or with business that does not allow you to take the system down for patching even in the face of near-certainty of a damaging intrusion?

Posts related to the same research project on patch management:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: patching  security  vulnerability-management  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on WannaCry or Useful Reminders of the Realities of Vulnerability Management

  1. […] WannaCry or Useful Reminders of the Realities of Vulnerability Management (vulnerability management research) […]

  2. […] include additional information on the scope of VM programs, prioritization of vulnerabilities and use of mitigation actions when remediation cannot be applied. It is very pertinent considering the whole WannaCry thing that […]

  3. […] my experiences at a recent Security Summit and of course recent ransomware-like incidents (from WannaCry to […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.