08:29 PM
Connect Directly

Security Spending Still Doesn't Follow Attack And Breach Trends

Databases may be at risk of the most severe damages from attacks, but the network layer still gobbles up most of the security cash

When it comes to lining up IT security spending to protect the assets most at risk to criminal attacks and exposing organizations to costly breaches, priorities still seem to be out of whack. A new survey out this week shows that while IT teams acknowledge that attacks on core infrastructure elements pose some of the most severe risk to their organizations, they're still spending on average less than a quarter of their IT security budget on core infrastructure elements like databases, applications, and servers, as compared to 67 percent on network assets.

"Organizations can't continue to spend on the wrong risks and secure themselves out of business," said Mary Ann Davidson, chief security officer at Oracle, which sponsored the survey. "When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access."

[Is cross-site request forgery still a concern for your organization? See CSRF Still Armed And Dangerous.]

Conducted among more than 110 global companies across all the major verticals, the survey shows that 52 percent of organizations say the risks damage posed by attacks against databases is most severe, compared with just 34 percent who said the same about attacks against the network. And yet 67 percent of the same organizations reported allocating the most resources to network assets, as compared with just 15 percent that throw the most money at database security.

According to Josh Shaul of database security firm Application Security Inc., the big problem IT security faces is getting business executives on board to really believe their core infrastructure is at risk.

"In many cases, it takes a breach for the risk to become believable, even in the face of penetration test results that clearly show an attacker's ability to get in and gain access to sensitive data," he says. "This disbelief seems to get stronger as the systems get more important -- when it comes to databases, some of the most critical systems out there, business executives will go to amazing lengths to retain their belief that these systems are unbreakable."

While the application layer is increasingly a vector for attackers to either enter organizations or escalate attacks further in the network, it is similarly ignored from a budgetary perspective, according to the survey. Just 15 percent of organizations reported spending the bulk of their security budget on application security. This jibes with what John Maddison, Fortinet's vice president of marketing, sees from most organizations today.

"Application security represents a relatively small piece of the overall security pie," Maddison says. "When customers start to embrace a zero trust model beyond just mobile [or] endpoint devices and include Web, application and database servers, then this spending pattern will be reviewed."

He warns that no matter how organizations reprioritize their security spending ratios, they should be mindful not to do it without cohesiveness in mind. This seems to be a problem for many organizations -- the Oracle survey showed that 40 percent of respondents believed that implementing point solutions created gaps in their security.

"What you cannot do is continue adding distinct security applications and appliances all over the place," Maddison says. "There needs to be a platform to consolidate."

Shaul says that the survey highlights yet again that security organizations have to take a holistic look at their assets to understand how adversaries target infrastructure to develop attacks in order to breach information.

"In many cases, those assets are data. Then organizations should put their biggest security focus on the identified 'at-risk' assets," he says. "That probably means moving budgets from the network perimeter and endpoints to the data center, and implementing a true layered defense where security technologies get more sophisticated and harder to bypass as you get closer to the assets you want to protect."

Shaul also couldn't help getting a dig in at Oracle, highlighting how infrastructure companies themselves may need to undo past years of work of inflated security claims in order to let their customers know their products may be at risk.

"It's interesting to see Oracle commenting on the lack of security spending around databases, when it is Oracle who went out and told the world that their databases are unbreakable," says Shaul, saying those long ago words were exactly what many executives wanted to hear and ones that they've bought into at this point. "When the vendor says the system is secure, it's easy to ignore the facts on the street that show otherwise."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
7/18/2013 | 10:03:17 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Well said. Perimeter defense is table stakes. Actually, if you include the new solutions targeting "APT" or advanced malware detection (FireEye, Damballa, everyone and their mother now) as network perimeter solutions, then that spending might even go up. Also, you have to consider that many "network perimeter" controls provide direct application and database protection. Is a WAF deployed as part of an F5 in the DMZ being counted as a network perimeter control or application control?

"I'm not going to approve implementing database security control X because Oracle is unbreakable"...said no executive, ever. That was marketing, No one is that stupid.
User Rank: Apprentice
7/18/2013 | 5:00:32 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Saying that organizations are spending too much on network security and not enough on database and application security is like saying the bank spends too much on the building and not enough on the safe deposit boxes. But if a bad guy can't get into the building in the first place, isn't the safe already protected?

Likewise, if the perimeter of a network is sufficiently defended, this automatically provides greater protection for servers, applications, and databases.

Extending the metaphor, most banks are robbed by people who entered the building legally, initially posing as customers (a sort of testament to the strength of the outer, or building, defenses). Likewise, many database attacks are attempted by those who got into the network legally, initially posing as visitors (a testament to the strength of the outer network defenses). So, just as safes need to be protected in banks, databases and apps need to be protected within networks. But the bulk of the investment is at the perimeter -- as it should be.
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

Published: 2015-07-26
Honeywell Tuxedo Touch before relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!