08:29 PM
Connect Directly

Security Spending Still Doesn't Follow Attack And Breach Trends

Databases may be at risk of the most severe damages from attacks, but the network layer still gobbles up most of the security cash

When it comes to lining up IT security spending to protect the assets most at risk to criminal attacks and exposing organizations to costly breaches, priorities still seem to be out of whack. A new survey out this week shows that while IT teams acknowledge that attacks on core infrastructure elements pose some of the most severe risk to their organizations, they're still spending on average less than a quarter of their IT security budget on core infrastructure elements like databases, applications, and servers, as compared to 67 percent on network assets.

"Organizations can't continue to spend on the wrong risks and secure themselves out of business," said Mary Ann Davidson, chief security officer at Oracle, which sponsored the survey. "When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access."

[Is cross-site request forgery still a concern for your organization? See CSRF Still Armed And Dangerous.]

Conducted among more than 110 global companies across all the major verticals, the survey shows that 52 percent of organizations say the risks damage posed by attacks against databases is most severe, compared with just 34 percent who said the same about attacks against the network. And yet 67 percent of the same organizations reported allocating the most resources to network assets, as compared with just 15 percent that throw the most money at database security.

According to Josh Shaul of database security firm Application Security Inc., the big problem IT security faces is getting business executives on board to really believe their core infrastructure is at risk.

"In many cases, it takes a breach for the risk to become believable, even in the face of penetration test results that clearly show an attacker's ability to get in and gain access to sensitive data," he says. "This disbelief seems to get stronger as the systems get more important -- when it comes to databases, some of the most critical systems out there, business executives will go to amazing lengths to retain their belief that these systems are unbreakable."

While the application layer is increasingly a vector for attackers to either enter organizations or escalate attacks further in the network, it is similarly ignored from a budgetary perspective, according to the survey. Just 15 percent of organizations reported spending the bulk of their security budget on application security. This jibes with what John Maddison, Fortinet's vice president of marketing, sees from most organizations today.

"Application security represents a relatively small piece of the overall security pie," Maddison says. "When customers start to embrace a zero trust model beyond just mobile [or] endpoint devices and include Web, application and database servers, then this spending pattern will be reviewed."

He warns that no matter how organizations reprioritize their security spending ratios, they should be mindful not to do it without cohesiveness in mind. This seems to be a problem for many organizations -- the Oracle survey showed that 40 percent of respondents believed that implementing point solutions created gaps in their security.

"What you cannot do is continue adding distinct security applications and appliances all over the place," Maddison says. "There needs to be a platform to consolidate."

Shaul says that the survey highlights yet again that security organizations have to take a holistic look at their assets to understand how adversaries target infrastructure to develop attacks in order to breach information.

"In many cases, those assets are data. Then organizations should put their biggest security focus on the identified 'at-risk' assets," he says. "That probably means moving budgets from the network perimeter and endpoints to the data center, and implementing a true layered defense where security technologies get more sophisticated and harder to bypass as you get closer to the assets you want to protect."

Shaul also couldn't help getting a dig in at Oracle, highlighting how infrastructure companies themselves may need to undo past years of work of inflated security claims in order to let their customers know their products may be at risk.

"It's interesting to see Oracle commenting on the lack of security spending around databases, when it is Oracle who went out and told the world that their databases are unbreakable," says Shaul, saying those long ago words were exactly what many executives wanted to hear and ones that they've bought into at this point. "When the vendor says the system is secure, it's easy to ignore the facts on the street that show otherwise."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
7/18/2013 | 10:03:17 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Well said. Perimeter defense is table stakes. Actually, if you include the new solutions targeting "APT" or advanced malware detection (FireEye, Damballa, everyone and their mother now) as network perimeter solutions, then that spending might even go up. Also, you have to consider that many "network perimeter" controls provide direct application and database protection. Is a WAF deployed as part of an F5 in the DMZ being counted as a network perimeter control or application control?

"I'm not going to approve implementing database security control X because Oracle is unbreakable"...said no executive, ever. That was marketing, No one is that stupid.
User Rank: Apprentice
7/18/2013 | 5:00:32 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Saying that organizations are spending too much on network security and not enough on database and application security is like saying the bank spends too much on the building and not enough on the safe deposit boxes. But if a bad guy can't get into the building in the first place, isn't the safe already protected?

Likewise, if the perimeter of a network is sufficiently defended, this automatically provides greater protection for servers, applications, and databases.

Extending the metaphor, most banks are robbed by people who entered the building legally, initially posing as customers (a sort of testament to the strength of the outer, or building, defenses). Likewise, many database attacks are attempted by those who got into the network legally, initially posing as visitors (a testament to the strength of the outer network defenses). So, just as safes need to be protected in banks, databases and apps need to be protected within networks. But the bulk of the investment is at the perimeter -- as it should be.
Register for Dark Reading Newsletters
White Papers
Latest Comment: nice post
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

Published: 2015-07-01
Heap-based buffer overflow in libwmf allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

Published: 2015-07-01
IBM PowerVC Standard Edition through does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report