Attacks/Breaches
7/17/2013
08:29 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Security Spending Still Doesn't Follow Attack And Breach Trends

Databases may be at risk of the most severe damages from attacks, but the network layer still gobbles up most of the security cash

When it comes to lining up IT security spending to protect the assets most at risk to criminal attacks and exposing organizations to costly breaches, priorities still seem to be out of whack. A new survey out this week shows that while IT teams acknowledge that attacks on core infrastructure elements pose some of the most severe risk to their organizations, they're still spending on average less than a quarter of their IT security budget on core infrastructure elements like databases, applications, and servers, as compared to 67 percent on network assets.

"Organizations can't continue to spend on the wrong risks and secure themselves out of business," said Mary Ann Davidson, chief security officer at Oracle, which sponsored the survey. "When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access."

[Is cross-site request forgery still a concern for your organization? See CSRF Still Armed And Dangerous.]

Conducted among more than 110 global companies across all the major verticals, the survey shows that 52 percent of organizations say the risks damage posed by attacks against databases is most severe, compared with just 34 percent who said the same about attacks against the network. And yet 67 percent of the same organizations reported allocating the most resources to network assets, as compared with just 15 percent that throw the most money at database security.

According to Josh Shaul of database security firm Application Security Inc., the big problem IT security faces is getting business executives on board to really believe their core infrastructure is at risk.

"In many cases, it takes a breach for the risk to become believable, even in the face of penetration test results that clearly show an attacker's ability to get in and gain access to sensitive data," he says. "This disbelief seems to get stronger as the systems get more important -- when it comes to databases, some of the most critical systems out there, business executives will go to amazing lengths to retain their belief that these systems are unbreakable."

While the application layer is increasingly a vector for attackers to either enter organizations or escalate attacks further in the network, it is similarly ignored from a budgetary perspective, according to the survey. Just 15 percent of organizations reported spending the bulk of their security budget on application security. This jibes with what John Maddison, Fortinet's vice president of marketing, sees from most organizations today.

"Application security represents a relatively small piece of the overall security pie," Maddison says. "When customers start to embrace a zero trust model beyond just mobile [or] endpoint devices and include Web, application and database servers, then this spending pattern will be reviewed."

He warns that no matter how organizations reprioritize their security spending ratios, they should be mindful not to do it without cohesiveness in mind. This seems to be a problem for many organizations -- the Oracle survey showed that 40 percent of respondents believed that implementing point solutions created gaps in their security.

"What you cannot do is continue adding distinct security applications and appliances all over the place," Maddison says. "There needs to be a platform to consolidate."

Shaul says that the survey highlights yet again that security organizations have to take a holistic look at their assets to understand how adversaries target infrastructure to develop attacks in order to breach information.

"In many cases, those assets are data. Then organizations should put their biggest security focus on the identified 'at-risk' assets," he says. "That probably means moving budgets from the network perimeter and endpoints to the data center, and implementing a true layered defense where security technologies get more sophisticated and harder to bypass as you get closer to the assets you want to protect."

Shaul also couldn't help getting a dig in at Oracle, highlighting how infrastructure companies themselves may need to undo past years of work of inflated security claims in order to let their customers know their products may be at risk.

"It's interesting to see Oracle commenting on the lack of security spending around databases, when it is Oracle who went out and told the world that their databases are unbreakable," says Shaul, saying those long ago words were exactly what many executives wanted to hear and ones that they've bought into at this point. "When the vendor says the system is secure, it's easy to ignore the facts on the street that show otherwise."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AnonymousMan
100%
0%
AnonymousMan,
User Rank: Moderator
7/18/2013 | 10:03:17 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Well said. Perimeter defense is table stakes. Actually, if you include the new solutions targeting "APT" or advanced malware detection (FireEye, Damballa, everyone and their mother now) as network perimeter solutions, then that spending might even go up. Also, you have to consider that many "network perimeter" controls provide direct application and database protection. Is a WAF deployed as part of an F5 in the DMZ being counted as a network perimeter control or application control?

"I'm not going to approve implementing database security control X because Oracle is unbreakable"...said no executive, ever. That was marketing, No one is that stupid.
Bruns
50%
50%
Bruns,
User Rank: Apprentice
7/18/2013 | 5:00:32 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Saying that organizations are spending too much on network security and not enough on database and application security is like saying the bank spends too much on the building and not enough on the safe deposit boxes. But if a bad guy can't get into the building in the first place, isn't the safe already protected?

Likewise, if the perimeter of a network is sufficiently defended, this automatically provides greater protection for servers, applications, and databases.

Extending the metaphor, most banks are robbed by people who entered the building legally, initially posing as customers (a sort of testament to the strength of the outer, or building, defenses). Likewise, many database attacks are attempted by those who got into the network legally, initially posing as visitors (a testament to the strength of the outer network defenses). So, just as safes need to be protected in banks, databases and apps need to be protected within networks. But the bulk of the investment is at the perimeter -- as it should be.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

CVE-2014-2966
Published: 2014-07-26
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.