08:29 PM

Security Spending Still Doesn't Follow Attack And Breach Trends

Databases may be at risk of the most severe damages from attacks, but the network layer still gobbles up most of the security cash

When it comes to lining up IT security spending to protect the assets most at risk to criminal attacks and exposing organizations to costly breaches, priorities still seem to be out of whack. A new survey out this week shows that while IT teams acknowledge that attacks on core infrastructure elements pose some of the most severe risk to their organizations, they're still spending on average less than a quarter of their IT security budget on core infrastructure elements like databases, applications, and servers, as compared to 67 percent on network assets.

"Organizations can't continue to spend on the wrong risks and secure themselves out of business," said Mary Ann Davidson, chief security officer at Oracle, which sponsored the survey. "When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access."


Conducted among more than 110 global companies across all the major verticals, the survey shows that 52 percent of organizations say the damage posed by attacks against databases is the most severe, compared with just 34 percent who said the same about attacks against the network. And yet 67 percent of the same organizations reported allocating the most resources to network assets, as compared with just 15 percent that direct the most money at database security.

According to Josh Shaul of database security firm Application Security Inc., the big problem IT security faces is getting business executives on board to really believe their core infrastructure is at risk.

"In many cases, it takes a breach for the risk to become believable, even in the face of penetration test results that clearly show an attacker's ability to get in and gain access to sensitive data," he says. "This disbelief seems to get stronger as the systems get more important -- when it comes to databases, some of the most critical systems out there, business executives will go to amazing lengths to retain their belief that these systems are unbreakable."

While the application layer is increasingly a vector for attackers to either enter organizations or escalate attacks further in the network, it is similarly ignored from a budgetary perspective, according to the survey. Just 15 percent of organizations reported spending the bulk of their security budget on application security. This jibes with what John Maddison, Fortinet's vice president of marketing, sees from most organizations today.

"Application security represents a relatively small piece of the overall security pie," Maddison says. "When customers start to embrace a zero trust model beyond just mobile [or] endpoint devices and include Web, application and database servers, then this spending pattern will be reviewed."

He warns that no matter how organizations reprioritize their security spending ratios, they should be mindful not to do it without cohesiveness in mind. This seems to be a problem for many organizations -- the Oracle survey showed that 40 percent of respondents believed that implementing point solutions created gaps in their security.

"What you cannot do is continue adding distinct security applications and appliances all over the place," Maddison says. "There needs to be a platform to consolidate."

Shaul says that the survey highlights yet again that security organizations have to take a holistic look at their assets to understand how adversaries target infrastructure to develop attacks in order to breach information.

"In many cases, those assets are data. Then organizations should put their biggest security focus on the identified 'at-risk' assets," he says. "That probably means moving budgets from the network perimeter and endpoints to the data center, and implementing a true layered defense where security technologies get more sophisticated and harder to bypass as you get closer to the assets you want to protect."

Shaul also couldn't help getting a dig in at Oracle, highlighting how infrastructure companies themselves may need to undo past years of work of inflated security claims in order to let their customers know their products may be at risk.

"It's interesting to see Oracle commenting on the lack of security spending around databases, when it is Oracle who went out and told the world that their databases are unbreakable," says Shaul, saying those long ago words were exactly what many executives wanted to hear and ones that they've bought into at this point. "When the vendor says the system is secure, it's easy to ignore the facts on the street that show otherwise."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Moderator
7/18/2013 | 10:03:17 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Well said. Perimeter defense is table stakes. Actually, if you include the new solutions targeting "APT" or advanced malware detection (FireEye, Damballa, everyone and their mother now) as network perimeter solutions, then that spending might even go up. Also, you have to consider that many "network perimeter" controls provide direct application and database protection. Is a WAF deployed as part of an F5 in the DMZ being counted as a network perimeter control or application control?

"I'm not going to approve implementing database security control X because Oracle is unbreakable"...said no executive, ever. That was marketing. No one is that stupid.

User Rank: Apprentice
7/18/2013 | 5:00:32 PM
re: Security Spending Still Doesn't Follow Attack And Breach Trends
Saying that organizations are spending too much on network security and not enough on database and application security is like saying the bank spends too much on the building and not enough on the safe deposit boxes. But if a bad guy can't get into the building in the first place, isn't the safe already protected?

Likewise, if the perimeter of a network is sufficiently defended, this automatically provides greater protection for servers, applications, and databases.

Extending the metaphor, most banks are robbed by people who entered the building legally, initially posing as customers (a sort of testament to the strength of the outer, or building, defenses). Likewise, many database attacks are attempted by those who got into the network legally, initially posing as visitors (a testament to the strength of the outer network defenses). So, just as safes need to be protected in banks, databases and apps need to be protected within networks. But the bulk of the investment is at the perimeter -- as it should be.