[BreachExchange] How your security budget helps hackers win

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 26 20:54:14 EDT 2017


http://sdtimes.com/security-budget-helps-hackers-win/

When a single breach can cause untold damage to your business, from
millions in losses to reputational damage, operational disruption, and lost
trust, you want to align your security budget with the actual threats you
face. So why does the typical company allocate less than 3% of its security
budget to application security—when a full 30% of successful breaches
strike at the application layer?

For hackers, it’s a dream scenario, like a burglar watching a homeowner
install expensive new door locks while the windows remain wide open. But
it’s a dangerous situation for your business, leaving you one unlucky break
away from making the wrong kind of headlines.

How has application security spending fallen so far out of line with the
actual threats companies now face?
The highly technical nature of this area can make it challenging for
non-specialists to provide meaningful guidance for the allocation of
security budgets—at least, that’s the excuse that’s often given. But
identifying and quantifying risk doesn’t have to require specialized
expertise. The stats above make all too clear that there’s gross
misalignment between current attack and breach trends, and the amounts
being invested in protection at those layers. The conclusion is
inescapable: in light of the prevalence of successful application-layer
attacks, application security spending is inadequate by an order of
magnitude.

The underfunded threat
Often, security budgets tend to follow established industry practices,
focusing on incremental improvements on the types of defenses already in
place rather than making major shifts in approach. That would be fine if
the nature of the threats companies faced remained fairly constant—but it
leaves the organization at risk of falling behind when fundamental shifts
in computing architecture reshape the threat landscape.

Ten years ago, the typical web app amounted to little more than a marketing
channel. The site contained product information, where-to-buy or online
ordering functionality, and so on, but the actual logic and data resided
within the company’s own network. In that light, it made sense for network
security to play the central role in threat protection. Now, however, the
product itself is online, including all of its code and customer
data—making web, cloud, and mobile apps the company’s largest digital
assets. That also makes those assets the largest target to attackers.

DevOps is part of the story as well, as is so often the case these days.
While DevOps isn’t directly responsible for driving the need for more
application security spending—that’s more a factor of the changes described
above—it does create an ideal opportunity to address the changing threat
landscape. As companies seek to leverage the speed and agility made
possible by the DevOps model, they’re re-architecting their systems from
the ground up around cloud services and other next-generation resources.
Threat protection is a natural part of that conversation—as we realign the
broader IT budget with the changing needs of our business, how should we
also realign our security budget according to the changing nature of the
risks we face?

When your biggest digital asset draws only a small fraction of your
security budget, the answer is clear.

Rebalancing the security budget
Even a business-critical area like security can’t be allowed unlimited
resources; increased spending on application security will need to be
accompanied by reductions elsewhere. Again, changes in computing
architecture provide a useful way to think about this.

CISOs we have spoken with report that network security accounts for
approximately 70% of the typical security budget. This made sense in past years, when the
typical IT organization ran a large number of internal services on physical
hardware that needed continual OS maintenance and firewall management.
Today, the majority of such services have been outsourced to—and protected
by—SaaS, IaaS, or PaaS providers. With far fewer internal services to
protect, and a network perimeter that is being relocated into the cloud, IT
can focus on what still needs to be secured for customers: the application
logic and customer data in web applications. While it might not make sense
to flip the allocation entirely—traditional network security threats aren’t
going away—the fact that your cloud and DevOps teams are building new
software from the ground up for the first time in more than a decade offers
a unique opportunity to rethink and reallocate your budget to more
accurately reflect your risk.

Security will always be something of a moving target as threats evolve in
tandem with computing architecture. The landscape will likely change as
much ten years from now as it has over the past ten years. But right now,
attackers are exploiting a grievously under-secured application layer to
launch an alarming number of successful breaches. Addressing that imbalance
should be at the top of every C-level agenda.