Database Security Report 2016 (04 Mar)
A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES
The Database Security Report provides trends, statistics, notable employment activity, and resources for chief information security officers (CISOs), IT security staff, database administrators, and software developers.
Database security spending lags behind database hacks
- The database market is a huge and growing industry. According to IDC, the overall database market tops $40 billion today and should reach $50 billion by 2017.
- A recent Ponemon Institute survey found that organizations allocate the bulk of their budget (40%) to network security and only 19% to database security. “The dominant philosophy has been to create an impenetrable perimeter security defense using such things as firewalls and intrusion detection systems (IDS),” said Michael Sabo, Vice President of Marketing at DB Networks. “If you believe that nothing can get through your perimeter it probably seems like a waste of money, time, and effort to invest in database security.”
- The Gartner “Hype Cycle for Data Security” states that data security must evolve to treat data as an asset that is becoming pervasive across traditional data silo boundaries on-premises and in big data platforms and public clouds. Hacking, data residency and compliance issues are challenging the implementation of data-centric security policies. “Database infrastructures are riddled with blind spots. Hackers lurk in the shadows for months stealing data,” explained DB Networks’ Chairman and CEO Brett Helm. “The problem is many organizations only monitor a subset of their databases rather than identifying and securing all the databases in their database infrastructure.”
- The Washington Post reported that two major breaches last year of U.S. government databases holding personnel records and security-clearance files exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends, according to U.S. officials. The vast majority of those affected — 21.5 million people — were included in an OPM (Office of Personnel Management) repository of security clearance files, officials said. At least 4.2 million people were affected by the breach of a separate database containing personnel records including Social Security numbers, job assignments and performance evaluations.
- High profile commercial database hacks continue to proliferate following last year’s Anthem breach which exposed some 80 million customer records. Vtech, the largest manufacturer of electronic toys, has confirmed that the recent hack of its app store affects more than 10 million accounts that include 6.3 million kid profiles worldwide, according to an article in the International Business Times. IBT states that the hack is the fourth largest consumer data breach. Vtech admitted its app store customer database was not secure enough, leading hackers to obtain access to its system.
- In 2015 there were 781 data breaches which could have affected more than 169 million records, according to the “2015 ITRC Data Breach Report”. The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. ITRC’s Data Breach Category Summary reports the healthcare industry suffered 277 breaches with nearly 113 million records potentially affected – more than any other industry.
- A recent Forbes contribution from Vinod Khosla, a highly respected entrepreneur, technologist and the founder of Khosla Ventures, said that (database) behavioral analysis could have prevented the Anthem breach. Khosla stated that the future of IT security is technology that consistently and accurately identifies behaviors that aren’t normal. Behavior analysis is the key to unlocking a better, faster way of identifying true database threats, says Brett Helm, Chairman and CEO at DB Networks.
- Fortune recently reported that Oracle released an eyebrow-raising set of 154 security fixes in a Critical Patch Update covering many of its key products. Oracle’s database, middleware, web and app server products were affected. The Critical Patch Update is Oracle’s primary program for the release of security fixes across Oracle product lines.
- The SQL injection threat consistently ranks among the top cyber attack vectors and has haunted organizations for nearly two decades, according to the report “SQL Injection Defense: There are no Silver Bullets” published by DB Networks. Over that time the threat has become more widespread and evolved to be far more potent. According to Neira Jones, the former head of payment security for Barclaycard, some 97% of data breaches worldwide are still due to SQL injection somewhere along the attack chain.
- In response to the SQL injection plague, we are beginning to see commercial applications ship with code level security enhancements. SAP HANA SPS11 Security features include built-in SQL injection prevention, which can stop malicious SQL code from executing, and a new security dashboard that allows visibility into security key performance indicators.
- In the first “Grid report for NoSQL databases (a.k.a. open source databases)”, published in Fall 2015 by G2 Crowd, which calls itself the world’s leading business software review platform, security and ease-of-use were the most common pain points reported by users. Security was rated relatively low, with a 75% satisfaction average. Users routinely requested better role-based security settings for their databases. Open source databases now account for 25% of relational database usage, according to a recent Gartner research report. That number can easily grow to 50% over the next five years as businesses continue to buy and rent NoSQL databases in the cloud.
- “Database security spending lags behind database hacks,” says Steve Morgan, Founder and Editor-In-Chief at Cybersecurity Ventures. “The major cyber crimes committed over the past year have involved various types of database attacks. We expect to see a big uptick in database security spending between 2016 and 2020, and an evening out of security budgets which will take application and data security as seriously as network security. Enterprises need to understand and implement behavioral analysis and anomaly detection technologies around their databases in order to effectively protect themselves,” adds Morgan.
- “We’ve proven that machine learning, behavioral analysis, and anomaly detection technologies significantly reduce the time necessary to accurately identify database infrastructure threats,” said Steve Hunt, president and COO of DB Networks. “Security operations demand concrete actionable intelligence to rapidly address a situation with the proper and targeted response.”
- After a flurry of database security company acquisitions five to six years ago, with IBM purchasing Guardium, Oracle purchasing Secerno, and McAfee purchasing Sentrigo, acquisitions have once again picked up in the database security space over the past year. In February of 2015, HP acquired Voltage Security. Singtel acquired Trustwave for $810 million in April of 2015. Trustwave’s database security portfolio was itself a result of its acquisition of Application Security, Inc. two years prior. In October of 2015 Thales acquired Vormetric for $400 million. The sector may continue to consolidate in 2016, with major tech vendors taking over startups and emerging players.
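The SQL injection items above describe the attack class and the idea of code-level prevention without showing what the defect looks like in application code. The following Python script is an added example, not taken from the report, DB Networks or SAP: it places a query built by string concatenation beside its parameterized equivalent, using an in-memory SQLite table with constructed sample rows, so the difference in how the database engine treats the same input can be observed directly. The table, usernames and inputs are all assumptions made for the illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: untrusted input is pasted into the SQL text.

    A quote character in the input changes the structure of the statement,
    so the caller's intent (match one username) is no longer enforced.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the input is bound as a parameter.

    The driver hands the value to the engine as data; it is never parsed as
    SQL syntax, so the statement structure is fixed at development time.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups against a well-formed and a malformed input and return the results."""
    conn = build_db()
    normal = "bob"
    # Constructed malformed input: a value containing a quote character, of the
    # kind an input validator or database monitor would flag as anomalous.
    malformed = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_malformed": lookup_vulnerable(conn, malformed),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_malformed": lookup_parameterized(conn, malformed),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the script shows the vulnerable lookup returning every row for the malformed input, while the parameterized lookup returns nothing, because no user literally has that string as a name. This is the behaviour that "built-in SQL injection prevention" in a product or a parameterized data-access layer in custom code is meant to guarantee, and it is also why monitoring tools look for statements whose structure differs from the application's known query shapes.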
Steven C. Morgan, Editor-In-Chief, is Founder and CEO at Cybersecurity Ventures, and Editor-In-Chief of the Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies. Steve writes the weekly Cybersecurity Business Report for IDG’s CSO, and he is a contributing writer for several business, technology, and cybersecurity media properties.
© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.