It costs a whopping $3.1m to defend against a $100,000 advanced attack, a security duo claims.
The imbalance - well-known to security pros - was illustrated in research presented by Microsoft security strategist Paul McKitrick and founder of security startup ICEBRG William Peteroy (@wepiv) at the Kiwicon hacker fest in Wellington.
It was tipped well in favour of attackers since they required only a few holes in various security layers to obtain and exfiltrate data, whereas defenders had to plug all vectors.
The pair said attacks costing more than $100,000 were too hard to ward off, while the imbalance ratio remained for smaller intrusions.
"For a $2,500 attack you need to scale defences immensely from firewalls and anti-virus, to application whitelisting, web proxies, and engineers to deal with more advanced attacks," Peteroy said.
"If the attacker has $100,000 or more, you're playing whack-a-mole, and they can go out and buy zero-days, custom exploits and backdoors ... and defenders need things like SIEM (Security Information and Event Management) and people to run it."
"We find ourselves in a really sticky situation because attackers don't find themselves as limited by spending," they said.
Attackers in the lowest of the three identified strata had a maximum of $2,500 to buy a large number of standard tools, while $100,000 bought bad guys access to zero days, backdoors, and custom tooling.
The pair urged the attending security professionals and system administrators to target spending rather than buy gear according to check boxes and marketing, and to introduce attacker bottle-necks throughout the network including single sign-on that foils many automated attacks.
Doing so increased the effectiveness of defensive spend and drove up the cost of attacks launched by typically profit-driven criminals.