Positive Technologies

Corporate network visibility in 2020

Published on December 28, 2020

Contents

  • Who participated in the survey
  • Summary: What we learned
  • Traffic visibility
  • Internal network (in)visibility
  • What do traffic analysis tools need to do
  • Encryption vs. network visibility
  • Conclusions

We surveyed information security experts to learn their opinions on:

  1. Visibility of their corporate networks
  2. Expectations for traffic analysis
  3. Perceived trade-offs of encrypting internal traffic

The anonymous survey, with responses from 231 specialists in Belarus, Russia, and Kazakhstan, was conducted from August 27 to September 14.

Who participated in the survey

Figure 1. What is your company's industry?
Figure 2. How many employees does your company have?

On the whole, we found that responses did not tend to vary significantly based on a company's size or industry.

Summary: What we learned

  1. The surveyed infosec experts assess the visibility of external traffic as on par with that of internal traffic at their companies.
  2. Over the last year, only 8 percent of respondents have detected attacker lateral movement and only 17 percent detected the use of hacking tools. This is likely because most of the surveyed experts do not have appropriate detection tools in place at their companies.
  3. When asked to choose between encrypting traffic or improving visibility into the internal network, 64 percent of respondents prefer the latter.
  4. According to respondents, the most important tasks for traffic analysis tools are to detect attacks inside the network (88%) and on the perimeter (86%), detect network anomalies (71%), and monitor compliance with security standards (71%). These are typical functions performed by network traffic analysis (NTA) (or network detection and response, NDR) solutions.[1]
  5. Traffic decryption and retrospective analysis are considered lower-priority tasks, winning the enthusiasm of 29 and 27 percent of experts, respectively.

Traffic visibility

Our survey demonstrates that at most companies traffic analysis tools are lacking, not all network segments are covered, or visibility is hampered by data encryption. "Low" or "average" visibility into external traffic is a complaint of 72 percent of respondents; 68 percent have the same opinion regarding the visibility of internal traffic.

Figure 3. How do you assess the level of traffic visibility at your company?

Traffic visibility by industry

IT and financial companies turn out to be the most satisfied with the visibility of external traffic: 42 percent and 38 percent of these respondents, respectively, assess the visibility level as high. Industrial companies are on the other end of the spectrum: 36 percent of experts consider external traffic opaque.

The situation is similar with internal networks. Almost half of IT companies (47%) claim high visibility, while slightly more than half of respondents at industrial companies (52%) assess visibility as low.

Internal network (in)visibility

Over the last year, 51 percent of respondents have detected internal network scanning and malicious activity inside the perimeter. The situation is worse with lateral movement and use of hacking tools to develop attacks. During the last year, such actions were observed by only 8 and 17 percent of experts, respectively.

Figure 4. What have you observed in internal traffic over the last year?

Many protection solutions, such as antivirus software and EDR, can detect network scanning and use of hacking tools. It would seem that the experts we questioned performed detection without using NTA, whose capabilities include detecting lateral movement and use of hacking tools.
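To make concrete the two traffic-level detections discussed here (network scanning and lateral movement), the following is an added example written for this page; it is not code from the report or from any Positive Technologies product. It runs over a constructed set of flow records (NetFlow-style tuples of timestamp, source, destination and destination port); the admin-port set, the window sizes and the thresholds are assumptions chosen for illustration and would be tuned to a real network.

```python
from collections import defaultdict
from dataclasses import dataclass

# Remote-administration services whose host-to-host use inside the network is a
# classic lateral-movement indicator (SMB, RDP, WinRM, SSH). Assumed set.
ADMIN_PORTS = {445, 3389, 5985, 5986, 22}


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds (constructed values, not real timestamps)
    src: str
    dst: str
    dport: int


# Constructed flow log: one host fanning out over a /24 on SMB, a three-hop
# chain of admin logons, and some ordinary client traffic.
FLOWS = (
    [Flow(1000 + i, "10.0.1.50", f"10.0.2.{i + 1}", 445) for i in range(15)]
    + [
        Flow(2000, "10.0.3.7", "10.0.3.20", 445),     # origin -> first pivot
        Flow(2500, "10.0.3.20", "10.0.3.31", 3389),   # pivot -> next hop
        Flow(2900, "10.0.3.31", "10.0.3.42", 5985),   # next hop -> another
        Flow(3000, "10.0.4.9", "10.0.0.5", 443),      # benign web traffic
        Flow(3001, "10.0.4.9", "10.0.0.6", 53),       # benign DNS
    ]
)


def detect_scanning(flows, min_targets=10, window=60):
    """Return {src: peak distinct (dst, dport) pairs in any `window`-second span}
    for sources reaching at least `min_targets`. A single host touching many
    distinct host/port pairs in a short time is the shape of a network scan."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        left, best = 0, 0
        counts = defaultdict(int)  # (dst, dport) -> occurrences inside window
        for right, f in enumerate(fl):
            counts[(f.dst, f.dport)] += 1
            # Slide the left edge forward until the span fits in the window.
            while fl[right].ts - fl[left].ts > window:
                key = (fl[left].dst, fl[left].dport)
                counts[key] -= 1
                if counts[key] == 0:
                    del counts[key]
                left += 1
            best = max(best, len(counts))
        if best >= min_targets:
            alerts[src] = best
    return alerts


def detect_lateral_movement(flows, window=3600):
    """Return [(pivot, origin, next_hop, ts)] where `pivot` accepted an admin-port
    connection from `origin` and, within `window` seconds, opened an admin-port
    connection to a different host. Chained admin logons hopping from host to
    host are the pattern traffic analysis uses to surface lateral movement."""
    inbound = defaultdict(list)  # dst -> [(ts, src)] for admin-port flows
    for f in flows:
        if f.dport in ADMIN_PORTS:
            inbound[f.dst].append((f.ts, f.src))
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport not in ADMIN_PORTS:
            continue
        for ts_in, origin in inbound.get(f.src, []):
            if origin != f.dst and 0 <= f.ts - ts_in <= window:
                hits.append((f.src, origin, f.dst, f.ts))
                break
    return hits


if __name__ == "__main__":
    for src, n in detect_scanning(FLOWS).items():
        print(f"scan: {src} reached {n} distinct host/port pairs within 60s")
    for pivot, origin, nxt, ts in detect_lateral_movement(FLOWS):
        print(f"lateral: {origin} -> {pivot} -> {nxt} at t={ts}")
```

Both detectors work on connection metadata only, which is why they keep working when the payload is encrypted; the trade-off is that thresholds such as `min_targets` must be set from a baseline of the network's normal fan-out, or vulnerability scanners and backup servers will generate alerts of their own.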

What do traffic analysis tools need to do

For the experts we surveyed, threat detection is the top priority. 88 percent of them give the highest priority scores ("4" or "5") to detection of attacks inside the network; 86 percent indicate detection of attacks on the perimeter, and 71 percent mention detection of network anomalies and security policy compliance.

Figure 5. How vital is it to you to perform each task using traffic analysis tools?

Traffic decryption is at the top of the "less important" tasks: 29 percent of respondents give it a low priority score ("0," "1," or "2"). But this does not mean that they do not care what is going on inside encrypted traffic: 70 percent of respondents at large companies recognize the importance of detecting malicious activity in encrypted traffic ("4" or "5"). If network packets are analyzed properly, detection does not require decryption.

Retrospective analysis is also a lesser priority, for 27 percent. This is probably due to the high cost of traffic storage servers.

Encryption vs. network visibility

The need for network visibility outweighs potential encryption benefits in the eyes of 64 percent of respondents. Worries about traffic encryption were reflected in most responses ("3," "4," or "5") to the following question.

Figure 6. How worried are you that traffic encryption inside infrastructure inhibits network visibility?

0: I do not care about network visibility, traffic must be fully encrypted within the network.

5: I prefer not to encrypt traffic in order to get full network visibility.

This closely matches the findings of a SANS survey: 56.3 percent of respondents were worried that encryption prevents network visibility (6–10 points).

Figure 7. Level of concern about traffic encryption

Encryption within corporate networks is a thorny issue. In some cases, encryption is necessary, for example when all passwords and emails must be encrypted in transit. However, many infrastructures, especially large ones, have difficulty with encrypting all traffic because of obsolete server equipment and incompatible software. And even then, encryption increases the risk of "going dark" because it makes attacker actions more difficult to detect.

Conclusions

  • NTA solutions have a large future ahead of them: companies understand the importance of monitoring the security of internal networks. This is clear from the respondents' stated priorities for what NTA should do.

  • Not all companies have NTA monitoring of internal networks in place. We can conclude this based on what the surveyed security experts managed to detect inside their perimeters over the last year.

  • Most respondents do not support full encryption of corporate networks, giving NTA the maximum of opportunities to detect malicious activity. Those who do choose to encrypt traffic as much as possible can also benefit from NTA for detecting anomalies and malware.

[1] NTA performs analysis of traffic both on the perimeter and inside infrastructure. NTA solutions automatically detect attacks based on a large number of signs, including use of hacking tools and exfiltration of data to an attacker server. They store information about network interactions; some also store raw traffic. Such data can be useful for tracking attacker movements and investigating incidents.
Copyright © 2002—2023 Positive Technologies. All Rights Reserved.