New Research on Network Visibility and Threat Detection: A SANS Survey

In our current work-from-home climate, it's more important than ever to have complete visibility across your network in order to monitor behaviors and detect unusual activity and threats within your environment.

Below is a synopsis of the SANS Network Visibility and Threat Detection Survey commissioned by ExtraHop. The report explores the primary issues security professionals face in detecting threats on a network and the role visibility plays. The research highlights important facts, such as:

• Only 15% of respondents expressed a very high level of confidence that all the devices on their network are discoverable,
• more than 64% of respondents reported suffering at least one successful attack within the last year,
• only 2% of respondents are not at all worried about encrypted traffic, and
• only 16% of respondents believe they have high visibility into their east–west traffic.

The report explores how hybrid network complexity is making it difficult to streamline security practices, dives into the the inhibitors of visibility like advanced encryption, digs into the impediments to making greater use of network data, identifies the most used tools in the security operations center (SOC), and talks about how to fill in the gaps in your network visibility.

To find out more about the challenges your security peers are facing, download the Network Visibility and Threat Detection full survey results and/or watch the SANS webinar with the survey's author, Ian Reynolds, and Extrahop security expert, John Smith. Key takeaways are below.

Network Visibility and Threat Detection: A SANS Survey

As organizations continue to move to the cloud, encrypt communications, adopt IoT, and manage third-party vendors, the complexity of the network increases. This in turn, impedes visibility, slows operations, and impacts security.

For example, of the participating organizations, 59% believe that lack of network visibility poses a high or very high risk to their operations, and 64% of respondents experienced at least one compromise over the past 12 months.

Most Organizations Desire To Reduce Complexity

In the SANS survey, more than 93% of respondents indicated that they manage more than a thousand endpoints, and almost 90% manage between hundreds to thousands of servers. In addition, the majority (68%) expressed a desire to reduce the complexity of their systems by reducing the overall number of tools involved in their operations. Only 6% had no plans, and 9% were unsure.

What does this tell us? Mainly that complexity is a problem for most everyone, and that's not a big surprise. The question is what are the implications of complexity? Well, 59% of the respondents believed that a lack of network visibility poses a high or very high risk to the organization. Let's dive into that a bit.

Most Organizations Tie A Lack Of Visibility To Risk... Interesting...

Only 38% of respondents had high or very high levels of confidence in their ability to discover all of the devices connecting to their networks, with just 6% expressing a very high level of confidence. That lack of confidence is tied to a perception of higher risk for most organizations. While the majority of respondents (52%) claim high visibility into traffic entering and leaving their network (north–south traffic), only 17% claim the same level of visibility into traffic moving within their networks (east–west traffic). That lack of visibility into east-west traffic is a bit disturbing when you consider the erosion of the perimeter, leaving internal traffic exposed.

And, There's The Move To The Cloud

Cloud adoption, coupled with the recent flux of remote workers, means the perimeter is dissolving and applications are moving to the edge. With the shift to cloud-based SaaS options, the challenge continues to evolve. And, as remote access has increased dramatically in light of recent events, the requirements and options for flexible access to corporate data have increased. Greater visibility is needed to combat the increase in cloud misconfigurations that are a concern for security and business continuity.

Additionally, Encryption Is Becoming More Ubiquitous

The report shows that a majority of organizations today use encryption, with approximately 40% of the respondents reporting levels of encryption between 50-74% and another 12% who report 75-100% of traffic encrypted. Many organizations are moving towards adopting advanced encryption like TLS 1.3—which is critical for security, but exacerbates the visibility problem. Encryption guarantees the integrity and confidentiality of the data in transit and at rest, but creates blind spots in the network.

How This Leads To The Importance Of East-West Visibility

A key takeaway outline in the report is that having visibility into every device and how they are meant to behave on your network is crucial to understanding what constitutes normal traffic and what could be considered a deviation. But as we noted earlier, only 17% were confident that they had visibility into east-west traffic. That is disconcerting when you think of how porous the perimeter has become.

The Three Technologies You Need Working Together: EDR, SIEM And NDR

As the report indicates, most organizations have adopted EDR and SIEM solutions. But those solutions have some weaknesses: Endpoints can be tampered with, log data can be too noisy and turned off, and as a result, organizations are missing critical data to find threats within the east–west corridor. Building an equivalent capability to monitor and visualize east–west traffic, whether inside the perimeter or in the cloud, has been a challenge for most organizations.

The missing link has been Network Detection and Response (NDR). Working together, in what Gartner has coined the SOC Visibility Triad, the combined power of EDR, SIEM, and NDR, will now provide complete visibility and decrease the chance that an attacker can operate in your environment undetected.

Four Key Takeaways from SANS

The four key takeaways from the SANS Network Visibility and Threat Detection survey are listed below:

1. Know your corporate network and what behaviors and data flows are.
2. Understand that cloud services will alter the way you monitor and protect the organization.
3. Work with the cloud projects to maintain visibility of what changes are happening.
4. Automate repetitive tasks and choose tools that enable machine learning and improved analytics.

For more data on these conclusions, download the full report and/or watch the SANS webinar.

Stay safe out there, all!