We surveyed information security experts to learn their opinions on:

1. Visibility of their corporate networks
2. Expectations for traffic analysis
3. Perceived trade-offs of encrypting internal traffic

Who participated in the survey

Summary: What we learned

1. The surveyed infosec experts assess the visibility of external traffic as on par with that of internal traffic at their companies.
2. Over the last year, only 8 percent of respondents have detect- ed attacker lateral movement and only 17 percent detected the use of hacking tools. This is likely because most of the surveyed experts do not have appropriate detection tools in place at their companies.
3. When asked to choose between encrypting traffic or improving visibility into the internal network, 64 percent of respondents pre- fer the latter.
4. According to respondents, the most important tasks for traffic analysis tools are to detect attacks inside the network (88%) and on the perimeter (86%), detect network anomalies (71%), and monitor compliance with security standards (71%). These are typi- cal functions performed by network traffic analysis (NTA) (or net- work detection and response, NDR).¹
5. Traffic decryption and retrospective analysis are considered lower-priority tasks, winning the enthusiasm of 29 and 27 percent of experts, respectively.

Traffic visibility

Our survey demonstrates that most companies lack traffic analysis tools, not all network segments are covered, or visibility is hampered by data encryption. "Low" or "average" visibility into external traffic is a complaint of 72 percent of respondents; 68 percent have the same opinion regarding the visibility of internal traffic.

Traffic visibility by industry

IT and financial companies turn out to be the most satisfied with the visibility of external traffic: 42 percent and 38 percent of these respondents, respectively, assess the visibility level as high. Industrial companies are on the other end of the spectrum: 36 percent of experts consider external traffic opaque.

The situation is similar with internal networks. Almost half of IT companies (47%) claim high visibility, while slightly more than half of respondents at indus- trial companies (52%) assess visibility as low.

Internal network (in)visibility

Over the last year, 51 percent of respondents have detected internal network scanning and malicious activity inside the perimeter. The situation is worse with lateral movement and use of hacking tools to develop attacks. During the last year, such actions were observed by only 8 and 17 percent of experts, respectively.

Many protection solutions, such as antivirus software and EDR, can detect net- work scanning and use of hacking tools. It would seem that the experts we questioned performed detection without using NTA, the capabilities of which include detecting lateral movement and use of hacking tools.

What do traffic analysis tools need to do

For the experts we surveyed, threat detection is the top priority. 88 percent of them give the highest priority scores ("4" or "5") to detection of attacks inside the network; 86 percent indicate detection of attacks on the perimeter, and 71 percent mention detection of network anomalies and security policy compliance.

Traffic decryption is at the top of the "less important" tasks. 29 percent of re- spondents give it a low priority score ("0," "1," or "2"). But this does not mean that they do not care what is going on inside encrypted traffic: 70 percent of re- spondents at large companies recognize the importance of detecting malicious activity in encrypted traffic ("4" or "5"). If network packets are analyzed properly, detection does not require decryption.

Retrospective analysis is also a lesser priority, for 27 percent. This is probably due to the high cost of traffic storage servers.

Encryption vs. network visibility

The need for network visibility outweighs potential encryption benefits in the eyes of 64 percent of respondents. Worries about traffic encryption were re- flected in most responses ("3," "4," or "5") to the following question.

This closely matches the findings of a SANS survey: 56.3 percent of respond- ents were worried that encryption prevents network visibility (6–10 points).

Encryption within corporate networks is a thorny issue. In some cases, encryp- tion is necessary—such as if all passwords and emails must be encrypted in transit. However, many infrastructures, especially large ones, have difficulty with encrypting all traffic because of obsolete server equipment and incom- patible software. And even then, encryption increases the risk of "going dark" because it makes attacker actions more difficult to detect.

Conclusions

• NTA solutions have a large future ahead of them: companies understand the importance of monitoring the security of internal networks. This is clear from the respondents' stated priorities for what NTA should do.

• Not all companies have NTA monitoring of internal networks in place. We can conclude this based on what the surveyed security experts managed to detect inside their perimeters over the last year.

• Most respondents do not support full encryption of corporate networks, giving NTA the maximum of opportunities to detect malicious activity. Those who do choose to encrypt traffic as much as possible can also benefit from NTA for detecting anomalies and malware.

---

1. NTA performs analysis of traffic both on the perimeter and inside infrastructure. NTA solutions automatically detect attacks based on a large number of signs, including use of hacking tools and exfiltration of data to an attacker server. They store information about network interactions; some also store raw traffic. Such data can be useful for tracking attacker movements and investigating incidents.