The Bricata team conducted a survey to ask cybersecurity professionals about the challenges and opportunities they face in network security.
The top challenges to expect in network security in 2019 survey report
The Top Challenges in Network Security for 2019
A survey of security professionals identifies network security opportunities, risks and benchmarks
CC BY-SA 4.0 by Bricata
Executive Summary
• Network security is growing more difficult.
64% of respondents say network security is harder this year as compared to last, and for a range of reasons. This includes the sophistication of threats, but also the proliferation of IT infrastructure and the complexity of environments, given the changes stemming from cloud, IoT and BYOD, among others.
• Insider threats and IT infrastructure complexity are the top challenges.
While insider threats (44%) and IT infrastructure (42%) topped the list of network security challenges, no single topic drew a simple majority. Lack of leadership support, security technology interoperability, shadow IT, BYOD and the deluge of security alerts were among the top 10.
• Too many tools that don’t talk to each other.
Most organizations use between 1 and 10 tools for the purpose of network security. About one-third of respondents said these tools were not integrated, while another 28% said these tools were just somewhat integrated. No respondents indicated tools in their environment were completely integrated.
• Network security faces a deluge of alerts and can’t investigate them all.
About a quarter (26%) of respondents say their organization receives 1,000 or more security alerts per day. More importantly, the vast majority (84%) say these require 5 or more minutes each to triage. “A decent number of false-positives waste quite a bit of time,” wrote one respondent. “On the other hand, some alerts are critical, but we are missing vital information, which we then spend ages trying to locate.” Some admit they just can’t review all alerts.
• Threat hunting poised for growth.
While just about one-third (32%) say they are doing threat hunting today, a majority (61%) of respondents believe that threat hunting will be either more important or much more important in the next 12 months.
• Key network security areas to focus on in the next year.
Security analytics, security integration and behavioral analysis were the top three areas of security respondents said organizations should focus on over the next year. Interestingly, collaboration outranked machine learning and AI as a recommended area of focus.
• Security has a stronger relationship with the business than it does with DevOps.
Some 34% of respondents said the relationship between security and DevOps is strong, while 27% said it isn’t. By contrast, 51% of respondents said the relationship between security and the business is strong, while 22% said it isn’t.
64% say securing the network is harder or much harder this year than last.
Network security is growing more difficult
Most respondents (64%) say network security is harder this year as compared to last, while about one-third (32%) say it’s neither harder nor easier. When asked why in an open-ended question, respondents attributed the challenges to several causes:
• “Increasing array of threats and threat vectors, as more and more computer systems proliferate throughout offices.”
• “Playing catch up because security wasn't a priority with this company until recently.”
• “Increase in threats from third-party networks and IoT devices.”
• “Doesn't feel like training and education is keeping pace for defenders with what attackers are capable of doing.”
• “Hackers are using more complex and comprehensive tools and internal users seemingly are less aware of what they do to reduce protection.”
• “More things keep getting added to the network, with more vulnerabilities.”
• “Acquisitions have made it more challenging. Supporting both AWS and Azure are also testing our support limits as development rushes into this space headlong.”
• “My responsibilities moved from a traditional hardware stack to AWS. Networking in AWS is a whole new ballgame to learn.”
• “More deep hackings into previously thought solid safe spaces.”
• “Ransomware variants are growing and threats are evolving.”
Network security faces a broad array of challenges
The weakest point in network security may well rest between the keyboard and chair. Some 44% of respondents
named insider threats as the single biggest threat in network security. In our assessment “insider threats” are
not necessarily malicious and likely include accidental incidents set off by well-intended users inside the
network.
The top 10 challenges included:
1) Insider threats – 44%
2) IT infrastructure complexity – 42%
3) Absence of leader support – 40%
4) Lack of tool interoperability – 37%
5) Shadow IT – 31%
6) Weak controls for provided access – 29%
7) Cloud visibility – 28%
8) BYOD – 26%
9) Too many alerts – 22%
10) Too many tools – 18%
Those who selected “other” challenges to this question wrote in to say understaffing, limited budgets and time constraints were key challenges in their organization. It’s important to note that no single challenge drew a majority of responses. This underscores the diversity of problems facing network security, which vary by industry, IT environment and perhaps organizational culture. This reinforces the notion that there isn’t a single solution that will solve every security problem.
73% have between 1 and 10 tools for network security
22% use between 11 and 20 tools for network security
Most organizations use 1-10 tools for network security
The majority of respondents (73%) said their organization uses between 1 and 10 tools for network security. About one-fifth (22%) said they use between 11 and 20 tools.
While this particular question is exclusively focused on network security, the responses seem to nest well with other surveys we’ve observed. For example, a 2017 survey found roughly 70% of enterprises use between 10 and 50 tools across all sectors of cybersecurity, including the network.
Respondents noted tools alone aren’t the answer. Security technologies must be well planned, implemented properly, and adequately resourced with thoroughly trained security professionals. We will see this more clearly in the next question.
Security tools do not play well with each other
This question brings granularity to the lack of interoperability among security tools. About one-third of
respondents (32%) said tools in their organization simply do not share data. Another 28% said these tools were
just somewhat integrated.
When asked why in an open-ended question, respondents said the following:
• “Tools are purchased without ever sending employees to training or bringing hands-on experience from the vendor to assist in integration. We just buy things and cross our fingers that it was a good investment. New leadership, new year, it is getting better.”
• “Different vendor tools that don't communicate to one another.”
• “Lack of standards for interoperability.”
• “Varies by the 'brilliance' of the product.”
• “They don't talk to each other. They do talk to the SIEM but that is not enough.”
• “I inherited a hodge-podge of non-implemented or half-implemented projects.”
• “Different solutions have a greater probability of catching issues that the other may not.”
We believe the problem has reached a critical mass and as a result, security integration will be added to the list
of requirements in the security acquisition process. Enterprises will start demanding that new cybersecurity
tools adhere to open standards, open APIs and readily allow the security operations center (SOC) to share data
as they deem fit.
26% say their organization receives 1,000 or more security alerts per day.
84% say their organization requires 5 or more minutes to triage a security alert.
82% say their organization spends too much time triaging alerts at least some of the time.
Security cannot investigate every alert
Most organizations get a deluge of alerts. A little more than one-third (35%) of respondents say their
organization gets 100 or fewer alerts per day. About one-quarter (26%) of respondents put that number at more
than 1,000 with 10% of those seeing more than 10,000 alerts. All remaining respondents fell somewhere
between 100 and 1,000 daily alerts.
These alerts require time to investigate. The vast majority (84%) say it takes five or more minutes to effectively
triage an alert. This means an organization with 1,000 alerts – which is a modest example in this survey – would
have to triage 12 alerts per hour, for nearly 3.5 days without pausing to get through all of these.
The problem is compounded by the fact that more alerts pour in all the time and some simply require more time to vet properly. For example, 58% of respondents said alerts take double that time – 11 or more minutes – to triage. The vast majority (82%) say their organization spends too much time investigating alerts at least some of the time.
Much of this is caused by a poor signal-to-noise ratio: many alerts are false positives, which overwhelm the resources security teams have at hand.
“A decent number of false-positives waste quite a bit of time,” wrote one respondent. “On the other hand,
some alerts are critical, but we are missing vital information, which we then spend ages trying to locate.”
Some respondents candidly admitted they simply don’t investigate every alert, which risks a sophisticated
threat slipping by in plain sight. It’s clear a better means of prioritizing and triaging alerts is needed.
61% think threat hunting will be more important over the next year.
Threat hunting poised for growth
Threat hunting grew out of the notion that sophisticated threat actors understand how traditional detection technologies work – and evade detection. Even newer tools that tap artificial intelligence and machine learning aren’t perfect, because these technologies focus on finding variations of known threats. If the threat is new or the technique is novel, there isn’t a variation to be detected.
As a result, threat hunting is becoming one of the hottest trends in cybersecurity today. While just about one-third (32%) say they are doing threat hunting today, that doubles when asked about the future. A majority (61%) of respondents believe that threat hunting will be either more important or much more important in the next year or so. The findings are generally in line with another study focused on threat hunting conducted earlier this year.
Areas where security should focus
Where should security organizations focus their future efforts? On a weighted average based on a five-point scale (which takes into account those who think the concept is less or much less important), the answers stack up like this:
1) Security analytics (4.20)
2) Security integration (4.12)
3) Behavioral analysis (4.07)
4) Collaboration (4.00)
5) Machine learning / AI (3.97)
6) Threat hunting (3.88)
7) Signature detection (3.33)
Some observations include:
• Security integration is liable to become a must-have requirement in procurement;
• Behavioral analysis is rising because it’s harder to hide abnormal behavior on the network;
• It’s interesting to see that collaboration tops machine learning and AI – human collaboration still matters; and
• Signature detection will find 80% of the known malware, but a layered security posture with interwoven advanced capabilities is necessary for identifying sophisticated threats.
34% say the relationship cybersecurity has with DevOps is strong
27% say the relationship cybersecurity has with DevOps is NOT strong
51% say the relationship cybersecurity has with the business is strong
22% say the relationship cybersecurity has with the business is NOT strong
Stronger relationship with the business than DevOps
Security seems to have a stronger relationship with the business than with DevOps. Some 34% of respondents
said the relationship between cybersecurity and DevOps is strong, while 27% said it isn’t. By contrast, 51% of
respondents said the relationship between cybersecurity and the business is strong, while 22% said it isn’t.
On some level this makes sense: cybersecurity serves the business, while it often finds itself at odds with the change management processes DevOps champions. This is because a newly revealed exploit will exist in a production environment, and the risks associated with changing the production environment are precisely why the process is intentionally slow and methodical.
Still, it’s surprising, because conventional wisdom says both sides have similar goals and speak the same language. The pace and innovation of threats in the modern cybersecurity landscape may have thrust this relationship into focus.
Security professionals in their own words
This survey asked one final open-ended question – What is one thing you wish the business would understand
about cybersecurity? – and it received 46 responses. A representative sample follows:
• “What you get in results, will rarely be outdone by what you give; but what you get, can and almost always does, outweigh what you give.”
• “Security culture is extremely important since people are the weakest link in the security chain.”
• “It is a continuous process that must encompass every operating, development and planning activity within an institution.”
• “That DevOps needs to communicate more clearly and ask security for help, DevOps should not be making security decisions.”
• “It's easier with a lower TCO if done correctly up front than it is to try to fix problems after something has been deployed.”
• “How much damage one human being can accidentally do through negligence.”
• “Cybersecurity is a strategic investment.”
• “It is everyone's business and responsibility.”
• “It takes money to protect the enterprise, and the IT department requires an adequate budget to implement.”
• “[Security] is complex and does not scale easily; it requires budget and FTEs.”
• “An understanding of the resources required in order to achieve a rapid response could be improved.”
A word cloud of all responses follows on the next page.
Survey methodology
This survey was conducted online from November 1, 2018, until November 30, 2018. Survey respondents were
solicited by email distributed through two third-party organizations with well-established cybersecurity
subscribers.
Sixty-eight mostly senior respondents with more than 10 years of experience completed the survey. Respondents hailed from a wide distribution of industries. Respondents were most widely represented by the technology (29%) and financial (22%) vertical markets, though many also stem from government, education, healthcare and non-profit.
Respondents were incentivized with a chance to win one of three $50 gift cards.
Recommended resources
• Here’s What Network Threat Hunting Means, Why It Matters, and How to Get Started [blog]
• 7 Simple but Effective Threat Hunting Tips from a Veteran Threat Hunter [blog]
• Layers of Cybersecurity: Signature Detection vs. Network Behavioral Analysis [blog]
• 7 Security Trends Shaping Intrusion Detection Technology [blog]
• Snort, Suricata and Bro: 3 Open Source Technologies for Securing Modern Networks [blog]
• Introduction to Network Threat Hunting [webinar]
• Threat Hunting: Finding Hidden & Undetected Network Threats [webinar]
Connect with Bricata on Twitter, LinkedIn or Facebook.
About Bricata, Inc.
Bricata is the leader in comprehensive network protection. The Bricata flagship solution provides unparalleled network visibility, full-spectrum threat detection, true threat hunting, and threat resolution capabilities in an intuitive, tightly-integrated and self-managing system. Its automated detection, productive GUIs, and expert system workflows make it easy-to-use for novices; while granular control of its engines, access to rich network metadata and PCAPs, and true threat hunting capabilities give experts the power and control they demand. Bricata has been proven to speed incident resolution by eight times by reliably detecting threats and providing the context necessary to get to the truth quickly and act. For more information visit www.bricata.com.