2016 Netwrix Visibility Report


Post on 16-Aug-2020


Visibility has been generating a lot of discussion lately. The reason is that no one can foresee and prevent all cyber risks, so timely detection is prioritized ahead of preventive measures. It is hardly possible for IT departments to be efficient and proactive without a deep understanding of what is happening in IT environments. Meanwhile failure to quickly spot malicious activity and investigate the issue often impacts business processes. Damage may occur in various forms: data breaches, operational downtime, noncompliance etc. All of them eventually lead to financial losses and affect customer loyalty. Thus, visibility is vital not only in terms of increasing efficiency of IT departments and enhancing working environments, but for security and success of businesses above all.

Despite being widely discussed, especially at the recent RSA Conference, visibility is nevertheless understood differently by each vendor. However, it was not a purpose of this survey to identify what solutions are used for achieving visibility into what is happening in corporate networks, nor was it an intention to evaluate specific solutions. Here we talk about visibility in general—from visibility into system configurations and cyber-attacks from the outside to insider activity.

The goal of the survey was to learn what issues organizations are trying to solve when implementing visibility software, whether they succeed in achieving their goals and to assess the level of visibility they have now into various parts of the IT infrastructure. We hope that information presented in this report will help IT pros identify areas that can be improved in their organizations.

This report is based upon a survey of 838 IT professionals that was conducted by Netwrix from April 26 till May 16, 2016. The mixture of respondent roles and industries, geographic regions and organizational sizes of surveyed companies serves to provide a broad and objective picture of the actual state of visibility.

The Netwrix team thanks all the respondents for their contributions to the research.

Introduction

In this report we will be using the term visibility software, by which we mean any kind of software that delivers a deep understanding of what is going on across the IT infrastructure. Advanced visibility software supports a broad variety of on-premises and cloud-based IT systems and provides unified data on sequence of events to gain a profound insight into user behavior, data access and IT infrastructure changes. Visibility software overcomes limitations of perimeter security, enables stronger control over users and helps mitigate the risks of insider misuse, compromised user credentials, data exfiltration and external attacks, including malware.

Companies: 838

Industries: 30+

Large Enterprises: 39%

Small and Medium Companies: 61%


Highlights

State of visibility

• Automation of user activity monitoring is quite well spread among companies, with the majority of them (68%) using third-party, in-house or both types of visibility software. Visibility software is mainly implemented to ensure security of systems and data, to minimize system downtime and to mitigate human factor.

• About 25% of organizations claim to have zero visibility into unstructured data, another 53% have only limited visibility into their file storage.

• Almost 75% of companies admit that they have no or insufficient visibility into what is happening in their cloud-based systems and data.

• More than 80% of organizations have zero or only partial visibility into users’ personal devices used for work purposes.

Future of visibility

• Almost 47% of respondents believe that the increasing complexity of IT infrastructures would negatively impact its transparency and would complicate achieving visibility in the future despite all the efforts.

Visibility software in use

• More than 70% of organizations stated that visibility software allowed them to improve threat prevention.

• Almost 67% of organizations that allow partners, contractors and other third-parties into the corporate IT networks have none or just partial visibility into their activities.

• The same number of respondents (67%) have no or limited knowledge about user activities across the IT infrastructure.

• A little fewer—61%—surveyed organizations have zero or partial visibility into activities of privileged users, like system administrators.


Part 1: State of visibility

The time when technology served just the purpose of automation of manual work has passed long ago. Now, technology gives organizations a competitive advantage. Rapidly changing business realities, economies, priorities and government-set requirements, growing global presence and regional specifics complicate IT landscape, set a huge number of various challenges for IT infrastructures and data and, as if it was not enough, require well-balanced decisions and complete overview of what is going on, preferably in real-time.

In this context, visibility serves as the necessary background for ensuring cyber security of business critical data, compliance with regulatory requirements, system uptime and business continuity. Visibility combined with analytics provides knowledge about deviations and suspicious activity and allows organizations to proactively address these issues and minimize the damage. In this chapter we analyze the reasons why organizations need visibility, how they are trying to achieve it and whether they succeed in doing so.

1.1 Value of visibility

We asked our respondents to rate the importance of visibility for various tasks. Overall, the majority of respondents perceive visibility to be a key part of ensuring security, compliance and IT operations efficiency and optimization of IT infrastructure and file storages.

The most popular reasons for implementation of visibility software are ensuring security of systems and data and minimizing system downtime—aspects that are vital for any business worldwide.


The most popular use cases (important or critical for more than 85% of respondents) are ensuring security of systems and data and minimizing system downtime—aspects that are vital for any business worldwide. Both of them directly impact a business’ financial standing and success. Visibility becomes a critical component of the overall IT strategy, giving IT departments the knowledge and speed needed to deal with various incidents or even prevent them.

[Figure: Primary reasons to use visibility software. Ratings: Not important, More or less important, Important, Absolutely critical. Categories: To ensure overall security of network and data; To minimize system downtime; To optimize IT processes and operations; To optimize IT infrastructure and storage management; To formally comply with internal or external requirements; To mitigate human factor.]


The third most popular answer is mitigation of human factor (75%), which obviously also belongs to the security field. However, since the human factor is one of the biggest cyber security challenges nowadays, we wanted to point it out separately. It is impossible to guess people’s intentions and predict their actions, as it is impossible to build a 100% guaranteed protection against malicious activities. There will always be someone who outsmarts security algorithms and systems and takes advantage of their privileged position for fraud. Or, there can be unintentional mistakes or actions that trigger an unforeseen chain of events, which result in a breach. The findings of our survey show that 75% of respondents consider visibility to be important or absolutely critical for mitigation of human factor.

Overall, 75% of respondents consider visibility to be important or absolutely critical for mitigation of human factor.


Complex IT infrastructures with growing number of systems, applications, devices and users even in small organizations push IT departments to automate time-consuming user activity monitoring. According to the received results the majority of respondents are already using third-party or custom-built, or even both, solutions (68% of total) to enable visibility into their IT environment. Around 17% of companies are planning to implement visibility tools, while 15% of organizations claim to hold back with any visibility software.

Popularity of third-party solutions (42%) is natural, as vendors specialize in certain types of solutions, have their own R&D teams and usually offer the necessary balance of price and functionality. Custom-built solutions, while meeting organizations’ specific requirements, take time and considerable budget to be developed and supported. Mainly large enterprises have demand for in-house solutions due to the IT infrastructure’s unique character and complexity.

1.2 Visibility software in use

Almost 70% of respondents already use visibility software, and 17% are planning to implement it.

[Figure: Use of solutions that aim to provide any kind of visibility into data and/or IT environment. Categories: Third-party solutions; Solutions developed in-house; Third-party and in-house developed solutions; None, but we plan to implement them; None, and we don’t plan to implement them.]


As stated before, for the absolute majority of surveyed organizations visibility is important for maintaining security of IT systems and data. However, if we look into different aspects of IT infrastructure, it becomes obvious that the newer the technology is, the worse it is protected.

Over the past few years, the increase in mobility of workers and use of mobile devices for work purposes has challenged IT departments to deal with an extended potential attack surface and greater cyber risk. Many organizations do not even have partial visibility and lack control over personal (39%) and corporate (25%) devices, so it seems that mobile devices are going to continue to be a dark spot on IT landscapes, at least for a while.

Another dark spot is unstructured data, which includes various documents (Word, PDF, Excel, etc.), emails, pictures, etc. File analysis, a method to achieve visibility into data, is quite a new area in IT, so enterprises are the main consumers of this software. According to the research, only 22% of respondents claim to have complete visibility into what is happening across their file shares. On the other hand, one-quarter of organizations admitted to having zero visibility into unstructured data and file storage. With volumes of files growing exponentially, visibility into this aspect of the IT infrastructure is crucial not only for security reasons, but also for better information governance and optimizing storage costs.

As to the cloud, it turned out to be another problem area for the majority of organizations. Although cloud technology has been on the rise lately, organizations still struggle with getting the best out of the two worlds: lower costs and the same level of control over data they have on-premises. Almost 24% of cloud users admit to having no visibility into what is happening in their systems and data in the cloud, while 53% of organizations claim to have only partial visibility. The situation with hybrid cloud is no better, as only 27% of organizations have complete visibility into the mixed environment.

Although organizations feel more confident about visibility across databases, network, virtual infrastructure and endpoints, ensuring complete visibility is still a challenge for the majority of them.

1.3 Visibility into critical systems

Providing visibility into hybrid and cloud infrastructures, BYOD and unstructured data is still a challenge for the majority of organizations.


[Figure: Please evaluate the level of visibility you have. Levels: None / almost none, Partial, Complete. Areas: Endpoint protection; Virtual infrastructure; Network; Databases; Corporate mobile devices; Hybrid infrastructure; Cloud; Unstructured data and file storage; BYOD (personal devices).]


Part 2: Visibility software in use

The majority of organizations use various visibility software to improve security and ensure system uptime. However, collecting logs about every single activity in the network is not enough to make a solution useful and able to empower companies to fulfil various tasks. This is reminiscent of car options: while all cars have four wheels, one steering wheel, brakes and doors, not all of them provide advanced features like climate control or parking assist, which would simplify your life tremendously. So going further, we asked whether deployed solutions have only wheels and doors, or whether they fully meet organizations’ needs and provide protection against cyber threats and insider misuse.

2.1 Impact on threat prevention

Analytics provided by visibility software allows 70% of companies to succeed in achieving their primary goals and prevent cyber threats. Visibility enables organizations to see anomalies and suspicious activities, investigate them, find the root cause (and—in case of insider misuse—the threat actor’s account), deconstruct the kill chain and stop the attack before it turns into serious damage.

Despite certain disadvantages of visibility software in use, two out of three respondents have improved threat prevention with its help.


[Figure: Does your visibility solution enable you to prevent cyber threats? Response options: Yes, No, I don’t know.]


In the recent 2016 Netwrix IT Risks Report, we discovered that the human factor remains a major concern for organizations worldwide when they deal with cyber risks. Then almost half of respondents (47%) admitted they had experienced security incidents due to human mistakes, and 13% had detected cases of insider misuse. These findings forced us to dig deeper and continue asking whether visibility into user and third-party activities is a priority for organizations and whether there are any efforts to get visibility, or do companies perceive user-related risks as an inevitable evil that nothing can be done about.

Seeking security, organizations are compelled to keep a close watch on activities of anyone who is given access to corporate IT network—users, IT personnel, partners, contractors, etc. On average, one-third of respondents have complete visibility into user and third-party activities. This number is not yet large enough to state that visibility into user activities in the network is a generally solved issue, especially considering the fact that one-fifth of organizations that allow third parties onto corporate IT networks don’t have any visibility into what they are doing there. Also 12% and 15% of surveyed organizations have zero visibility into IT personnel and user activities, respectively. No wonder that breaches involving insiders have become a sad reality. Overall, the results demonstrate that although there are some efforts to understand what users are doing, still there is a lot to be done.

2.2 Visibility into user activity in IT infrastructures

Disturbingly, a fair amount of organizations don’t have any or sufficient visibility into third-party (67%), user (67%) and IT personnel (61%) activities in corporate IT systems.


[Figure: Visibility for user activity in IT infrastructures. Levels: None, Partial, Complete. Categories: IT admins and IT staff activities; Third-party activities in corporate systems; User activities in IT systems.]


Part 3: Future of visibility

As we saw in the previous chapters, visibility in organizations is somewhat uneven and quite often nonexistent. Organizations of all sizes are trying to gain maximum awareness of what is happening in their IT environments. Meanwhile, visibility gaps have caused some serious data breaches in companies around the globe (JP Morgan Chase, European Central Bank, Target, eBay, Yahoo Japan and Korea Credit Bureau to name a few). Whether it is immaturity of technology, or human factor, organizations are still very vulnerable. And the future doesn’t look too bright.

3.1 Future state of visibility in organizations

Visibility has a clearly defined leading role for IT infrastructure security. Its importance is commonly recognized and will increase even more with the growing volumes of data, users and systems used. We also expect to see more vendors and more specialized IT solutions. Does it mean that it is going to become extremely easy to understand what is happening in IT environments? According to the survey respondents, the answer is no. Almost half of them (47%) said they believe that increasing complexity of IT infrastructures would negatively impact visibility despite all the efforts made. Meanwhile, one-third of respondents presume it will be easier to achieve visibility into IT infrastructures. Only 5% of organizations do not consider lack of visibility as an issue (though we should give them some slack as they are probably all small businesses).

Almost 50% of respondents believe that increasing complexity of IT infrastructures would negatively impact visibility despite all the efforts made.


[Figure: Your opinion about the future state of visibility. Response options: Complicated IT infrastructures will make it harder to gain visibility into all IT systems; It will be easier to gain visibility with various IT solutions; It won’t get any harder or easier to gain visibility into all IT systems; I don’t think lack of visibility into IT infrastructure is a problem.]


Part 4: Demography

Geography

For this report we surveyed organizations from around the world. The majority of them (64%) are headquartered in North America and have a global reach and 31% are from Europe and Asia.

[Figure: Geography of the 838 surveyed companies. Regions: North America, Asia/Pacific, Europe, Latin America, Middle East, Africa.]

Organizational size

The surveyed organizations were grouped by size using Gartner’s* definitions of small businesses (1–99 employees), midsize enterprises (100–999 employees) and large enterprises (more than 1,000 employees). Two-thirds of the respondents represent small and medium businesses, and one-third of them work for large enterprises.

[Figure: Organizational size. Categories: Small Businesses, Midsize Enterprises, Large Enterprises.]

* Based on Gartner’s definition of small and midsize business (SMBs) by the number of employees.


Industry vertical top 5

Overall, we surveyed organizations that operate in more than 30 industries. The majority of respondents come from technology and IT, manufacturing, banking and finance, education and health care.

Job title

IT specialists of various levels and areas of responsibility were involved in the survey in an attempt to get an objective picture of the state and perception of visibility in organizations. More than 40% of respondents are system administrators, about one-third is IT management and the rest (almost 30%) are represented by engineers, analysts, consultants and compliance and security officers.

[Figure: Industry vertical top 5. Categories: Technology & IT, Manufacturing, Health Care, Banking & Finance, Education.]

[Figure: Job title. Categories: System administrator; IT manager; CIO / IT director; Consultant; Security / compliance officer; Other (network & system engineers, IT support specialist, IT analysts etc.).]

Conclusions & recommendations

Visibility is an absolute necessity but not the only condition for maintaining security. Yet, organizations continue to struggle when trying to understand what is going on in their IT infrastructures. On one hand, we see that companies have good understanding of visibility’s importance for security and overall business processes, they make efforts and invest in solutions to achieve visibility.

On the other hand, when we dig deeper and ask about what kind of visibility companies have, we see insufficient coverage of systems, security gaps and lack of user behavior analytics. The human factor remains one of the biggest challenges for all types of organizations. As technology develops and becomes more sophisticated, its vulnerabilities continue to be explored by attackers. When it comes to data security, human-related risks cannot be neglected, nor can they be prevented. So it is not surprising that user behavior analytics is already used by one-third of respondents. While simple user activity tracking is no longer enough, organizations are actively seeking comprehensive analytics to enhance visibility.

Also the survey revealed that there is a strong interest in visibility software from organizations of all sizes and industries. Since there are areas where visibility is not yet comprehensive enough, the market demand will stay high in the upcoming years. The vendors are expected to offer advanced solutions for gaining visibility into the cloud, unstructured data and mobile devices.

Recommendations

There are some general recommendations based on the survey findings that would help to improve visibility and security of IT environments and business-critical data. Organizations that are evaluating visibility software for deployment should pay attention to such factors as:

• App-store capability. Due to complexity of IT infrastructures and diversity of IT systems it will be hard to get visibility into everything. Also visibility software vendors will not be able to support all IT systems and applications on the market, especially a variety of cloud-based SaaS applications. Organizations are recommended to carefully evaluate their needs and opt for maximum coverage to keep pace with a dynamic IT environment. Visibility solutions should support API to enable easy scalability and integration of all required IT systems. Given the speed of cloud migration and cloud benefits, support of hybrid environments is also critical for comprehensive visibility software.

• Single point of access. Once data from all relevant sources is collected, it should be available in one place in a single format. This will ensure integrated visibility and thorough and reliable analysis via identification of various events across different IT systems. Besides that, a single point of access contributes to greater speed when investigating security incidents. Organizations should integrate visibility software with other available data sources (such as SIEM, help desk, CRM, etc.) to get more value from existing solutions.

• Actionable analytics. Collection of data is the first step on the way to visibility. The next step is understanding what is going on. Visibility software should provide profound analysis of user behavior that allows organizations to identify threat patterns via malicious activities, see where they originate from and deconstruct the data breach kill chain, preventing or minimizing the damage.

• Hidden costs. It only makes sense to deploy technology that can be used to its fullest potential and that can bring maximum value. Sophisticated solutions require a lot of additional investments like skilled and well-paid professionals and software and hardware upgrades, which will not deliver the expected results in the context of a limited budget. Companies are recommended to conduct thorough research and opt for solutions that offer the right balance of TCO and benefits or provide virtual appliance to minimize time-to-value.


Corporate Headquarters: 300 Spectrum Center Drive, Suite 1100 Irvine, CA 92618

netwrix.com/social

Copyright © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.

About the Report

The report is brought to you by Netwrix Research Lab, which conducts industry surveys among IT pros worldwide to discover up-to-date interests and granular trends' analysis of the industry. For more reports, please visit: www.netwrix.com/go/research

About Netwrix

Netwrix Corporation was the first to introduce a visibility and governance platform that supports both on-premises and hybrid cloud IT environments. More than 150,000 IT departments worldwide rely on Netwrix to detect insider threats on premises and in the cloud, pass compliance audits with less expense and increase productivity of IT security and operations teams. Founded in 2006, Netwrix has earned more than 90 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S. For more information, visit www.netwrix.com