Technology / Wed, 24 Jun 2026 The Fast Mode

There’s No Network ‘Normal’ Without IT


What’s normal network activity, anyway? It’s the question that admins most want – and most struggle – to answer quickly.

After all, knowing network health and understanding regular performance at a glance can raise the alarm whenever traffic strays from expected norms.

The problem, however, is getting an accurate reading. Too many teams still work across disparate platforms and siloed workflows. Further, the ongoing, historic divide between IT and OT means that alerts can get lost in the noise – a particular concern as attackers use automation to more effectively discover and exploit backdoors. Once inside ecosystems that lack deep observability, bad actors can remain undetected for weeks.

This is why having a finger on the network pulse is more important than ever, and why establishing “normal” activity is the best way to both combat intruders and improve infrastructure efficiency.

Why network visibility matters now

More endpoints, users, and data – admins across telecoms and enterprises with significant network infrastructure oversee ever-growing and intersecting ecosystems. The scale of sensitive information and operations under their watch explains why establishing a network baseline matters.

Done right, a baseline captures expected behavior across traffic volume, communication patterns, connection frequency, and data flows. When a device suddenly queries systems it’s never talked to, or when traffic spikes at an unusual hour, the deviation is immediately apparent against the established norm, enabling easier and faster investigation.
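The check described above, sketched in Python as an added example that is not from the article or any monitoring product. It uses a simple statistical baseline; the flow-record layout, device names, and the `k` and `rel_floor` thresholds are assumptions, and all records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(flows):
    """flows: (day, device, peer, hour, nbytes) records from the learning period."""
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # (device, hour) -> day -> bytes
    for day, device, peer, hour, nbytes in flows:
        peers[device].add(peer)
        daily[(device, hour)][day] += nbytes
    # Mean and spread are taken over the days on which the device was active that hour.
    volume = {k: (mean(v.values()), pstdev(v.values())) for k, v in daily.items()}
    return {"peers": dict(peers), "volume": volume}

def detect(baseline, day_flows, k=3.0, rel_floor=0.10):
    """Compare one day of (device, peer, hour, nbytes) flows against the baseline."""
    alerts, totals = set(), defaultdict(int)
    for device, peer, hour, nbytes in day_flows:
        totals[(device, hour)] += nbytes
        if peer not in baseline["peers"].get(device, set()):
            alerts.add((device, "new_peer", peer))  # never talked to this system
    for (device, hour), total in totals.items():
        stats = baseline["volume"].get((device, hour))
        if stats is None:
            alerts.add((device, "unusual_hour", hour))  # no traffic ever seen at this hour
            continue
        mu, sigma = stats
        # Floor the spread so a perfectly steady device does not alert on small jitter.
        if total > mu + k * max(sigma, rel_floor * mu):
            alerts.add((device, "volume_spike", hour))
    return sorted(alerts)

def constructed_history(days=14):
    """Constructed learning data: a PLC polled during working hours plus a 03:00 keepalive."""
    flows = []
    for day in range(days):
        for hour in range(8, 18):
            flows.append((day, "plc-01", "hmi-01", hour, 1000 + 10 * (day % 3)))
            flows.append((day, "plc-01", "historian", hour, 500))
        flows.append((day, "plc-01", "hmi-01", 3, 50))
    return flows

CONSTRUCTED_TODAY = [  # constructed sample day, not real traffic
    ("plc-01", "hmi-01", 9, 1010), ("plc-01", "historian", 9, 500),   # normal
    ("plc-01", "hmi-01", 3, 50),                                      # normal keepalive
    ("plc-01", "eng-ws-07", 10, 200),                                 # unknown peer
    ("plc-01", "historian", 2, 90000),                                # traffic at an unseen hour
    ("plc-01", "hmi-01", 14, 9000), ("plc-01", "historian", 14, 500), # volume spike
]

def run_example():
    return detect(build_baseline(constructed_history()), CONSTRUCTED_TODAY)
```

Only devices whose traffic reaches the collector get a baseline at all, so an OT asset missing from the flow records produces no alerts of any kind.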

This kind of visibility and agility is much needed against bad actors doing more with less. Empowered by automation, hackers are more often testing and penetrating network defenses with newfound speed. For example, recent vulnerability reports have been reverse-engineered into working hacks within a day. And, at the same time, detecting such incursions is getting slower.

The global median dwell time recently increased to 14 days, giving bad actors two weeks within the network to map the environment, siphon credentials, and stage their strike. Worse, in OT environments, where systems are often deliberately left unmonitored for fear of disrupting production, that figure can stretch to more than 40 days. Admins increasingly realize that attackers need only one blind spot to succeed, whereas they need visibility everywhere to defend. The issue is that the very teams responsible for providing this insight are working from separate dashboards and different sides of the network.

An unknown baseline made worse by the IT/OT divide

The separation between IT and OT isn’t a mistake. The two have been operating independently for years, with the former overseeing security and network performance and the latter covering production and uptime. But thanks to convergence, OT devices are connecting to enterprise networks and data flows freely in both directions. The traditional boundary is effectively gone.

Unfortunately, today’s organizational structures largely lag behind this network reality and neither team sees the full picture. The same incident can look like noise to one team and be invisible to the other. Protocol incompatibility only compounds the problem – IT tools don’t speak Modbus, OPC UA, or Profinet, so operational and industrial devices don’t always appear in the monitoring picture. An accurate network baseline needs to go the extra mile to monitor production devices in addition to IT-visible assets. Otherwise, admins define “normal” for only half the network.

We are starting to see movement in this direction. CISO responsibility for OT security has jumped from 16% in 2022 to more than half of organizations today, with projections pointing toward 80% consolidation in the near term. This is good news because it builds accountability into the security function. Now, network visibility and subsequent standardization must follow.

Establishing and understanding the network ‘normal’

The first step in understanding the network is speaking the same language. From SNMP and WMI to Modbus TCP and MQTT, broad protocol support brings OT devices into the same monitoring picture as IT assets, so the baseline reflects the full environment, not just the half that’s easy to reach.

Then, with all information feeding into a centralized console, AI can establish a sense of “normal” behavior. Static thresholds can’t keep pace with dynamic, converged environments. The stronger approach is AI-driven baselining that continuously learns and automatically surfaces deviations. Remember: attackers can hide malware but they can’t hide traffic. An intelligent baseline catches the behavioral fingerprint of an intrusion even when the payload is invisible. AI-assisted anomaly detection is increasingly making this scalable and it’s where the industry is heading.

The driving idea is to build visibility into the foundation. Unified monitoring isn’t an upgrade to layer on top of existing operations but the precondition for everything else. Security response, compliance, capacity planning, and incident containment work best with a complete picture of the network. Organizations that treat visibility as optional are effectively defending half of their infrastructure and hoping the other half isn’t targeted. There’s no network “normal” until you can see it all and respond in kind.
