Exploring Endpoint Telemetry: Discovering Its Strengths and Limitations

Share :

The attack surface is bigger than ever before, and it’s only going to keep growing. As the hybrid work model puts endpoints in employee homes, IoT devices grow in number and complexity, and the very definition of endpoint itself evolves, the task of seeing into and securing all endpoints in an organisation’s environment has grown into a colossal task for already overworked and overtaxed IT teams.  

Why Endpoint Telemetry Matters 

There’s a saying in the cybersecurity world: You can’t protect what you can’t see.

That’s where telemetry comes in. 

Telemetry, broadly, is the measurement and transmission of data from one source to another, often a central source. This measurement and transmission can occur internally or remotely. In the world of IT, telemetry is used constantly to measure activity within a system or network environment. 

Each element of an organisation’s environment has a role to play in proactive protection and reactive response. As cybercriminals continue to evolve and expand their attacks, it’s crucial that organisations understand their sources of telemetry and the types of observations they provide.  

The telemetry provided by endpoints is a crucial component of holistic visibility. Without it, you lack the comprehensive insight into each endpoint that is essential for real-time visibility into the activity on a key piece of your environment. Without this telemetry data, and without the proper analysation and correlation of that data, you lose the ability to contain and isolate threats when they inevitably occur. 

The good news?

Most modern security teams are aware of the importance of visibility into endpoints. 

The bad news?

Too many of them stop there, ignoring the remaining six chief sources of security telemetry. Even worse, many don’t invest enough time, talent, and budget in the proper tuning of their endpoint security tools to provide the telemetry data that’s actually needed to protect their environment. It’s likely for reasons like these that 30% of organisations feel that their current endpoint technology tool provides the least value in their tech stack.   

To combat this problem, the cybersecurity industry has developed security operations solutions to help organisations gain visibility into endpoint traffic and activate threat responses when needed. But not all endpoint telemetry tools are created equal.

Let’s take a look at two major solutions in this space, endpoint detection and response (EDR) and endpoint protection, to uncover their purpose, what they can see, what they can’t, and why neither solution is enough on its own. 

What is Endpoint Detection and Response?   

Developed to overcome the limitations of antivirus, the original endpoint security tool, endpoint detection and response (EDR) records critical activity like process executions, command line activity, running services, network connections, and file manipulation on endpoints to observe behaviors and flag suspicious ones that fall outside the normal behavior. This is where the “detection” part of EDR comes in. 

When a suspicious action occurs, the EDR agent installed on the endpoint will trigger an alert, letting the security professional know that something potentially malicious has been detected. The idea being that — although the attack itself may change — the behavior of malicious software and malicious actors often remains the same.  

Additionally, EDR allows the security professional to act once a detection has occurred — the “response” part of endpoint detection and response. While features vary by vendor, most include the ability to isolate the host system from the rest of the network to prevent the attack from spreading to other endpoints in the environment. 

Beyond the isolation capability, some vendors offer more advanced responses, including terminating processes or killing services. The ability to take these actions on an endpoint should be approached cautiously as there are situations where they may result in additional harm to the host system or business operations.      

Limitations of EDR  

Although EDR drastically improves on the flaws of antivirus, it is not without some drawbacks of its own. It places an outsize emphasis on detection of threats rather than the prevention of them, recording the actions taking place on the endpoint and triggering an alert when suspicious activity is detected. 

Unfortunately, detection alone does not guarantee that the threat is mitigated.      

Consider an environment that utilises EDR but has limited security staff. This staff may be tasked with validating and responding to a high volume of alerts. This results in a delay between the time an alert is generated and the time an analyst responds to it. This can result in two situations that are highly detrimental to an organisation, alert fatigue and delayed mean time to response (MTTR).

Alert fatigue is the result of tools generating an overwhelming amount of alerts, resulting in decreased emphasis being placed on these alerts. This in turn can lead to extended delays in mean time to response, or the gap in time between when an alert is generated and when an analyst investigates and responds to the threat.  

What is an Endpoint Protection Platform 

Endpoint Protection Platforms (EPP) were developed to build off what was seen as the best benefits of EDR and antivirus. EPPs record actions occurring on the endpoint in the same fashion as EDR. These actions are then processed against a database of known suspicious behaviors in near real-time, as with antivirus. 

When it is assumed that a malicious action is about to occur, the EPP agent will interfere and prevent the threat from executing.  

Prevention is the key differentiator between EDR and EPP. Where some EDRs may include the ability to develop specific preventions, it is primarily a reactive tool, designed to record endpoint activity and detect potential threats. EPP takes the proactive approach of focusing on prevention. In this way it often only records enough activity to allow it to decide if an action should be prevented from executing.  

By following this approach, EPPs can prevent a range of both malware and actions attempted by threat actors.  

Limitations of EPP 

This is not to say that there are no potential drawbacks to EPP, however. There is a balance that these platforms must find between preventing legitimate actions that simply appear suspicious versus allowing threats to run for fear of preventing business activities from being executed.   

In many cases these platforms will allow the customer to set their own standards for prevention. This can result in some environments lowering their prevention threshold, resulting in greater cyber risk. Shifting the focus to prevention rather than detection also modifies the extent of what telemetry is being recorded.

Where EDR will record any and all activity that is considered significant, EPP will generally record just enough activity to make a determination if something malicious is about to occur.  

How To Achieve Holistic Visibility 

The major drawback to all types of endpoint protection and telemetry tools is that they only give you visibility into a portion of your environment. For endpoint telemetry to be truly valuable, it needs to be correlated with other sources of telemetry, such as network, cloud, and identity telemetry to offer IT teams the full picture of who is in their environment, and what they are doing.  

Learn about the seven sources of telemetry, their benefits and drawbacks, and how to achieve comprehensive visibility into your entire environment in our new Holistic Telemetry interactive resource. 

Arctic Wolf

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Share :
Table of Contents
Categories