As cybercrime evolves and organisations migrate to the digital realm, there’s been an ongoing race among businesses to evade bad actors, stay ahead of emerging threats, and mature their security posture. While tools are a critical component of these proactive and reactive defenses, tools alone are not enough, especially when it comes to telemetry.
If an organisation doesn’t understand the telemetry their tools are providing, or worse yet, if there’s a gap in that visibility, far-off threats can turn into immediate incidents. In addition to gathering data from specific sources, organisations need to be able to read, interpret, and act on that information to maintain a strong security posture.
Understanding telemetry, and how to implement better visibility is the core of “Seeing is Securing: The Case for Holistic Visibility,” but before we dive too deep into the data, we need to understand what telemetry is.
What Is Telemetry?
Telemetry, broadly, is the wireless measurement and transmission of data from one source to another, often a central source. This measurement and transmission can occur internally or remotely.
In the world of IT, telemetry is used constantly to measure activity within a system or network environment. For example, this telemetry could be text logs of who is accessing a specific application, an unusual slowdown in performance for a specific part of the system, a decrease in quality, or even sudden traffic changes within a network.
There are multiple kinds of telemetry data, but most fall into four categories: logs, actions, metrics, and traces. These four categories cover specific data from user logins to CPU performance to timestamped text records to even unusual user behavior or errors.
How specific telemetry data is measured depends on the source and the organisation’s needs, and every organisation will have different parameters for different telemetry sources. Understanding what should be measured, and how, is critical to making sure telemetry is not only being employed properly but that the data analysed is the correct data. Mismeasurement is where gaps appear and where threats can go undetected.
Telemetry is utilised not only for measurement, but for action. This data, and visibility, is vital when responding to incidents — from understanding where an incident originated to seeing where movement has been made within a network — and influences proactive cybersecurity decisions including vulnerability management and security environment upgrades or changes.
Types of Telemetry Monitoring
Many parts of an IT environment can be monitored using telemetry, and doing so holistically is by far the best approach to create broad visibility.
For a strong security posture, it’s recommended that the following seven areas of an organisation’s environment are monitored:
However, understanding how these seven parts are monitored is more complicated than identifying them. While the specifics of how each source is monitored can vary by use case (for example certain logins to a specific application during a narrow time frame), all fall into two categories: observability and monitoring.
While the two terms sound interchangeable, there are key differences. Observability delves into the field of assessing data. It’s simply the ability to assess a state based on specific data. This can be achieved through rule-based systems, machine learning, or humans.
Monitoring makes observability possible. It’s the collection of all of that data from given sources. You monitor, then observe, then take action. Both objectives work together to create a full picture of an IT environment and create full visibility.
If you aren’t monitoring the right sources for the right actions, you can’t know there’s an issue in a certain area, and if you aren’t assessing the data that’s being monitored, you could also miss the same issue. When thinking about it through an investigatory lens, monitoring is the who and what, and observability is the why.
The best telemetry tools offer both monitoring and observability while providing end-to-end visibility, allowing organisations to customise what is monitored, what is observed, and develop strategies that fuel their security goals.
How Telemetry Can Transform Your Cybersecurity Strategy
You can’t protect what you can’t see, and that’s why telemetry is a critical pillar of security architecture. While every aspect of telemetry has benefits and challenges — for example endpoints are a major part of the security environment, but every tool defines endpoint differently — what should be noted is that a single source of telemetry will never be sufficient, as every source could lead to an incident.
Having complete visibility allows for, not only, better detection and response if an incident occurs, but can help an organisation see where their weaknesses lie and harden their posture against future threats.
Each source of telemetry will be explored in our upcoming seven-part series:
- What is Telemetry?
- Log Sources/Ingestion
- Putting it all together: Cross-Telemetry Detection
The Arctic Wolf Security Operations Cloud is built upon that idea, utilising machine learning and the Concierge Security Model to collect telemetry from endpoint, network, and cloud services, including, but not limited to, AWS, Office 365, Salesforce, and Microsoft Azure.
Explore telemetry in-depth with “Seeing is Securing: The Case for Holistic Visibility.”