Threat actors don’t just try to gain access to an organization by targeting a single area of their environment. In today’s complex, connected IT environments, threat actors are utilizing multiple techniques, maneuvering through various parts of an organization’s attack surface, and launching sophisticated attacks across multiple components of the IT environment – from identity to endpoint to the cloud and beyond.
For security teams to stay one step ahead, they need broad visibility into their environments, meaning they need access to, and the ability to correlate, all the different data points and activities happening simultaneously to detect a threat actor’s behavior and potential next steps. They need telemetry.
What is Telemetry?
In cybersecurity, telemetry refers to the process of gathering and analyzing data from networks, applications, endpoints, cloud environments, and other sources to gain insights into an IT environment. Telemetry is used not only to gain broad visibility into an attack surface but to better identify and correlate actions that may signal a security threat or an in-progress cyber attack.
Telemetry is critical for threat detection, incident response, and attack surface hardening measures, and can be gathered in a central location or interface for swift and thorough analysis and action.
Types of Telemetry Sources
While the sources of telemetry can be plentiful, there are a few broad sources that are highly valuable when it comes to detecting threats.
- Endpoints: This includes any network-connected device, such as workstations and servers
- Cloud Environments: This includes any public or private clouds an organization may use and all associated logs
- Software-as-a-Service (SaaS) applications: This includes common web-based applications such as email, Microsoft tools and apps, sales management tools, and more.
- Firewalls: This includes firewalls throughout the environment
- Networks: This includes the complete network and all associated assets
- Identities: This includes all users and applications that are identity-based, from email logins to single sign-on (SSO) applications to identity and access management (IAM) tools such as Microsoft Active Directory
- Security logs: This includes all logs from in-use security tools such as endpoint security, managed detection and response (MDR) solutions, and antivirus software
Telemetry can be measured in a number of ways, and there are multiple key indicators gathered from telemetry sources that can show something may be amiss in an environment. These include, but are not limited to, unusual traffic flows in a network, odd logins to a SaaS application, changes to network or application configurations, new and sudden file creation or deletion, access and permission changes, and more.
Monitoring vs. Telemetry vs. Observability
Observability, monitoring, and telemetry are essential for maintaining a system’s performance and reliability. While interconnected, each plays a distinct role in delivering insights to understand system health and capture the data required to alert on abnormalities like potential threats.
Observability: Observability is the ability to assess a system’s state in a given time period based on specific data. Observability allows an organization to understand the current state of its environment and IT infrastructure, such as whether certain applications are functioning and whether the infrastructure is operational. Observability can also allow organizations to troubleshoot certain issues pertaining to system events. This differs from telemetry, which gathers data from the infrastructure you’re observing.
Monitoring: The action of having “eyes-on-glass” for a telemetry source. Monitoring is also often narrower in scope than telemetry. Organizations monitor their telemetry sources for specific events or behavior patterns based on predefined metrics and alerts in order to inform specific actions. Telemetry, in contrast, is the culmination of the data collected during monitoring and can be used for a variety of purposes.
Telemetry: This is the data itself and the automated process of collecting and transmitting that data. Telemetry can be vast and broad and does not provide insights or analysis. Telemetry is often transmitted to monitoring tools, where alerting specifications are in place, which allows security teams to then act on the data from the telemetry sources.
When combined, these components create a comprehensive approach with observability providing proactive insights to address unexpected issues, monitoring offering immediate insights and alerts, and telemetry delivering foundational data from various sources to feed both monitoring and observability.
How Telemetry Works
Telemetry – often collected, enriched, and analyzed by modern cybersecurity tools and solutions – gathers data points from the various sources mentioned above, measures that data, and transmits it for various uses.
However, telemetry can be highly variable. The process and outcomes are dependent on the tools and solutions an organization has in place, what telemetry sources are being monitored, whether that monitoring is happening in real time or not, what rule sets are in place for data transmission and alerting, and the capabilities of any security monitoring, detection, and response solution that is in place.
To better explain telemetry in action, let’s look at how Arctic Wolf was able to stop a threat actor from launching a ransomware attack on a customer by correlating multiple telemetry sources during an investigation of an endpoint monitoring alert:
1. The Arctic Wolf® Agent detected PowerShell commands occurring on an endpoint (in this case an Exchange server)
2. In the same timeframe, the Agent saw that credentials to a local account on a server (identity source) had been reset, which constitutes suspicious activity
3. The user associated with the reset credentials was then seen, in real time, moving to a different device, indicating the lateral movement common in sophisticated attacks
In this instance, multiple sources of telemetry were collected by the Arctic Wolf Aurora™ Platform and analyzed by the Arctic Wolf Security Teams, allowing them and the customer to take immediate remediation steps, minimizing the impact of the intrusion. If just the endpoint were being monitored, or just the identity sources, the threat actor – in this case a ransomware group – might have been able to keep escalating the attack while evading detection, or the security teams might not have known which actions to take to prevent that escalation.
That’s the power of holistic telemetry.
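The three-step chain above can be expressed as a simple cross-source correlation rule. The following is an added illustration, not Arctic Wolf code; the event records, field names, host names, and the 15-minute window are all constructed assumptions. It also shows what happens when only one source is visible.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, one record per source (invented example
# events, not data from the article or any real environment).
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "source": "endpoint", "host": "exch01",
     "type": "powershell_exec", "user": "svc_backup"},
    {"ts": "2024-05-01T10:03:40", "source": "identity", "host": "exch01",
     "type": "password_reset", "user": "svc_backup"},
    {"ts": "2024-05-01T10:07:12", "source": "identity", "host": "fs02",
     "type": "logon", "user": "svc_backup"},
    {"ts": "2024-05-01T11:30:00", "source": "endpoint", "host": "ws07",
     "type": "powershell_exec", "user": "alice"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window


def _parse(events):
    """Convert ISO timestamps to datetime and sort chronologically."""
    return sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )


def correlate(events, visible_sources=("endpoint", "identity")):
    """Chain endpoint PowerShell -> credential reset -> logon elsewhere.

    Only events whose source is in visible_sources are considered, so the
    caller can see what a partial telemetry picture would (not) detect.
    """
    evs = [e for e in _parse(events) if e["source"] in visible_sources]
    findings = []
    for ps in (e for e in evs if e["type"] == "powershell_exec"):
        deadline = ps["ts"] + WINDOW
        resets = [r for r in evs if r["type"] == "password_reset"
                  and r["host"] == ps["host"] and ps["ts"] <= r["ts"] <= deadline]
        for r in resets:
            # Lateral movement: the reset account logs on to a different host.
            moves = [m for m in evs if m["type"] == "logon" and m["user"] == r["user"]
                     and m["host"] != ps["host"] and r["ts"] <= m["ts"] <= deadline]
            for m in moves:
                findings.append({"origin_host": ps["host"], "account": r["user"],
                                 "moved_to": m["host"],
                                 "chain": [ps["ts"], r["ts"], m["ts"]]})
    return findings


if __name__ == "__main__":
    print(correlate(EVENTS))                 # one chained finding
    print(correlate(EVENTS, ("endpoint",)))  # empty: no identity data to link
```

With only the endpoint source visible, the PowerShell activity on its own never rises to a finding; the identity events are what turn three separate observations into one incident.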
Benefits of Comprehensive Telemetry
Utilizing multiple telemetry sources to gather and act on data is critical for robust security operations. Whether occurring in-house, managed through a third-party provider, or a combination thereof, having solutions in place that gather telemetry for cybersecurity purposes offers a wide range of benefits.
- Improved efficiency around proactive security measures as well as detection and response
- Better decision-making around real-time threat detection and response, as well as broader investments in security policies and technology
- Swifter detection of threats and potential prevention of serious cyber attacks
- Proactive risk management that is based on internal, real-time data
- Detailed incident analysis post-incident
- Compliance support for logs and other data needed to meet compliance obligations
In short, you can’t protect what you can’t see, and having various telemetry sources offers insights into your environment and provides the chance for your organization to implement stronger proactive and reactive security measures based on that data.
How Telemetry Fuels Threat Intelligence
Threat intelligence is valuable for security and IT teams as they work to detect and respond to threats in their own environments, as well as when those teams work to prioritize and implement proactive security measures. And while threat intelligence can come from a number of external sources, knowing how that intelligence applies to your specific environment is entirely dependent on telemetry. If there are reports of certain indicators of compromise (IOCs) happening in your sector or geographic region that pertain to the endpoint or even cloud applications, and your organization lacks visibility into those sources, those IOCs offer less value, increasing your overall risk.
From the perspective of the cybersecurity community, telemetry is how threat intelligence is gathered at scale. Arctic Wolf Threat Intelligence, which enables organizations to stay ahead of evolving threats, leverages over 7 trillion weekly security observations across 10,000+ customers, spanning industries and geographies. That’s only possible because of the robust telemetry we gather, ingest, and analyze in our customers’ environments.
Learn more about Arctic Wolf Threat Intelligence.
Comprehensive Telemetry and the Arctic Wolf Aurora™ Platform
The Arctic Wolf Aurora Platform is an industry-leading, open-XDR platform that collects, enriches, and analyzes data at scale to help our customers stay protected from immediate and future threats.
Our platform, which gathers telemetry from endpoint, network, cloud, human, identity, and application sources, offers broad visibility, unlimited event data, and on-demand access to logs. Additionally, that data is enriched with threat intelligence, allowing organizations to focus on what’s important. From a detection and response point of view, the use of machine learning (ML), backed by security expertise, allows organizations to respond to threats that matter most – early and quickly – reducing alert fatigue and improving security outcomes.
Learn more about how Arctic Wolf utilizes telemetry to make security work.