What Is Telemetry?
Modern corporate enterprise and data center network topographies are complex. They include many different devices (routers, switches, local and cloud servers, hypervisors, firewalls and other security appliances, workstations, etc), use various transmission mediums such as ethernet, fiber-optics, and Wi-Fi, and host a wide range of applications that are critical for business operations. These digital environments need complex reporting solutions to provide administrators broad and granular visibility into network activities.
Telemetry is data collected from a network environment that can be analyzed to monitor the health and performance, availability, and security of the network and its components, allowing network administrators to respond quickly and resolve network issues in real-time. Telemetry data contributes to maintaining a highly available, optimized, and resilient network. Advanced telemetry analysis can also employ artificial intelligence and machine learning to provide actionable event-driven data about network operations and detect anomalous network activity and indicators of potentially malicious behavior.
To facilitate the collection and analysis of telemetry data, devices must be configured with software that will forward relevant metrics to a centralized system where it is ingested into an analytics engine, processed, and made available to IT team members via an analytics dashboard. Network telemetry is focused on the performance of a network and all of its critical appliances, and endpoint telemetry is focused on reporting activity happening on individual endpoints.
To gain a high-level understanding of network telemetry, the functionality of a computer network can be modeled as three theoretical "planes." These three planes are:
Data Plane: Forwards packets/frames from one interface to another. If data flow is analagous to highway traffic, compare the data plane to roads and the communications as vehicles.
Control Plane: Operationalizes the rules for determining which paths data takes between devices, such as a router or switch's routing protocols. In the traffic analogy, the control plane can be compared to traffic lights and signs.
Management Plane: Controls and monitors devices. The management plane can be compared to a combination of a navigational app with real-time traffic data and a city planner who adjusts traffic lights and signs to optimize traffic flow.
Telemetry from the data and control plane can be used to make informed changes to network architecture or configuration to improve performance and security. Advanced network engineering tools and security products—such as Extended Detection and Response (XDR)—operate on the management plane to adjust the network topography and configuration automatically.
For example, when a device's hardware resources (CPU, RAM, hard drive, and network interface) are nearing exhaustion or failing, or a device or application is behaving unexpectedly, alerts can be created for IT team members, and load balancers or failovers can automatically assign new resources such as VPS to maintain network performance.
Endpoint Telemetry Benefits
Data Loss Protection
Monitoring services such as those for email, file-sharing, and cloud APIs or employee workstations to detect anomalous behavior concerning data transfer that may indicate an attacker attempting to exfiltrate data.
Authentication and Authorization
Monitoring services for attempts to authenticate and access hosted resources to detect suspicious activity.
Monitoring an operating system for rogue processes and processes that may be spawned by the compromise of an application in a cyberattack.
System File Changes
Monitoring an operating system or application for any changes to critical system files or configuration settings.
Monitoring an endpoint for activity such as keyboard strokes and mouse movement, opening documents, or internet usage.
Telemetry for Cybersecurity
Telemetry data is applied to cybersecurity in several ways. Network engineers can use telemetry to observe network traffic in real-time to ensure all systems' availability and high performance. In more advanced cybersecurity scenarios, telemetry data can be used to respond to an IOC and respond.
For example, XDR solutions ingest telemetry from network endpoints and automatically react to a reported IOC by quarantining an endpoint and further protecting the rest of the network by using the IOC telemetry to adjust defenses across the network environment. This allows a defensive cybersecurity strategy beyond traditional virus scanning of incoming files for known signatures and allows for real-time monitoring of all systems for anomalous behavior. The result is a lower dwell time.
Endpoint telemetry helps security teams to enhance threat detection coverage and identify malicious activity earlier.