Telemetry for Cybersecurity

What Is Telemetry?

Modern corporate enterprise and data center network topologies are complex. They include many different devices (routers, switches, local and cloud servers, hypervisors, firewalls and other security appliances, workstations, etc.), use various transmission media such as Ethernet, fiber optics, and Wi-Fi, and host a wide range of applications that are critical to business operations. These digital environments need comprehensive reporting solutions that give administrators both broad and granular visibility into network activity.

Telemetry is data collected from a network environment that can be analyzed to monitor the health, performance, availability, and security of the network and its components, allowing network administrators to respond quickly and resolve network issues in real time. Telemetry data contributes to maintaining a highly available, optimized, and resilient network. Advanced telemetry analysis can also employ artificial intelligence and machine learning to provide actionable, event-driven data about network operations and to detect anomalous network activity and indicators of potentially malicious behavior.

Telemetry Components

To facilitate the collection and analysis of telemetry data, devices must be configured with software that forwards relevant metrics to a centralized system, where they are ingested into an analytics engine, processed, and made available to IT team members via an analytics dashboard. Network telemetry focuses on the performance of a network and all of its critical appliances; endpoint telemetry focuses on reporting the activity happening on individual endpoints.

To gain a high-level understanding of network telemetry, the functionality of a computer network can be modeled as three theoretical "planes." These three planes are:

Data Plane: Forwards packets/frames from one interface to another. If data flow is analogous to highway traffic, the data plane is the roads and the communications are the vehicles.

Control Plane: Operationalizes the rules for determining which paths data takes between devices, such as a router or switch's routing protocols. In the traffic analogy, the control plane can be compared to traffic lights and signs.

Management Plane: Controls and monitors devices. The management plane can be compared to a combination of a navigational app with real-time traffic data and a city planner who adjusts traffic lights and signs to optimize traffic flow.

Telemetry from the data and control planes can be used to make informed changes to network architecture or configuration to improve performance and security. Advanced network engineering tools and security products—such as Extended Detection and Response (XDR)—operate on the management plane to adjust the network topology and configuration automatically.

For example, when a device's hardware resources (CPU, RAM, hard drive, and network interface) are nearing exhaustion or failing, or a device or application is behaving unexpectedly, alerts can be raised for IT team members, and load balancers or failover mechanisms can automatically assign new resources, such as a virtual private server (VPS), to maintain network performance.

Endpoint Telemetry

Endpoint telemetry includes information from operating systems, services, and applications on each endpoint. Endpoint telemetry is used to monitor individual systems and applications to identify system failure caused by normal operational conditions and malicious activity caused by malware. The components of endpoint telemetry are highly flexible and depend on the service provided by the endpoint being monitored. An agent on each endpoint will relay relevant data to the centralized repository so it can be analyzed for indicators of compromise (IOCs) or other activity.

Endpoint Telemetry Benefits

Data Loss Protection

Monitoring services such as email, file sharing, and cloud APIs, or employee workstations, to detect anomalous data-transfer behavior that may indicate an attacker attempting to exfiltrate data.

Authentication and Authorization

Monitoring services for attempts to authenticate and access hosted resources to detect suspicious activity.

System Processes

Monitoring an operating system for rogue processes and processes that may be spawned by the compromise of an application in a cyberattack.

System File Changes

Monitoring an operating system or application for any changes to critical system files or configuration settings.

User Behavior

Monitoring an endpoint for activity such as keyboard strokes and mouse movement, opening documents, or internet usage.
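The four monitoring categories above (authentication, system processes, system file changes, data loss) become concrete once the relayed events reach the central repository and an analytics pass runs over them. The following is an added example, not code from the original page or from any BlackBerry product: a single-pass detector over constructed sample endpoint events. The event field names, thresholds, path list and internal address ranges are assumptions chosen for the illustration, not the schema of any real agent.

```python
"""Added example, not part of the original page: a minimal analytics pass that
runs the endpoint-telemetry checks listed above over constructed sample events.
Event field names, thresholds and path lists are assumptions for illustration,
not the schema of any real agent."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample events, in the shape an endpoint agent might relay them to a central store.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 100, "host": "ws-17", "type": "auth", "user": "alice", "result": "fail", "src": "10.0.5.8"},
    {"ts": 101, "host": "ws-17", "type": "auth", "user": "alice", "result": "fail", "src": "10.0.5.8"},
    {"ts": 102, "host": "ws-17", "type": "auth", "user": "alice", "result": "fail", "src": "10.0.5.8"},
    {"ts": 103, "host": "ws-17", "type": "auth", "user": "alice", "result": "fail", "src": "10.0.5.8"},
    {"ts": 104, "host": "ws-17", "type": "auth", "user": "alice", "result": "fail", "src": "10.0.5.8"},
    {"ts": 105, "host": "ws-17", "type": "auth", "user": "alice", "result": "success", "src": "10.0.5.8"},
    {"ts": 110, "host": "ws-02", "type": "auth", "user": "bob", "result": "success", "src": "10.0.5.9"},
    {"ts": 120, "host": "ws-17", "type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": 121, "host": "ws-02", "type": "process", "parent": "explorer.exe", "image": "notepad.exe"},
    {"ts": 130, "host": "srv-db", "type": "file", "path": "/etc/sudoers", "action": "modify"},
    {"ts": 131, "host": "ws-02", "type": "file", "path": "/home/bob/notes.txt", "action": "modify"},
    {"ts": 140, "host": "ws-17", "type": "netflow", "dst": "203.0.113.10", "bytes_out": 30 * 2**20},
    {"ts": 141, "host": "ws-17", "type": "netflow", "dst": "203.0.113.10", "bytes_out": 30 * 2**20},
    {"ts": 142, "host": "ws-02", "type": "netflow", "dst": "10.0.9.4", "bytes_out": 500 * 2**20},
]

# Detection policy (assumed values chosen for the sample; tune per environment).
AUTH_FAIL_THRESHOLD = 5
CRITICAL_PATHS = {"/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/ssh/sshd_config"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
EXFIL_BYTES_THRESHOLD = 50 * 2**20
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    host: str
    category: str
    detail: str


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Single pass over time-ordered events; each stateful check fires once per key."""
    alerts: List[Alert] = []
    fails: Dict[Tuple[str, str], int] = defaultdict(int)   # (host, user) -> failed logons
    egress: Dict[Tuple[str, str], int] = defaultdict(int)  # (host, dst)  -> cumulative bytes out

    for e in events:
        kind = e["type"]
        if kind == "auth":
            # Authentication and Authorization: repeated failures for one account on one host.
            key = (e["host"], e["user"])
            if e["result"] == "fail":
                fails[key] += 1
                if fails[key] == AUTH_FAIL_THRESHOLD:
                    alerts.append(Alert(e["host"], "authentication",
                                        f"{AUTH_FAIL_THRESHOLD} failed logons for {e['user']} from {e['src']}"))
        elif kind == "process":
            # System Processes: a document-handling application spawning a command shell.
            if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SHELLS:
                alerts.append(Alert(e["host"], "process", f"{e['parent']} spawned {e['image']}"))
        elif kind == "file":
            # System File Changes: writes to configuration the endpoint should rarely touch.
            if e["path"] in CRITICAL_PATHS and e["action"] in {"modify", "delete"}:
                alerts.append(Alert(e["host"], "file_change", f"{e['action']} {e['path']}"))
        elif kind == "netflow":
            # Data Loss Protection: cumulative bytes to one external destination crossing a threshold.
            if not is_internal(e["dst"]):
                key = (e["host"], e["dst"])
                before = egress[key]
                egress[key] += e["bytes_out"]
                if before <= EXFIL_BYTES_THRESHOLD < egress[key]:
                    alerts.append(Alert(e["host"], "data_loss", f"{egress[key]} bytes sent to {e['dst']}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.category}] {a.host}: {a.detail}")
```

Two design points worth noting: the data-loss check aggregates bytes per destination rather than judging each flow on its own, so a transfer split into many small connections still crosses the threshold; and every stateful check fires exactly once when the threshold is crossed, which keeps a noisy endpoint from flooding the dashboard with duplicate alerts.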

Telemetry for Cybersecurity

Telemetry data is applied to cybersecurity in several ways. Network engineers can use telemetry to observe network traffic in real time to ensure the availability and high performance of all systems. In more advanced cybersecurity scenarios, telemetry data can be used to detect an indicator of compromise (IOC) and respond to it.

For example, XDR solutions ingest telemetry from network endpoints and automatically react to a reported IOC by quarantining the affected endpoint and using the IOC telemetry to adjust defenses across the rest of the network environment. This enables a defensive strategy that goes beyond traditional scanning of incoming files for known virus signatures and allows real-time monitoring of all systems for anomalous behavior. The result is a lower dwell time.
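The response loop described above has three steps: isolate the endpoint that reported the IOC, push the IOC into a shared blocklist, and re-evaluate telemetry already collected from every other endpoint against it. The following is an added example, not code from the original page or from any XDR product: a toy controller that performs those steps over constructed telemetry. The event schema, the action names, the IOC values (a placeholder hash and a domain under the reserved `.invalid` TLD) and the host names are all constructed for the illustration.

```python
"""Added example, not part of the original page: a toy XDR-style response loop.
An endpoint reports an IOC; the controller isolates that endpoint, adds the IOC
to a shared blocklist, and hunts the telemetry already collected from other
endpoints for the same IOC. Event schema, IOC values and action names are
constructed for illustration and correspond to no real product or indicator."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed IOC values (placeholders, not real indicators).
EVIL_SHA256 = "deadbeef" * 8
C2_DOMAIN = "c2.example.invalid"

# Constructed telemetry. Note that ws-05 and ws-09 touched the IOCs *before* ws-17's
# agent produced a verdict; only the retro-hunt catches them.
TELEMETRY: List[Dict] = [
    {"ts": 10, "host": "ws-02", "type": "dns", "query": "updates.example.com"},
    {"ts": 11, "host": "ws-05", "type": "process", "image": "svchost.exe", "sha256": "00" * 32},
    {"ts": 12, "host": "ws-05", "type": "dns", "query": C2_DOMAIN},
    {"ts": 13, "host": "ws-09", "type": "process", "image": "update.exe", "sha256": EVIL_SHA256},
    {"ts": 20, "host": "ws-17", "type": "detection", "sha256": EVIL_SHA256, "domain": C2_DOMAIN},
    {"ts": 21, "host": "ws-02", "type": "process", "image": "notepad.exe", "sha256": "11" * 32},
]


@dataclass(frozen=True)
class Action:
    ts: int
    host: str      # endpoint acted on, or "*" for a network-wide defense change
    kind: str      # "isolate" | "block_hash" | "block_domain"
    detail: str


@dataclass
class Controller:
    blocked_hashes: Set[str] = field(default_factory=set)
    blocked_domains: Set[str] = field(default_factory=set)
    isolated: Set[str] = field(default_factory=set)
    actions: List[Action] = field(default_factory=list)
    store: List[Dict] = field(default_factory=list)  # everything ingested so far

    def isolate(self, ts: int, host: str, why: str) -> None:
        """Network-isolate an endpoint once; repeated matches do not duplicate the action."""
        if host not in self.isolated:
            self.isolated.add(host)
            self.actions.append(Action(ts, host, "isolate", why))

    def _check(self, e: Dict, now: int) -> bool:
        """Match one telemetry event against the current blocklist; isolate on a hit."""
        if e["type"] == "process" and e.get("sha256") in self.blocked_hashes:
            self.isolate(now, e["host"], f"ran binary with blocked hash {e['sha256'][:12]}...")
            return True
        if e["type"] == "dns" and e.get("query") in self.blocked_domains:
            self.isolate(now, e["host"], f"resolved blocked domain {e['query']}")
            return True
        return False

    def ingest(self, e: Dict) -> None:
        self.store.append(e)
        if e["type"] != "detection":
            self._check(e, e["ts"])
            return
        # Step 1: contain the endpoint whose agent reported the IOC.
        self.isolate(e["ts"], e["host"], "agent reported IOC")
        # Step 2: turn the IOC into a network-wide defense (shared blocklist).
        self.blocked_hashes.add(e["sha256"])
        self.actions.append(Action(e["ts"], "*", "block_hash", e["sha256"][:12] + "..."))
        self.blocked_domains.add(e["domain"])
        self.actions.append(Action(e["ts"], "*", "block_domain", e["domain"]))
        # Step 3: retro-hunt everything already collected against the new IOCs.
        for past in self.store:
            self._check(past, e["ts"])


def run(events: Iterable[Dict]) -> Controller:
    """Replay events in time order and return the controller's final state."""
    c = Controller()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        c.ingest(e)
    return c


if __name__ == "__main__":
    for a in run(TELEMETRY).actions:
        print(f"t={a.ts} {a.kind:<13} {a.host:<6} {a.detail}")
```

The retro-hunt in step 3 is what shortens dwell time in practice: without it, the endpoints that touched the indicator before the first verdict existed would stay undiscovered until they generated a fresh event of their own.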

Endpoint telemetry helps security teams to enhance threat detection coverage and identify malicious activity earlier.

As a human-centric subscription-based 24x7x365 Managed Detection and Response service, CylanceGUARD® provides the expertise and support that CISOs need. CylanceGUARD combines the deep expertise embodied by BlackBerry Cybersecurity Services with AI-based Endpoint Protection through CylanceENDPOINT. In short, CylanceGUARD provides businesses with the people and technology needed to protect the enterprise from the modern threat landscape.