As cybercrime evolves and organizations migrate to the digital realm, there’s been an ongoing race among businesses to evade bad actors, stay ahead of emerging threats, and mature their security posture. While tools are a critical component of these proactive and reactive defenses, tools alone are not enough, especially when it comes to telemetry.
As a managed service provider (MSP), if you don’t understand the telemetry your tools are providing for your customers, or worse yet, if there’s a gap in that visibility, far-off threats can turn into immediate incidents. In addition to gathering data from specific sources, MSPs need to be able to read, interpret, and act on that information to ensure their customers maintain a strong security posture.
Understanding telemetry, and how to implement better visibility is the core of “Seeing is Securing: The Case for Holistic Visibility,” but before we dive too deep into the data, we need to understand what telemetry is.
What is Telemetry
Telemetry, broadly, is the wireless measurement and transmission of data from one source to another, often a central source. This measurement and transmission can occur internally or remotely. In the world of IT, telemetry is used constantly to measure activity within a system or network environment. For example, this telemetry could be text logs of who is accessing a specific application, an unusual slowdown in performance for a specific part of the system, a decrease in quality, or even sudden traffic changes within a network.
There are multiple kinds of telemetry data, but most fall into four categories: logs, actions, metrics, and traces. These four categories cover specific data from user logins to CPU performance to timestamped text records to even unusual user behavior or errors.
How specific telemetry data is measured depends on the source and the organization’s needs, and every organization will have different parameters for different telemetry sources. Understanding what should be measured, and how, is critical to making sure telemetry is not only being employed properly but that the data analyzed is the correct data. Mismeasurement is where gaps appear and where threats can go undetected.
Telemetry is utilized not only for measurement, but for action. This data, and visibility, is vital for an MSP when responding to incidents — from understanding where an incident originated to seeing where movement has been made within a network — and influences proactive cybersecurity decisions including vulnerability management and security environment upgrades or changes.
Types of Telemetry Monitoring
Many parts of an IT environment can be monitored using telemetry, and doing so holistically is by far the best approach to create broad visibility, especially when delivering security as a managed service.
For strong security posture it’s recommended that the following seven areas of the network environment are monitored:
- Endpoints
- IaaS
- SaaS
- Firewall
- Network
- Identity
- Risks
However, understanding how these seven parts are monitored is more complicated than identifying them. While the specifics of how each source is monitored can vary by use case (for example certain logins to a specific application during a narrow time frame), but all fall into two categories: observability and monitoring.
While the two terms sound interchangeable, there are key differences. Observability delves into the field of assessing data. It’s simply the ability to assess a state based on specific data. This can be achieved through rule-based systems, machine learning, or humans.
Monitoring makes observability possible. It’s the collection of all of that data from given sources. You monitor, then observe, then take action. Both objectives work together to create a full picture of an IT environment and create full visibility.
If you aren’t monitoring the right sources for the right actions, you can’t know there’s an issue in a certain area, and if you aren’t assessing the data that’s being monitored, you could also miss the same issue. When thinking about it through an investigatory lens, monitoring is the who and what, and observability is the why.
The best telemetry tools offer both monitoring and observability while providing end-to-end visibility, allowing MSPs to customize what is monitored, what is observed, and develop strategies that fuel their security goals.
How Telemetry Can Transform Your Cybersecurity Services
You can’t protect what you can’t see, and that’s why telemetry is a critical pillar of your security practice. Every aspect of telemetry has benefits and challenges. For example, endpoints are a major part of the security environment, but every tool defines endpoint differently. This fact reinforces that a single source of telemetry will never be sufficient, as every source could lead to an incident.
Having complete visibility not only allows for better detection and response if an incident occurs but can help managed service providers by reducing impacts to service delivery teams chasing down alerts that turn out to be false positives in the end.
The Arctic Wolf Security Operations Cloud, along with the Arctic Wolf Data Exploration module, is built upon that idea, utilizing machine learning and the Concierge Security Model to collect telemetry from endpoint, network, and cloud services, including, but not limited to, Office 365, Microsoft Azure, Sentinel One, Webroot, Duo Mimecast, and more.
Explore telemetry in-depth with “Seeing is Securing: The Case for Holistic Visibility.”
Guest blog courtesy of Arctic Wolf. Read more Arctic Wolf guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.
