Jamf Blog
Multiple trains queued up for departure.
February 13, 2023 by Jesus Vigo

Telemetry series: Full automation and correlation

Part three of the blog series on telemetry goes to the next level, specifying what administrators can do with the granular data collected from endpoints within their infrastructure. Particularly how this data is useful when detecting suspicious and unknown threats that may lurk undetected, as well as how pairing telemetry data with security solutions can enhance efficiency and your security posture through automation.

In the previous entry in this series, we expanded on telemetry data gathering and storage aspects. We also discussed the options available to organizations that help them meet their needs, including tips on working with rich telemetry data to get the most out of your management workflows.

New to compliance management?

Discover the in's and out's of implementing a comprehensive compliance management program to maximize your information security strategy with Jamf's Compliance Management for Beginners eBook. Download your free copy today to get started increasing the efficacy of your endpoint security solutions to ensure a strong, security posture.

In this blog, we endcap the series by detailing how telemetry data collection can be used by Security teams to aid their efforts when hunting for threats that may be lurking within their devices – without alerting endpoint security to the presence of bad actors within your organization. We also dive into the various ways telemetry data can be leveraged via automation, by:

  • detecting and being alerted to threats in real-time
  • converting alerts into actionable response tasks
  • executing remediation workflows to mitigate risk

Turning the hunter into the prey

Not every organization has a dedicated threat-hunting team. Depending on the size of your organization and its unique needs, this scenario may or may not seem applicable to you, but with the increase in cybersecurity threats and advancements in endpoint security solutions, choosing a solution that leverages machine learning (ML) technology like MI:RIAM can help even the smallest of IT departments find and eliminate novel threats from their devices before they can evolve into an attack or data breach.

While the path of threat hunting is far from linear, the approach to the skill is fairly straightforward: to find active or persistent threats lurking within your organization. Seasoned analysts working as part of a dedicated security team, like Jamf Threat Labs, pair data scientists and security professionals from all backgrounds to successfully hunt down threats and mitigate risk on a routine basis.

But what about smaller businesses or those with lean business operations? Are they left out in the cold? Absolutely not! The fact is that implementing your own threat-hunting team – regardless of size – will benefit your organization immensely. And what’s the secret sauce used by threat hunters to identify unknown threats? Rich telemetry data.

By already collecting telemetry data, analyzing it and using it to drive actionable tasks in the service of managing your endpoints, administrators are already performing many of the tasks necessary when actively hunting for threats.

Granted, significantly more goes into threat hunting than that, but with increased experience in working with and reviewing telemetry data for anomalies and other suspicious behaviors, administrators will have an easier time triaging alerts. This becomes especially useful in determining the appropriate next steps, such as whether a false positive is yielded or a true positive detects a risky app as a risk to data security.

Automation

Let’s face it, most individuals wouldn’t choose to work hard when a simpler, less vexing alternative exists, no? Of course not! And we’re not referring to laziness but rather about being more efficient. After all, as with anything technology-driven, the focus is almost always to work smarter, not harder.

Enter automation. The saving grace of IT and Security professionals the world over. The ability to do more with less, or output more while inputting less is not a new concept in IT by a long shot, but one that is increasingly relied upon to help admins focus less on the tedious, repetitive management tasks performed countless times a day; instead allowing them to focus more on better processes and workflows to help all stakeholders.

Well, telemetry data can and does have something to do with automating various tasks and workflows that help IT and Security teams perform their roles with aplomb while cutting down on some of the more manually intensive tasks.

Notifications

Let’s say for example you’re an IT administrator and are responsible for managing one hundred mobile devices across multiple regions. Now, each mobile device equals one user, and one evening after work hours, you receive a call from a worried employee that something’s not quite right with their device. This is followed by another and then another, quickly building into a steady volley of phone calls, texts and emails from concerned users.

Something is clearly going on, but what, you ask? And with this many calls coming through (and more on the way), where do you start?

  1. You could go device by device, reviewing the logs individually to identify the unique issue(s) affecting that single device, but that could take a long time and meanwhile, the other issues aren’t getting resolved.
  2. A review of your SIEM solution will help cut down on the review time and help identify the problem(s) faster, but it will require you to still perform somewhat manual processes to isolate and prioritize issues before they can be resolved.
  3. By checking the notifications on your console’s dashboard, you get an itemized readout of each alert, pre-sorted and prioritized as well as grouped together by risk, allowing you to move onto the next step in verifying and then remediating the issue(s).

Each option above features the next step in the triage scenario, with the level of automation increasing in descending order.

Another benefit to securely sharing telemetry with your endpoint security solutions is that, if configured appropriately, as telemetry data is gathered and processed in accordance with implemented policies, alerts are sent to administrators to notify them in real time of the issue being detected.

Whether it’s coming through as an SMS text message with little more than a classification rating and timestamp, an in-depth email message that comprehensively explains the issue found, alongside a timestamp, risk tolerance, priority level and a link detailing the steps necessary to remediate – or something in between – the availability of the information needed to take corrective action is provided front and center to administrators as it occurs. This allows them to immediately take action to mitigate the risk and prevent the issue from growing into a full-blown incident.

Incident Response

So you’ve received an alert and it says that an issue has been identified with low severity but it affects several endpoints. You could certainly reach out to each user to further triage the issue – and perhaps in certain instances like one-off cases, it would make the best sense to do just that.

But when needing to triage multiple devices, it makes for far more efficient use of your time to find commonalities between endpoints, itemizing the problems and sorting them by greatest severity in order to target those first, then make your way down the list.

If only there was a way for that type of organization to be enabled…oh wait, there is! As part of the incident response workflow, your endpoint security solution and the telemetry data it gathers is a critical part of addressing the problem, but not the only one. When aligned with information security frameworks, telemetry data can be mapped to known issues, like threats and vulnerabilities which shine a brighter light on the severity of the incident.

Armed with this knowledge, response team members have a greater understanding of which issues pose the greatest threats to data security and the organization's overall security posture. For example, a single endpoint flagged with a vulnerability classified as “high” would normally take precedence over a “low” classification. However, if that single instance high-severity endpoint belongs to a smartphone that requires an app update compared to several low-severity instances related to endpoints that have been infected with a trojan, it may be wise to leverage automation to quarantine the latter, allowing responders to focus instead on the former, providing an incident response to both without running the risk of permitting the low-value targets to potentially continue infecting other endpoints.

Remediation

Continuing with the example above, let’s consider an alternative scenario. Instead of manually triaging the high-severity target, we instead rely on telemetry data and policy-based management to create a workflow that automatically determines the current patch level of the affected endpoint and triggers a remediation workflow that effectively mitigates the risk by performing the update to the app, remediating the incident and closing out the issue altogether without impacting the security team members or user productivity.

This type of automated remediation is made possible through integration and that can only occur when telemetry data is shared over a secure medium, like an API, between your endpoint security solution and mobile device management solution.

By sharing granular telemetry data in real-time between solutions, as endpoints are queried for device health data, this information is transmitted back to the console (and SIEM solution, if enabled) for central processing and storage. When integration is enabled between solutions, any changes to endpoint health are shared again in real-time, where policies configured within the MDM are triggered.

The trigger, in this case, is endpoint health-related which has caused the device to fall out of compliance. The result? An automated response executes the necessary workflow that remediates the incident in question. Think of workflows that can remove potentially unwanted applications, perform app and/or operating system updates or block actions that may be linked to risky behavior, such as data exfiltration or attempts by ransomware to communicate with command and control servers (C2) before maliciously encrypting data.

Each incident being remediated automatically prevents the identified risk from further affecting the endpoint – all upon initially being detected through the collection and analysis of telemetry data.

Do you know what risk factors affect your Mac endpoints?

Jamf Protect’s telemetry data does, as well as how to mitigate it for you.

Photo of Jesus Vigo
Jesus Vigo
Jamf
Jesus Vigo, Sr. Copywriter, Security.
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.