Telemetry series: Collection and Storage (SIEM)

Part two of the blog series on telemetry explores the data-gathering and storage aspects of collecting rich telemetry data. It also looks at the options available to organizations to meet their needs, offers some useful tips to consider when preparing to work with granular data, and shows how to turn that data into actionable tasks, such as informing device management workflows.

January 27 2023 by

Jesus Vigo


In the previous entry in this series, we discussed what telemetry is, why it’s important and how it works by allowing IT and Security teams to keep their finger on the pulse of endpoints within your infrastructure, especially when integrated with device management solutions to aid threat hunting and automate remediation workflows (more on automation in the next blog).

In this blog, we turn the topic toward telemetry collection and storage. Specifically, we scope how critical it is for organizations to obtain rich telemetry data and how it makes their security posture that much stronger by:

  • helping to meet their unique requirements, such as auditing their compliance goals
  • properly configuring endpoints to stream log data to centralized log management for in-depth analysis
  • aligning with best practices to make the best use of telemetry data and facilitate effective incident response workflows

Without further ado, let’s dive right in, shall we?

How telemetry data helps organizations meet their needs/requirements

Security is no easy task. Working within cybersecurity certainly poses its challenges – never-ending challenges that change dynamically – just as the needs and requirements of your organization evolve over time.

Exacerbating cybersecurity concerns are challenges that directly and indirectly affect an organization’s security posture and ability to mitigate threats and fend off various attacks. Some of these issues, like limited budget allocations or a lack of dedicated IT and Security staff, find organizations behind the eight ball as far as security is concerned.

But the ability to gather, store, analyze and leverage rich telemetry data gathered from endpoints is a powerful ally when it comes to hardening devices, shrinking the attack surface and ultimately limiting the risk that would otherwise lead to exploitation of threats and worse, full-on data breaches.

You may be asking yourself, “how can telemetry do all that?” Simply put, that’s the crux of what logging data combined with the information gleaned from actively monitoring your endpoints brings. It’s the vital health stats for each device in your organization. Relevant data bits provide answers to questions like:

  • What are a device’s patch levels?
  • Which actions were performed by the system?
  • When were processes executed?
  • Where was the device communicating from?
  • Why did the device, app or thread behave this way?
  • Who carried out a particular task or action?
  • How was this vulnerability able to be exploited?

So on and so forth, logging data records every instance of every action carried out on a device. Timestamps, user info and a plethora of metadata are essential to providing a snapshot of the device at any given time and place for each recorded occurrence.

By harnessing gathered data, organizations can better understand how effective (or ineffective) a project’s plan may be, or the efficacy of the security controls in place to mitigate certain threats, simply by reading the output generated by the sensors and analytics tied to that particular goal.

Setting your organization up for success

The great thing about telemetry, apart from the obvious insight and visibility into the devices on your network, is that when incorporated into best-of-breed solutions, the process of gathering, sorting and analyzing data becomes a vastly simpler task. Plus, manipulating telemetry data by exporting it to customized reports and other visual representations makes auditing needs against compliance requirements easy to read and understand.

Think of it like a car rated at forty miles per gallon (MPG) during highway driving. Your goal is to stick as close as possible to that number during a road trip because the closer you are to forty the fewer times you’ll need to stop for gas, in turn resulting in money saved by purchasing less fuel. But how can you verify your car is hitting the expected target number? You don’t just take the manufacturer’s word for it, you monitor your mileage against the total number of miles driven between fill-ups, dividing that by the total number of gallons your car can hold. That is your MPG calculation, and that number alone confirms whether your car was on target with manufacturer estimates.

Some of the integrations that extend telemetry data are:

Security Information and Event Management (SIEM)

For those that aren’t familiar with the term SIEM, it’s a service that operates either on-premises or in the cloud that provides centralized collection, storage, sorting and analysis and reporting of telemetry data gathered from just about any network-connected device. Think computers, mobile devices, networking appliances, servers and services, etc. – anything that generates logs that can have those logs streamed over to the SIEM for a greater, holistic view of your organization's environment and how each device lends itself to its overall security posture.

The alternative is manually checking each device within your infrastructure – tantamount to hundreds, thousands or potentially tens of thousands of logs – to find threat instances. Talk about finding the proverbial needle in a haystack. SIEMs whittle that all down to a central reporting location for admins to check. Furthermore, SIEMs are designed for this, so they naturally have advanced logic to filter out unnecessary entries, allowing you to focus on exactly what you’re looking for, whether that is indicators of compromised endpoints, credential reuse attacks, or verification that mission-critical data remains compliant because the devices that access it are configured properly and within policy requirements.

Mobile Device Management (MDM)

MDM solutions are known for, well, managing devices from a centralized console. Among their core strengths is the ability to deploy software, install configurations, manage device settings, and locate and track managed devices that have gone missing.

Beyond that, MDM solutions incorporating policy-based management can leverage telemetry data to dynamically group devices that meet (or do not meet) certain requirements to automate certain tasks. For example, in the case of endpoints that require OS-level patches, one of Jamf’s remediation workflows would work like this:

  1. Telemetry data is gathered by Jamf Protect, which is installed on each managed device, and centrally streamed to your preferred SIEM solution.
  2. The SIEM solution securely shares the collected data with Jamf Pro via the Application Programming Interface (API) in real time.
  3. On Jamf Pro, policies are configured to enforce up-to-date patching of macOS/iOS-based devices, comparing the current state of device records to the telemetry data.
    • Devices found to be up-to-date with patches are left as-is;
    • Devices found to be missing the necessary patches are dynamically added to a Smart Group.
  4. The policy-based management in Jamf Pro then executes the remediation workflow to update the affected devices, bringing them into compliance.
  5. Upon successful completion of the workflow, Jamf Pro rescans the device to update its record, and Jamf Protect continues to actively monitor and gather telemetry data on the device to verify its health status, ensuring compliance.
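As an added illustration of steps 3 and 4 above (example code written for this post, not Jamf Protect or Jamf Pro code), the snippet below takes constructed telemetry records, compares each device’s reported OS version against a policy minimum, and builds the “needs remediation” group. The record field names, the version numbers and the idea that records arrive from the SIEM via an API are all assumptions for the example.

```python
# Added example: dynamic patch-compliance grouping driven by telemetry.
# Field names and the records below are constructed for illustration;
# they are not Jamf Protect or Jamf Pro schema.
from typing import Iterable

# Minimum OS version each platform must report before a device counts as
# patched. Hypothetical policy values, not real release numbers.
REQUIRED_OS_VERSION = {
    "macOS": "13.2",
    "iOS": "16.3",
}

# Constructed telemetry records as they might arrive from the SIEM.
TELEMETRY = [
    {"device_id": "mac-001", "platform": "macOS", "os_version": "13.2"},
    {"device_id": "mac-002", "platform": "macOS", "os_version": "13.10"},
    {"device_id": "mac-003", "platform": "macOS", "os_version": "12.6.3"},
    {"device_id": "ipad-001", "platform": "iOS", "os_version": "16.3.1"},
    {"device_id": "ipad-002", "platform": "iOS", "os_version": "16.2"},
    {"device_id": "phone-9", "platform": "iOS"},  # no os_version reported
]


def version_key(version: str) -> tuple:
    """Compare versions numerically so that '13.10' is newer than '13.2'."""
    return tuple(int(part) for part in version.split("."))


def is_patched(record: dict, required: dict = REQUIRED_OS_VERSION) -> bool:
    """True only when the reported version meets the platform minimum."""
    platform = record.get("platform")
    reported = record.get("os_version")
    if platform not in required or not reported:
        # Unknown platform or missing telemetry: fail closed, treat as unpatched.
        return False
    return version_key(reported) >= version_key(required[platform])


def build_smart_group(records: Iterable[dict]) -> list:
    """Device IDs that need remediation (the Smart Group of step 3)."""
    return sorted(r["device_id"] for r in records if not is_patched(r))


def remediation_plan(records: Iterable[dict]) -> dict:
    """Map each out-of-date device to the version the policy requires (step 4)."""
    return {
        r["device_id"]: REQUIRED_OS_VERSION.get(r.get("platform"), "unknown")
        for r in records if not is_patched(r)
    }


if __name__ == "__main__":
    print(build_smart_group(TELEMETRY))  # ['ipad-002', 'mac-003', 'phone-9']
```

Note that a device with no reported version lands in the remediation group rather than being silently skipped, which is the safer default when telemetry is incomplete.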

Pro Tips for working smarter, not harder

Technology is largely considered a tool that should help users be more productive and succeed in the workplace. And while telemetry goes to great lengths to help administrators ensure managed endpoints, users and data remain secure, there are a few tips that further extend how we can leverage telemetry – regardless of whether you have dedicated IT and Security teams, outsource your IT/Security management infrastructure, or are simply a one-person team pulling double duty.

Use a cloud-based SIEM

As mentioned previously, SIEM solutions can exist on-premises or be hosted in the cloud. The latter is a far more effective solution than the former given its flexibility. Many organizations have chosen remote and hybrid work environments, with many more providing employee choice programs that support mobile devices. This means a majority of the endpoints accessing company resources could potentially be doing so remotely, from outside the relative safety of the network perimeter. This requires a SIEM solution that can always communicate with endpoints, regardless of where they connect from, making cloud-based SIEMs the best choice to centrally collect rich telemetry data. On top of that, the integration capabilities of cloud-based offerings make securely sharing that stored data with your preferred device management solution easy peasy.

Outsource a security team to help

Let’s say your organization doesn’t have a dedicated team of Security professionals at its disposal. This doesn’t mean you should skimp on securing your endpoints, right? Of course not! Perhaps a better solution to address the company’s unique needs is to work with a Managed Detection and Response (MDR) service.

This team of cybersecurity experts leverages telemetry data to provide active monitoring of your endpoints, networks and cloud-based environments 24/7, typically on a subscription model or for a set fee per month. They respond to incidents and remediate them as needed when an alert is triggered. Often, MDRs offer additional services, such as threat hunting to identify unknown threats that may be lurking on your endpoints waiting to perform a data breach.

Or outsource your entire security stack

Unlike MDR above which provides outsourced monitoring and management of the security devices your company uses, a Managed Security Service Provider (MSSP) takes the services provided by MDR and extends them further by adding managed network appliances, VPN, vulnerability scanning and endpoint security software in concert with 24/7 support.

By completely managing the end-to-end security space, organizations are free to focus on business operations while IT and Security operations are fully handled by the MSSP to keep endpoints, users and data secure while upholding the company’s security posture.
