While not among the more exciting topics in the IT and infosec world, there are arguably few topics as significant to determining device health and, to a greater extent, to securing your endpoints as telemetry.
This blog series highlights the various needs, uses and functionality that this unsung hero makes possible through telemetry data. Future articles in this series will focus more closely on its:
- Collection and storage
- Automated alerting and reporting
- Full automation and correlation
What is telemetry?
Think of every authenticated login, executed command, running process, and so on. In a nutshell, most changes that occur on a device are recorded in logs detailing:
- The actions performed
- Programs affected
- Diagnostic information
- System services utilized
- Date and time stamps
along with other useful data. Together, these records provide a window into your Mac endpoint for determining its current health and security vital statistics, which speak directly to the operational, functional, technical and security status of the apps and data on your Mac.
Why is telemetry critical?
To illustrate the importance of telemetry data, it might be easier to look at it the way we look at our own vital statistics. For example, we visit the doctor, and they draw a vial of blood, which is processed to determine whether any health-related issues are present. Indicators such as certain forms of disease, or a deficiency or build-up of vitamins and minerals, signal that something may be off in our bodies and that medical action may be necessary to correct it before it leads to something far more troubling.
The same can be said for telemetry data, except that it refers to the overall health of your Mac fleet. It is the culmination of data gathered from various sources and subsystems within the Mac that paints a picture of how healthy your endpoints are and, based on that, informs which remediation workflows should be run to correct the issue(s) identified, in order to:
- Mitigate risk
- Keep data secured
- Uphold user privacy
- Maintain compliance
"If you cannot measure it, you cannot improve it." - Lord Kelvin
How does telemetry work?
Armed with the “what” and “why”, we now tackle how telemetry works by providing some scenarios in which collection and analysis of granular telemetry data are imperative to:
- identifying security threats
- resolving security incidents
- complying with regulations
whether those are threats that your organization may be the target of or regulations pertaining to the industry your organization belongs to, which makes it subject to governmental oversight.
Threat defense and investigation
As mentioned prior, device health information provides IT and Security teams with the details necessary to best defend their endpoints, as telemetry data provides granular insight into what parts of the system require remediation. This could be something as simple as an app that is not up-to-date or something more significant, such as a critical macOS security update that patches a vulnerability with a high severity rating.
Without this rich telemetry data available, administrators would not have the visibility into their fleet to remediate such a threat proactively. This leaves affected devices unprotected and at risk of exploitation from bad actors, and potentially worse.
Similarly, let’s assume that the unpatched vulnerability from the example above was exploited, leaving the device compromised. The user may report something odd happening with their Mac, but administrators will be hard-pressed to understand exactly what is happening and why. These are two critical pieces of information required when triaging an issue to determine the next steps.
This is another watershed moment for telemetry data because, with it, administrators have the answers to those questions and are able to trace how the exploit came to pass, through to where the system currently stands. With this data in hand, remediation workflows can be executed to purge the threat, remediate the vulnerability and restore functionality to the user’s Mac – mitigating the threat – and saving time in the process, which is a crucial commodity during any attack.
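Tracing "how the exploit came to pass" from telemetry usually means walking process-ancestry links backwards from the process the user noticed. The following is an added example (not Jamf Protect code; the record fields and the sample events are constructed assumptions) that rebuilds that chain from exec telemetry and flags where the executing user changed along the way:

```python
import datetime as dt

# Constructed sample telemetry for two Macs (not Jamf Protect's real schema).
# Each record mirrors the fields the post lists: time, action, program, user.
EVENTS = [
    {"ts": "2023-05-01T09:00:01Z", "type": "auth", "host": "mac-42", "user": "jdoe", "pid": 0, "ppid": 0, "exe": "loginwindow"},
    {"ts": "2023-05-01T09:02:10Z", "type": "exec", "host": "mac-42", "user": "jdoe", "pid": 501, "ppid": 1, "exe": "/Applications/Mail.app/Contents/MacOS/Mail"},
    {"ts": "2023-05-01T09:05:44Z", "type": "exec", "host": "mac-42", "user": "jdoe", "pid": 512, "ppid": 501, "exe": "/usr/bin/open"},
    {"ts": "2023-05-01T09:05:45Z", "type": "exec", "host": "mac-42", "user": "jdoe", "pid": 513, "ppid": 512, "exe": "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer"},
    {"ts": "2023-05-01T09:06:02Z", "type": "exec", "host": "mac-42", "user": "root", "pid": 520, "ppid": 513, "exe": "/bin/sh"},
    {"ts": "2023-05-01T09:06:03Z", "type": "exec", "host": "mac-42", "user": "root", "pid": 521, "ppid": 520, "exe": "/usr/bin/curl"},
    {"ts": "2023-05-01T09:06:09Z", "type": "exec", "host": "mac-42", "user": "root", "pid": 523, "ppid": 520, "exe": "/Library/PrivilegedHelperTools/updater"},
    {"ts": "2023-05-01T09:03:00Z", "type": "exec", "host": "mac-17", "user": "asmith", "pid": 700, "ppid": 1, "exe": "/usr/bin/curl"},
]


def trace_ancestry(events, host, pid):
    """Follow ppid links from `pid` on `host` back to the earliest parent
    present in telemetry; returns the exec events root-first."""
    by_pid = {(e["host"], e["pid"]): e for e in events if e["type"] == "exec"}
    chain, seen, cur = [], set(), (host, pid)
    while cur in by_pid and cur not in seen:   # `seen` guards against pid-reuse loops
        seen.add(cur)
        chain.append(by_pid[cur])
        cur = (host, by_pid[cur]["ppid"])
    return chain[::-1]


def privilege_boundaries(chain):
    """Programs at which the executing user changed between parent and child,
    e.g. a user-launched installer spawning a root shell."""
    return [c["exe"] for p, c in zip(chain, chain[1:]) if p["user"] != c["user"]]


def timeline(events, host, pid):
    """Human-readable, time-ordered chain for an incident report."""
    chain = trace_ancestry(events, host, pid)
    chain.sort(key=lambda e: dt.datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return [f'{e["ts"]} {e["user"]:>6} pid={e["pid"]:<4} {e["exe"]}' for e in chain]


if __name__ == "__main__":
    print("\n".join(timeline(EVENTS, "mac-42", 523)))
    print("user boundary crossed at:", privilege_boundaries(trace_ancestry(EVENTS, "mac-42", 523)))
```

The chain stops at the oldest parent the telemetry retained, so retention depth directly limits how far back an investigation can reach.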
Earlier we touched upon compliance, more specifically governmental oversight of highly regulated industries. Examples of these are healthcare, fintech and education. Depending on where your company is located, certain local, state, federal and/or regional laws may apply. Furthermore, the countries your organization does business with may also make it subject to regulatory requirements in those regions; GDPR and its user privacy protections, for instance, are legally enforceable for any organization collecting personally identifiable information (PII) from European citizens – regardless of whether your organization has a physical presence in Europe.
In fact, many government security policies surrounding regulatory oversight mandate telemetry to prove that organizations are actively taking steps to comply with regulations. The general guidance being: If you can’t verify that your data was protected – then it wasn’t.
Make no mistake, telemetry data alone does not equal compliance. Rather, if your organization has implemented the proper controls and policies to secure regulated data types, alongside the requisite checks and balances to maintain compliance, then the rich telemetry data will reflect this when gathered and can be used to verify compliance with regulators during audits.
With growing security threats and increased risk, it’s no surprise that cybersecurity insurance is a popular option among organizations that are choosing risk deferment as part of their security strategy. That said, recent concerns over tightened policies from insurers “based in part on the frequency, severity, and cost of cyber attacks”, according to CNBC, means that it may become more difficult for organizations to obtain cyber insurance or limitations of coverage may require organizations to face added scrutiny during the underwriting process.
The latter indicates a possible shift in which insurers require verification that risk mitigation strategies are in place and actively maintained in order for coverage to be obtained and/or kept. This is not dissimilar to insurance in other sectors; auto and home policies, for example, contain provisions requiring owners to exercise due diligence in maintaining their cars and homes, and failing to do so can render the coverage null and void. Telemetry, in this case, verifies such due diligence on behalf of the organization, providing proof that the necessary security controls and policies are in place in accordance with insurance requirements.
Taking it one step further, say your organization has cyber insurance and unfortunately becomes a victim of a cyberattack. You may be thinking, how can telemetry help you then when the damage is done?
Well, telemetry data is still critical for internal and criminal investigations, as mentioned previously. It also plays an essential role when gathering evidence for a cyber insurance claim to determine what happened, how it occurred and, potentially, who the bad actors are, especially given growing awareness of insider threats and how devastating those types of attacks can be. Lastly, telemetry data helps digital forensics professionals glean details important to the investigation from seemingly insignificant data artifacts.
Jamf Protect is telemetry (and much more)
Jamf Protect is endpoint security that is purpose-built for Mac. You know that.
But did you know that the deep visibility that it provides into your Mac fleet is supported and informed directly from the telemetry data that it actively collects from each managed endpoint?
That’s right! As Jamf Protect constantly monitors Mac endpoints for threats, this and all activity generates entries in the log data (telemetry). This is sent via the Jamf Protect agent to the cloud-based console, or your preferred Security Information and Event Management (SIEM) solution (more on this in the second blog in this series).
Upon receiving this data, IT and Security professionals can leverage it to proactively monitor for and detect unknown threats on macOS computers in their environments. And with the release of agent version 22.214.171.1247, new functionality for Protect Telemetry and Protect Offline Deployment mode is made available.
The former has been discussed throughout this blog and will continue to be covered in future installments in this series, while the latter incorporates much of the data stream feature set from Jamf’s previous acquisition, Compliance Reporter, which is available to all Jamf Protect customers!
Do you know where your Mac endpoints are?
Jamf Protect’s telemetry data does, as well as what they’ve been up to.