What is Security Telemetry?

Table of Contents

Security telemetry consists of the IT-environment-generated data that IT and security operations center (SOC) teams use to monitor for, detect, investigate, and respond to incidents. Some examples of security data sources include: 

  • Network connections and traffic, including data from firewalls and servers 
  • User activity, including data from Identity and Access Management (IAM) tools 
  • Database access, including data from cloud-based and on-premises resources 
  • Endpoint activity, including data from workstations, Internet of Things (IoT) devices, and endpoint detection and response (EDR) tools 
  • Application activity, including data from web application firewalls (WAF) 
  • Vulnerability scanners 

Typically, organizations forward this telemetry data to a security information and event management (SIEM) tool that cybersecurity teams use to build alerts that detect malicious activity and perform investigations.  

Why is telemetry important? 

Telemetry is technical raw data, often scattered like the 1000 pieces in a puzzle box. When disaggregated, the individual data points make no sense. When aggregated and correlated, they can give a comprehensive picture of the organization’s security program and of the organization’s overall activity, which may include security risks and threats. Aggregating, correlating, and analyzing this data enables operations, security, and compliance teams to: 

  • Define normal behavior 
  • Build high-fidelity alerts 
  • Detect abnormal activity 
  • Investigate root cause 

For example, security teams may: 

  1. Define typical business hours for each employee based on network traffic 
  2. Build alerts for when high volumes of network traffic occur outside of normal business hours 
  3. Detect a device accessing sensitive data outside of normal business hours 
  4. Trace that device to a user with credentials compromised during a data breach 

Meanwhile, an operations team may: 

  1. Define acceptable incoming network traffic to prevent backend servers from becoming overwhelmed 
  2. Build alerts for when incoming traffic exceeds the acceptable tolerance level 
  3. Detect potential bottlenecks that impact end-user access 
  4. Trace the network traffic to the overloaded server and redirect it to available servers 

What are the types of telemetry data? 

Several types of telemetry data provide insights, especially when organizations apply analytics models to the raw data.  

Four primary data types are: 

  • Metrics: aggregated measurement indicating performance over time 
  • Events: specific environment features when a type of activity occurs 
  • Logs: timestamped records that a technology automatically generates 
  • Traces: hierarchically related spans, timestamped data representing application activity  

Sources of Security Telemetry Data  

Security data can provide real-time visibility into activities across an organization’s IT environment. The security tools that the organization implements provide information that security teams use to monitor, detect, and investigate abnormal behavior indicating an incident. Additionally, digital assets generate health data that security teams can use to supplement their cybersecurity technology stack when they build detection rules in a SIEM.  

Security Data 

Most organizations integrate security-specific solutions that enable their data protection initiatives. These technologies generate data that security teams use to detect, investigate, and recover from incidents.  

Some examples of technologies that generate security data include: 

  • Identity and Access Management (IAM): manages user access to digital resources 
  • Endpoint Detection and Response (EDR): monitors end-users devices for threats like malware and ransomware 
  • Extended Detection and Response (XDR): integrates network analysis and visibility, email security, identity and access management (IAM), cloud security and other security functions 
  • Intrusion Detection System (IDS)/Intrusion Prevention System (IPS): identifies malicious network activity or policy violations 
  • Firewall/Next-gen firewalls: monitors and controls inbound and outbound network traffic based on company-defined security rules 
  • Vulnerability Scanner: scans the network to identify and detect device misconfigurations or security weaknesses  
  • Cloud Access Security Broker (CASB): enforces cloud security policies when users or devices access resources 
  • SaaS Security Posture Management (SSPM): tracks threats to and misconfigurations in Software-as-a-Service (SaaS) applications 
  • Cyber Threat Intelligence Feeds: provides information about known attacks, like Indicators of Compromise (IoCs) indicating an advanced persistent threat 
  • And the list goes on… 
Network Data 

Network monitoring technologies provide telemetry that supplements security data. While an operations team may use this data to maintain appropriate connectivity and service, security teams correlate it with their security tools to detect an attack. 

Network devices, like routers and switches, provide data that security teams can use like: 

  • Bandwidth: amount of data, in bytes, sent or received by a network 
  • Central Processing Unit (CPU) utilization: network device’s computational capacity 
  • Throughput: rate of traffic, in bytes per second, passing through a network device during a specific timeframe 
  • Interface errors: errors causing a receiving device to drop packets 
Application Data 

The data the operations team uses to monitor application health also provides insights into security.  

Some application telemetry that enhances security monitoring include: 

  • Database access: open database connections 
  • Database processing: number of queries, response times, and data passed between the database and application 
  • Errors: abnormal activity, requests, and database errors 
Server data 

Server data provides insights on resource allocation and visibility into connections between the public internet and the organization's resources.

Some server telemetry that enhances security monitoring includes: 

  • CPU utilization: ability to handle network requests to the application 
  • Server statistics: information about server health, including physical memory and input/output over time 
  • User activity and requests: people using the server and its associated application 
Device data 

Attackers exploit known vulnerabilities on devices to achieve their objectives. Beyond endpoint security tools, security teams should have a comprehensive asset inventory. 

Some device telemetry that enhances security monitoring includes: 

  • Configuration management database (CMDB)data: information about the operating system and software versions deployed on a device as well as configurations applied 
  • Mobile device management (MDM): data about the operating system and applications installed on a mobile device, like a smartphone, tablet, or laptop 

What are challenges when trying to use security data?  

As an organization matures its digital transformation strategy, it integrates more technologies into its environment. Meanwhile, as threat actors evolve their attack methodologies, organizations add new security technologies. Each new technology adds to the amount of data that security, operations, and GRC teams must monitor, leading to various challenges.  

Collection and Storage of Large Amounts of Data 

Each digital asset generates data, but some, like EDR tools, can generate terabytes of data daily. In an enterprise IT environment, this can mean: 

  • Thousands of users and devices 
  • Multiple geographic locations and time zones 
  • Hundreds of SaaS applications 
  • Over 100 security tools

Storing this collected data can quickly become expensive unless the organization can find a way to use a cost-effective data lake. For example, having access to historical data enables security teams to trace activity arising from an advanced persistent threat (APT).  Further, most corporations must comply with records retention regulatory requirements, typically between three and five years at a minimum.  

Disparate Data Formats 

Every technology generates data in a different format. Business and cybersecurity technologies both generate log data. However, each vendor decides how it wants to format the log files. For example, Microsoft event logs use a format different from nearly every other vendor. Without a single format, organizations struggle to correlate data, especially when they have complex, interconnected environments consisting of various applications, devices, and storage locations. 

Log formats can include: 

  • JavaScript Object Notation (JSON) 
  • Windows Event  
  • Common Event Format (CEF) 
  • NCSA Common Log Format (CLF) 
  • Extended Log Format (ELF)

Meanwhile, security vendors often use proprietary data formats that require organizations to undertake time-consuming data manipulation and preparation before correlating and analyzing it. Further, when vendors apply their proprietary risk analyses, they choose the important components or weight fields in ways that fail to respond to the customer’s unique data set and risk evaluations. 

Data Leakage 

In some cases, security data contain protected information.

Some examples of sensitive data contained in security telemetry include: 

  • Application logs containing a user identifier, like a name or email 
  • Proxy or web servers logging requests when the URL structure contains information like customer name or email address

Threat actors that compromise the telemetry storage location may gain unauthorized access to this protected information within the security data, causing a privacy violation or enabling them to use the data to access the IT infrastructure.  

Data Governance and Quality 

To gain the value of their analytics models, organizations need clean data. In a complex enterprise IT and cybersecurity technology stack, devices and tools can lead to duplicated or contradictory data.

Further, some data management models create data access and governance challenges. For example, a data mesh architecture takes a decentralized, data-owner-controlled approach that may create inconsistencies between corporate and resource access policies. 

Regulatory Compliance 

Sometimes, security telemetry contains personally identifiable information (PII). This creates another challenge as companies complying with data privacy laws often must meet data residency requirements and store data in a specific geographic region. These organizations need to use their data while also retaining authority over it.  

Benefits of Using Security Data and Analytics 

When combined with operational data, security telemetry enables organizations to build robust data analytics models that enable various stakeholders to make critical, on-time decisions about the business. 

Risk Management 

When organizations build a data strategy to enhance security telemetry with business intelligence and logic, they can manage risk more effectively to stay ahead of threats. For example, gaining a comprehensive view of risk could mean combining data from: 

  • Asset inventory to identify device owners 
  • Identity and access management to identify high-risk users 
  • EDR data for visibility into coverage 

Organizations can use this aggregated, correlated, and analyzed data to identify the high-risk users and devices that should be prioritized when deploying the EDR solution.

Threat Hunting 

With artificial intelligence (AI) and machine learning (ML) powered by the organization’s security data, threat hunters can reduce administrative costs arising from time-consuming, repetitive processes. When organizations optimize their security telemetry using a data fabric and analytics, threat hunters can combine disparate data like: 

  • Parent processes running on hosts 
  • Indicators of Compromise (IoCs), like rare command line strings 
  • MITRE ATT&CK Framework data 
Intrusion Detection and Prevention 

Organizations have access to vast quantities of data, but high storage costs and countless hours spent fine-tuning information often mean they cannot optimize its value. When corporations use a data lake to store their security data, they can reduce ingestion spend for log management and SIEM tools. Further, by leveraging analytics, they can create high-fidelity alerts, without wasting time on fine-tuning information, that uncover more anomalies and IoCs in datasets traditionally discarded due to lack of capacity or high storage cost. 

Vulnerability and Patch Management 

Installing security updates to operating systems and software is critical since threat actors often gain unauthorized access to systems and networks by exploiting known vulnerabilities. However, vulnerability and patch management teams often become overwhelmed due to the sheer number of security weaknesses that researchers publish.

These teams can more accurately prioritize their remediation activities by leveraging data analytics. Further, by correlating vulnerability data with organizational hierarchy data, they can more efficiently:  

  • Identify responsible parties 
  • Use trending metrics to identify points of failure 
  • Share remediation suggestions more efficiently
Incident Investigation and Forensic Analysis 

In complex IT environments, detection is only part of the security operations team’s responsibility. With aggregated and correlated data, they can leverage AI/ML to pinpoint sophisticated threats faster during an investigation by conducting multiple queries simultaneously without planning for outward scaling. 

Use case example: How security telemetry enables continuous controls monitoring  

Continuous controls monitoring (CCM) is an overlapping responsibility between security analysts and GRC teams. Security analysts must monitor to ensure the technical controls remain effective. Meanwhile, the GRC team must have documentation to provide assurance over the organization’s security program.

When security and GRC teams implement continuous controls monitoring powered by security data and analytics, they can collaborate more effectively to make data-driven recommendations about business strategy and future security tool optimizations and investments.

Additionally, by correlating security and organizational data, organizations can use business intelligence tools to provide executives and board members with reports that align cybersecurity risk and proficiency with business objectives. Through these capabilities, organizations strengthen cross-functional communications to build the continuous accountability that proves governance.