
Cybersecurity: telemetry explained

What is telemetry used for in cybersecurity? What does it bring to security analysts? How is it collected, and when can it be used? We explain.

Telemetry: definition 

Telemetry is the collection and transmission of data for monitoring and analysis. To this end, probes are placed on a system to capture, retrieve and interpret the various kinds of events that occur on it.

In cybersecurity, telemetry is what makes an effective investigation possible once a security event has been detected.

How telemetry is useful for cyber analysts 

When an alert fires, analysts need to establish what the attacker did on the system, and often to investigate further. The wider the monitored perimeter and the more data it yields, the easier it is to reconstruct the attacker’s path.

Telemetry gives analysts the best possible visibility into what is happening on an IT infrastructure and a better understanding of an incident’s context: an event that looks insignificant in isolation can turn out to be decisive when read as part of an attack.

But how does an EDR retrieve telemetry? 

Telemetry: the data available in an EDR

The advantage of an EDR is that it can not only detect and block threats, but also investigate and reconstruct the course of an attack.

To do this, the EDR relies on probes placed on endpoints. They intercept system events and hand them to the agent, which forwards them to its detection engines.
The detection engines then decide whether each action is legitimate or malicious, and can raise alerts in the EDR console.

Without telemetry, only the system events detected as malicious are accessible in the console.
With telemetry, system events judged legitimate are collected as well, which provides additional context for investigation or remediation. We’ll come back to this later.

In this way, an EDR not only tracks the events that trigger an alert, but also collects the other system events, stores them for a set period and keeps them retrievable.

During an attack, an analyst can, for example, identify every process, network connection or script launched by the attacker.
In a more sophisticated attack, the attacker may modify system or application files, alter registry keys or load malicious libraries, so several telemetry sources are needed to track their activity.

The more numerous and richer these sources are, the faster analysts can understand the context of an alert, block the attack if necessary, respond, and harden their defenses.

Telemetry data to go back in time 

As we have seen, an EDR uses probes to collect and store data about system events, which supports analysts’ investigations. Telemetry is what lets them understand what happened before an alert and around an incident.
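The reconstruction described in the two passages above (following an attacker’s processes, network connections, files and registry changes outward from an alert, and back in time to what preceded it) can be shown on stored telemetry. The following is an added example written for this article, not HarfangLab code: the event schema (field names such as pid, ppid, image, type) and the sample events are constructed for the illustration, and the function names are our own.

```python
"""Reconstruct an attacker's path from stored EDR telemetry.

Added example, not HarfangLab code.  The event schema and the sample
events are constructed.  Starting from the process that raised an alert,
the code walks the parent chain back to a benign root, collects the
alerted process's descendants, and returns every telemetry event
attributed to that lineage as one time-ordered timeline.
"""
from collections import Counter, defaultdict

# Constructed telemetry stream: a macro document spawns PowerShell, which
# resolves a name, downloads a payload, drops it and persists via a Run key.
# An unrelated notepad.exe is included to show that it is filtered out.
TELEMETRY = [
    {"ts": 100, "type": "process", "pid": 500, "ppid": 1, "image": "explorer.exe"},
    {"ts": 105, "type": "process", "pid": 610, "ppid": 500, "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docm"},
    {"ts": 110, "type": "process", "pid": 720, "ppid": 610, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <encoded command>"},
    {"ts": 111, "type": "dns", "pid": 720, "query": "cdn.example.invalid"},
    {"ts": 112, "type": "network", "pid": 720, "dst": "203.0.113.10:443"},
    {"ts": 113, "type": "file", "pid": 720, "path": r"C:\Users\Public\update.exe",
     "action": "create"},
    {"ts": 114, "type": "process", "pid": 830, "ppid": 720, "image": "update.exe"},
    {"ts": 115, "type": "registry", "pid": 830, "action": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": 116, "type": "process", "pid": 900, "ppid": 500, "image": "notepad.exe"},
]


def index_processes(events):
    """Map pid -> process creation event (assumes pids are not reused)."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid, procs):
    """Walk ppid links upward from pid.  The walk stops when a parent is
    unknown, which is exactly what happens for processes started before the
    agent was installed: no telemetry exists for them."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def descendants(pid, procs):
    """All pids spawned, transitively, by pid, including pid itself."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    found, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        if cur in found:
            continue  # guard against malformed ppid cycles
        found.add(cur)
        stack.extend(children[cur])
    return found


def investigate(events, alert_pid, benign_roots=("explorer.exe", "services.exe")):
    """Return the time-ordered events of the alerted process, its ancestors
    up to (but excluding) a benign root, and all of its descendants."""
    procs = index_processes(events)
    scope = set()
    for p in ancestry(alert_pid, procs):
        if p["image"].lower() in benign_roots:
            break  # the desktop shell or service manager explains nothing further
        scope.add(p["pid"])
    scope.update(descendants(alert_pid, procs))
    return sorted((e for e in events if e["pid"] in scope), key=lambda e: e["ts"])


def summarize(timeline):
    """Count events per telemetry source, e.g. {"process": 3, "dns": 1, ...}."""
    return dict(Counter(e["type"] for e in timeline))


if __name__ == "__main__":
    alert_pid = 720  # constructed alert: suspicious PowerShell launch
    for event in investigate(TELEMETRY, alert_pid):
        print(event)
    print(summarize(investigate(TELEMETRY, alert_pid)))
```

The WINWORD.EXE launch at ts 105 precedes the alert at ts 110 and is only visible because the process source was already being collected; with the agent installed after that moment, ancestry() would stop at the first unknown parent and the document that started the chain would be missing.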

Beware, however: while an EDR can be deployed during an attack to remediate it, it is better to install it well in advance to collect data over time.  

A solution can only collect what its probes observe while they are active; it cannot recover events that occurred before activation. That is why it is better to plan ahead and integrate an EDR into the security stack, rather than wait for an incident before equipping yourself. Only then can analysts take full advantage of pre-alert telemetry.

What’s more, although an EDR cannot collect telemetry from before its installation, HarfangLab includes a complete toolbox of forensic and investigation jobs that collect and analyze the traces an attacker leaves on the system, including traces of actions taken before the agent was installed.

EDR telemetry: a major asset for countering attackers 

To evade the vigilance of security experts and tools, attackers are constantly innovating. So the hunt for telemetry sources is never-ending!  

The more probes there are, and the more sources they cover, the harder it is for an attacker to act without leaving a trace.

EDR vendors are therefore constantly adding telemetry sources, and security teams have every interest in enabling them to strengthen their detection and response capabilities.

An advantage for speeding up investigations 

To carry out an investigation, analysts have to launch a job with the EDR (for example: collect and parse the MFT, Prefetch files, the USN change journal or the AmCache registry hive…). Without telemetry, they can only rely on the results of these forensic collections, which give a partial, point-in-time view of the workstation analyzed.

Conversely, with telemetry enabled, every attacker action covered by a telemetry source is recorded as it happens and can be retrieved immediately. That saves time, which counts for a lot during a cyber crisis.

Real-time visibility of your IT assets 

With investigation or forensic tools, analysts can have a snapshot of their IT infrastructure at a given moment, but this doesn’t allow them to follow the movements and successive actions of the attacker.   

The advantage of an EDR is that it collects data in real time, so that analysts can follow the attack as it unfolds and intervene effectively, in the right place, at the right time.

Now that the importance of the telemetry available in an EDR is clear, let’s take a closer look at some of HarfangLab EDR’s features for making the most of this data.

How HarfangLab EDR makes analysts’ work (even) easier with telemetry

Different telemetry activation modes 

As mentioned earlier, an EDR can retrieve telemetry data from a wide range of sources and store it until it is needed.

However, some sources are more complicated to manage than others, due to the sheer volume of data they generate.   

For example, file modifications can occur by the dozens or even hundreds per second. These modifications may be interesting, but the volume of data is colossal, and analysts generally only need to explore them when an alert calls for it.

To meet this need and avoid being drowned in data from overly verbose sources, HarfangLab EDR offers various options for telemetry:   

  • Off – no telemetry is collected;   
  • Live – telemetry is collected continuously and stored for a period chosen by the customer;  
  • On alert – telemetry is only collected in the event of an alert. 
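To make the trade-off between these three modes concrete, here is an added simulation in Python. It is not HarfangLab’s implementation: the TelemetryStore class, the per-source policy, the retention window and the event stream are assumptions built for the illustration, following only the mode descriptions given above.

```python
"""Telemetry activation modes and a retention window, as a simulation.

Added example, not HarfangLab's implementation.  A store applies one of
three modes per source (off, live, on_alert) and a retention period, so
that the trade-off between a verbose source and investigation depth can
be seen on a constructed event stream.  Class, schema and stream are
assumptions made for this illustration.
"""
from collections import deque

OFF, LIVE, ON_ALERT = "off", "live", "on_alert"


class TelemetryStore:
    def __init__(self, modes, retention):
        self.modes = modes            # source name -> mode (unknown sources: OFF)
        self.retention = retention    # seconds of history to keep
        self.buffer = deque()         # events in arrival (timestamp) order
        self.alert_active = False

    def ingest(self, event):
        mode = self.modes.get(event["source"], OFF)
        if mode == LIVE or (mode == ON_ALERT and self.alert_active):
            self.buffer.append(event)
        self._prune(event["ts"])

    def alert(self):
        """From now on, on_alert sources are collected too.  Their events
        before this point were never captured and cannot be recovered."""
        self.alert_active = True

    def _prune(self, now):
        """Drop events that have aged out of the retention window."""
        while self.buffer and self.buffer[0]["ts"] <= now - self.retention:
            self.buffer.popleft()

    def count(self, source):
        return sum(1 for e in self.buffer if e["source"] == source)


def simulate(modes, retention=100, alert_at=150, duration=200):
    """Feed a constructed stream of `duration` seconds: one file event per
    second (a verbose source), one process event every 10 seconds and one
    DNS event every 25 seconds; an alert fires at `alert_at`.  Returns the
    per-source counts an analyst could still query at the end."""
    store = TelemetryStore(modes, retention)
    for ts in range(duration):
        if ts == alert_at:
            store.alert()
        store.ingest({"ts": ts, "source": "file", "path": f"C:\\Temp\\f{ts}.tmp"})
        if ts % 10 == 0:
            store.ingest({"ts": ts, "source": "process", "image": "svchost.exe"})
        if ts % 25 == 0:
            store.ingest({"ts": ts, "source": "dns", "query": "example.invalid"})
    return {src: store.count(src) for src in ("file", "process", "dns")}


# Two constructed policies: verbose file telemetry only on alert, or everything live.
VERBOSE_ON_ALERT = {"process": LIVE, "file": ON_ALERT, "dns": LIVE}
EVERYTHING_LIVE = {"process": LIVE, "file": LIVE, "dns": LIVE}

if __name__ == "__main__":
    print("file on alert :", simulate(VERBOSE_ON_ALERT))
    print("everything live:", simulate(EVERYTHING_LIVE))
```

With the file source in On alert mode, only the 50 file events from the alert onward are available; in Live mode the same query returns the full retention window of 100 events, at the cost of storing a high-volume source continuously. The retention period, not the mode, is what bounds how far back Live data reaches.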

Pro tip 

“When it comes to telemetry, don’t hesitate to activate everything! Make the most of the information available to exploit it when you need it: authentications, DNS requests, PowerShell scripts, URLs, downloaded files…  
Don’t forget to keep an eye on your EDR to regularly activate the new telemetry options available!”  
Benoit Maïzi, Cybersecurity Engineer – HarfangLab  

Short detection cycles and accessible data 

HarfangLab EDR collects telemetry from some twenty sources that evolve regularly, such as processes, network connections, DNS, files, authentications and event logs…

HarfangLab’s Cyber Threat Intelligence team monitors attacker trends continuously, works in very short detection cycles, and integrates new sources regularly and quickly.

What’s more, all the data collected is stored and made available to EDR users for easy exploitation.  

So even data that is never examined in response to an alert can be explored for threat hunting.

This information can be used to search for attackers already present on an IT infrastructure, which matters for organizations that may be the target of sophisticated attacks in which the intruder breaks into an information system and tries to stay under the radar (advanced persistent threats, or APTs).

In short, to protect workstations and servers and monitor their activity, an EDR offers the best possible visibility and the richest information for remediating an attack as quickly as possible and protecting against future incidents.

Other probes can also provide data on network activity, routers, firewalls… It is then up to the CISO’s expertise to equip the organization with the solutions best suited to securing all of its information system assets.

 
