Telemetry: the vital ingredient in MDR
Telemetry sounds like something out of a sci-fi movie. It does rely on science, but it is certainly not fiction. The word comes from the Greek for remote and measure. In IT terms, it refers to data that is collected from multiple points to give a complete view of network activity. By gaining a comprehensive view, organisations will be better able to effectively manage threats and make more informed decisions regarding what actions to take.
In order to gain that enhanced visibility, data must be collected from an ever-growing array of sources that include endpoints, networks, security controls and cloud services. The data collected includes NetFlow, packet capture, endpoint forensics, and log and event data, which together show where data is flowing, from which devices and to which IP addresses. The volume can reach hundreds of terabytes of telemetry per month. A key challenge is to narrow all that data into a tractable stream, finding the signals in the noise that can be used for targeted analytics.
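As an added illustration of the "narrow the stream" step described above (this is example code written for this page, not Bloor's or any MDR vendor's pipeline), the script below takes three constructed feeds, NetFlow-style flow tuples, syslog-style SSH authentication lines and endpoint process-start events, normalises them into one record shape, and then reduces them to a handful of aggregates and candidate signals an analyst would actually look at. The feed formats, field names and the thresholds (two failed logins, a document application spawning a process) are assumptions chosen for the demonstration, not a standard schema.

```python
"""Normalise mixed telemetry feeds into one schema, then reduce them to a tractable stream."""
from collections import Counter, defaultdict
import re

# Constructed NetFlow-style records (src, dst, dst_port, bytes); not real traffic.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, 1200),
    ("10.0.0.5", "10.0.0.20", 443, 900),
    ("10.0.0.5", "10.0.0.20", 443, 1500),
    ("10.0.0.7", "10.0.0.20", 443, 700),
    ("10.0.0.7", "198.51.100.9", 8443, 65000),  # only one internal host talks to this peer
]

# Constructed syslog-style authentication lines; not taken from any real system.
LOG_LINES = [
    "Jan 10 09:00:01 ws01 sshd[311]: Failed password for admin from 10.0.0.7 port 52011 ssh2",
    "Jan 10 09:00:03 ws01 sshd[311]: Failed password for admin from 10.0.0.7 port 52012 ssh2",
    "Jan 10 09:00:05 ws01 sshd[311]: Accepted password for admin from 10.0.0.7 port 52013 ssh2",
    "Jan 10 09:00:09 ws02 sshd[412]: Accepted publickey for deploy from 10.0.0.5 port 40001 ssh2",
]

# Constructed endpoint-forensics events (host, process, parent process).
ENDPOINT_EVENTS = [
    ("ws01", "powershell.exe", "winword.exe"),
    ("ws02", "chrome.exe", "explorer.exe"),
]

# Assumed parser for the constructed sshd line format above.
AUTH_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"\w+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)
# Assumed list of document applications whose child processes deserve a look.
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def normalise(flows, log_lines, endpoint_events):
    """Map every feed to one record shape: {source, actor, target, action, value}."""
    records = []
    for src, dst, port, nbytes in flows:
        records.append({"source": "netflow", "actor": src, "target": f"{dst}:{port}",
                        "action": "flow", "value": nbytes})
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparsed lines are dropped here; a real pipeline would count them
        records.append({"source": "syslog", "actor": m["src"], "target": m["host"],
                        "action": "auth_" + m["result"].lower(), "value": m["user"]})
    for host, proc, parent in endpoint_events:
        records.append({"source": "edr", "actor": host, "target": proc,
                        "action": "process_start", "value": parent})
    return records


def reduce_stream(records):
    """Collapse raw records into aggregates plus a short list of candidate signals."""
    flow_bytes = Counter()
    peers_per_target = defaultdict(set)
    failed_logins = Counter()
    doc_spawned = []
    for r in records:
        if r["action"] == "flow":
            flow_bytes[(r["actor"], r["target"])] += r["value"]
            peers_per_target[r["target"]].add(r["actor"])
        elif r["action"] == "auth_failed":
            failed_logins[(r["actor"], r["target"])] += 1
        elif r["action"] == "process_start" and r["value"] in DOC_APPS:
            doc_spawned.append((r["actor"], r["value"], r["target"]))
    # Signal 1: a destination contacted by exactly one internal host (unusual fan-in).
    singleton_targets = sorted(t for t, actors in peers_per_target.items() if len(actors) == 1)
    # Signal 2: repeated authentication failures from one source against one host.
    brute_force_candidates = sorted(k for k, n in failed_logins.items() if n >= 2)
    return {
        "raw_records": len(records),
        "flow_aggregates": dict(flow_bytes),
        "singleton_targets": singleton_targets,
        "brute_force_candidates": brute_force_candidates,
        "doc_spawned_processes": doc_spawned,
    }


if __name__ == "__main__":
    summary = reduce_stream(normalise(FLOWS, LOG_LINES, ENDPOINT_EVENTS))
    for key, value in summary.items():
        print(key, value)
```

Eleven raw records become three flow aggregates and three candidate signals; the point is that the normalisation step is what lets a single reduction pass look across NetFlow, logs and endpoint data at once, rather than each feed being triaged in isolation.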
All MDR providers ingest and make sense of these huge data lakes of information on behalf of their customers. At their heart, all MDR providers have endpoint detection and response (EDR) technology that collects data from multiple points for analysis and response to threats uncovered. Those labelled EDR-based MDR have their own EDR technology at the root of their capabilities, whilst those labelled as MDR pure plays use EDR technology from other vendors. Of the pure plays included in Bloor’s first MDR market guide, three use Carbon Black as the basis, although some are extending to others as well. However, pure play MDR vendors take telemetry one step further as they have built platforms that are designed to ingest telemetry from an extremely wide range of sources.
MDR service providers use telemetry to become the eyes and ears that organisations need in order to understand how the threats and vulnerabilities uncovered through analysis of that information impact them, and what the best response is. The key to stopping the advanced threats organisations face is full visibility over the network and the events that traverse it. Telemetry is vital for that.
This is the fourth part in a series of MDR blogs by Fran Howarth.