In every domain, you reach a point where in order to manage a system, you need the appropriate amount of telemetry. Without telemetry, actions and calibrations happen too slowly and the system becomes too sluggish to adapt to the dynamic environment in which it hopes to thrive. This is what is happening in all of IT infrastructure these days, especially when it comes to security processes. Enterprises are having to re-architect their security infrastructure to retrofit it with more precise and timely telemetry. I’d like to explore this transformation and how the IT security industry is not alone in this need to evolve.
Auto racing has seen this transformation. In the early years there was no telemetry coming from the car itself but today’s Formula One cars produce terabytes of data per race. In fact, more terabytes of telemetry were collected at last year’s Grand Prix than all of the data in the Library of Congress. Early on in the evolution of Formula One, it was all about getting horsepower from the drive train to the pavement. Today all of the major parts of a Formula One car send data continuously back to an analytics platform that drive decision making before, during and after the race.
Telemetry-based IT systems are no longer optional for any large, dynamic hyperscale system. Modern systems like those of Netflix or Twitter are instrumented with telemetry so that their scale dynamically expands and contracts to meet the demands of their users. You cannot design a dynamic, modern service without each part of the microarchitecture sending data about its current state.
If you are following me so far, you can see that these domains had to become more dynamic, more elastic and more automated. Telemetry became mandatory, and with the right analytics, new levels of performance were achieved. But the value of telemetry doesn’t stop at performance monitoring and optimization. It can also be used to identify anomalous behavior that could be indicative of a serious problem.
I cannot think of a more dynamic, more hostile and more performance-oriented domain than that of cybersecurity, and yet people still treat telemetry as optional. Does your infrastructure look more like a Formula One car from the 1970s or one of current day? This is the heart of the problem because security must be dealt with at the business and infrastructure level, not as disparate systems working only in a few regions of the enterprise.
Your attackers are winning because you have yet to deal with security at the architecture level. If there’s an area on your network that you are not collecting and analyzing telemetry, you are offering to your attacker a place to operate and persist. If you want to get rid of an advanced persistent threat, don’t make it feasible for them to persist. Your network will be penetrated; you just want to leave your attacker with nowhere to hide.
[su_box title=”TK Keanini, CTO, Lancope” style=”noise” box_color=”#0e0d0d”]
Lancope, Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day Malware and insider threats. Through pervasive insight across distributed networks, including mobile, identity and application awareness, Lancope accelerates incident response, improves forensic investigations and reduces enterprise risk. Lancope’s security capabilities are continuously enhanced with threat intelligence from the StealthWatch Labs research team.[/su_box]