Log retention refers to the regular archiving of event logs, particularly those significant to cyber security. Handling logs from security systems including SIEM is a complex topic. Event logs provide several services to adhere to compliance measures and address forensic cases. While retaining logs for extended periods is more secure and provides more historical information, it can become quite costly.
With the public cloud, storing cyber security logs and files span many different options, services, and price points. All these factors will have varying degrees of impact on your company’s bottom line. Storing all security logs can be extremely costly given the ongoing aggregation of network security and other synchronous data. When determining how much security data should be captured and stored, it is also important to have an expert who is informed of the relevant laws, regulations, and agreements which pertain to your industry’s policy and audits.
The Importance of Log Retention
Retaining cyber security logs is a critical aspect of any cyber security strategy. Some of the important questions you should be considering include: what type of information is stored; for how long; online vs offline; and whether the data is confidential. A good starting point would be to store compressed copies of your audit logs, firewall logs (network or host), and intrusion detection system (IDS) logs.
Cyber security log files are also critical to investigating and prosecuting incidents because they contain sensitive information. Companies should, therefore, control and monitor access to log files whether in the cloud or in a centralized repository. They should also ensure that they are securing the integrity of log files by encrypting files that contain sensitive data or that are transmitted over the network and set logging parameters to disallow any modification to previously written data.
Best Practices for Log Retention Compliance
It is a good idea to develop a cyber security log policy for your company with regard to log storage requirements. While many organizations find that a minimum of one year meets most regulatory requirements, log retention for some laws can reach up to seven years. There are several standards for guidance in building a log management strategy. Standards include VISA CISP, SOX, GLBA, FFIEC, Basel II, HIPAA. NISPROM, and NERC.
- The Basel II Accord – Affects international banks. Became effective in 2006 to promote greater stability in financial systems. The retention for these logs should be retained 3-7 years.
- Federal Financial Institutions Examination Council (FFIEC) – Affects financial institutions governed by the Federal Reserve, and FDIC.
- Gramm-Leach-Bliley Act (GLBA) – GLBA focuses on the protection of customer data by financial institutions.
- The Health Insurance Portability and Accountability Act (HIPAA) – Affects healthcare industry and stresses the existence of a reliable audit trail to protect the personal data of medical patients. Logs should be retained for up to 6 years.
- North American Electric Reliability Council (NERC) – Affects electric power providers. Specifies log retention for 6 months and audit record retention for 3 years.
- National Industrial Security Program Operating Manual (NISPOM) – NISPO is of interest to government agencies and private contractors with staff who have access to sensitive and classified data. The standard states that security auditing involves recognizing, recording, storing, and analyzing information related to security-relevant activities. Specifies log retention of at least one year.
- The Sarbanes-Oxley Act (SOX) – Sarbanes-Oxley applies to US publicly-traded corporations in excess of $75 million, or by extension, private firms to be acquired by public companies. The procedures laid out in Sarbanes-Oxley can also be used in addressing the requirements of Basel II, GLBA, HIPAA, and PCI. Sorbanes-Oxley specifies log retention for up to seven years.
- VISA Cardholder Information Security Program (CISP) – Specifies retaining audit logs for at least six months.
Defining your policy should address these industry-focused standards and your company’s own cyber security concerns.
Ways to Manage Cyber Security Logs
SIEMs filter out noise in logs to keep data that is pertinent to your company’s compliance and security needs. It then indexes and optimizes that relevant data for further analysis when needed. Lastly, it allows your company to conduct correlation and analysis to fully leverage stored logs.
To ensure that the most important data is captured for analysis, and to minimize storage costs, there are a few practices that companies take to reduce the number of files. SIEMs use the following strategies to reduce volumes during log retention:
- System Logging Protocol Servers – System logging protocol (syslog) is a standard that normalizes logs, retaining only essential information. System logging protocols also let you compress logs and retain high volumes of historical data. In fact, event log data in flat files compress down to 5% of the original size.
- Deletion Schedules – SIEMs can be set up to automatically clear logs that are no longer needed for compliance by accessing log files directly from storage.
- Log Filtering – Logs can be filtered by source system, times, or by other rules defined by the SIEM administrator.
- Summarization – Log data can be summarized to maintain only important data elements such as the count of events or unique IPs.
A higher level of retention may make sense for organizations with less mature or less established security operations capabilities.
Log Retention Solutions with NIC IT
Managing your logs to optimize storage is cost-efficient and allows your team to simplify security forensics and analysis. As a cyber security partner, NIC IT can work with your team to implement a log retention strategy that meets your compliance needs while simplifying monitoring and management for your team.