About SIEM Hot (Active, Online, Searchable) Logs and Retentions

Ertugrul Akbas
2 min read · Apr 8, 2024

✳️ “11 Strategies of a World-Class Cybersecurity Operations Center” by MITRE suggests a minimum online log retention of six (6) months to 2+ years within the SOC, recognizing the distinct needs of SOC triage analysts, SOC forensics/investigations analysts, and external audit and investigation support.
https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
✳️ The “Memorandum for the Heads of Executive Departments and Agencies,” published by the Executive Office of the President, Office of Management and Budget, mandates 12 months of active storage (hot logs) and 18 months of cold data storage.
https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
✳️ The “Memorandum for the Heads of Executive Departments and Agencies,” published by the Executive Office of the President, Office of Management and Budget, titled “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” mandates timely access to logs and refers back to M-21-31.
https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

✳️ https://www.gartner.com/en/articles/searching-for-a-siem-solution-here-are-7-things-it-likely-needs
✳️ A10:2017 Insufficient Logging & Monitoring, OWASP Top 10, 2017: “Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 day…”
✳️ https://www.vita.virginia.gov/media/vitavirginiagov/it-governance/ea/docs/Event-Log-Management.docx
✳️ “Event Logging Guidance From the Treasury Board of Canada Secretariat” establishes log retention times of 90 days to 2 years.
https://www.canada.ca/en/government/system/digital-government/online-security-privacy/event-logging-guidance.html
✳️ “Provides online access to current and archived log data, and additional artifacts such as reports and visualization snapshots” (SANS, An Evaluator’s Guide to NextGen SIEM)
https://www.sans.org/media/vendor/evaluator-039-s-guide-nextgen-siem-38720.pdf
✳️ https://chroniclesec.medium.com/retaining-logs-for-a-year-boring-or-useful-9b04c1e55fba
✳️ http://vadodarasmartcity.in/vscdl/assets/tenders/17.09.2020/2021_499-1.pdf
✳️ https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/ Kim Zetter, “The Untold Story of the Boldest Supply
