Strategizing Storage Solutions for Your SIEM Project: Planning for Future Needs
Gartner advises, “Plan ahead for storage needs.” Use the event source groupings described above to understand the potential amount of storage required and to establish a plan to retain logs for as long as is cost-feasible (one year would be ideal). Some Gartner clients report that 90 days is commonly retained in their SIEM tools, but specific log sources may require longer retention periods due to compliance and regulatory mandates (such as PCI DSS, which requires one year). A benefit of log management tools is their compression and archiving features. Logs can be stored more efficiently in a dedicated tool compared with the way they’re stored on the hosts or devices where they’re generated. If possible, aim for a year of retention, at least for critical log sources.
In today’s rapidly digitizing world, SIEM solutions play a central role in organizations’ defense against cyber threats. These systems keep organizations safe by recording events on networks and analyzing log data containing valuable information. Cybersecurity experts and other authorities agree that log data should be kept live for at least a year. This recommendation reflects a fundamental truth of cybersecurity: Understanding past events means being prepared for future threats. Additionally, the ability to quickly use log data for any attack analysis strengthens the process of detecting security vulnerabilities and responding quickly.
However, implementing this recommendation can raise concerns about disk space: growing storage consumption is a daunting prospect for many organizations. This is where the choice of SIEM product matters. SIEM products built to address high disk usage remove the difficulty and the cost of keeping logs live for a long time, giving organizations the flexibility to retain online logs for extended periods. The storage period can then be adjusted to the organization’s needs, striking a balance between efficiency and security.
Keeping log data live for a long time is no longer only the advice of cybersecurity experts; it is also an official requirement. For example, the Office of the President in the United States, MITRE, and the Treasury Board of Canada Secretariat mandate specific retention periods for log data. Companies are often not asked about live log data in specific audits, or the questions are superficial. However, instant access to live logs when an incident response is needed is critical for quick and effective intervention. According to IBM reports, attack detection times range from 250 to 300 days; rapid incident response across that window can accelerate the organization’s response and minimize damage. The lack of live logs can lead to significant costs: according to IBM’s 2022 report, the average total cost of a data breach is $4.35 million.
According to a report by Accenture, businesses prepared for cyber attacks have seen a 48% reduction in damage costs compared to others. This shows that organizations that quickly identify and intervene in security vulnerabilities can minimize the effects of an attack.
A sample of well-known regulations and guidance:
· “11 Strategies of a World-Class Cybersecurity Operations Center” by MITRE suggests a minimum online log retention of six (6) months to 2+ years within the SOC, recognizing the distinct needs of SOC triage analysts, SOC forensics/investigations analysts, and external audit and investigation support.
· The “Memorandum for the Heads of Executive Departments and Agencies,” published by the Executive Office of the President, Office of Management and Budget, mandates 12 months of active storage (hot logs) and 18 months of cold data storage.
· “Event Logging Guidance From the Treasury Board of Canada Secretariat” establishes log retention times of 90 days to 2 years.
· SANS, “An Evaluator’s Guide to NextGen SIEM”: “Provides online access to current and archived log data, and additional artifacts such as reports and visualization snapshots.”
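The storage planning advice above (estimate volume per event-source grouping, retain as long as is cost-feasible) and the hot/cold split in the OMB memorandum can be turned into a small capacity model. The following is an added example, not code from the article or from any of the cited organizations. Every volume figure in it (events per second, average event size, compression ratios, the three source groups) is a constructed assumption for illustration; the 12-month hot / 18-month cold figures are the ones the article attributes to M-21-31, and the PCI DSS entry assumes the standard's wording of one year retained with three months immediately available.

```python
"""Capacity model for SIEM log retention, split into hot (online) and cold (archive) tiers.

Constructed example: all EPS, event-size and compression figures are assumptions.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000  # decimal GB, the unit storage vendors quote


@dataclass(frozen=True)
class SourceGroup:
    """One event-source grouping with its own volume and retention profile."""
    name: str
    eps: float             # average events per second (assumed)
    avg_event_bytes: int   # average raw event size in bytes (assumed)
    hot_days: int          # days kept online and searchable
    cold_days: int         # further days kept in compressed archive
    hot_ratio: float       # raw:stored compression ratio in the index (2.0 = 2:1)
    cold_ratio: float      # raw:stored compression ratio in the archive


@dataclass(frozen=True)
class Requirement:
    """Minimum retention a mandate imposes: days online and days total (hot + cold)."""
    name: str
    min_hot_days: int
    min_total_days: int


# Requirements as the article summarises them (M-21-31: 12 months hot + 18 months cold,
# 18 months taken as 548 days) plus PCI DSS (one year, three months immediately available).
REQ_PCI = Requirement("PCI DSS", min_hot_days=90, min_total_days=365)
REQ_M2131 = Requirement("OMB M-21-31", min_hot_days=365, min_total_days=365 + 548)
REQUIREMENTS = [REQ_PCI, REQ_M2131]

# Constructed sample groups; none of these numbers come from the article.
SAMPLE_GROUPS = [
    SourceGroup("firewall", eps=2000, avg_event_bytes=300, hot_days=90, cold_days=275,
                hot_ratio=2.0, cold_ratio=8.0),
    SourceGroup("domain_controllers", eps=500, avg_event_bytes=800, hot_days=365, cold_days=548,
                hot_ratio=2.0, cold_ratio=8.0),
    SourceGroup("web_proxy", eps=1500, avg_event_bytes=600, hot_days=30, cold_days=60,
                hot_ratio=2.0, cold_ratio=8.0),
]


def raw_bytes_per_day(g: SourceGroup) -> float:
    """Uncompressed bytes the group generates per day."""
    return g.eps * g.avg_event_bytes * SECONDS_PER_DAY


def tier_bytes(g: SourceGroup) -> tuple[float, float]:
    """Stored bytes needed for the hot tier and the cold tier of one group."""
    per_day = raw_bytes_per_day(g)
    hot = per_day * g.hot_days / g.hot_ratio
    cold = per_day * g.cold_days / g.cold_ratio
    return hot, cold


def plan_storage(groups: list[SourceGroup]) -> dict[str, float]:
    """Total hot and cold capacity in decimal GB across all groups."""
    hot = cold = 0.0
    for g in groups:
        h, c = tier_bytes(g)
        hot += h
        cold += c
    return {"hot_gb": hot / BYTES_PER_GB, "cold_gb": cold / BYTES_PER_GB}


def retention_gaps(g: SourceGroup, reqs: list[Requirement]) -> list[str]:
    """Names of the requirements this group's hot/total retention fails to satisfy."""
    total = g.hot_days + g.cold_days
    return [r.name for r in reqs
            if g.hot_days < r.min_hot_days or total < r.min_total_days]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        hot, cold = tier_bytes(g)
        gaps = retention_gaps(g, REQUIREMENTS) or ["none"]
        print(f"{g.name:<20} hot {hot / BYTES_PER_GB:9.1f} GB  cold {cold / BYTES_PER_GB:9.1f} GB"
              f"  gaps: {', '.join(gaps)}")
    totals = plan_storage(SAMPLE_GROUPS)
    print(f"total hot {totals['hot_gb']:.1f} GB, cold {totals['cold_gb']:.1f} GB")
```

Run as-is it prints per-group tier sizes and which mandates each group's retention window misses; in the sample the firewall and proxy groups fall short of the M-21-31 window and the proxy group also misses the PCI DSS year. The model deliberately keeps hot and cold compression ratios separate, since the article's point is that a dedicated log management tier stores the same data far more compactly than the originating hosts do, and that difference is what makes a year of retention affordable for the sources that need it.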
References:
- https://www.gartner.com/en/documents/3982367
- https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
- https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
- https://www.accenture.com/_acnmedia/PDF-165/Accenture-State-Of-Cybersecurity-2021.pdf