Answer yes if your organisation records and stores administrator activity logs for its IT production systems, network devices and endpoint devices.
What is the control?
While collecting logs is important (as discussed in the previous article), they are of little use if they are not retained for a useful period. In short: your logs must go back far enough to let you investigate or reconstruct any potential event.
There are also good reasons not to keep every log forever: storage grows without bound (with cost implications), and legal and regulatory requirements may set both minimum and maximum retention periods for certain types of data. Since simply keeping everything indefinitely isn't realistic for most organisations, the aim is a reasonable, documented middle ground.
Why should I have it?
It’s important to consider the usefulness of various kinds of log data and to specify an appropriate retention period for each.
For example, if an incident that occurred 4 months ago is reported today, but you only keep 3 months' worth of user logs for the affected system, your logging process has failed you in this case: the data you need is simply gone.
Published figures for the mean time to detect a major security breach are often between 6 and 9 months. We therefore recommend that security and event logs be retained for 9 months or longer, to increase the likelihood that you hold logs covering the full duration of a breach. This lets you investigate the incident from its beginning and increases the likelihood of identifying the full extent of compromised systems and data.
Without logs for the full time span of a breach, you cannot maintain assurance in any system or data in your environment, because you simply won't know whether it was affected.
Ensure that you have a policy that states how long each kind of log must be kept. Base this on an assessment of what a practical retention period is for you (or simply adopt the established good practice for your industry sector and company size). You may wish to tailor the duration to the types of systems and data involved, depending on which scenarios apply to you. Once you have a policy, ensure every team applies it in their respective areas, and periodically check the configured retention of each log source against it rather than assuming it is in place.
Ideally, you also want logs sent immediately to a central system such as a SIEM for safekeeping, rather than left on each individual system where they are easier to tamper with, and so that pulling them up and correlating them is easier. Note that the local log store on an endpoint, server or network device is typically small and overwrites itself after days or even hours, so your retention period is only meaningful where the logs are actually held; measure it on the central store, not on the originating device.
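The following is an added example (not code from the original article) of the kind of check the two paragraphs above call for: an audit that compares an inventory of log sources against a written per-log-type retention policy, flags sources that are held locally only, and tests whether the sources still cover the start date of a reported incident. The policy values, system names and inventory are constructed for illustration; the 270-day minimum is the 9-month recommendation above expressed in days.

```python
"""Audit configured log retention and SIEM forwarding against a retention policy.

Added example; the policy, inventory and system names below are constructed,
not taken from any real environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical minimum retention per log type, in days. Security and
# administrator-activity logs get the 9-month (~270 day) recommendation.
POLICY_MIN_DAYS = {
    "security": 270,
    "admin_activity": 270,
    "application": 90,
}


@dataclass(frozen=True)
class LogSource:
    system: str
    log_type: str
    retention_days: int      # retention configured on the store that holds the logs
    forwarded_to_siem: bool  # True if the logs are shipped to the central system


# Constructed sample inventory (not real systems).
INVENTORY = [
    LogSource("fw-edge-01", "security", 365, True),
    LogSource("dc-01", "admin_activity", 90, True),
    LogSource("erp-app-02", "application", 30, False),
    LogSource("vpn-gw", "security", 180, False),
]


def audit(inventory, policy=POLICY_MIN_DAYS):
    """Return (system, finding) pairs for every policy gap in the inventory.

    A source produces a finding if its log type has no policy entry, if its
    configured retention is shorter than the policy minimum, or if it is not
    forwarded to the SIEM (so its logs live only on the device itself).
    """
    findings = []
    for src in inventory:
        required = policy.get(src.log_type)
        if required is None:
            findings.append((src.system, f"no policy defined for log type '{src.log_type}'"))
            continue
        if src.retention_days < required:
            findings.append((src.system,
                             f"retention {src.retention_days}d is below policy "
                             f"minimum {required}d for {src.log_type} logs"))
        if not src.forwarded_to_siem:
            findings.append((src.system, "logs held locally only; not forwarded to SIEM"))
    return findings


def covers_incident(src, incident_start, today):
    """True if the source still holds logs from the day the incident began."""
    oldest_retained = today - timedelta(days=src.retention_days)
    return oldest_retained <= incident_start


def uncovered_sources(inventory, incident_start, today):
    """Systems whose retention no longer reaches back to the incident start."""
    return [s.system for s in inventory if not covers_incident(s, incident_start, today)]


if __name__ == "__main__":
    for system, finding in audit(INVENTORY):
        print(f"{system}: {finding}")
    # An incident reported 120 days after it began: which sources can still be investigated?
    today = date(2024, 6, 1)
    incident_start = today - timedelta(days=120)
    print("sources without coverage:", uncovered_sources(INVENTORY, incident_start, today))
```

The two checks are deliberately separate: `audit` is the recurring compliance check that each team should be able to run against its own inventory, while `uncovered_sources` is the question you ask on the day an incident is reported. A source can pass policy and still fail the second check if the incident predates even a compliant retention window, which is the argument for erring on the long side.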
There are numerous consultancies and individual consultants who can help you design a logging and retention architecture that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.