As enterprises pursue digital transformation, they migrate from on-premises security information and event management (SIEM) to cloud-based SIEM. To meet the security challenges in this process, CISOs are revamping their security incident and event log retention policies.
To meet regulatory compliance requirements, organizations need to retain logs for anywhere from one year to seven years, depending on the advice of their legal counsel.
With public cloud, there are endless ways to store and access security events and logs: backups, ‘hot’ access, ‘cold’ access, and blob storage. With the price of cloud storage dropping each year, it’s cheap and easy to store everything forever. However, hot data, which is more expensive than the cold option, gives defenders quick access during real-time threat hunting. Since keeping data hot for SIEM use is the more costly storage option, experts suggest striking a balance between instant SIEM access for active threat hunting and query resolution on the one hand, and regulatory-driven long-term storage of event and log data on the other.
The mean time to discover a breach ranges from 190 to 220 days, and a breach containment window is generally between 60 and 100 days. Hence, keeping 220 days of security event logs ‘hot’ in a cloud SIEM can help identify 50% of an organization’s breaches.
For organizations that are new to cloud SIEM, experts advise beginning with a rolling window of only a year’s worth of event logs while measuring both time to mitigate and the frequency of breaches. Depending on the security operations (SO) team’s capacity for mitigating the events raised by the cloud SIEM, it can be financially beneficial to shorten the rolling window if the unit is overwhelmed with unresolvable events. CISOs with under-resourced teams are advised to find and engage a managed security services provider to fill the skills gap.
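The hot-versus-cold trade-off above can be sized from an organization’s own incident history. The following is an added example, not code from the article: given a list of past breach dwell times (days from breach start to discovery), it computes how many breaches a hot window of a given length would fully cover, the smallest window that reaches a coverage target, and the steady-state monthly bill of a hot/cold/archive pipeline versus keeping everything hot for the compliance period. The dwell times, daily log volume and per-GB prices are constructed sample values, not vendor quotes.

```python
"""Retention-tier sizing for a cloud SIEM (added example, not from the article).

All dwell times, volumes and per-GB prices are constructed sample values,
not vendor quotes; substitute your own incident history and price list.
"""
from bisect import bisect_right
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class TierPrices:
    """Monthly price per GB for each tier (constructed figures)."""
    hot: float      # searchable in the SIEM
    cold: float     # retained, must be rehydrated before a query
    archive: float  # compliance-only, slowest and cheapest


def hot_coverage(hot_days: int, dwell_days: list[int]) -> float:
    """Fraction of past breaches whose whole dwell time would still be hot.

    A breach discovered after d days can only be traced back to its start
    if the hot window is at least d days long.
    """
    return bisect_right(sorted(dwell_days), hot_days) / len(dwell_days)


def hot_window_for(target: float, dwell_days: list[int]) -> int:
    """Smallest hot window (days) giving at least `target` coverage."""
    ordered = sorted(dwell_days)
    return ordered[max(0, ceil(target * len(ordered)) - 1)]


def monthly_cost(daily_gb: float, hot_days: int, compliance_days: int,
                 cold_days: int, prices: TierPrices) -> dict[str, float]:
    """Steady-state monthly bill for a rolling hot -> cold -> archive pipeline.

    Data spends hot_days hot, then cold_days cold, then the remainder of
    compliance_days in archive; each tier holds daily_gb * days-in-tier GB.
    """
    archive_days = max(0, compliance_days - hot_days - cold_days)
    cost = {
        "hot": daily_gb * hot_days * prices.hot,
        "cold": daily_gb * cold_days * prices.cold,
        "archive": daily_gb * archive_days * prices.archive,
    }
    cost["total"] = sum(cost.values())
    return cost


# Constructed sample: days from breach start to discovery for ten past incidents.
SAMPLE_DWELL_DAYS = [40, 90, 150, 190, 220, 250, 300, 365, 450, 700]
PRICES = TierPrices(hot=2.50, cold=0.10, archive=0.01)  # constructed, per GB-month

if __name__ == "__main__":
    for days in (220, 365):
        print(f"{days}-day hot window covers {hot_coverage(days, SAMPLE_DWELL_DAYS):.0%} of breaches")
    print("90% coverage needs", hot_window_for(0.9, SAMPLE_DWELL_DAYS), "hot days")
    tiered = monthly_cost(50, 365, 7 * 365, 730, PRICES)
    all_hot = monthly_cost(50, 7 * 365, 7 * 365, 0, PRICES)
    print(f"tiered: ${tiered['total']:,.0f}/month  all hot: ${all_hot['total']:,.0f}/month")
```

With the sample data a 220-day window covers half the incidents, matching the article’s figure, while a one-year hot window plus two years cold and four years archive costs a small fraction of keeping seven years hot.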
It is also beneficial to organize a threat hunt twice a year against years of event logs, using the latest available indicator of compromise (IoC) information and threat intelligence as seeds for the investigation. These bi-yearly exercises can reduce the average monthly cloud SIEM operating costs and also let teams switch to a ‘deep dive’ mode over a broader set of data when they are looking for ‘low and slow’ compromises.
However, caution over infinite event log retention may be warranted. If a breached organization has only a few years of logs, rather than being able to trace the breach from its inception, its public disclosure will sound worse to some ears. Finding the sweet spot in log retention needs is crucial enough to make it a board-level decision. While moving to cloud SIEM, CISOs need to decide which logs must be included and which log settings to use.
Ideally, every event log must be passed to the cloud SIEM, as the AI and log analytics systems powering automated response and threat detection thrive on data. Also, the inclusion of logs from the broad spectrum of enterprise applications and devices can help remove potential false positives and reduce detection times, which increases overall confidence in the system’s recommendations.
The symbiotic development of cloud AI innovation and cloud SIEM continues at an astounding pace. Cloud SIEM’s ability to harness the innate capabilities of public cloud is transforming security operations. Threats are being uncovered more quickly, while responses are being managed more efficiently.