Enterprise systems and software generate a plethora of log entries every day for your security team to handle. For instance, operating system (OS), anti-malware/anti-virus systems, firewalls, user software, intrusion detection and prevention systems (IDS/IPS) are some of the most common log sources. Given that logs record every event, regular log reviews can help identify errors, anomalies, or suspicious activity in your IT infrastructure. This article looks at how log policy can be useful in your security operations.
What Is Log Policy?
Security-related event logs seek to provide comprehensive information for detecting and reacting to security incidents. Generally, log policy’s scope includes all the systems, applications, and software within the ambit of your IT infrastructure. This policy defines:
- Types of events that will be logged
- Protection of log data from unauthorized access
- Duration of retention
- Destruction of log records
- Roles and responsibilities concerning the handling of log data
- Monitoring and reviewing processes for log monitoring
What Is Log Retention?
Log retention is basically the duration for which you will store the log entries. In particular, your organization’s Log Policy may contain a section for Log Retention that talks about various types of information you will retain. For example,
- Activities performed on the system
- User account and application/software involved in the activity
- Time of the activity
- The outcome of the activity (success, failure, error)
What Should You Log?
In short, an organization should record log entries for at least the following:
- Creation, modification, and deletion of authentication information such as usernames, passwords, and multi-factor authentication (MFA).
- Established network connected and requests for network connections.
- User authentication and authorization to networks and systems.
- Granting, modification, and revocation of access rights.
- Adding or removing existing users.
- Changing user privileges, database permissions, passwords, or file permissions.
- Software updates and patches.
- Changes in system, network, or services.
- Startup, shutdown, and restart of applications and services.
- Failure of network services.
- Hardware faults.
- User activities of privileged/administrator accounts.
- Abortion, abnormal end, and failure of ongoing processes.
- Detection of suspicious activity by security tools such as IDS/IPS, anti-malware/anti-virus tools, firewalls etc.
- Events related to shared access, modified registry values, and exported data.
How Long Should You Keep Them?
In essence, there is no correct answer to this. Every organization operates in a different business environment and faces its own set of threats. Our experts recommend a duration between 12-18 months; however, you must check applicable laws. To clarify, retaining logs for audit and compliance purpose is a mandatory requirement of multiple standards, laws, and regulations. It is ideal to aggregate log data from different sources to a central system. With this intention, modern-day organizations prefer adopting a Security Information and Event Management (SIEM) solution to simplify log management activities. Moreover, efficient SIEM tool also helps organizations in correlation and advanced analysis of log data. Using machine learning algorithms, a SIEM tool can look out for similarities and trends in the collected data in real-time.
Endnotes
With a well-defined log policy and log retention process, log management can turn out to be an effective exercise. However, carelessness in log management can exponentially increase your data storage costs. To increase the effectiveness of their log management programs, organizations should avoid pricing plans proportional to the amount of data. Given that, service providers with big data architecture can provide affordable storage options with minimal downtime.