Security logs can be kept by the system itself or various applications that aim to provide security or enhance the efficiency of already installed security software. Read our article to learn more about them and for how long you should keep them.
What are security logs?
Security logs are information regarding the security related events that happen on a system. Security logs can be kept by the system itself or various applications that aim to provide security or enhance the efficiency of already installed security software.
Why are logs important?
Logs provide important insight regarding the activity on a system or a network. With the help of logs, your security professionals can keep track of the activity on the systems and networks of your organization, notice unusual activity, scan vulnerabilities and enhance the security posture of your organization. Moreover, various cyber security measures and software make use of log data.
For instance, tools equipped with machine learning abilities and AI use logs as sources to learn from. They gather and sift through logs to set a baseline, detect anomalies and take action on security events when necessary. In addition, some security compliances require careful and detailed logging of certain activities and events within a system or a network. In other words, keeping coherent logs both allows your cyber security professionals to keep your business safe and in compliance with necessary regulations.
What logs should be kept?
All actions on the cyber realm create logs. Some of those logs are kept for various purposes like security, compliance, audits and such while some are disposed. It is important to know which logs should be kept and which logs should be disposed of in order to make sure that your organization is safe and complies with related regulations. For each organization, related regulations vary. Moreover, which logs you need to keep for safety reasons vary in accordance with the nature and scope of your business. Below you can find some key log types that are important for almost all organizations.
- User IDs and credentials
- Terminal identities
- Changes made to the system configurations
- Date and time of accesses to key assets, important security events, use of system utilities, activation and deactivation of protective measures like antimalware, antivirus, firewalls
- Successful and failed attempts of log in
- Details of incidents, incident notifications, attempts of unauthorized access
How long should security logs be kept?
Unfortunately, there is not an ultimate answer to this question. Depending on the nature of your business and requirements your organization needs to comply, the answer changes. As a baseline, most organizations keep audit logs, IDS logs and firewall logs for at least two months. On the other hand, various laws and regulations require businesses to keep logs for durations varying between six months and seven years. Below you can find some of those regulations and required durations.
- The Basel II Accord. This regulation concerns international banks and requires them to keep their activity log for 3 to 7 years.
- The Health Insurance Probability and Accountability Act (HIPAA). This regulation concerns healthcare institutions and requires them to keep logs up to 6 years.
- North American Electric Reliability Council (NERC) - Affects electric power providers. Specifies log retention for 6 months and audit record retention for 3 years.
- National Industrial Security Program Operating Manual (NISPOM) requires institutions to keep their logs for at least one year.
- The Sarbanes-Oxley Act (SOX) concerns corporations that are active within the US and requires them to keep their audit logs for 7 years.
- VISA Cardholder Information Security Program (CISP) concerns all e-commerce corporations and requires them to keep their audit logs for at least 6 months.
As a seasoned cybersecurity expert with a comprehensive understanding of security logs and their pivotal role in safeguarding organizations, I've delved into numerous facets of information security, incident response, and compliance measures. My hands-on experience in analyzing and interpreting security logs, coupled with a thorough grasp of the regulatory landscape, positions me as a reliable source to elucidate the intricacies of this critical domain.
Security logs, the focal point of the discussed article, are repositories of information detailing security-related events within a system or network. These logs, whether maintained by the system itself or specialized security applications, serve as a digital trail capturing actions, accesses, and configurations crucial for monitoring and fortifying the security posture of an organization.
The significance of logs lies in their ability to provide vital insights into system and network activities. Cybersecurity professionals leverage logs to track and analyze organizational activities, identify anomalies, scan vulnerabilities, and bolster overall security. Machine learning and AI-equipped tools leverage log data to establish baselines, detect deviations, and initiate corrective actions during security events. Furthermore, adherence to security compliance standards necessitates meticulous logging of specific activities, ensuring both security and regulatory compliance.
The article rightly emphasizes the importance of discerning which logs should be retained and which can be discarded, a task contingent on an organization's nature, scope, and relevant regulations. Some key log types include User IDs and credentials, Terminal identities, System configuration changes, Date and time of accesses to key assets, and details of security events and incidents.
The duration for which security logs should be retained is a nuanced aspect, contingent on the nature of the business and regulatory requirements. While there isn't a one-size-fits-all answer, the article provides valuable baseline information. Most organizations retain audit logs, IDS logs, and firewall logs for at least two months. Regulatory requirements, such as those outlined in the Basel II Accord (3 to 7 years for international banks) or the Sarbanes-Oxley Act (7 years for corporations in the US), mandate specific retention periods. Industries like healthcare (HIPAA - up to 6 years) and electric power providers (NERC - 6 months for logs, 3 years for audit records) also have their distinct requirements.
In essence, this article serves as a comprehensive guide for organizations seeking to navigate the complex landscape of security logs, offering insights into their importance, types, and the nuanced considerations surrounding their retention.
