The Critical Role of Live Logs in Cybersecurity for One Year and Beyond: Regulations, Practices, and Cost Impacts
Ertugrul A.
Founder at SureLog SIEM | Faculty Member | IEEE Senior Member | EB1-A "Einstein Visa" Recipient | LinkedIn Top Voice | Human Rights-Ethics | Speaker | Blogger
In today's rapidly digitizing world, Security Information and Event Management (SIEM) solutions play a central role in helping organizations establish defenses against cyber threats. These systems use log data to monitor events occurring within networks and to extract the information needed to keep organizations secure. Cybersecurity experts and other authorities unanimously agree on the necessity of keeping log data live for at least one year. This recommendation reflects a fundamental truth in cybersecurity: understanding past incidents is crucial for being prepared against future threats. Additionally, the ability to swiftly draw on log data when analyzing any attack strengthens the processes of detecting vulnerabilities and responding promptly.
However, implementing this recommendation can raise concerns about disk space. The growing disk usage can be a daunting prospect for many organizations. Nevertheless, certain SIEM products address exactly this situation: some SIEM solutions effectively resolve the issue of high disk usage, removing the obstacle to keeping logs live and solving the problem of disk costs. A properly chosen SIEM solution handles high disk usage effectively, giving organizations the flexibility to store live logs for extended periods and thereby achieving an ideal balance between efficiency and security.
Keeping log data live for extended periods is now not just a principle advocated by cybersecurity experts but also a necessity dictated by official regulations. For instance, government offices in the United States [1], as well as institutions in Turkey such as the Central Bank of the Republic of Turkey (TCMB) [2] and the Banking Regulation and Supervision Agency (BDDK) [3], require organizations to keep log data live and ready for inspection for a minimum of three years. Moreover, many regulations and laws worldwide require live log data to be retained for one year or longer. For instance, MITRE has defined this duration as two years [4].
Companies often do not face questions about live log data during specific audits. Where such questions do arise, they may be superficial, or they may be settled by the company bringing itself into conformance with the necessary laws, directives, regulations, or standards before any penalty is imposed. However, having immediate access to live logs in the event of an incident is of paramount importance for effective incident response. According to IBM reports, the detection period for attacks varies between 250 and 300 days. During this period, swift incident response made possible by access to live logs can expedite the organization's response to an attack and minimize damage. The absence of live logs can expose organizations to substantial financial costs. For instance, according to IBM's 2022 report, the total cost of a data breach incident is estimated to be an average of 4.35 million dollars.
A report by Accenture states that businesses prepared for cyberattacks experience a 48% decrease in cost compared to others [5]. This emphasizes that organizations capable of quickly detecting and responding to security vulnerabilities can minimize post-attack impacts.
In conclusion, effective use of SIEM systems enhances organizations' cybersecurity, making them more secure. The necessity of keeping log data live for extended periods is not just a security measure but also a legal requirement. Meeting this obligation enables organizations to respond swiftly, minimize the impact of attacks, and maintain their reputation and financial stability in the long run. Therefore, acknowledging the significance of live logs while formulating cybersecurity strategies is vital. An effective security approach is indispensable for ensuring the security of both organizations and their customers.
References