A security log is a digital record of all server activity, and gives IT and Security teams a centralized view to log and track users, changes, and more. Security logs are critical to your company for maintaining cybersecurity needs and meeting industry data compliance regulations. This article explains the importance of security logging and outlines eight security log retention best practices to follow.
Why Is Security Log Retention Important?
Maintaining a reliable security log is not only good security posture, but brings you and your company peace of mind. Following security log retention best practices for event logs makes it easier to confirm your security logging processes protect your overall IT infrastructure. Event logs provide important insights into system and network activity. With proper visibility, cybersecurity teams can track activity on the systems and networks within a business, and flag a security event, any unusual activity, or system vulnerabilities. In addition, many industry and security compliance requirements demand detailed activity logs of specific actions within a system or network. Keeping logs is important to keep your business safe and within compliance.
What Security Logs Should Be Kept?
All digital actions create event logs. Some of them are kept in order to meet compliance and/or security needs, while others are disposed of. In each industry, related regulations vary widely. The logs needed for security differ according to individual business needs. Log types that are important for most organizations include user IDs and credentials, terminal identities, system configuration changes, date and timestamp information for access to key assets, successful and failed login attempts, and activity logs of unauthorized access attempts.
How Long Should Security Logs Be Kept?
There is more than one answer to this question. Ultimately, meeting security log retention best practices regarding timelines depends on the cycles of your business and the regulations your organization must adhere to. Most companies keep audit logs, IDS (Intrusion Detection System) logs, and firewall logs for a minimum of two months. There are also numerous laws and regulations that dictate how long businesses must keep event logs. Some examples are:
- The Basel II Accord: This regulation requires international banks to keep their activity log for three to seven years.
- HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare institutions to keep logs for up to six years.
- NERC: The North American Electric Reliability Corporation (NERC) applies to electric power providers, and specifies log retention for six months and audit record retention for three years.
- SOX: The Sarbanes-Oxley Act (SOX) concerns corporations active in the United States and requires them to keep audit logs for seven years.
- CISP: The Cardholder Information Security Program (CISP) pertains to all ecommerce corporations and requires them to keep their logs for a minimum of six months.
- NISPOM: The National Industrial Security Program Operating Manual (NISPOM) requires log retention for at least one year.
Eight Security Log Retention Best Practices to Follow
Here are top items to keep in mind when developing your company’s security log protocols:
1: Define Audit Categories
Decide if a security event is worth capturing in the event logging of your servers and workstations.
2: Monitor Logs
Have a tool that actively monitors event logs and can identify and alert on issues. Security monitoring software is available for this, and keeps tabs on security logs to make sure there are no cybersecurity breaches, like malware or hacking. Read tips on how to prevent cybersecurity breaches for recommendations on how to protect against outside data breaches.
3: Consolidate Records
To obtain a big picture view of network trends, security administrators merge records into a central data store for complete monitoring, analysis, and reporting. Consider automation, the more humans are in the process they increase the likelihood of human error. Automating logs is a good way to make sure the right data is collected and the security logs themselves are reliable.
4: Practice Redundant Data Storage
Keeping data in more than one place is good for cybersecurity, and using two formats creates an auditing advantage. Experts recommend storing log data in database records and as compressed flat files. Event Log Management (ELM) software can be a useful tool for storage and reporting.
5: Monitor Known Threats
Effective security log monitoring includes comparison against a database of known threats. Security logging software often contains this capability. A strong tool may be capable of responding to threats with early action, including sending alerts, logging off users, or even shutting down and restarting systems.
6: Track Users
Most organizations have a collection of users too large to trust the motivations of every password-protected user. Plus, hackers have been known to obtain verified access. For these reasons it’s important to use defensive security strategies separate from outsider monitoring. Using a tool that focuses on user activity can run reports based on user activity logs, and pay special attention to accounts with privileged access, while keeping watch for abnormal usage.
7: Evolve Event Monitoring
When determining an event logging monitoring plan, remember every organization has different rules about what they monitor. An IT or Security department may want to focus solely on security functions, but monitoring other events and actions can indicate issues with applications or hardware, or help find malware. The number of events configured, systems targeted, and frequency of polling will dictate the amount of bandwidth used. If you aren’t yet sure what system needs to configure, start wide and then pare down, decreasing elements as you finalize what to capture.
8: Report Reliably
Good data readouts and reporting is critical for meeting needs of key stakeholders, senior management, auditors, and security or compliance officers. Solid reporting will help you advocate for updating security policies when needed, and also provides the evidence required to show a business meets compliance.
How Long Should Security Incident Reports Be Retained?
Security incident reports are the documentation created with data captured after a security breach or suspicious security event. Current guidelines require that organizations retain all security incident reports and logs for at least six years. The six year count begins at the date of the last entry within the security incident report.
Ready to Start Improving Your Security Log?
This outline of security log retention best practices should make clear what’s needed to ensure your business is able to meet security logging needs and requirements. It’s easy to start improving your security log procedures by using AuditBoard’s connected risk model, starting with our compliance management software.
