Security logs can be kept by the system itself or various applications that aim to provide security or enhance the efficiency of already installed security software. Read our article to learn more about them and for how long you should keep them.
What are security logs?
Security logs are information regarding the security related events that happen on a system. Security logs can be kept by the system itself or various applications that aim to provide security or enhance the efficiency of already installed security software.
Why are logs important?
Logs provide important insight regarding the activity on a system or a network. With the help of logs, your security professionals can keep track of the activity on the systems and networks of your organization, notice unusual activity, scan vulnerabilities and enhance the security posture of your organization.
Moreover, various cyber security measures and software make use of log data. For instance, tools equipped with machine learning abilities and AI use logs as sources to learn from. They gather and sift through logs to set a baseline, detect anomalies and take action on security events when necessary.
In addition, some security compliances require careful and detailed logging of certain activities and events within a system or a network. In other words, keeping coherent logs both allows your cyber security professionals to keep your business safe and in compliance with necessary regulations.
What logs should be kept?
All actions on the cyber realm create logs. Some of those logs are kept for various purposes like security, compliance, audits and such while some are disposed. It is important to know which logs should be kept and which logs should be disposed of in order to make sure that your organization is safe and complies with related regulations. For each organization, related regulations vary. Moreover, which logs you need to keep for safety reasons vary in accordance with the nature and scope of your business. Below you can find some key log types that are important for almost all organizations.
- User IDs and credentials
- Terminal identities
- Changes made to the system configurations
- Date and time of accesses to key assets, important security events, use of system utilities, activation and deactivation of protective measures like antimalware, antivirus, firewalls
- Successful and failed attempts of log in
- Details of incidents, incident notifications, attempts of unauthorized access
How long should security logs be kept?
Unfortunately, there is not an ultimate answer to this question. Depending on the nature of your business and requirements your organization needs to comply, the answer changes. As a baseline, most organizations keep audit logs, IDS logs and firewall logs for at least two months.
On the other hand, various laws and regulations require businesses to keep logs for durations varying between six months and seven years. Below you can find some of those regulations and required durations.
- The Basel II Accord. This regulation concerns international banks and requires them to keep their activity log for 3 to 7 years.
- The Health Insurance Probability and Accountability Act (HIPAA). This regulation concerns healthcare institutions and requires them to keep logs up to 6 years.
- North American Electric Reliability Council (NERC) – Affects electric power providers. Specifies log retention for 6 months and audit record retention for 3 years.
- National Industrial Security Program Operating Manual (NISPOM) requires institutions to keep their logs for at least one year.
- The Sarbanes-Oxley Act (SOX) concerns corporations that are active within the US and requires them to keep their audit logs for 7 years.
- VISA Cardholder Information Security Program (CISP) concerns all e-commerce corporations and requires them to keep their audit logs for at least 6 months.