
How Long Should You Keep Security Data?

August 24, 2009

In digging back through some of my bookmark archives, I came across this post from Burton’s Trent Henry about how much (and what kind of) log data you should be storing. Now to level set, Trent is talking specifically about logs, and we all know that Log Data is Not Enough, so I’d extend the same conversation to include a broader data set: configuration, asset, performance, vulnerability and network flow data. Yet the general discussion and concepts are consistent when considering the idea of security data, regardless of how broadly you define that term.

It reminds me of when I was in the anti-spam business and we came across those customers that wanted to keep everything INDEFINITELY. That’s right, there were organizations out there that wanted to keep everything (spam included). I just scratched my head, and that is really Trent’s point here.

Each organization needs to understand what kind of data will be:

  1. Useful from a security operations standpoint.
  2. Useful from a compliance standpoint.

In dealing with security operations, you need enough data to isolate the root cause of any abnormalities you find in your IT systems.

We also believe this data should be kept for a longer rather than a shorter period. The reality is that with today’s low and slow attacks, a patient adversary may take months to perpetrate an attack. Once you roll over that data or fail to archive it, you can’t get it back. That doesn’t mean you keep stuff indefinitely, but you should be thinking in terms of years, not months.

When thinking about compliance, your assessor will tend to have opinions about what data you need or don’t need. And unfortunately those opinions can vary between assessors (or depending on which way the wind blows). So what enterprises need to do is DOCUMENT their retention policies and be able to defend them.

You can certainly have a difference of opinion with the assessor, but unless you have your data retention policies well-thought out and documented, you don’t have a leg to stand on when the assessor challenges you.

Finally, Trent’s point about the “skeletons in the closet” is exactly right. Every organization has them and hopefully we all have learned the lessons of all the high profile cases where emails provided pretty damning evidence. Just imagine your CEO doing stammer stammer stammer backpedaling during a video deposition. That worked pretty well for Microsoft a couple of times.

So only keep what you definitely need, but that’s only the third decision point – after meeting security ops and compliance data requirements.
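The three decision points above (security ops need, compliance need, then keep only what one of those justifies) are easy to state and easy to lose track of once you have dozens of data sources. The following is an added example, not from the original post or from Burton, that writes the decision down as a small policy-as-code module: each data type carries its documented requirements, the longest documented need wins, an open-ended “keep it forever” request is bounded and the bounding is itself recorded, and a separate audit check catches the rollover problem (the store no longer covers the window the policy promises). Every data type, regime name and day count in it is constructed for illustration.

```python
"""Retention policy as code (added example, not the post's own).

For each class of security data, record which documented need drives its
retention (security operations, or a named compliance regime), keep it for the
longest such need, bound open-ended "keep everything" requests, and audit a
store to confirm the retained window still covers the policy.
All data types, regimes and day counts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    source: str           # "secops" or a compliance regime (names are constructed)
    days: Optional[int]   # None: the requester wants the data kept indefinitely
    rationale: str        # the sentence you hand the assessor


@dataclass
class DataType:
    name: str
    requirements: List[Requirement] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    data_type: str
    retain_days: int
    driver: str           # which requirement set the number
    rationale: str
    flags: Tuple[str, ...]


def decide(dt: DataType, hard_cap_days: int) -> Decision:
    """Apply the three decision points in order: security-ops need, compliance
    need, then keep only what one of those actually justifies. An indefinite
    request is bounded at hard_cap_days and flagged, so the bounding itself is
    part of the documented policy rather than a surprise at assessment time."""
    if not dt.requirements:
        return Decision(dt.name, 0, "none",
                        "no documented security-ops or compliance need", ("delete",))
    flags = []
    best: Optional[Requirement] = None
    best_days = -1
    for r in dt.requirements:
        days = hard_cap_days if r.days is None else min(r.days, hard_cap_days)
        if r.days is None:
            flags.append(f"indefinite request from {r.source} bounded to {hard_cap_days}d")
        elif r.days > hard_cap_days:
            flags.append(f"{r.source} asked {r.days}d, bounded to {hard_cap_days}d")
        if days > best_days:            # longest documented need wins; first wins ties
            best, best_days = r, days
    return Decision(dt.name, best_days, best.source, best.rationale, tuple(flags))


def audit_store(decision: Decision, covered_days: int) -> dict:
    """Detect the rollover failure the post warns about: the store's oldest
    retained record must be at least retain_days old, otherwise the window has
    a gap that cannot be recovered after the fact."""
    shortfall = max(decision.retain_days - covered_days, 0)
    return {"data_type": decision.data_type, "required_days": decision.retain_days,
            "covered_days": covered_days, "shortfall_days": shortfall, "ok": shortfall == 0}


# Constructed inventory: the names, regimes and numbers are illustrative only.
INVENTORY = [
    DataType("firewall_logs", [
        Requirement("secops", 540, "low-and-slow intrusions: need >1 year to trace root cause"),
        Requirement("audit-regime-A", 365, "regime A (constructed) requires 12 months online"),
    ]),
    DataType("netflow", [
        Requirement("secops", 400, "needed to reconstruct lateral movement over months"),
    ]),
    DataType("spam_quarantine", [
        Requirement("legal-hold-request", None, "requester asked to keep everything forever"),
    ]),
    DataType("debug_traces", []),   # nobody asked for it: third decision point says delete
]
HARD_CAP_DAYS = 7 * 365             # longest retention the organisation will defend


def build_policy(inventory=INVENTORY, hard_cap_days=HARD_CAP_DAYS) -> List[Decision]:
    return [decide(dt, hard_cap_days) for dt in inventory]


def render_policy(decisions: List[Decision]) -> str:
    """The documented policy you put in front of the assessor."""
    lines = []
    for d in decisions:
        lines.append(f"{d.data_type}: retain {d.retain_days} days (driver: {d.driver}) - {d.rationale}")
        for f in d.flags:
            lines.append(f"    note: {f}")
    return "\n".join(lines)


if __name__ == "__main__":
    policy = build_policy()
    print(render_policy(policy))
    now = datetime(2009, 8, 24, tzinfo=timezone.utc)
    # Constructed store state: firewall logs were rolled over after about 400 days,
    # so the 540-day window the policy promises has a 140-day hole.
    oldest_retained = now - timedelta(days=400)
    print(audit_store(policy[0], (now - oldest_retained).days))
```

The point of the `flags` field is that “we were asked to keep it forever and declined” is exactly the kind of decision an assessor will ask about; recording it next to the number means the defence is already written. The audit function is deliberately separate from the policy: the policy says what you intend to keep, the audit says what you actually still have, and the gap between the two is what bites you months later.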
