EH-Net
Author Topic: Cost of the logs storage  (Read 2622 times)
alucian
« on: November 20, 2012, 08:57:32 AM »

Hello guys,

I have a question for you: how much does log storage cost (on average) for 1 year, 3 years and, most importantly, 7 years?

The reason for my question is that I am trying to convince my client to get rid of some usefull IDS/SIEM rules, and even to stop collecting some events.

Besides the noise they generate, they cost a lot of money to store for a long time.

So, if you have some data, or some links please share them with me/us.

Thank you very much!

P.S. If you have data about how much space different events/logs take ... it would be welcome.
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
jimbob
« Reply #1 on: November 26, 2012, 09:25:00 AM »

Hi,
I would approach this from a different angle. Storage is comparatively inexpensive, so trying to justify reducing a retention period on this basis may be hard. It may be easy to counter your argument with "space is cheap, we will keep everything forever."

What is your reason for wanting to reduce the retention period? I assume you mean to get rid of some useless (not usefull [sic]) IDS alerts. Tuning is an important part of managing any IDS solution so time would be well spent reducing noise and false positives. That does not mean you have to reduce the time you keep the alerts for. You could certainly sell the need for a clean up based on the effectiveness of the system and reduced overhead on those reading the logs.

Regards,
Jim
alucian
« Reply #2 on: November 26, 2012, 03:16:23 PM »

Hi Jim,

Thanks for the answer.

My idea is not to reduce the retention period, but to give an extra argument to get rid of many useless alerts. If they have to keep the logs for 7 years (as an ex), they must comply, but keeping garbage for 7 years...

Also, it will be a very useful exercise for all the analysts (and not only), an exercise that will make them think twice before using all the default alerts.

CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
tturner
« Reply #3 on: November 26, 2012, 03:23:18 PM »

There's a big difference between collecting and alerting. My preference is to collect as much data as feasible and then filter the data set down to a manageable level. I would rarely condone collecting less data but almost always recommend trimming alertable events, tuning, and filtering so as to not DoS the analyst. You can always expand your filters if necessary as long as you have the data.

Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, OPSE, CSWAE, CSTP, VCP

WIP: OSWP, GSSP-JAVA, GXPN

Udacity on hold, again. I suck.

http://sentinel24.com/blog  @tonylturner http://bsidesorlando.org
jimbob
« Reply #4 on: November 27, 2012, 02:15:14 PM »

Quote from tturner: "There's a big difference between collecting and alerting"

Agreed. The big issue is what to expose via alerts, dashboards etc. and what to keep. If capacity is not an issue, keep everything. By all means trim down on noisy alerts that add no value, but let the value of this filter down. Frequently you don't know what you need until after the fact, and finding out you have deleted something useful could be embarrassing.

Again, look at the junk as useful as a metric. What is the number of alerts following a tuning exercise versus untuned? This is a quantifiable metric to show improvement.

Regards,
Jimbob
alucian
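The "collect everything, alert on a tuned subset" approach from the two replies above, with jimbob's untuned-versus-tuned alert count as the metric, as an added Python example that is not from the thread; the log lines, signature names and the internal scanner host 10.0.0.5 are constructed for illustration.

```python
import re

# Constructed sample events (not real logs): an IDS-style key=value feed.
RAW_EVENTS = [
    "2012-11-26T09:00:01 src=10.0.0.5 dst=10.0.0.9 sig=ICMP_PING_NMAP sev=low",
    "2012-11-26T09:00:02 src=10.0.0.5 dst=10.0.0.9 sig=ICMP_PING_NMAP sev=low",
    "2012-11-26T09:00:05 src=192.0.2.44 dst=10.0.0.80 sig=HTTP_SQLI_ATTEMPT sev=high",
    "2012-11-26T09:00:07 src=10.0.0.7 dst=10.0.0.53 sig=DNS_LARGE_TXT sev=medium",
    "2012-11-26T09:00:09 src=10.0.0.5 dst=10.0.0.9 sig=ICMP_PING_NMAP sev=low",
    "2012-11-26T09:00:12 src=198.51.100.9 dst=10.0.0.80 sig=HTTP_DIR_TRAVERSAL sev=high",
    "2012-11-26T09:00:13 src=10.0.0.5 dst=10.0.0.9 sig=ICMP_PING_NMAP sev=low",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    ts, _, rest = line.partition(" ")
    ev = dict(FIELD_RE.findall(rest))
    ev["ts"] = ts
    return ev

# The collection store keeps every event, whatever the alerting policy says.
STORE = [parse(line) for line in RAW_EVENTS]

def untuned(ev):
    """Default policy: every signature alerts."""
    return True

# Tuned policy: a documented suppression for the (hypothetical) internal
# vulnerability scanner at 10.0.0.5, plus dropping low-severity noise.
SUPPRESS = {("ICMP_PING_NMAP", "10.0.0.5")}
def tuned(ev):
    if (ev["sig"], ev["src"]) in SUPPRESS:
        return False
    return ev["sev"] != "low"

def alerts(store, policy):
    return [ev for ev in store if policy(ev)]

def noise_reduction(store, before, after):
    """jimbob's metric: alert count untuned vs tuned, and the % reduction."""
    b, a = len(alerts(store, before)), len(alerts(store, after))
    return b, a, round(100 * (b - a) / b, 1)

def search(store, **criteria):
    """Collection was not trimmed, so suppressed events stay queryable later."""
    return [ev for ev in store if all(ev.get(k) == v for k, v in criteria.items())]

if __name__ == "__main__":
    print(noise_reduction(STORE, untuned, tuned))    # (7, 3, 57.1)
    print(len(search(STORE, sig="ICMP_PING_NMAP")))  # 4
```

The suppressed ping events never reach the analyst, yet `search` still finds all four of them in the store, which is the point of trimming alerts rather than collection.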
« Reply #5 on: November 28, 2012, 08:59:20 AM »

Thanks for the answers!

I'll think about your opinions.
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP