November 20, 2012 at 2:57 pm #8035
I have a question for you: How much does log storage cost (on average) (1 year, 3, and most importantly 7 years)?
The reason for my question is that I am trying to convince my client to get rid of some usefull IDS/SIEM rules, and even to stop collecting some events.
Besides the noise they generate, they cost a lot of money to store for a long time.
So, if you have some data, or some links, please share them with me/us.
Thank you very much!
P.S. If you have data about how much space different events/logs take … it would be welcome
November 26, 2012 at 3:25 pm #50960 jimbob (Participant)
I would approach this from a different angle. Storage is comparatively inexpensive, so trying to justify reducing a retention period on this basis may be hard. It may be easy to counter your argument with "space is cheap, we will keep everything forever."
What is your reason for wanting to reduce the retention period? I assume you mean to get rid of some useless (not usefull [sic]) IDS alerts. Tuning is an important part of managing any IDS solution so time would be well spent reducing noise and false positives. That does not mean you have to reduce the time you keep the alerts for. You could certainly sell the need for a clean up based on the effectiveness of the system and reduced overhead on those reading the logs.
November 26, 2012 at 9:16 pm #50961
Thanks for the answer.
My idea is not to reduce the retention period, but to give an extra argument to get rid of many useless alerts. If they have to keep the logs for 7 years (as an example), they must comply, but keeping garbage for 7 years…
Also, it will be a very useful exercise for all the analysts (and not only them), an exercise that will make them think twice before using all the default alerts.
November 26, 2012 at 9:23 pm #50962 tturner (Participant)
There’s a big difference between collecting and alerting. My preference is to collect as much data as feasible and then filter the data set down to a manageable level. I would rarely condone collecting less data but almost always recommend trimming alertable events, tuning, and filtering so as to not DOS the analyst. You can always expand your filters if necessary as long as you have the data.
November 27, 2012 at 8:15 pm #50963 jimbob (Participant)
"There’s a big difference between collecting and alerting"
Agreed. The big issue is what to expose via alerts, dashboards etc. and what to keep. If capacity is not an issue, keep everything. By all means trim down on noisy alerts that add no value but let the value of this filter down. Frequently you don’t know what you need until after the fact, and finding out you have deleted something useful could be embarrassing.
Again, look at the junk as useful as a metric. What is the number of alerts following a tuning exercise versus untuned? This is a quantifiable metric to show improvement.
November 28, 2012 at 2:59 pm #50964
Thanks for the answers!
I’ll think about your opinions.