Cost of the logs storage

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Tue Nov 20, 2012 9:57 am

Cost of the logs storage

Hello guys,

I have a question for you: how much does log storage cost (on average) for 1 year, 3 years, and, most importantly, 7 years?

The reason for my question is that I am trying to convince my client to get rid of some useful IDS/SIEM rules, and even to stop collecting some events.

Besides the noise they generate, they cost a lot of money to store for a long time.

So, if you have some data, or some links please share them with me/us.

Thank you very much!

P.S. If you have data about how much space different events/logs take, it would be welcome.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
jimbob

Newbie

Posts: 14

Joined: Tue Aug 01, 2006 3:56 pm

Post Mon Nov 26, 2012 10:25 am

Re: Cost of the logs storage

Hi,
I would approach this from a different angle. Storage is comparatively inexpensive, so trying to justify reducing a retention period on this basis may be hard. It may be easy to counter your argument with "space is cheap, we will keep everything forever."

What is your reason for wanting to reduce the retention period? I assume you mean to get rid of some useless (not usefull [sic]) IDS alerts. Tuning is an important part of managing any IDS solution, so time would be well spent reducing noise and false positives. That does not mean you have to reduce the time you keep the alerts for. You could certainly sell the need for a clean-up based on the effectiveness of the system and the reduced overhead on those reading the logs.

Regards,
Jim
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Mon Nov 26, 2012 4:16 pm

Re: Cost of the logs storage

Hi Jim,

Thanks for the answer.

My idea is not to reduce the retention period, but to give an extra argument to get rid of many useless alerts. If they have to keep the logs for 7 years (as an example), they must comply, but keeping garbage for 7 years...

Also, it will be a very useful exercise for all the analysts (and not only them), an exercise that will make them think twice before using all the default alerts.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Nov 26, 2012 4:23 pm

Re: Cost of the logs storage

There's a big difference between collecting and alerting. My preference is to collect as much data as feasible and then filter the data set down to a manageable level. I would rarely condone collecting less data but almost always recommend trimming alertable events, tuning, and filtering so as to not DOS the analyst. You can always expand your filters if necessary as long as you have the data.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
jimbob

Newbie

Posts: 14

Joined: Tue Aug 01, 2006 3:56 pm

Post Tue Nov 27, 2012 3:15 pm

Re: Cost of the logs storage

tturner wrote: There's a big difference between collecting and alerting

Agreed. The big issue is what to expose via alerts, dashboards etc. and what to keep. If capacity is not an issue, keep everything. By all means trim down on noisy alerts that add no value, but let the value of this filter down. Frequently you don't know what you need until after the fact, and finding out you have deleted something useful could be embarrassing.

Again, look at the junk as useful as a metric. What is the number of alerts following a tuning exercise versus untuned? This is a quantifiable metric to show improvement.

Regards,
Jimbob
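As an added example (not code from anyone in this thread), a small Python script that keeps the collect/alert split tturner describes, computes the before-versus-after tuning metric Jimbob suggests, and gives a rough raw-retention estimate for the original question; the events, signature names, threshold and EPS figure are all constructed.

```python
from collections import Counter

# Constructed sample IDS events (hypothetical signature names, not real rule IDs):
# "<timestamp> <source IP> sig=<signature> <message>"
EVENTS = [
    "2012-11-26T10:00:01 10.0.0.5 sig=NOISE-ICMP ICMP echo request",
    "2012-11-26T10:00:02 10.0.0.5 sig=NOISE-ICMP ICMP echo request",
    "2012-11-26T10:00:03 10.0.0.7 sig=NOISE-ICMP ICMP echo request",
    "2012-11-26T10:00:04 10.0.0.9 sig=SSH-BRUTE failed ssh login",
    "2012-11-26T10:00:05 10.0.0.9 sig=SSH-BRUTE failed ssh login",
    "2012-11-26T10:00:06 10.0.0.9 sig=SSH-BRUTE failed ssh login",
    "2012-11-26T10:00:07 10.0.0.9 sig=SSH-BRUTE failed ssh login",
    "2012-11-26T10:00:08 10.0.0.9 sig=SSH-BRUTE failed ssh login",
    "2012-11-26T10:00:09 10.0.0.2 sig=SHELLCODE suspicious payload",
    "2012-11-26T10:00:10 10.0.0.5 sig=NOISE-ICMP ICMP echo request",
]

def parse(line):
    ts, src, sig, msg = line.split(" ", 3)
    return {"ts": ts, "src": src, "sig": sig.split("=", 1)[1], "msg": msg}

def collect(lines):
    """Collection layer: every event is kept; nothing is dropped here."""
    return [parse(line) for line in lines]

def alert_tuned(events, suppress, thresholds):
    """Alerting layer: drop known-noise signatures; for thresholded signatures,
    raise one alert per source when its count reaches the threshold.
    The untuned policy is simply 'every collected event is an alert'."""
    seen, alerts = Counter(), []
    for e in events:
        if e["sig"] in suppress:
            continue
        limit = thresholds.get(e["sig"])
        if limit is None:
            alerts.append(e)          # unthresholded signature: alert as-is
            continue
        seen[(e["sig"], e["src"])] += 1
        if seen[(e["sig"], e["src"])] == limit:
            alerts.append(e)          # one alert per (signature, source)
    return alerts

def reduction_pct(before, after):
    """Tuning metric: percentage of alerts removed, untuned versus tuned."""
    return round(100.0 * (len(before) - len(after)) / len(before), 1)

def retention_gib(lines, eps, years):
    """Rough raw-storage estimate: mean line size (plus newline) x events/second x years."""
    avg = sum(len(line) + 1 for line in lines) / len(lines)
    return avg * eps * 365 * 86400 * years / 2**30
```

With the sample above, all 10 events are collected while the tuned policy yields 2 alerts (an 80% reduction), and 500 EPS of lines this size comes to a few thousand GiB of raw text over 7 years before compression.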
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Wed Nov 28, 2012 9:59 am

Re: Cost of the logs storage

Thanks for the answers!

I'll think about your opinions.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP