I'd like to ask the community's opinion about how long security logs (access control, firewall, DAM) should be retained for SIEM purposes.
I know, for instance, that PCI-DSS requirements are for 12 months and the UK's NCSC guidance is for 6 months for non-financial data but I thought it would be interesting to gauge members' thoughts, particularly around balancing the cost of storage vs the ability to spot a long term attack.
My two cents on this topic.
In general terms, storage is quite cheap and the cost of storage shouldn't be too high.
As a personal consideration, I always consider 12 months as the minimum period for log retention, but this is just my personal approach, and it obviously changes based on the scenario and the compliance needed (as you mentioned, PCI has a specific retention period, and so do other standards).
In my experience the longest retention period was 5 years for a specific project with financial implications.
From a security perspective, if you have a SIEM solution or a behavioral analysis tool, you should be able to detect an attack in a reasonable amount of time.
I believe the average time to detect an intrusion is around 200 days, which should be another aspect to consider for investigation.
In general I see Financial Institutions asking for log retention of 3 months, but they often ask for the archive to last for 7 years to meet legislative requirements.
In government it normally varies: 90 days is the log retention by policy and the archive 24 months, before falling off the edge. However, the events' integrity must be retained even under retention via a SHA-256 or SHA-384 hash, and often the SIEM will include compression techniques to squash the archive down to 90% of the original.
All depends on the current policies, legislation, and the country you dwell within by default.
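The integrity point above (hashing archived events so that a tampered or missing batch is detectable years later) is easy to get wrong if each batch is hashed in isolation. Below is an added illustration, not code from the poster or from any SIEM product: each compressed batch is hashed with SHA-256 (or SHA-384) and the digest is chained to the previous batch's chain value, so editing one event or dropping a whole batch breaks verification. The event lines, the batch size and the genesis value are all constructed for the example.

```python
"""Tamper-evident archiving of SIEM log batches (added example, hypothetical)."""
import gzip
import hashlib
from typing import Dict, List, Optional, Tuple

# Previous-hash value for the very first batch (an assumption of this example).
GENESIS = "0" * 64

# Constructed sample events; not real firewall or access-control logs.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01Z fw deny src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-03-01T10:00:02Z fw allow src=10.0.0.7 dst=198.51.100.2 dport=443",
    "2024-03-01T10:00:05Z access login user=alice result=success",
    "2024-03-01T10:00:09Z access login user=bob result=failure",
]


def archive_batch(events: List[str], prev_hash: str, algo: str = "sha256") -> Dict:
    """Compress one batch and record its digest chained to the previous batch.

    The digest covers the uncompressed bytes, so the archive can later be
    recompressed or moved to cheaper storage without invalidating it.
    """
    raw = "\n".join(events).encode("utf-8")
    digest = hashlib.new(algo, raw).hexdigest()
    chain = hashlib.new(algo, (prev_hash + digest).encode("ascii")).hexdigest()
    return {
        "algo": algo,            # "sha256" or "sha384", as mentioned in the thread
        "blob": gzip.compress(raw),
        "digest": digest,
        "prev": prev_hash,
        "chain": chain,
        "count": len(events),
    }


def build_archive(events: List[str], batch_size: int = 2, algo: str = "sha256") -> List[Dict]:
    """Split events into batches and produce the chained manifest entries."""
    entries: List[Dict] = []
    prev = GENESIS
    for start in range(0, len(events), batch_size):
        entry = archive_batch(events[start:start + batch_size], prev, algo)
        entries.append(entry)
        prev = entry["chain"]
    return entries


def verify_archive(entries: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad batch)."""
    prev = GENESIS
    for index, entry in enumerate(entries):
        raw = gzip.decompress(entry["blob"])
        algo = entry["algo"]
        # 1. content of this batch still matches its recorded digest
        if hashlib.new(algo, raw).hexdigest() != entry["digest"]:
            return False, index
        # 2. this batch really follows the previous one (detects a removed batch)
        if entry["prev"] != prev:
            return False, index
        # 3. the chain value was not rewritten independently of its inputs
        expected = hashlib.new(algo, (prev + entry["digest"]).encode("ascii")).hexdigest()
        if expected != entry["chain"]:
            return False, index
        prev = expected
    return True, None


def tamper_event(entries: List[Dict], index: int, old: bytes, new: bytes) -> None:
    """Edit one batch in place (used to demonstrate detection)."""
    raw = gzip.decompress(entries[index]["blob"])
    entries[index]["blob"] = gzip.compress(raw.replace(old, new))


if __name__ == "__main__":
    archive = build_archive(SAMPLE_EVENTS)
    print("intact:", verify_archive(archive))
    tamper_event(archive, 0, b"deny", b"allow")
    print("after edit:", verify_archive(archive))
```

The final chain value is the only thing that needs to be stored out of band (for example in a separate account or printed into a change ticket); whoever can rewrite a batch and its manifest entry still cannot reproduce that value without also rewriting every later batch.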
While the volume of the events we log did explode in the last few years, the cost of long term storage has become more reasonable.
If you are in a position of using cloud services for the archive retention, a decent data life cycle scheme is your friend. For instance, in AWS, you can retire older logs to Glacier and let them expire at the predefined age.
The retrieval time used to be an issue, but I believe that now there are options for expedited recovery at cost.
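To make the "retire to Glacier, then expire" idea above concrete, here is an added example (my own, not the poster's and not an AWS sample) that turns a retention policy of "N days hot, M days archived" into the lifecycle configuration shape that S3's `put_bucket_lifecycle_configuration` accepts. The bucket name and prefix are placeholders; the builder is pure Python so it runs offline, and only `apply_lifecycle` talks to AWS (assuming `boto3` is installed and credentials are configured).

```python
"""Build an S3 lifecycle rule for SIEM log retention (added example, hypothetical)."""
from typing import Dict

GLACIER_CLASS = "GLACIER"  # Glacier Flexible Retrieval storage class name


def build_lifecycle_config(prefix: str, hot_days: int, archive_days: int,
                           rule_id: str = "siem-log-retention") -> Dict:
    """Return a lifecycle configuration that transitions objects under `prefix`
    to Glacier after `hot_days` and deletes them after `archive_days` total.

    S3 rejects a rule whose expiration is not strictly later than its transition,
    so that is validated here rather than discovered at apply time.
    """
    if hot_days < 0 or archive_days <= 0:
        raise ValueError("retention periods must be positive")
    if archive_days <= hot_days:
        raise ValueError("archive_days must be greater than hot_days")
    return {
        "Rules": [
            {
                "ID": rule_id,
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "Transitions": [{"Days": hot_days, "StorageClass": GLACIER_CLASS}],
                "Expiration": {"Days": archive_days},
                # Also clean up partial multipart uploads left by interrupted log shippers.
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
            }
        ]
    }


def retention_summary(config: Dict) -> Dict[str, int]:
    """Read back hot and total retention from a config (useful for audit checks)."""
    rule = config["Rules"][0]
    hot = rule["Transitions"][0]["Days"]
    total = rule["Expiration"]["Days"]
    return {"hot_days": hot, "archived_days": total - hot, "total_days": total}


def apply_lifecycle(bucket: str, config: Dict) -> None:
    """Apply the configuration to a bucket (requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the builder can be used offline
    boto3.client("s3").put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=config
    )


if __name__ == "__main__":
    # 90 days searchable, 24 months in total, matching the government figures in the thread.
    cfg = build_lifecycle_config("siem/", hot_days=90, archive_days=730)
    print(cfg)
    print(retention_summary(cfg))
    # apply_lifecycle("example-siem-archive-bucket", cfg)  # placeholder bucket name
```

For the retrieval side, restoring an archived object is a separate `restore_object` call whose `GlacierJobParameters` tier selects standard or expedited retrieval; the expedited option is what the poster refers to as "recovery at cost".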