In Episode 18 of Season 5 of “Star Trek: The Next Generation,” the USS Enterprise becomes ensnared in a time loop, a phenomenon that causes the ship to repeatedly experience the same sequence of events. The loop not only endangers the ship but also threatens the crew's safety and the ship's mission.
The character Data, played by Brent Spiner, is an android with a positronic brain that enables him to retain memories in ways that the rest of the crew cannot. As the time loop repeats, Data begins to experience a sense of déjà vu. It becomes apparent that he is the key to understanding the situation and finding a way to break free from the cycle.
Just as Data's memories provide a record of events in each time loop, enterprises must maintain comprehensive logs that capture all relevant data related to their digital operations. These logs include system activities, user actions, and network events. Without comprehensive logging, crucial information may be missed, leaving an organization vulnerable to threats and compliance issues.
As the time loop continues, Data's memories accumulate, highlighting the necessity of adequate storage. In an enterprise, it is essential to ensure that logging destinations have sufficient storage capacity to handle the volume of audit logs generated over time. Running out of storage can result in the loss of valuable data, hampering incident response, forensic analysis, and compliance efforts.
Ensure that logging systems have sufficient storage capacity in line with the organization's log management policies. Audit log storage is crucial for compliance with legal and regulatory standards and provides the data needed for forensic work after a security incident.
Essential audit log data includes:
- User IDs and Credentials: Record of user access and authentication
- Terminal Identities: Information on the devices or terminals used
- System Configuration Changes: Details of any alterations to system settings
- Event Timing: The date and time for each recorded event
- Access Attempts: Records of both successful and failed login attempts
Refer to NIST publication SP 800-92, Sections 5.1 and 5.4, for guidelines on policy development and the management of long-term log storage. The organizational policy should dictate the duration of log retention based on the data's value and other relevant considerations, ranging from immediate disposal for insignificant data to long-term centralized storage for critical information. Regular log rotation should be part of this policy to ensure ongoing logging without storage overflow.
Retention periods vary by business nature and policy, typically spanning from two months to several years. For extended retention, select a uniform log format and appropriate backup media, ensuring the integrity and secure offsite storage of the logs.
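As an added example that is not part of the original post or of CIS's own materials, the following Python check turns a policy retention period into a storage figure and reports how long a destination can actually honour it at the current ingest rate. The source names, daily volumes, compression ratios and capacities are constructed assumptions, not measured data.

```python
# Added example (not from the original post): checks an audit-log destination's
# capacity against the retention period required by policy (CIS Safeguard 8.3).
from dataclasses import dataclass

GIB = 1024 ** 3

@dataclass(frozen=True)
class LogSource:
    name: str
    daily_bytes: int                # average raw bytes written per day
    compression_ratio: float = 1.0  # stored/raw size, e.g. 0.15 for compressed text logs

@dataclass(frozen=True)
class CapacityReport:
    required_bytes: int     # storage needed to hold the full retention window
    capacity_bytes: int
    adequate: bool
    days_until_full: float  # days of ingest the remaining free space can absorb

def daily_stored_bytes(sources):
    return sum(s.daily_bytes * s.compression_ratio for s in sources)

def required_storage(sources, retention_days, headroom=0.20):
    """Bytes to retain all sources for retention_days, plus headroom for log spikes."""
    return int(daily_stored_bytes(sources) * retention_days * (1 + headroom))

def supported_retention_days(sources, capacity_bytes, headroom=0.20):
    """Retention the destination can actually honour at the current ingest rate."""
    daily = daily_stored_bytes(sources) * (1 + headroom)
    return capacity_bytes / daily if daily else float("inf")

def check_capacity(sources, retention_days, capacity_bytes, used_bytes=0, headroom=0.20):
    """Compare policy-required storage with the destination and estimate time to full."""
    required = required_storage(sources, retention_days, headroom)
    daily = daily_stored_bytes(sources)
    free = max(capacity_bytes - used_bytes, 0)
    days_until_full = free / daily if daily else float("inf")
    return CapacityReport(required, capacity_bytes, capacity_bytes >= required, days_until_full)

# Constructed sample figures (assumptions, not measured data).
SAMPLE_SOURCES = [
    LogSource("domain-controllers", daily_bytes=40 * GIB, compression_ratio=0.15),
    LogSource("perimeter-firewalls", daily_bytes=120 * GIB, compression_ratio=0.10),
    LogSource("linux-auditd", daily_bytes=25 * GIB, compression_ratio=0.20),
]

if __name__ == "__main__":
    # Example policy: 90 days online retention; destination is 2 TiB with 400 GiB used.
    r = check_capacity(SAMPLE_SOURCES, 90, capacity_bytes=2048 * GIB, used_bytes=400 * GIB)
    print(f"need {r.required_bytes / GIB:.0f} GiB for 90 days, have {r.capacity_bytes / GIB:.0f} GiB")
    status = "adequate" if r.adequate else f"SHORTFALL: fills in {r.days_until_full:.0f} days"
    print(status, f"(supports {supported_retention_days(SAMPLE_SOURCES, 2048 * GIB):.0f} days)")
```

With the sample figures the destination holds about 74 days, short of the 90 the example policy demands, which is the gap a rotation or retention review should surface before the disk fills.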
Here’s a link to the Audit Log Management Policy Template provided free of charge by the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/audit-log-management-policy-template-for-cis-control-8
Here are some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 8 – Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Implementation Group 1
CIS Safeguard 8.3 - Ensure Adequate Audit Log Storage
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.