CIS Safeguard 8.10: Retain Audit Logs

By Steve Gold
Posted in Security
On March 31, 2026

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

In Blade Runner 2049 (2017), the central mystery hinges on memory. What was recorded, what was preserved, and what was lost determines who can understand the truth and who remains in the dark. The film makes a simple but powerful point: without reliable memory, reconstruction becomes speculation.

CIS Safeguard 8.10 is built on that same idea. If audit logs are not retained long enough, incidents can’t be fully understood, investigated, or learned from, no matter how good your detection tools are.

What Is CIS Safeguard 8.10?

CIS Safeguard 8.10: Retain Audit Logs is part of CIS Critical Security Control 8 – Audit Log Management. The safeguard requires organizations to:

  • Retain audit logs for a defined minimum period
  • Ensure logs remain accessible, readable, and protected
  • Support incident response, forensics, and compliance needs

The safeguard assumes logs are already being collected and centralized (Safeguards 8.6–8.9). Safeguard 8.10 answers the final—and often neglected—question:

How long will the evidence still be there when you need it?

Why Log Retention Is a Security Control, Not Storage Hygiene

Many organizations treat retention as a cost problem. In reality, it’s a risk management decision.

Modern attacks are rarely detected immediately:

  • Compromised credentials may be abused quietly
  • Persistence mechanisms may lie dormant
  • Cloud and SaaS misuse may blend into normal activity

By the time suspicious behavior is identified, the initial activity may be weeks or months old. If logs have already rolled off, critical questions become impossible to answer.

What Retained Logs Enable

Safeguard 8.10 ensures organizations can move beyond alert handling to true understanding.

  1. Full Incident Reconstruction

Retention allows responders to:

  • Identify initial access points
  • Trace lateral movement
  • Confirm scope of compromise
  • Validate remediation effectiveness

Without historical logs, teams are forced to assume—not verify—what happened.

  2. Detection of Slow, Low-and-Quiet Attacks

Not all attacks are noisy. Retained logs make it possible to:

  • Identify long-term credential abuse
  • Spot rare but recurring behaviors
  • Detect attackers who intentionally avoid thresholds

These patterns often only emerge when weeks of activity are analyzed together.

  3. Post-Incident Learning and Improvement

Retention supports:

  • Root cause analysis
  • Control gap identification
  • Detection rule tuning
  • Executive and regulatory reporting

If logs disappear too quickly, organizations lose the opportunity to improve—not just respond.

What Logs Should Be Retained?

Safeguard 8.10 applies broadly to audit-relevant logs, including:

  • Authentication and identity logs
  • Endpoint and command-line logs
  • DNS, URL, and network activity logs
  • Cloud and SaaS service logs
  • Administrative and configuration changes

The goal isn’t indefinite retention of everything, but intentional retention of what matters.

How Long Is “Long Enough?”

CIS does not mandate a single retention period, because risk varies by organization. However, practical security-aligned guidance often includes:

  • 30–90 days readily searchable (“hot” storage)
  • 6–12 months archived but accessible (“warm” or “cold” storage)
  • Longer retention for high-risk systems, regulated data, or critical infrastructure

The key principle is consistency: retention periods should be documented, enforced, and reviewed.

Retention Without Protection Is False Confidence

Retained logs must also be:

  • Protected from tampering or deletion
  • Access-controlled
  • Integrity-checked

Attackers frequently attempt to delete or modify logs precisely because they understand their value. Retention only matters if the data can be trusted.
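One way to make retained archives trustworthy in the sense described above is to record a hash of each day's archive in a manifest sealed with an HMAC, then verify the manifest, the presence of every expected day, and each archive's hash before relying on it. This is an added illustration, not code from the post; the key, file names and archive contents are constructed.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed demo key. In production the sealing key lives in a KMS/HSM or a
# write-once store that log-platform admins themselves cannot reach.
MANIFEST_KEY = b"constructed-demo-key"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(archives: dict) -> dict:
    """Hash every daily archive and seal the list with an HMAC, so deleting or
    rewriting a day's archive cannot be hidden by editing the manifest too."""
    entries = {name: digest(data) for name, data in sorted(archives.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}

def verify_archives(manifest: dict, archives: dict, start: date, end: date) -> list:
    """Return findings for one source over a date range. An empty list means the
    manifest is authentic and every expected day is present and unmodified."""
    findings = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        findings.append("manifest: MAC mismatch, the manifest itself was altered")
    day = start
    while day <= end:
        name = f"auth-{day.isoformat()}.log.gz"  # one archive per source per day
        if name not in manifest["entries"]:
            findings.append(f"{name}: never recorded in manifest (collection gap)")
        elif name not in archives:
            findings.append(f"{name}: in manifest but missing from storage")
        elif digest(archives[name]) != manifest["entries"][name]:
            findings.append(f"{name}: hash mismatch, content was modified")
        day += timedelta(days=1)
    return findings

def demo() -> list:
    """Constructed three-day archive set; day 2 is then edited and day 3 deleted."""
    start, end = date(2026, 3, 1), date(2026, 3, 3)
    archives = {f"auth-2026-03-0{d}.log.gz": f"day {d} events".encode() for d in (1, 2, 3)}
    manifest = build_manifest(archives)
    archives["auth-2026-03-02.log.gz"] = b"day 2 events, attacker's logins removed"
    del archives["auth-2026-03-03.log.gz"]
    return verify_archives(manifest, archives, start, end)
```

Running the check on a schedule, not only during an incident, is what turns it from a one-off audit into the ongoing assurance the safeguard asks for.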

How Safeguard 8.10 Completes Control 8

CIS Control 8 follows a logical progression:

  • 8.6–8.8: Capture meaningful activity
  • 8.9: Centralize it
  • 8.10: Keep it long enough to matter

Without Safeguard 8.10, the value of every previous safeguard decays over time.

Practical Implementation Tips

To implement Safeguard 8.10 effectively:

  1. Define Retention by Risk
    Critical systems deserve longer retention than low-impact assets.
  2. Automate Retention Enforcement
    Manual processes fail silently.
  3. Test Historical Access
    Ensure archived logs are actually retrievable during incidents.
  4. Review Retention Annually
    Business risk, threat models, and regulations change.
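The first three tips above can be checked with a small policy-as-code audit: each log source carries a risk tier, its configured retention is compared against the documented tier policy and the 90-day CIS minimum, and a source whose archive has never been restore-tested (or only partway back) is flagged. This is an added example, not part of the post; the tier values and the inventory are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Floor the safeguard itself sets: retain audit logs for a minimum of 90 days.
CIS_MINIMUM_DAYS = 90

# Documented policy by risk tier: searchable ("hot") days and total days kept.
# The tier values are constructed examples in line with the ranges above.
POLICY = {
    "critical": {"hot_days": 90, "total_days": 365},
    "standard": {"hot_days": 60, "total_days": 180},
    "low": {"hot_days": 30, "total_days": 90},
}

@dataclass
class LogSource:
    name: str
    tier: str
    hot_days: int                   # configured searchable retention
    total_days: int                 # configured retention including archive
    oldest_restored: Optional[int]  # days back a restore test last succeeded, None = never tested

def audit(sources) -> list:
    """Compare each source's configured retention against policy and against
    the last successful restore test; returns human-readable findings."""
    findings = []
    for s in sources:
        policy = POLICY.get(s.tier)
        if policy is None:
            findings.append(f"{s.name}: unknown tier '{s.tier}', assign one before evaluating")
            continue
        if s.total_days < CIS_MINIMUM_DAYS:
            findings.append(f"{s.name}: {s.total_days}d total is below the 90-day CIS minimum")
        elif s.total_days < policy["total_days"]:
            findings.append(f"{s.name}: {s.total_days}d total is below the {policy['total_days']}d {s.tier} policy")
        if s.hot_days < policy["hot_days"]:
            findings.append(f"{s.name}: {s.hot_days}d searchable is below the {policy['hot_days']}d {s.tier} policy")
        if s.oldest_restored is None:
            findings.append(f"{s.name}: archive restore has never been tested")
        elif s.oldest_restored < s.total_days:
            findings.append(f"{s.name}: restore verified only {s.oldest_restored}d back, policy assumes {s.total_days}d")
    return findings

# Constructed inventory: one compliant source and three with different gaps.
INVENTORY = [
    LogSource("idp-auth", "critical", 90, 365, 365),
    LogSource("edr-cmdline", "critical", 90, 180, 180),
    LogSource("dns-resolver", "standard", 30, 60, None),
    LogSource("saas-admin", "low", 30, 90, 45),
]
```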

Final Thoughts

CIS Safeguard 8.10 exists because security without memory is guesswork. Detection finds signals, response contains damage—but retention preserves truth.

Retained audit logs determine whether defenders can separate fact from assumption. When an incident surfaces weeks later, logs are often the only reliable witness left.

The ability to remember clearly is often the difference between repeating mistakes—and preventing the next breach.

Resources

Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:

Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.

CIS Control 8 – Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

CIS Safeguard 8.10: Retain Audit Logs

Retain audit logs across enterprise assets for a minimum of 90 days.

Shameless Marketing Information

Gotham Technology Group offers a Security Operations Center as a Service (SOCaaS) powered by Arctic Wolf Networks. Our team will work alongside your team to support and mature your security operations.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell, and Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.