The last segment of Security Weekly #477 featured an interview between Paul and Alex Horan on SAP security. Setting up the conversation, Alex says the following about logging (at 1:41:39):
Now we’re seeing with more modern installations that logging is enabled. It’s not a negative. It’s not a drain at all. What’s missing is “what level of detail should you be applying to that logging?” That is kind of a gray area. If you don’t know what you’re doing, you could either turn everything on, in which case you’re consuming a lot of disk space, and you’re not looking at those logs, and that, in turn, defeats the purpose of logs, or you’re missing the relevant information because you’re just turning on random flags.
This statement makes a fundamental assumption about logs: that the only reason one would collect them is breach or incident detection. That misses a second key function of logging, which is actually figuring out what happened once you do have an incident.
When (not if) there is some kind of incident, the forensics team is going to look at the logs to figure out what happened. If logs are not being collected, then they are blind to that history.
Especially given the environment today, where the Verizon Data Breach Investigations Report shows that only around 15% of breaches are identified internally, and third parties and law enforcement account for the vast majority of initial discoveries, an organization is going to want to have as many logs as possible so it can understand what went on when a notification arrives.
It is slightly unfair to read so much into this comment, as it wasn’t the main point of the conversation. Beyond that, this is on a podcast targeted at pentesters, and it makes sense that their bias would be towards incident identification.
But the point is still critical to network defense. Networks are going to be breached. When they are, defenders will want as much evidence as possible. Obviously there are constraints on how much any given organization can store. Obviously it would be ideal if the security team were looking over everything that was stored. But practically, storing logs for some period of time has real benefit even if they cannot be analyzed in real time.
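To make the forensic use of retained logs concrete, here is an added example of my own (not from the podcast or from the post above). It simulates what happens when an external notification arrives: given an indicator from the notification (an IP and an account name) and a date, it pulls every retained event that mentions those indicators from two differently formatted log sources, normalises the timestamps, and assembles one ordered timeline. It also applies a retention policy first, so you can see that with a short retention window the same incident leaves nothing to reconstruct. All log lines, hostnames, addresses and dates below are constructed for the example; the retention and look-back periods are parameters you would set from your own policy.

```python
"""Unified incident timeline from retained logs (added example, not the post's code).

Two constructed log sources are parsed into a common event shape, a simulated
retention policy is applied as of the notification date, and the surviving
events that mention any indicator inside the look-back window are returned in
time order.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: syslog-style auth log (syslog omits the year, so the caller supplies it)
AUTH_LOG = """\
Mar  3 02:14:07 web01 sshd[4123]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 02:14:11 web01 sshd[4123]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 02:15:02 web01 sshd[4130]: Accepted password for deploy from 198.51.100.23 port 51240 ssh2
Mar  3 02:16:45 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/app
Mar  9 09:00:00 web01 sshd[5001]: Accepted publickey for ops from 10.0.0.5 port 40000 ssh2
"""

# Constructed sample: web server combined access log
ACCESS_LOG = """\
198.51.100.23 - - [03/Mar/2024:02:10:33 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.23 - - [03/Mar/2024:02:17:30 +0000] "GET /tmp/db.tgz HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.9 - - [05/Mar/2024:11:05:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_auth(text, year):
    """Turn syslog auth lines into events with an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format rather than failing the whole parse
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "auth", "text": f"{m['host']} {m['msg']}"})
    return events


def parse_access(text):
    """Turn combined-format access lines into events; the log carries its own offset."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ts": ts, "source": "access", "text": line})
    return events


def apply_retention(events, retention_days, now):
    """Simulate a retention policy: anything older than the window was already purged when the notification came in."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if e["ts"] >= cutoff]


def build_timeline(events, indicators, start, end):
    """Keep events inside [start, end] that mention any indicator, sorted by time across sources."""
    hits = [e for e in events
            if start <= e["ts"] <= end and any(ind in e["text"] for ind in indicators)]
    return sorted(hits, key=lambda e: e["ts"])


def reconstruct(notified_at_iso, indicators, lookback_days, retention_days):
    """End-to-end: parse both sources, apply retention as of the notification, build the timeline."""
    notified_at = datetime.fromisoformat(notified_at_iso)
    events = parse_auth(AUTH_LOG, notified_at.year) + parse_access(ACCESS_LOG)
    retained = apply_retention(events, retention_days, notified_at)
    start = notified_at - timedelta(days=lookback_days)
    return build_timeline(retained, indicators, start, notified_at)


if __name__ == "__main__":
    # Constructed scenario: a third party reports activity from 198.51.100.23 on 12 March.
    for days in (7, 90):
        tl = reconstruct("2024-03-12T00:00:00+00:00", ["198.51.100.23", "deploy"], 30, days)
        print(f"retention {days}d: {len(tl)} relevant events")
        for e in tl:
            print(f"  {e['ts'].isoformat()}  [{e['source']}]  {e['text'][:70]}")
```

With a 90-day retention the run yields six ordered events spanning both sources: the web login probe, two failed SSH logins, the accepted login for `deploy`, the `sudo` archive command, and the request for the archive. With a 7-day retention the same notification yields nothing, because every relevant event predates the cutoff. That gap, not detection, is the cost the post is arguing about: the logs were never going to be read in real time, but nine days later they are the only record of what happened.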