Information and Event Management on systems with sufficient scale to operate controls and consolidate data

SIEM Data Storage Requirements and the consolidation of data and deletion of underlying transactions

Security Information and Event Management (SIEM) systems are crucial for monitoring and analyzing security events in real-time. Here are some key points regarding SIEM data storage requirements, data consolidation, and the deletion of underlying transactions:

SIEM Data Storage Requirements

  1. Volume and Scalability: SIEM systems need to handle large volumes of data from various sources like firewalls, intrusion detection systems, servers, and applications. The storage system must be scalable to accommodate growing data needs.

  2. Performance: High ingest performance is essential to capture relevant data without impacting the system’s ability to collect and analyze events.

  3. Compliance: SIEM storage must comply with regulatory requirements such as PCI-DSS, GDPR, and HIPAA. This includes maintaining logs for specific periods and generating audit trails.

  4. Data Types: The storage system should support unstructured data (file- and object-based storage) and provide high performance, availability, and cost-effective scalability.

Data Consolidation

  1. Centralized View: Consolidating data from multiple sources into a single SIEM system provides a centralized view of the security landscape, aiding in early threat detection and efficient incident management.

  2. Normalization: Data from various sources must be normalized for effective analysis. This involves converting data into a common format to facilitate correlation and detection tasks.

  3. Efficiency: Consolidation helps in reducing the complexity and cost associated with managing multiple SIEM systems. It also ensures that all relevant data is available for analysis in one place.

Deletion of Underlying Transactions

  1. Retention Policies: SIEM systems should have clear data retention policies to determine how long data should be kept. This is often dictated by compliance requirements.

  2. Secure Deletion: When data is no longer needed, it should be securely deleted to prevent unauthorized access. This involves overwriting the data to ensure it cannot be recovered.

  3. Automated Processes: Implementing automated processes for data deletion can help ensure that data is removed in a timely and consistent manner, reducing the risk of retaining unnecessary data.

Would you like more detailed information on any of these aspects?

Include frequency to determine the amount of data that is to be terminated on the same frequency as data is consolidated, reviewed and reported, with possible intervals of the following frequencies: daily, weekly, monthly, quarterly, semi-annually and annual review, including the annual review of the auditor that confirms the required reports and reviews have taken place in line with the capacity storage retention requirements to make a proper review.

To effectively manage SIEM data storage, consolidation, and deletion, it’s crucial to establish a structured schedule for reviewing and terminating data. Here’s a breakdown of how you can approach this with different frequencies:

Daily

  • Data Consolidation: Aggregate logs and events from various sources.

  • Review: Perform initial checks for anomalies or critical alerts.

  • Reporting: Generate daily summary reports for immediate issues.

  • Deletion: Remove non-critical data that is no longer needed.

Weekly

  • Data Consolidation: Consolidate data from the past week.

  • Review: Conduct a more detailed analysis of weekly trends and patterns.

  • Reporting: Create weekly reports highlighting significant events and trends.

  • Deletion: Purge data that has been reviewed and deemed unnecessary.

Monthly

  • Data Consolidation: Compile data from the past month.

  • Review: Perform a comprehensive review of monthly security events.

  • Reporting: Generate detailed monthly reports for management and compliance purposes.

  • Deletion: Delete data that exceeds the retention period for daily and weekly logs.

Quarterly

  • Data Consolidation: Aggregate data from the past quarter.

  • Review: Conduct in-depth analysis of quarterly security trends.

  • Reporting: Prepare quarterly reports for strategic planning and compliance.

  • Deletion: Remove data that is no longer required for daily, weekly, and monthly reviews.

Semi-Annually

  • Data Consolidation: Consolidate data from the past six months.

  • Review: Perform a thorough review of semi-annual security events.

  • Reporting: Generate semi-annual reports for higher-level management and compliance.

  • Deletion: Purge data that exceeds the retention period for shorter intervals.

Annually

  • Data Consolidation: Compile data from the entire year.

  • Review: Conduct a comprehensive annual review of security events and trends.

  • Reporting: Create annual reports for auditors and regulatory compliance.

  • Deletion: Remove data that is no longer needed for operational or compliance purposes.

Annual Auditor Review

  • Audit Confirmation: Ensure that all required reports and reviews have been completed.

  • Compliance Check: Verify that data retention and deletion policies are in line with regulatory requirements.

  • Capacity Planning: Assess storage capacity and plan for future data retention needs.

By following this structured approach, you can ensure that your SIEM system remains efficient and compliant with data retention policies. Would you like more details on any specific frequency or process?
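The schedule above ties deletion to the review cycle: a batch of consolidated events is purged only once its tier has been reviewed and reported and its retention window has passed. As an added example that is not part of the conversation above, the following Python check enforces that rule and writes one audit-trail line per decision for the annual auditor review. The retention windows, the legal-hold flag and the sample batches are hypothetical and constructed here.

```python
"""Tiered SIEM retention check: purge a consolidated batch only if its review is
recorded, it is not on legal hold, and it is older than its tier's window."""
from dataclasses import dataclass
from datetime import date

# Hypothetical retention windows (days) per review frequency; set from your policy.
RETENTION_DAYS = {"daily": 7, "weekly": 35, "monthly": 400,
                  "quarterly": 400, "semi_annual": 800, "annual": 2557}

@dataclass(frozen=True)
class Batch:
    batch_id: str
    tier: str          # frequency at which this batch was consolidated
    ingested: date     # date the batch was consolidated into this tier
    reviewed: bool     # review and report for this tier completed and recorded
    legal_hold: bool = False  # hypothetical flag: never purge while set

def purge_decision(batch: Batch, today: date) -> tuple:
    """Return (delete?, reason). Unreviewed or held data is always kept."""
    if batch.tier not in RETENTION_DAYS:
        return False, "unknown tier"
    if batch.legal_hold:
        return False, "legal hold"
    if not batch.reviewed:
        return False, "review/report not recorded"
    age = (today - batch.ingested).days
    limit = RETENTION_DAYS[batch.tier]
    if age <= limit:
        return False, f"within retention ({age}/{limit} days)"
    return True, f"retention exceeded ({age}/{limit} days)"

def run_retention(batches, today):
    """Split batches into delete/keep id lists and build an audit trail."""
    delete, keep, audit = [], [], []
    for b in batches:
        ok, why = purge_decision(b, today)
        (delete if ok else keep).append(b.batch_id)
        audit.append(f"{today.isoformat()} {b.batch_id} tier={b.tier} "
                     f"{'DELETE' if ok else 'KEEP'}: {why}")
    return delete, keep, audit

# Constructed sample batches for a run on 2024-06-30
TODAY = date(2024, 6, 30)
SAMPLE = [
    Batch("d-0601", "daily", date(2024, 6, 1), reviewed=True),
    Batch("d-0628", "daily", date(2024, 6, 28), reviewed=True),
    Batch("w-23", "weekly", date(2024, 6, 9), reviewed=False),
    Batch("m-2023-03", "monthly", date(2023, 3, 31), reviewed=True, legal_hold=True),
    Batch("m-2023-04", "monthly", date(2023, 4, 30), reviewed=True),
]
```

Run `run_retention(SAMPLE, TODAY)` to see which batches are released for deletion; the audit list is what the annual review should be able to reconcile against the reports that were actually produced.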
