Forensic Log Storage
By storing logs offsite in our Cloud SIEM, DEFEND, your logs are protected from physical threats such as fires, floods and other disasters that could damage or destroy on-premises storage. Offsite storage also reduces the risk from insiders: a copy of the logs held outside your own infrastructure cannot be quietly edited or deleted by an employee with administrative access to the systems that produced them. Both points matter for regulatory compliance and for investigations, where the integrity of the record is what gives it value.
In the event of a security incident, these logs can offer invaluable insights. They provide the context necessary to understand what actions were taken, by whom, when, and possibly even why. For instance, if an unauthorized access incident is detected, SIEM logs could provide information about the source of the access, the targeted system, the time of access, and what actions were taken post-access.
A forensic investigation of an attack might involve tracing the steps of an attacker, identifying the entry point of a breach, understanding the timeline of the incident, and determining what actions were performed. SIEM logs, therefore, are not only useful in detecting and mitigating security incidents but also in learning from them to improve future security measures.
How Does It Work?
All the log data we collect from your IT environments is stored in our Cloud-based SIEM, running in the AWS London region. There it is encrypted at rest and protected from tampering by a chain of hashes: each stored record carries the hash of the record before it, so any later alteration, removal or reordering of an earlier record breaks the chain and is detectable on verification (this is the same construction that underlies a blockchain).
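To make concrete what a chain of hashes over stored records gives you, and what it does not, here is an added example in Python. It is not DEFEND's code and makes no claim about how DEFEND builds or anchors its chain; the event records, field names and the `build_chain`/`verify` functions are all constructed for illustration. It builds a chain over four sample events, then verifies the intact log against four kinds of tampering: a record edited in place, a record deleted, the tail of the log truncated, and an edit followed by a full recompute of the hashes.

```python
"""Hash-chained forensic log: an added illustration, not DEFEND's implementation.
Shows why chaining hashes makes stored records tamper-evident and which attacks
are only caught when the latest hash is anchored outside the log store."""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # value chained into the very first entry

# Constructed sample events (assumed shape of the JSON records a SIEM stores).
EVENTS: List[Dict[str, Any]] = [
    {"ts": "2024-03-01T09:12:04Z", "host": "web-01", "user": "alice",
     "action": "login", "result": "success", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:13:40Z", "host": "web-01", "user": "alice",
     "action": "sudo", "cmd": "/usr/bin/less /var/log/auth.log"},
    {"ts": "2024-03-01T09:15:02Z", "host": "web-01", "user": "svc-backup",
     "action": "file_read", "path": "/etc/shadow"},
    {"ts": "2024-03-01T09:20:55Z", "host": "web-01", "user": "alice",
     "action": "logout"},
]


def canonical(record: Dict[str, Any]) -> bytes:
    # Sorted keys, no whitespace: the same record must always hash the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    # Each entry commits to its predecessor's hash and to its own content.
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def append(chain: List[Dict[str, Any]], record: Dict[str, Any]) -> str:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev_hash": prev,
                  "hash": entry_hash(prev, record)})
    return chain[-1]["hash"]


def build_chain(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    chain: List[Dict[str, Any]] = []
    for event in events:
        append(chain, event)
    return chain


def verify(chain: List[Dict[str, Any]],
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain from GENESIS. Returns (ok, index of first bad entry, reason).
    expected_head is the latest hash as recorded somewhere the log writer cannot
    change; without it, truncation and a full recompute pass unnoticed."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, i, "prev_hash mismatch (entry removed or reordered)"
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i, "hash mismatch (record altered)"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain), "head mismatch (chain truncated or rebuilt)"
    return True, None, "ok"


def recompute(chain: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    # What an insider with write access to the store would do after an edit.
    return build_chain([entry["record"] for entry in chain])


def run_scenarios() -> Dict[str, Tuple[bool, Optional[int], str]]:
    chain = build_chain(EVENTS)
    head = chain[-1]["hash"]  # stands in for a hash anchored outside the store

    modified = copy.deepcopy(chain)
    modified[2]["record"]["path"] = "/var/log/syslog"  # hide the /etc/shadow read

    deleted = copy.deepcopy(chain)
    del deleted[1]  # drop the sudo event entirely

    truncated = copy.deepcopy(chain)[:3]  # drop the tail of the log
    rebuilt = recompute(modified)  # edit, then recompute every hash

    return {
        "intact": verify(chain, head),
        "modified": verify(modified),
        "deleted": verify(deleted),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, head),
        "rebuilt_unanchored": verify(rebuilt),
        "rebuilt_anchored": verify(rebuilt, head),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} -> {result}")
```

The first three scenarios are what the chain catches on its own: an edited record fails at index 2, a deleted record fails at index 1 because the next entry's `prev_hash` no longer matches. The last four are the caveat a practitioner should keep in mind: anyone who can rewrite the store can also drop the tail or recompute the whole chain, and those only show up when the latest hash has been recorded somewhere the log writer cannot change, such as a signed checkpoint, a write-once bucket, or a copy held by another party.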
We typically retain these logs for one year, both as JSON that can be exported for external investigations and in the searchable repository we use for threat hunting.