11
Got in a debate with a SOC analyst about log retention periods
I was talking to this senior SOC analyst at a meetup in Denver last month. He argued that keeping logs for more than 90 days is a waste of storage because most threats are caught or missed in the first month anyway. I always thought longer retention was just safer and made auditors happy. But he pointed out that half our alerts are false positives from stale data, and trimming retention actually improved their detection rate. Now I'm wondering if my team's 12-month policy is doing more harm than good. Has anyone else run into performance issues from keeping too many logs, or is this guy just pushing a hot take?
2 comments
Log in to join the discussion
Log In2 Comments
the_nathan7d ago
Betty126, that analyst is wrong. Real threats hide in old logs.
6
betty1267d ago
Isn't that how most advice works though? You hear something that sounds good, then you think about it and realize it's like cleaning out your closet. Sure, you might want to keep that old shirt from five years ago, but it's just taking up space and making it harder to find what you actually wear. Same with logs - too much clutter and your team's spending time digging through junk instead of spotting real problems. I've noticed this pattern in pretty much every part of life, from my kitchen cabinets to my email inbox. Less really does help you focus.
4