Log Storage and Hot Data
Hot data is what live security monitoring needs; cold data is what you may need one day. One reasonable approach to this problem is to separate system event data into short-term, expensive, live storage (‘hot’ storage) that is instantly available for current or critical security queries, and long-term storage (‘cool’ or ‘cold’ storage) for historical data that is kept more cheaply in some form of archive or data lake but is less readily accessible and much slower to search. SureLog addresses the cost problem of this approach by keeping logs in a hot state on inexpensive storage for a long time: one year.
Gartner recently predicted that storage requirements for any SIEM environment can be expected to double every year. Unfortunately, while some storage costs are dropping, the on-demand storage required for a SecOps team environment may not fall as fast. This means data storage costs could quickly outstrip other security IT investments by a wide margin.
The mean time to discover a breach ranges from 190 to 220 days, and the breach containment window is generally between 60 and 100 days. Hence, keeping 220 days of security event logs ‘hot’ in a SIEM can help to identify 50% of an organization’s breaches. SureLog keeps logs ‘hot’ for 365 days on a small amount of inexpensive disk.
SureLog SIEM keeps more data. More data typically means storage tiers, sprawling infrastructure, and not collecting or retaining that data the way you wish. Not with SureLog. Our net average data reduction is 20:1, allowing all data to be kept hot for years, very affordably.