Survivorship Bias

This is a really good post from Microsoft. Transparency is becoming more important - for all companies.

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

My thoughts? Not on the report itself, but on what to take forward from it.

For big players, attacker dwell time (the time from initial compromise to detection) can be months; six months is not unusual. Published breach analyses tell us the median dwell time is under 30 days. Average log retention is also about 30 days. Is setting retention by that number falling into the trap of 'survivorship bias'? Dwell-time statistics are computed from intrusions that were detected and investigated; the intrusions that sat undetected for longer, or were never detected at all, are not in the sample. With 30-day retention, the logs that would have let you date those long-dwell intrusions are exactly the ones that have already been rotated away.

I think I'd really check with a third-party SOC/SIEM what it is they are actually doing with logs, and what they are looking for, before they rotate them. I'm not sure I'd be content with a conclusion that said "We're not sure how, as we rotated the logs" anymore. That's getting a little stale.
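To make the bias concrete, here is a small added example (mine, not from the post or from Microsoft's report) that checks a log-retention window against a set of incidents. The incident records are constructed for illustration; the simplifying assumption, stated in the code, is that an intrusion can only be dated from logs, so an incident whose first-compromise day has already rotated out drops out of the dwell-time statistics. Running it shows the median dwell time sitting comfortably under 30 days while a third of the incidents have lost their initial-access evidence, and shows the statistics shrinking further once only the "survivors" are counted.

```python
from dataclasses import dataclass
from datetime import date
from math import ceil
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """One intrusion: when the attacker first got in and when it was detected."""
    name: str
    first_compromise: date
    detected: date

    @property
    def dwell_days(self) -> int:
        return (self.detected - self.first_compromise).days


# Constructed sample data, not real incidents: four short intrusions and
# two long ones of the kind the post is worried about.
INCIDENTS = [
    Incident("A", date(2024, 1, 10), date(2024, 1, 18)),    # 8 days
    Incident("B", date(2024, 2, 1), date(2024, 2, 13)),     # 12 days
    Incident("C", date(2024, 3, 5), date(2024, 3, 26)),     # 21 days
    Incident("D", date(2024, 4, 2), date(2024, 4, 7)),      # 5 days
    Incident("E", date(2023, 9, 15), date(2024, 3, 20)),    # 187 days
    Incident("F", date(2023, 11, 20), date(2024, 1, 30)),   # 71 days
]


def evidence_lost(incident: Incident, retention_days: int) -> bool:
    """True if the logs from the day of first compromise had already
    rotated out of a rolling retention window by the time of detection."""
    return incident.dwell_days >= retention_days


def retention_report(incidents, retention_days: int) -> dict:
    """Dwell-time statistics over all incidents, plus which ones a given
    retention window would have left without initial-access evidence."""
    dwell = [i.dwell_days for i in incidents]
    lost = [i.name for i in incidents if evidence_lost(i, retention_days)]
    return {
        "mean_dwell": mean(dwell),
        "median_dwell": median(dwell),
        "lost": lost,
        "lost_fraction": len(lost) / len(incidents),
    }


def survivor_report(incidents, retention_days: int) -> dict:
    """Survivorship bias: recompute the statistics counting only incidents
    whose first-compromise logs still existed at detection. Assumption (for
    illustration): an intrusion whose logs are gone cannot be dated, so it
    never enters the dwell-time numbers at all."""
    survivors = [i for i in incidents if not evidence_lost(i, retention_days)]
    return retention_report(survivors, retention_days)


def retention_needed(incidents, fraction: float) -> int:
    """Smallest retention (in days) that keeps first-compromise logs for at
    least `fraction` of the incidents in the sample."""
    dwell = sorted(i.dwell_days for i in incidents)
    keep = max(1, ceil(fraction * len(dwell)))
    # A window of N days still holds day 0 logs when dwell < N, so add one.
    return dwell[keep - 1] + 1


if __name__ == "__main__":
    full = retention_report(INCIDENTS, 30)
    surv = survivor_report(INCIDENTS, 30)
    print(f"all incidents:   mean {full['mean_dwell']:.1f}d, "
          f"median {full['median_dwell']:.1f}d, "
          f"evidence lost for {full['lost']} ({full['lost_fraction']:.0%})")
    print(f"survivors only:  mean {surv['mean_dwell']:.1f}d, "
          f"median {surv['median_dwell']:.1f}d")
    print(f"retention to keep evidence for every incident: "
          f"{retention_needed(INCIDENTS, 1.0)} days")
```

The point of `survivor_report` is the trap in the post's title: if the only intrusions you can fully date are the ones whose logs survived, the dwell-time figure you derive will always look like it fits inside the retention window you already have, however long the real tail is. `retention_needed` turns the question round and asks what window the observed tail actually demands.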
