5 min read time

It’s Not a Guideline, It’s a Directive: NIS2 and Log Management

by   in Cybersecurity

I recall seeing a meme on LinkedIn of a security analyst rushing into a burning building and out of all the security-related server and storage devices available to rescue, she only had time to grab one of them. The choice was a no-brainer—she went for the device storing the logs. It's all about the logs. 

Why are logs so important?  

Logs are more than record-keeping tools, they are crucial for detecting potential cyber threats (e.g., via a SIEM or log management tool), facilitating forensic investigations post-security breaches, ensuring regulatory compliance, and fostering accountability within organizations. The 2018 Marriot data breach (involving 340 million guest records) went undetected for 4 years. This highlights how important it is to retain logs over a long period of time in order to re-trace those breadcrumb trails and identify the threat actor’s method of ingress and TTPs. And it's not only cybersecurity professionals that place great importance on log retention but also the people behind the The European Union's NIS2 Directive, of which, log management and retention is a cornerstone. 

What is NIS2? 

Not to be confused with NIST, the National Institute for Standards and Technologies, NIS (Network and Information Security) is the European Union’s commitment to fortifying its cybersecurity framework. The deadline for Member States to transpose the NIS2 Directive into national law is set for 17 October 2024. Does that mean those organizations outside the EU get to ignore this directive? Not so fast. NIS2 has the potential to reverberate globally in the same way that GDPR did. I remember when, with my European IP address, I was not able to access Los Angeles Times’ news articles for quite some time, as the LA Times, even though this was a relatively minor fix, hadn’t yet adjusted their privacy policies to conform to GDPR.  

The NIS2 directive, conceived in response to the escalating threat of cybercrime, mandates organizations to adopt specific cybersecurity measures, such as: 

  • Implementing technical and organizational controls 
  • Providing comprehensive training and awareness programs for staff 
  • Establishing incident response teams 
  • Instituting a holistic risk management strategy that anticipates both existing and potential future threats 

How big are the fines for non-compliance? 

Member states have the authority to impose financial penalties on entities that fail to comply with the directive. While the exact amount can vary, some states can impose fines of up to €10 million or 2% of the global turnover. But more of a concern for CISOs and senior executives, non-compliance can lead to personal liabilities, including substantial fines, reputational damage, and potential legal actions. In severe cases, they might face criminal charges, especially if negligence results in significant incidents.  

So, what does NIS2 mandate with regards to log management?  

Organizations are compelled to: 

  • Maintain Detailed Logs: These logs should chronicle a wide array of activities, from routine operations to potential security breaches. 
  • Secure Storage: Given the sensitive nature of the data, logs must be stored securely to prevent unauthorized access. 
  • Regular Analysis: Merely accumulating logs isn't sufficient. They must be routinely scrutinized to detect anomalies or suspicious activities. 
  • Mandatory Retention: The directive specifies a retention period for logs, ensuring they can be accessed and reviewed when necessary. 

Sounds reasonably straightforward, right? 

It is, until you dig deeper. The phrases ‘routinely scrutinized’ and ‘retention period’ are key here. ‘There’s the rub’ as Shakespeare’s Hamlet said i.e., herein lies the challenge. Storing and searching security logs is not a non-trivial exercise due to the vast volume of data generated, which can strain storage resources and complicate real-time analysis. Ensuring data integrity and compliance with retention regulations is crucial, while normalizing diverse log formats and filtering out routine entries to detect genuine threats adds complexity. Additionally, concerns about data privacy, scalability, costs, and the need for specialized querying expertise further complicates log management. Integrating log data with other systems for comprehensive insights and ensuring data redundancy to prevent loss are also essential considerations. 

So how does ArcSight by OpenText address these NIS2 mandates using our next-generation Recon and ArcSight SaaS Log Management and Compliance solutions? 

  • Maintain Detailed Logs: Security events logs can be stored at scale with our off-Cloud/customer-hosted Cloud-native log management solution, Recon. Recon scales seamlessly to accommodate growth. You can add 'compute nodes' to enhance the unified data platform and 'worker nodes' to bolster the Recon infrastructure. And ArcSight SaaS offers limitless data retention, constrained only by the service contract duration. 
  • Secure Storage: The ArcSight SaaS Center-of-Excellence's controls exceed ISO 27001 and SOC2 requirements, built on NIST SP 800-53. Stored security events are tamper-resistant via data immutability, complemented by event data integrity checks. Data transfer occurs through secure channels. 
  • Regular Analysis: Both Recon and ArcSight SaaS Log Management and Compliance provide the following capabilities for log analysis: 
    • Analyst ease-of-use through natural language-like querying (CyPL), search engine-like autocompletion, and automatic search criteria saving.  
    • CyPL querying language eliminates the need for analyst-entered vendor specifics by leveraging our Common Event Format’s categorization capabilities, thus boosting efficiency, and reducing query fatigue. For instance, a complex Recon search that may require ca. twenty lines on a comparable platform condenses down to a single line e.g.: categoryDeviceGroup = "/Proxy" and requestClientApplication contains "jndi:" 
    • Speed: Through our internal testing, we've demonstrated that the majority of search queries conducted on our next-generation on- and off-Cloud log management solutions exhibit an up to fivefold speed improvement compared to our cherished Logger product.  
  • Mandatory Retention: Both our off-Cloud/customer-hosted Cloud-native and SaaS log management and compliance solutions are designed to accommodate long retention periods as specified not only by NIS2 but also by other compliance mandates and jurisdictions worldwide.  

Sounds good. How can I see both products in action? 

  • Recon: test drive Recon today by clicking on this free trial link. We’ll also put you in touch with an SME that will guide you through the trial process so that you can test Recon in the context of your own use cases. 
  • ArcSight SaaS Log Management and Compliance: Book a meeting with a representative here for a demo and check out our Logger to ArcSight SaaS Log Management and Compliance transition guide here. 

Join our Community | ArcSight User Discussion Forum | ArcSight Idea Exchange 



Security Operations