Microsoft prolongs storage of security logs after State Department cyber-attacks
Microsoft has announced an extension to the retention period of audit logs in its Purview service, allowing organizations to retain these logs for up to 10 years. This move comes in response to increased demands for robust security measures and transparency in the software industry.
The extended retention period provides a significant advantage for incident response teams, particularly in the context of cyberattacks. With a longer archive, forensic investigations can be conducted months or even years after an incident, enabling security teams to reconstruct attack timelines, analyse user activities, and detect suspicious behaviours retrospectively.
Organizations can create and manage custom retention policies tailored to specific Microsoft 365 services and user groups. This feature helps focus incident response efforts on high-risk or critical users by preserving their logs longer. The logs capture high-value audit events such as access to mailboxes, eDiscovery case views, modifications to retention policies, and other crucial events that assist in understanding attacker actions and insider threats during investigations.
The extended retention also integrates with compliance and legal holds, ensuring forensic data remains unaltered and available for audits or regulatory inquiries. Moreover, Purview enables organizations to set retention scopes, labels, and automate lifecycle management to optimize data storage without compromising audit log availability.
For incident response teams, the extension means broader visibility over historical activities, increasing the chances of identifying long-term or stealthy cyberattacks. It also ensures compliance with regulatory and legal requirements for audit data retention, avoiding data loss that could weaken investigations or legal proceedings. The extended retention period also allows for faster response times with comprehensive historical context, improving root cause analysis and mitigation planning.
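As an added example (not code from the article or from Microsoft), the following PowerShell shows how a team could put the features described in the preceding paragraphs into practice: scope a 10-year audit retention policy to a group of high-risk users, then pull that group's mailbox-access records back out for a retrospective timeline. The cmdlets are those of Security & Compliance PowerShell; the user identities, policy name, priority and lookback window are assumptions.

```powershell
# Added example, not from the article or Microsoft's documentation.
# Assumes: the Exchange Online PowerShell module, an account holding the
# Organization Configuration role, an Audit (Premium) licence, and the
# constructed placeholder UPNs below for the high-risk users.

# Connect to Security & Compliance PowerShell (interactive sign-in).
Connect-IPPSSession

# Constructed placeholder identities for the high-risk group.
$highRiskUsers = @("exec1@contoso.example", "exec2@contoso.example")

# Audit retention policies are evaluated by priority (lower number wins).
# This user-scoped policy keeps mailbox item access and eDiscovery events
# for the longest period the licence allows.
New-UnifiedAuditLogRetentionPolicy `
    -Name "IR-HighRisk-10y" `
    -Description "Retain audit records for high-risk users for 10 years" `
    -UserIds $highRiskUsers `
    -RecordTypes ExchangeItem, ExchangeItemAggregated, Discovery `
    -RetentionDuration TenYears `
    -Priority 10

# Verify the policy landed with the intended scope and duration.
Get-UnifiedAuditLogRetentionPolicy -Identity "IR-HighRisk-10y" |
    Format-List Name, UserIds, RecordTypes, RetentionDuration, Priority

# Retrospective timeline reconstruction: mailbox item access for the
# high-risk users over an 18-month window (assumed lookback).
$start  = (Get-Date).AddMonths(-18)
$end    = Get-Date
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $highRiskUsers `
    -Operations MailItemsAccessed `
    -SessionCommand ReturnLargeSet -ResultSize 5000

# AuditData is a JSON string; flatten the fields an investigator sorts by.
$timeline = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        LogonType = $d.LogonType        # 0 = owner, 1 = admin, 2 = delegate
        ClientIP  = $d.ClientIPAddress
    }
}

# Non-owner access, grouped by user and source address, is the first
# thing to review when looking for stealthy or long-running activity.
$timeline | Where-Object { $_.LogonType -ne 0 } |
    Group-Object User, ClientIP | Sort-Object Count -Descending |
    Format-Table Count, Name
```

Search-UnifiedAuditLog returns at most 5,000 records per call, so a long window is normally walked in smaller date slices and the results concatenated before grouping.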
Rudra Mitra, corporate vice president of Microsoft Data Security and Compliance, stated in a blog post that log data is not a preventative measure against cyberattacks but plays a pivotal role in incident response. He further added that the extension is part of a wider security collaboration with the Cybersecurity and Infrastructure Security Agency.
The extension of audit log retention is a response to the severe backlash Microsoft faced from federal officials due to concerns about the security of its products and the requirement for customers to pay additional money to access audit logs. The White House and CISA's push may lead to changes in the software industry's approach to product security and customer requirements for audit logs.
The incident involving the cyber espionage group Storm-0558, which hacked approximately 25 Microsoft customers' email accounts and stole an inactive consumer signing key and about 60,000 emails from the State Department, underscores the importance of robust security measures and transparency in the software industry. The push is to ensure products are safe out of the box and customers are not forced to make complicated configuration changes to secure their systems.
The software industry is being urged to prevent customers from having to pay a premium for audit logs. Premium license holders have the option to extend the retention of their logs to 10 years, while the default retention for premium license holders will extend to one year.
The rollout will begin with worldwide enterprise customers, and it will later extend to government customers. This move is a significant step towards enhancing cybersecurity and incident response capabilities, providing organizations with the tools they need to respond effectively to cyberattacks and maintain compliance with regulatory requirements.
- The extended retention period of Microsoft's Purview audit logs enables incident response teams to conduct forensic investigations retrospectively, reconstructing attack timelines and detecting suspicious behaviors.
- The integration of the extended retention period with compliance and legal holds ensures forensic data remains unaltered for audits or regulatory inquiries.
- For organizations, the extension of retention policies allows for customization based on specific Microsoft 365 services and user groups, focusing incident response efforts on high-risk users.
- The software industry is being urged to avoid customers having to pay a premium for access to audit logs, with Microsoft offering the extension as an option for premium license holders, increasing transparency and enhancing cybersecurity and incident response capabilities.