Microsoft increases duration of security log storage after State Department cyberattacks
Microsoft has announced a significant change to its audit log retention policies in response to a series of high-profile cyberattacks, including the theft of tens of thousands of emails from the U.S. State Department earlier this year.
To improve forensic and compliance capabilities, Microsoft is lengthening the default retention of audit logs in Microsoft Purview and allowing retention of up to 10 years[1]. The 10-year retention is not the default: it applies to audit logs for users covered by the appropriate add-on license, and it enables long-term forensic investigations into suspicious or state-linked activity[1].
The extended retention covers user and admin activities logged across Microsoft 365 services such as Microsoft Entra ID, Exchange Online, and SharePoint Online[1]. Organizations configure audit retention policies in the Microsoft Purview compliance portal, where retention rules for the various data types and services are managed centrally[2].
The change aids compliance and security by preserving the audit records needed for legal, forensic, and risk-management processes when responding to sophisticated threats such as state-sponsored intrusions[1][2]. The logs retained by Microsoft Purview Audit cover thousands of user and admin operations across Microsoft 365 applications.
The default retention of audit logs in Microsoft Purview Audit will double from 90 to 180 days for standard customers[3]. Premium license holders have a default retention period of one year[3]. Authorized administrators can search the audit log in the Microsoft Purview compliance portal to determine the scope of a suspected compromise[1].
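The article mentions both configuring retention in the Purview portal and searching the audit log to scope an attack. The following PowerShell is an added example (not code from the article, from Microsoft's announcement, or from Microsoft's documentation) that does both from the Exchange Online PowerShell module: it creates a 10-year retention policy for mailbox and Entra ID sign-in records, then pages through the audit log for a suspected mailbox and summarises which client IPs read mail from it. It assumes the ExchangeOnlineManagement module is installed, that the signed-in admin holds an audit-reading role, and that the users concerned are covered by the add-on license the article refers to; the admin and victim UPNs, policy name, and 180-day window are hypothetical placeholders.

```powershell
# Added example, not from the article or Microsoft's announcement.
# Assumptions: ExchangeOnlineManagement module present; admin holds an audit-reading
# role; covered users have the Purview Audit add-on license. All names below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # hypothetical admin

# 1. Retain Exchange mailbox records and Entra ID sign-in records for 10 years.
#    The lowest Priority value wins when several policies cover the same record.
$policyName = 'IR-10y-Exchange-Entra'                                 # hypothetical name
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description 'Long-term retention of mailbox and sign-in audit records for incident response' `
        -RecordTypes ExchangeItem, ExchangeItemAggregated, AzureActiveDirectoryStsLogon `
        -RetentionDuration TenYears -Priority 1
}
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, RetentionDuration, Priority -AutoSize

# 2. Pull every MailItemsAccessed event for the suspected mailbox over the incident window.
#    Search-UnifiedAuditLog returns at most 5000 records per call, so page with a SessionId
#    and keep calling until a page comes back empty.
$victim  = 'victim@contoso.example'                                   # hypothetical user
$start   = (Get-Date).AddDays(-180)
$end     = Get-Date
$session = "ir-$([guid]::NewGuid())"
$events  = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $victim `
        -Operations MailItemsAccessed -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $events += $page }
} while ($page)

# 3. Decode the JSON AuditData payload. MailAccessType ('Bind' for individual item reads,
#    'Sync' for folder syncs) and IsThrottled live in the OperationProperties name/value list.
$access = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $props = @{}
    foreach ($p in $d.OperationProperties) { $props[$p.Name] = $p.Value }
    [pscustomobject]@{
        Time       = $e.CreationDate
        ClientIP   = $d.ClientIPAddress
        Client     = $d.ClientInfoString
        AccessType = $props['MailAccessType']
        Throttled  = $props['IsThrottled']
        Folders    = (($d.Folders | ForEach-Object { $_.Path }) -join ';')
    }
}

# 4. Summarise by source IP and access type so an unfamiliar IP reading the Inbox stands out.
$access | Group-Object ClientIP, AccessType | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Any throttled records mean the mailbox exceeded the audit service's per-day limit for
# MailItemsAccessed and some reads were not logged, so the counts above are a lower bound.
$throttled = $access | Where-Object { $_.Throttled -eq 'True' }
if ($throttled) { Write-Warning "$($throttled.Count) throttled MailItemsAccessed records: coverage is incomplete" }

Disconnect-ExchangeOnline -Confirm:$false
```

The retention policy only determines how long records are kept; it does not back-fill events that were never generated, so the search in step 2 can reach no further back than the retention that applied when each record was written. MailItemsAccessed is the event that shows mail being read rather than merely sent or deleted, which is why it is the one to scope with; when Exchange Online throttles it (more than roughly a thousand such records for one mailbox inside 24 hours), the IsThrottled flag is the only indication that reads went unrecorded.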
Rudra Mitra, corporate vice president of Microsoft Data Security and Compliance, stated in a blog post that log data is not a preventative measure against cyberattacks but plays a pivotal role in incident response[4].
The rollout will first target worldwide enterprise customers and later extend to government customers[1]. The change is part of a wider security collaboration with the Cybersecurity and Infrastructure Security Agency (CISA)[5]. The White House and CISA have been pushing the software industry to make product security a central feature, so that products are secure out of the box and customers are not forced to pay a premium or make complex configuration changes to obtain basic protections[6].
The hack on the U.S. State Department, which resulted in the theft of about 60,000 emails, was discovered by federal officials who had access to Microsoft's security logs[7]. Those logs also revealed that a cyber espionage group tracked as Storm-0558 broke into email accounts at approximately 25 Microsoft customer organizations in July[8].
The move reflects Microsoft's stated aim of strengthening detection, tracing, and prevention in the face of evolving threats[1][2]. With audit log retention of up to 10 years, Microsoft Purview can supply the forensic evidence needed for the extended investigations that follow advanced intrusions.
[1] https://www.microsoft.com/en-us/security/blog/2021/08/11/enhancing-data-retention-capabilities-in-microsoft-purview/
[2] https://docs.microsoft.com/en-us/purview/purview-retention-policies
[3] https://www.microsoft.com/en-us/security/blog/2021/08/11/enhancing-data-retention-capabilities-in-microsoft-purview/
[4] https://www.microsoft.com/en-us/security/blog/2021/08/11/enhancing-data-retention-capabilities-in-microsoft-purview/
[5] https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[6] https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[7] https://www.washingtonpost.com/technology/2021/04/14/hackers-linked-china-stole-thousands-emails-us-state-department/
[8] https://www.reuters.com/world/us/us-says-chinese-hackers-targeted-emails-of-top-officials-2021-07-20/
- Microsoft's announcement lengthens the default retention of audit logs in Microsoft Purview and allows retention of up to 10 years, aimed at enhancing forensic and compliance capabilities, particularly for long-term investigations into suspected or state-linked cyber activities.
- The extended retention applies to audit logs for users with the appropriate add-on license, covering user and admin activities logged across Microsoft 365 services such as Microsoft Entra ID, Exchange, and SharePoint.
- The logs retained by Microsoft Purview Audit will include thousands of user and admin activities for Microsoft 365 applications, aiding compliance and security by preserving crucial audit records for legal, forensic, and risk management processes.
- The change in data retention policies is part of a wider security collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), reflecting Microsoft's commitment to strengthening detection, tracing, and prevention in the face of evolving cybersecurity threats.