Snare Insider Issue #12 July 2-26

Newsletter Issue #12

MORE LOGS SHOULD NOT MEAN MORE COST

Control the volume. Preserve the evidence. Investigate faster.

Why stronger cyber resilience depends on controlling security data, not simply collecting more of it.

Cybersecurity frameworks and regulations are moving in a consistent direction. Organisations must collect more detailed evidence, centralise security logs, protect them from tampering, monitor for signs of compromise, and reconstruct incidents within increasingly compressed reporting timeframes.

At the same time, cloud services, endpoints, identities, applications, AI systems and connected infrastructure are generating unprecedented volumes of telemetry. Across the first half of 2026, that pressure has only intensified: regulators are moving faster, attackers are increasingly walking in through valid credentials rather than exploits, and SIEM bills continue to climb with data volume.

For security teams, this creates a difficult equation: more security data is required, more data must be retained, but sending every event into a volume-priced SIEM can become financially and operationally unsustainable.

The answer is not to collect less. It is to gain greater control over what is collected, what is sent for immediate analysis, what is retained for investigation and compliance, and how intelligence is applied to the data.

only 22%

of surveyed Australian Government entities achieved Essential Eight Maturity Level Two or higher across all eight strategies in 2025.

TL:DR

1.Global update: logging, traceability and response are converging

NIS2, the EU AI Act and DORA are converging on the same four outcomes. We map the specific articles, including AI Act Article 12’s automatic-logging mandate and its €15M / 3%-of-turnover penalty tier, ahead of the 2 August 2026 deadline.

Three major frameworks are converging on the same evidentiary expectations. NIS2 (Directive (EU) 2022/2555) now requires MSSPs and digital infrastructure providers to demonstrate the resilience and independent availability of their own logging systems, not just receive customer logs.

The EU AI Act (Regulation (EU) 2024/1689) requires automatic event logging for high-risk AI systems under Article 12, a minimum six-month retention period under Article 26(6), and carries penalties of up to €15 million or 3% of global turnover under Article 99, with transparency obligations landing 2 August 2026.

DORA (Regulation (EU) 2022/2554) sets parallel expectations for financial services incident reporting and third-party risk.

Across all three, logging is expected to support detection, investigation, reporting and assurance.

2.The Essential Eight is being retired

ASD confirmed it on 24 June 2026: Essential Eight is being phased out over 24 months, replaced by the “Essentials” series. Consultation on the first chapter closes 12 July 2026.

Essential Eight will be formally retired within two years and replaced by a broader, principles-based “Essentials” series covering enterprise IT, operational technology, cloud and, eventually, agentic AI. Nothing changes immediately — the Essential Eight remains the live, audited framework, and consultation on the first chapter, “Essentials for Enterprise IT,” runs until 12 July 2026.

The rationale is structural: the current model was built in 2017 for on-premises, Windows-centric environments and doesn’t map cleanly onto cloud shared-responsibility models or SaaS. With only 22% of surveyed government entities achieving Maturity Level Two or higher across all eight strategies in 2025, the section sets out the confirmed transition timeline, the logging implications common to both frameworks, and a readiness checklist.

What the confirmed timeline means, and why nothing changes for you today.

3.Australia’s ransomware reporting regime: now in active compliance

Australia’s mandatory ransomware and cyber-extortion payment reporting obligation, in Part 3 of the Cyber Security Act 2024 (Cth), has moved from an education-first phase into active compliance and enforcement since 1 January 2026.

Entities with turnover above AUD $3 million, or responsible entities for critical infrastructure assets, have 72 hours to report a ransomware or cyber-extortion payment to ASD, with non-compliance risking a civil penalty of up to $19,800.

Industry data shows 69% of Australian businesses experienced a ransomware attack in 2024 (up from 56% in 2023), with 84% of victims paying an average of $1.35 million. The section explains why complete, tamper-evident logs are what actually make a 72-hour report achievable, and provides an evidence-readiness checklist.

4.Threat spotlight: they didn’t break in, they logged in

The defining pattern behind 2026’s biggest breaches has been identity, not exploitation, MITRE ATT&CK’s Valid Accounts technique (T1078) at scale.

A ShinyHunters-linked SaaS/CRM extortion wave hit Salesforce and Microsoft 365 tenancies through May and June 2026 via phished SSO tokens and social-engineered help-desk resets, while KDDI and five other Japanese ISPs disclosed on 17 June 2026 that a third-party software vulnerability had exposed up to 14.22 million customer accounts.

The full article sets out why authentication, SSO, MFA, SaaS/CRM admin activity, service-account usage and privileged access logging, not just infrastructure logs, are what catch this pattern, with a dedicated identity logging checklist.

5.Feature: the SIEM Cost Paradox

SIEM pricing tied to ingestion volume is colliding with telemetry growth of roughly 20–30% a year, driven by cloud, SaaS, containers and identity proliferation.

Sampled list pricing shows the spread: Splunk at roughly USD $2,000–$3,500 per GB per year, Microsoft Sentinel at USD $2.96–$5.59 per GB, and Elastic Security at USD $0.55–$1.10 per GB.

IBM’s Cost of a Data Breach Report 2025 puts the average US breach at USD $10.22 million, with detection and containment time, both dependent on log availability, as leading cost drivers.

Gartner’s Market Guide for Log Monitoring and Analysis Solutions (April 2025) independently recommends evaluating a telemetry pipeline before choosing an analytics platform, and SANS’s 2025 Detection and Response Survey found 73% of teams now name false positives their top detection challenge, a direct consequence of uncontrolled ingestion.

6.The Snare Log Control Framework

A six-part model for sustainable logging:

collect with purpose (map collection to detection, response and compliance use cases rather than defaulting to “collect everything”); control data before it reaches the SIEM through filtering, aggregation and de-duplication;

separate retention from real-time analytics so not every log sits in the most expensive tier;

route each category of data to the destination where it has the most value; replay historical evidence when its relevance changes rather than paying to keep everything hot indefinitely;

and apply AI only once the underlying evidence is trusted, since AI cannot compensate for logs that were never collected, altered, or discarded too early.

7.Snare perspective: optimise the pipeline, not the evidence

Snare provides a control layer, Snare Agent for high-integrity collection, Snare Central for centralised retention, aggregation and replay, Snare Reflector for policy-based routing to one or many destinations, and AskSnare for AI-driven investigation, trusted by more than 4,000 organisations across five continents with 2.5 million-plus agents deployed and typical storage savings of 90–98% at rest.

A dedicated subsection addresses MSSPs specifically: NIS2 now requires providers to demonstrate the resilience of their own logging service independently across every tenant, and Snare Reflector’s per-policy routing lets a single collection layer serve multiple tenants and downstream SIEMs without duplicating the full data stream for each one.

8.AskSnare: from passive logs to proactive investigation

AskSnare lets analysts interrogate the Snare data layer using natural language, tracing account activity before and after a suspicious login, correlating privileged access with new service creation, or building an incident timeline on demand, with the reasoning behind each finding shown, not hidden.

This closes the cross-source correlation gap described in Section 4. It also matters for retention: SANS’s 2025 survey found 70% of analysts with five years or less experience leave within three years, citing false positives and alert fatigue, and AI-assisted correlation is framed here as one of the few practical levers against that structural SOC attrition problem. AskSnare operates human-in-the-loop, it recommends and explains; the security team decides and acts.

9.Quick read: the 5 logs most often missing during an incident

Across breach investigations, the same evidence gaps tend to resurface. If any of these look thin in your environment, it’s worth checking before an incident, not during one.

☐  Authentication logs from before the breach window, retention windows are often shorter than the time it takes to discover a compromise

☐  DNS query logs, frequently the first and cheapest signal of command-and-control activity, and one of the first things disabled to save cost

☐  Command-line and PowerShell execution history, essential for reconstructing how an attacker moved once inside

☐  Cloud API and control-plane logs, the equivalent of privileged access logs for infrastructure that has no physical perimeter

☐  East-west (internal) network traffic, most environments log the perimeter well and the inside poorly, which is exactly where lateral movement happens

10.Practical next steps

An eight-step action plan that doesn’t require replacing an existing SIEM: inventory current log sources and destinations; map logs to specific security and compliance outcomes; establish an ingestion baseline by source, event type and destination; classify logs by operational value; aggregate and de-duplicate safely without losing investigative context; validate that archived evidence remains complete and can be replayed; monitor the logging infrastructure itself for silent failures; and only then introduce AI, once the underlying evidence is confirmed complete and trustworthy.

  1. Inventory your current log sources

Document which systems are producing logs, where the data is sent, what is retained and which sources are missing.

  1. Map logs to security and compliance outcomes

Identify the events required for Essential Eight / Essentials maturity, threat detection, incident response, audit and regulatory reporting.

  1. Establish an ingestion baseline

Measure daily volume by source, event type and destination. Identify duplication, unexpected growth and high-volume sources delivering limited security value.

  1. Classify logs by operational value

Determine which events require immediate SIEM analytics, which need searchable retention and which are primarily required for historical evidence.

  1. Aggregate and de-duplicate safely

Reduce repetitive events before forwarding while retaining the context required to detect and investigate malicious activity.

  1. Validate integrity and replay

Test whether archived evidence remains complete, protected, searchable and capable of being replayed into investigation platforms.

  1. Monitor the logging infrastructure

Alert when agents stop reporting, volumes fall unexpectedly, configurations change or forwarding destinations become unavailable.

  1. Introduce AI on a trusted data foundation

Use AI to accelerate investigation and anomaly detection only after confirming that the underlying evidence is complete, governed and reliable.

11.Key takeaway

The next stage of cyber resilience will not be achieved by sending every available event into the most expensive analytics platform. Nor will it be achieved by reducing security visibility to remain within a licensing limit.

The stronger model is to collect high-integrity evidence, control unnecessary volume before ingestion, retain complete records cost-effectively, route information according to its purpose, replay historical evidence when required, and apply AI to investigate and respond faster.

Frameworks including the Essential Eight (soon Essentials), NIS2, DORA and the EU AI Act are increasing the need for trustworthy, accessible and auditable evidence. At the same time, expanding technology environments, and increasingly, identity-based attacks, are making uncontrolled log ingestion more expensive and more difficult for analysts to navigate. These challenges must be solved together

More logs should create more intelligence, not simply more cost.

12.SOURCES & REFERENCES

This issue draws on primary regulatory text and named industry benchmarking rather than secondary summaries. Key sources:

  • Australian Signals Directorate / cyber.gov.au, Consultation on evolution of the Essential Eight (June 2026)
  • iTnews, “ASD to retire Essential Eight cyber security framework within next two years”, comments from Chris Horlyck, ACSC (June 2026)
  • Australian Government, Commonwealth Cyber Security Posture Report 2025
  • Cyber Security Act 2024 (Cth), Part 3; Cyber Security (Ransomware Payment Reporting) Rules 2025; Security of Critical Infrastructure Act 2018 (Cth), Part 2B
  • Regulation (EU) 2024/1689 (EU AI Act), Articles 12, 26 and 99; Directive (EU) 2022/2555 (NIS2); Regulation (EU) 2022/2554 (DORA)
  • IBM, Cost of a Data Breach Report 2025
  • Gartner, Market Guide for Log Monitoring and Analysis Solutions, Gregg Siegfried and Pankaj Prasad, 8 April 2025 (G00817552)
  • SANS Institute, 2025 SOC Survey (Christopher Crowley) and 2025 Detection and Response Survey
  • MITRE ATT&CK®, Technique T1078: Valid Accounts
  • Vendor list pricing and independent SIEM cost benchmarking (Splunk, Microsoft Sentinel, Elastic Security), sampled Q1–Q2 2026, cross-referenced against public Gartner and Ponemon Institute commentary
  • Public breach disclosures and incident reporting, May–June 2026 (including KDDI and affiliated ISP notifications)

Figures and dates are current as at the time of writing and are subject to change as consultations close and enforcement practice develops. Gartner and MITRE ATT&CK are referenced for analysis purposes only; this issue is not sponsored by, endorsed by, or produced in partnership with either organisation. This is not legal advice, organisations should confirm specific obligations with qualified counsel.

Snare Solutions
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.