One of the most important things you can do in the event of a breach is to trace back through the firewall logs to determine when the breach started, so you have an idea of how long the “bad guys” have been on your network, and hopefully determine where they have traversed on the network.
Most MSPs configure firewalls to overwrite the logs once the log storage is full. If your firewall is not managed properly, with alternate storage set up for the logs, crucial evidence could be lost.
We manage SonicWALL, Fortinet, and Cisco firewalls for our clients. This means not only are they configured to store the logs, but we have also set up important alerting and we manually review the logs ourselves. This helps us pick up things like bandwidth bottlenecks, remote access problems, inappropriate website browsing, and applications being used to exfiltrate data that should not be on the network.
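The kind of trace-back described above only works if the firewall's connection logs survive long enough to be read, which is the point of forwarding them to alternate storage. The following is an added example, not tooling from the post or from any of the vendors named: given retained connection records, it finds the earliest record involving a flagged external address, lists the internal hosts that exchanged traffic with it, and pulls out the internal-to-internal connections those hosts made afterwards. The log line format, the sample records and the 10.0.0.0/8 internal range are all constructed for the example and do not match any vendor's real syslog layout; a practitioner would adapt the regular expression to their own firewall's format.

```python
"""Walk retained firewall connection logs back to first contact with a flagged IP.

Added example; the record format below is constructed for illustration and
is not a real SonicWALL, Fortinet or Cisco log format.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records. They are deliberately out of order, because
# forwarded logs from several devices rarely arrive strictly chronologically.
SAMPLE_LOG = """\
2024-03-04T09:15:02Z action=allow src=10.0.5.23 dst=203.0.113.77 dport=443
2024-03-03T22:41:17Z action=allow src=10.0.5.23 dst=203.0.113.77 dport=443
2024-03-03T22:40:09Z action=deny src=198.51.100.9 dst=10.0.5.23 dport=3389
2024-03-03T23:05:44Z action=allow src=10.0.5.23 dst=10.0.8.10 dport=445
2024-03-04T01:12:30Z action=allow src=10.0.8.10 dst=203.0.113.77 dport=443
2024-03-04T02:00:00Z action=allow src=10.0.1.4 dst=192.0.2.50 dport=80
"""

# Assumed internal address space for this example.
INTERNAL = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(log_text):
    """Parse records, skip malformed lines, and return them sorted by time."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not abort the whole review
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["dport"] = int(d["dport"])
        records.append(d)
    return sorted(records, key=lambda r: r["ts"])


def is_internal(ip):
    a = ip_address(ip)
    return any(a in n for n in INTERNAL)


def first_contact(records, flagged_ip):
    """Earliest record, in either direction, involving the flagged address."""
    for r in records:
        if flagged_ip in (r["src"], r["dst"]):
            return r
    return None


def touched_hosts(records, flagged_ip):
    """Internal hosts that exchanged traffic with the flagged address, first-seen order."""
    seen = []
    for r in records:
        if flagged_ip in (r["src"], r["dst"]):
            other = r["dst"] if r["src"] == flagged_ip else r["src"]
            if is_internal(other) and other not in seen:
                seen.append(other)
    return seen


def internal_movement(records, hosts, since):
    """Allowed internal-to-internal connections started by `hosts` at or after `since`."""
    return [
        r for r in records
        if r["ts"] >= since and r["src"] in hosts
        and is_internal(r["dst"]) and r["action"] == "allow"
    ]


def summarize(log_text, flagged_ip):
    """Return first-seen time, touched hosts and later internal traversal, or None."""
    records = parse(log_text)
    first = first_contact(records, flagged_ip)
    if first is None:
        return None
    hosts = touched_hosts(records, flagged_ip)
    moves = internal_movement(records, set(hosts), first["ts"])
    return {
        "first_seen": first["ts"].isoformat(),
        "hosts": hosts,
        "lateral": [(r["ts"].isoformat(), r["src"], r["dst"], r["dport"]) for r in moves],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "203.0.113.77"))
```

On the sample data the earliest contact with 203.0.113.77 is the 22:41:17 record from 10.0.5.23, not the later one that happens to appear first in the file, and the SMB connection from 10.0.5.23 to 10.0.8.10 shortly afterwards is exactly the kind of traversal the post says you want to be able to reconstruct. Note that the denied RDP attempt from 198.51.100.9 is ignored, since it involves a different address; a real review would look at nearby denies as well, which is only possible if those records were retained rather than overwritten.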