What is a likely cause for mismatched event logs during a security breach investigation?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

What is a likely cause for mismatched event logs during a security breach investigation?

Explanation:
Accurate incident response depends on all devices referencing the same time source so that their event timestamps can be aligned into a single timeline. When network devices like routers, switches, and firewalls aren’t all synchronized, their clocks drift relative to each other. That clock skew means logs produced across these devices show inconsistent times, making it hard to determine the order of events during a breach and to correlate actions across the network. The remedy is to configure a reliable time source, typically via NTP, and ensure all devices point to it with correct time zones and minimal drift. Encrypting logs at rest or using different log formats across devices doesn’t directly cause timing mismatches; the core issue in this scenario is the lack of synchronized network device clocks.

