I was recently lucky enough to attend a talk by Sourcefire CTO Martin Roesch (creator of Snort). He mentioned the Cybertrust Breach report, which is worth a read.
One of the interesting facts is that the time from an initial breach of a network to compromising data is in MINUTES 27% of the time and in HOURS 21% of the time. This is very startling data. Both the report and Mr. Roesch conclude that folks aren’t monitoring their logs. Almost everyone is running IDS/IPS these days and generating thousands of events, but no one is actually watching them. I’ll post a review of Martin’s talk in the next few days.
In the meantime you can find the 2009 breach report here.