2023-11-15

In 42 percent of incident response (IR) cases analyzed by Sophos, organizations didn't have the requisite telemetry logs needed to properly analyze an event. The security company reckons that in 82 percent of these cases, cybercriminals were at fault after disabling or wiping telemetry and logging capabilities. The primary goals of attackers when wiping logs include evading detection, identification, and attribution, and maintaining access within a system.

"This was due to a variety of factors, including insufficient retention, re-imaging, or lack of configuration," Sophos says in its latest. "In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn't available." When organizations lack adequate logging measures, it's often due to resource constraints and limited IT and data capabilities generally, Peter Mackenzie, director of incident response at Sophos, told. These entities are often small to medium-sized businesses and those that aren't in IT-focused sectors, he added.
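The two telemetry failures described above (logs deliberately cleared, and logs that simply stop arriving because of retention limits, re-imaging, or misconfiguration) are both visible to a defender who looks for them in the central log store. The following script is an added example, not part of the article or of Sophos' report. It assumes a fleet that forwards Windows event logs, so it keys on the well-known Windows event IDs 1102 (Security audit log cleared) and 104 (System log file cleared); the hostnames, timestamps and event records are constructed sample data, and the six-hour silence threshold is an arbitrary assumption to tune per environment.

```python
"""Added example: flag explicit log-clearing events and hosts whose log
stream has gone silent, two signs of the telemetry gaps discussed above.
Not code from the article or from Sophos."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the fleet forwards Windows event logs. These IDs record a log
# being cleared: 1102 = Security audit log cleared, 104 = System log cleared.
LOG_CLEAR_EVENT_IDS = {1102, 104}

# Constructed sample records: (host, UTC timestamp, event id, message).
SAMPLE_EVENTS = [
    ("ws-01", "2023-11-14T08:00:00", 4624, "logon"),
    ("ws-01", "2023-11-14T09:15:00", 4688, "process created"),
    ("ws-01", "2023-11-14T09:20:00", 1102, "The audit log was cleared."),
    ("ws-01", "2023-11-14T09:25:00", 4624, "logon"),
    ("ws-02", "2023-11-14T08:05:00", 4624, "logon"),
    ("ws-02", "2023-11-14T08:30:00", 4688, "process created"),
    # ws-02 then reports nothing until the next morning.
    ("ws-02", "2023-11-15T07:55:00", 4624, "logon"),
    ("ws-03", "2023-11-14T08:10:00", 4624, "logon"),
]


def find_log_clears(events):
    """Return (host, timestamp, event_id) for every explicit log-clear event."""
    return [(h, t, eid) for h, t, eid, _ in events if eid in LOG_CLEAR_EVENT_IDS]


def find_silent_gaps(events, max_gap_hours=6, now=None):
    """Return (host, gap_start, gap_end) as ISO strings for each span in which
    a host sent no events for longer than max_gap_hours.  If `now` (ISO string)
    is given, a host that last reported more than max_gap_hours before `now`
    is also flagged, with gap_end = now."""
    max_gap = timedelta(hours=max_gap_hours)
    by_host = defaultdict(list)
    for h, t, _, _ in events:
        by_host[h].append(datetime.fromisoformat(t))
    now_dt = datetime.fromisoformat(now) if now else None

    gaps = []
    for h, times in by_host.items():
        times.sort()
        # Internal gaps between consecutive events from the same host.
        for a, b in zip(times, times[1:]):
            if b - a > max_gap:
                gaps.append((h, a.isoformat(), b.isoformat()))
        # Trailing gap: host has been silent since its last event.
        if now_dt is not None and now_dt - times[-1] > max_gap:
            gaps.append((h, times[-1].isoformat(), now_dt.isoformat()))
    return gaps


if __name__ == "__main__":
    for host, ts, eid in find_log_clears(SAMPLE_EVENTS):
        print(f"LOG CLEARED  host={host} at={ts} event_id={eid}")
    for host, start, end in find_silent_gaps(SAMPLE_EVENTS, now="2023-11-15T08:00:00"):
        print(f"SILENT GAP   host={host} from={start} to={end}")
```

Both checks are deliberately independent: a cleared-log event is itself a high-value alert, while a silence gap is only a prompt to verify whether the agent, the forwarder, or the retention policy is at fault before an incident forces that question.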

