Poole council said it used the legislation to watch a family at home and in their daily movements because it wanted to know if they lived in the catchment area for a school, which they wanted their three-year-old daughter to attend.

This kind of thing happens again and again. When campaigning for a law's passage, the authorities invoke the most heinous of criminals -- terrorists, kidnappers, drug dealers, child pornographers -- but after the law is passed, they start using it in more mundane situations.

Another article. And this follow-up.

To add more  substance to this, let's review some of the key requirements for a log management platform:

• Overall platform requirements (good intro here): having an access API is central to this.
• Data access:  in case of  a log management platform,  API should let users receive their log data in either raw or  processed (i.e. "parsed" or tokenized) form.
• API for control: log analysis is not just searching,  but also includes alerts and other things that sometimes needs to be tuned. API should allow that.
• Also, platform should enable broad, non-siloed approach to log management (silos are evil!) and thus allow any type of analysis and data access: not security-specific, not troubleshooting-specific, but broad, cross-domain approach, suitable for many types of users, from system admin to a CIO.

Finally, you know what? "Developer-centric ethos"  sucks - I would much prefer a "user-centric ethos,"  since ultimately a platform is not built for people to play with it (like his? :-)), but for the end-users to do something useful with it and to solve problems that they have ... Development based on the platform is indeed critical - but not as critical as solving a problem at hand!

• Compliance continues to increase - from 2.83% of net income in 2002 to 3.69% of net income in 2006.
• Primary costs continue to be driven through applying people, not technology to the problem.
• and the kicker from our perspective, measuring compliance performance remains largely a qualitative rather than a quantitative process. Only 55% of financial institutions reported using quantitative metrics, implying a limited application of process management tools and methodology.

The reality is even more mundane:

...the attacker convicted today isn't a member of the Russian military, nor is he an embittered cyber warrior in Putin's secret service. He doesn't even live in Russia. He's an [20-year-old] ethnic Russian who lives in Estonia, who was pissed off over that whole statue thing.

The court fined him 17,500 kroons, or $1,620 dollars, and sent him on his way.

So much for all of that hype.

So, just as in 2006 and 2007, I am coming up with security predictions that cover both technology and market.  I just posted a review of my last's year's prediction where I mostly erred on the conservative side. I promise to be more 'extreme' this year, while still keeping the old wisdom of Richard Feynman in mind: if you predict the status quo, you are more likely to be correct...

Here is my 'twitter-style' (I guess what used to be called telegraph-style :-)) view of predictions in no particular order:

Platform security:

• Vista makes us secure = no. People start to actually use it (in large numbers)  = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.
• Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"
• Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.

Vulnerabilities:

• 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!

Hacking, data theft, etc:

• Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers.  The implications of this are pretty horrifying!  
• Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...
• Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ... 
• A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.

Malware:

• The year of  mobile malware = no (not yet, if you insist!).  As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)
• More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
• Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...
• Facebook malware/malicious app = yes . This one will be fun to see (others agree), and current malware defenses will definitely not  stop this "bad boy."On the flip side, there is not that much to steal off Facebook accounts ...

Compliance:

• PCI DSS continues its march = yes. In fact, I bet PCI DSS frenzy will spread downmarket - there is sooooo much more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)
• ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.

Risk management:

• Will we know what risk management actually is in the context of IT security = no. Some people (e.g here) might, but not the majority. And don't even get me started on security ROI :-) This part of security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.

Security technologies:

• eVoting security will flare up = yes. Expect  big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)
• Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption would be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)
• NAC= huh. Huh?  The451Group said it best: "NAC has been the 'next big thing' for about four years now – that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)
• More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.
• Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!
• Secure coding becomes mainstream = no (definitely, 'not yet' on this one) It pains me to say that that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, may be!
• IPv6 = no (while most think 'not yet', some start thinking 'not ever') In other words, Internet 'secure by design' = pipe dream in 2008.

Security market:

• Mid-market and SMB  security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too.   They lose data
• More security SaaS (software as a service) = yes.  It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!
• 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...

Logging and log management:

• Database logging = yes.  2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.
• Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other  large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ... 
• Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. In the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)

Last year's drag-ons :-) and ongoing trends:

• Some things make dumb predictions since they are so pitifully obvious and have been going on for years already. Thus, I pile them in this section...
• So, client vs server exploitation: it started a few years back and will continue, for sure: more client vulnerabilities will be used to 0wn more desktops. Similarly, application vulnerabilities will beat platform ones.  And targeted, commercially-driven attacks will overtake indiscriminate ones (another "no-brainer" that some try to sell as a prediction...)
• Both of the above will power further evolution  of network and system security into data and broader information security (it will be happening for another 3-5 years)
• More fun "web 2.0" threats will come our way, but then again, this is true about most of the technologies that are being actively adopted ...

Dark horses, that will influence security in a major but unknown way in 2008:

• Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.
• Privacy =  I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)

Come back in Jan 2009 to see how I did!

Any comments? Additional predictions?

What can we conclude from this?

First, a "duh" conclusion is in order! No matter how many times one can utter the word "compliance," logs are still most useful for mundane (one would hope! :-)) system administration. Yes, indeed, sysadmins are the primary consumers of logs - yesterday, today, and - likely! - tomorrow as well.

Second, I am saddened by the fact that application developers have not warmed up to logs, at least no en masse (and not according to this limited poll...). I am guessing when they start thinking of logging when creating their applications, they will be more aware of the fact that you can troubleshoot the applications using logs ...

Third, incident response team showing that low is some kind of fluke, I am sure. Everybody knows that logs are indispensable during incident response (yes, even if only a little logging was enabled or even logging defaults left in place, logs often reveal answers unobtainable via any other mechanisms)

Am I reading too much into this? Hey, maybe I am! :-) Then again, I am a former theoretical physicist - thus, I can explain anything!

Next poll coming soon!