NEW YORK -- More than 4,500 security professionals today begin attending sessions on security management, best practices, advanced technical, legal and regulatory compliance, and storage and government security at the Infosecurity New York conference.
Among the highlights is a keynote by former New York mayor Rudy Giuliani on "Leadership in Difficult Times" and a panel discussion by security officers at Oracle, DuPont, Qualys, Geisinger Health Systems and WesCorp focused on billions of dollars in damages being lost to malicious code attacks -- particularly by zero-days.
Panelist Gerhard Eschelbeck, CTO and vice president of engineering of Qualys Inc. in Redwood Shores, Calif., shared his views on what security managers should watch for in 2005.
Security enforcement moves to the heart of the network
Security enforcement will shift into the heart of the network infrastructure. Based on the premise that every endpoint can be the catalyst for a significant security incident, systems have to be validated before being granted access and screened while accessing a network. Various network infrastructure vendors have announced initiatives and partnerships with security vendors to deliver an integrated network admission management architecture. This will have significant impact preventing worm outbreaks, as well as the ability to dynamically control network traffic based on security exposure and health of individual endpoint systems.
The security industry is in the midst of an important transition. A few years ago, an industry of tactical solutions for solving individual security problems -- antivirus, firewalls, IDS, etc. -- was sufficient. Next year will bring security integration, developing open and standardized interfaces to share, distribute and correlate security relevant events and information. Security vendors without such capabilities will fade from the security market, no matter what their current level of dominance.
Organizations reduce the window of exposure for internal networks
Enterprise organizations have made significant progress on speeding up their patch cycles on perimeter networks. Based on Eschelbeck's "Laws of Vulnerabilities" research, organizations improved reaction time to the half-life of critical vulnerabilities from 30 to 21 days in 2004. In 2005, security professionals need to focus on improving the half-life of critical vulnerabilities in internal networks from its current 62 days to less than 40, emphasizing awareness, prioritization and automation.
Unified networks drive next generation Internet protocols
Migration of our diverse communication infrastructure into unified packet-based networks will be a dominant theme for the coming years. We will see data networks, cellular phones and telephone communication moving toward IP networks. Beginning in 2005, businesses will install Voice over IP networks [VoIP] as the de-facto standard for telephony and communication. This emerging infrastructure wasn't designed for a hostile environment and the dependency on increased connectivity and security will trigger rapid adoption of next generation Internet protocols. New devices connected to the network will be required to support IPv6 to address today's inherent security and privacy issues.
On demand applications replace enterprise software
Securing the infrastructure of our highly distributed enterprise application model, where applications are run and managed in a decentralized architecture within organizations is now a real challenge for enterprises, and security incidents will continue to double year over year. The lack of security and manageability will be the catalyst for the upcoming generation of applications delivered as On Demand Web services [a.k.a. software-as-a-service]. Already, there is widespread availability of applications delivered as Web services. By the end of 2005 more than 30% of medium and large enterprises will rely on Web service applications (i.e. financial and sales, as well as security applications) for their businesses.