Phising is becoming sophisticated and more rampant, targeting the customers’ credit cards, said Arun Chandrasekaran of Frost & Sullivan.

"The threat to the network is getting bigger, more damaging, faster and becoming more behaviour-based," said Arun.

Ed Eliff, director of VeriSign for Asia Pacific Securities Services, shared the same view with Arun.

"The threats are becoming more sophisticated and well organized that are targeting the database," said Eliff.

He stressed the need for a strong identity and regulatory protection as well as strong authentication to protect the private identity. "It needs a global cooperation around strong authentication and standards."

However, trust is required to have a consolidated approach to protect the core and the application layer, said Eliff.

The concerns of most companies are on proactive security and accountability, said Karl Verhulst, director for marketing for CA Asia South.

He noted that firewalls are not enough to protect the network against spyware and identity thief. Internal threat is also a concern where employees who had been removed from the organizations still have the access to the systems and applications.

To address these threats, an identity and access management should be defined that includes single sign-on, an access control and a federated approach.

The speed of virus attacks is becoming faster and the response by vendors to provide patches would take months.

The vulnerability gap is wider, increasingly faster but hard to manage and the vendors’ response is slow, said Dong Ng, field director of Symantec Singapore.

"We have reached an inflection point where the latest threats are faster than our ability to respond," said Ng. Winning this battle requires a new strategy for keeping information available and secure, he said.

Ng noted that the current IT environment is increasingly complex that needs both proactive and reactive approaches.

The attacks come from multiple points and are directed at the operating system, applications, browser, network, device and user’s ignorance.

The current defenses being deployed by companies include anti-virus solutions on gateways, servers and desktops; perimeter firewalls, patch management process on reported vulnerabilities, network intrusion prevention systems (IPS) on critical segments and host-based IPS.

Ng said there are limitations to the current security mechanisms. For instance, perimeter firewall can’t block access to ports used for legitimate purposes, while packet scanning is only effective against recognizable signatures.

The network intrusion detection can only detect worms after they have compromised some systems and are actively spreading.

The basic personal firewall can’t lock down the system enough to prevent worms from acting an authorized applications or traffic.

Ng said that patch management solutions are getting longer and ineffective against unknown attacks.

The solutions, he said, would require an endpoint compliance and network access control for managed systems, a comprehensive firewall, IPOS and non-AV host protection for managed PCs and on-demand host integrity and malicious code prevention for unmanaged systems.

Tim Pickard, area vice president for international marketing of RSA Security said that companies want to deal with few security vendors because it is expensive to buy different products.

RSA is now part of EMC following its acquisition. EMC wants to create a -billion security business over the next two years with RSA under its wings.