IoT
1/12/2016
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Q&A: Trend Micro CEO Chen On IoT Security

Eva Chen on what it takes to secure IoT devices, the TippingPoint acquisition, and 'reverse-engineering' engineers.

Eva Chen has served as the CEO of Trend Micro for 11 years. She co-founded the company in 1988, and recently led Trend's $300 million acquisition of IPS vendor TippingPoint from HP. Trend Micro is now doubling down on security products and services for Internet of Things devices, including automobiles, and business and consumer IoT devices and gadgets.

Dark Reading Executive Editor Kelly Jackson Higgins recently spoke with Chen about the IoT security space and her vision for Trend as a security company of the future -- and beyond its antivirus roots.

Eva Chen, CEO of Trend Micro
Eva Chen, CEO of Trend Micro

Dark Reading: What is driving the industry's more intense focus now on Internet of Things security?

Chen:  I was driving on the highway [in a] Tesla, and the navigation system shut off. The car was still working, but the screen went blank and I didn't know where I was driving to, or how much power I had. At that point, I suddenly realized I was driving a computer with these four wheels.

Software is running inside that computer … and there's always a bug somewhere [in software]. Especially when the software is connected with the outside Internet, and then if you can access it remotely, people can attack it remotely. If a device vendor can update it remotely, then someone else can [potentially] do that, too. That's why IoT security has become such a hot topic.

IoT security is a very different ecosystem. This device market doesn't know how to manage the software security … they don't know how to patch.

Dark Reading: So how do you secure IoT devices of all sizes?

Chen: What we need to do is enable IoT device makers to easily [add security]. Have them understand how to implement secure devices.

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example. The second layer we offer is on the network … [so] you can block an attack from outside as soon as possible before it reaches [inside]. You need visibility: how many IoT devices do I have? Then are you able to block vulnerabilities on those new devices and create a signature for it. I call it next-generation IPS [intrusion prevention system]. The reason last quarter we acquired TippingPoint was because we believe IoT devices will be in the financial sector, medical and healthcare, and manufacturing.

This type of new network should be separate from the office network; they cannot be connected. It should have separate protection.

The third layer is cloud: IoT cannot do anything without the cloud. Most data is sent to the cloud and you need to have proper protection and make sure the cloud is always available. Otherwise, IoT will be lost.

Dark Reading: But patching IoT security flaws poses more of a conundrum than patching IT systems. How can it work?

Chen: That's why we talk about this next-generation IPS. Then you can buy more time if you decide to patch or not.

The next-generation IPS is a very important investment for IoT … We need to evolve to advanced detection capabilities before it reaches the network. It's not just pure signature [detection]. You need to go deeper with packet inspection, event content inspection, and sandboxes to analyze [the threat].

Dark Reading: Is there a market now emerging for IoT security products beyond IoT products baking security into their devices and systems?

Chen: It's like an 'Intel Inside.'  A device-maker is like a PC-maker, and security vendors are like an Intel [processor] inside the device, and need to figure out … this new ecosystem. Is there a way to make it scalable and deployable for device-makers to use? There are so many of them [device makers], so you need to choose which is most important.

Enterprises need to consider if IoT devices need new security policy or management, and then choose the right ones and enable them to do that.

Dark Reading: Consumers, meanwhile, are notoriously apathetic or unaware when it comes to patching and proper security best practices for their home computers and mobile devices. How can you secure their home IoT devices if they don't even bother to protect their laptop's data?

Chen: In Japan, we [Trend Micro] have a home security in a box [product]. It's a secure home router that will also enable home security services remotely to manage that.

We can prepare with IoT vendors to publish a patch, [such as] your refrigerator has a new patch. We can tell you how to apply a new patch. Our thinking is there [also could be] a managed service provider to enable remotely to do this for you.

In Diamond, we know that your camera is using default passwords, so we warn and guide you from a mobile app to [fix] that device.

Dark Reading: Are consumers or businesses facing a more imminent security threat with IoT?

Chen: In terms of risk, consumer is higher. It's easier to hack.

But the damage [of an attack] is much higher on the enterprise side.

An enterprise must be able to certify its equipment maker: what's your security implementation so you can at least check. You need to be able to secure information gathered by IoT devices.

Dark Reading: What specific threats do you see to IoT devices? Botnets? Other abuses?

Chen: Probably the biggest risk is that [an attacker] would want to make a big impact.

With car hacking, [for example], it's not just about targeting one person. If you target one type of model, suddenly … you could create big chaos in traffic. A certain model… suddenly all shuts down. We might see something like [the early PC] virus outbreaks, where they just want to make a big impact.

Dark Reading: How has Trend Micro's strategy evolved from traditional antivirus vendor to today?

Chen: I usually describe Trend Micro as a threat defense company. That's a category of security that has special core competence.

In threat defense, you need to understand hackers' behavior, psychology. Threat defense is something constantly changing both on vendor and customer's side, they need to constantly update it.

Dark Reading: How difficult is it to shake the AV image?

Chen: That's not a big problem for us now. Still, [some of] our competitors that are startups will say 'those are AV companies who don't know how to deal with the new threat.'

Dark Reading: Any plans for more acquisitions since the TippingPoint buy? What's next for Trend Micro in 2016?

Chen: Whenever there's a good [acquisition] opportunity, we would [not] deny it.

Our user protectoin will get next-generation endpoint capabilities. That's a big part because of our TippingPoint acquisition. And our breach detection product line is growing very fast … network security is a major growth area for Trend Micro, and our service [offerings].

Dark Reading: There's still a gap in cybersecurity talent. Are their skills for cybersecurity jobs that are not being emphasized or required that might attract more talent?

Chen: I've been challenging Trend's HR group: let's find out with our best engineers, the common traits they have. Maybe it has nothing to do with school … Why did they get into this field? Why are they so passionate about security? Do they like to read, and what kind of books? 

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
1/12/2016 | 8:40:38 PM
Yes, layer security on top, but first build it in
The three layers of defense are good, along with the a secure API to provide for updates.  But designing security into the original operation of the device is a good idea also.  See InformationWeek on the EZCast smart TV dongle. http://www.informationweek.com/iot/ezcast-smart-tv-dongle-may-threaten-home-network-security/d/d-id/1323792 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Tim Wilson speaks to two experts on vulnerability research – independent consultant Jeremiah Grossman and Black Duck Software’s Mike Pittenger – about the latest wave of vulnerabilities being exploited by online attackers