Q&A: Trend Micro CEO Chen On IoT Security

Eva Chen on what it takes to secure IoT devices, the TippingPoint acquisition, and 'reverse-engineering' engineers.

Eva Chen, CEO of Trend Micro

Eva Chen has served as the CEO of Trend Micro for 11 years. She co-founded the company in 1988, and recently led Trend's $300 million acquisition of IPS vendor TippingPoint from HP. Trend Micro is now doubling down on security products and services for Internet of Things devices, including automobiles, and business and consumer IoT devices and gadgets.

Dark Reading Executive Editor Kelly Jackson Higgins recently spoke with Chen about the IoT security space and her vision for Trend as a security company of the future -- and beyond its antivirus roots.

Dark Reading: What is driving the industry's more intense focus now on Internet of Things security?

Chen:  I was driving on the highway [in a] Tesla, and the navigation system shut off. The car was still working, but the screen went blank and I didn't know where I was driving to, or how much power I had. At that point, I suddenly realized I was driving a computer with these four wheels.

Software is running inside that computer … and there's always a bug somewhere [in software]. Especially when the software is connected with the outside Internet, and then if you can access it remotely, people can attack it remotely. If a device vendor can update it remotely, then someone else can [potentially] do that, too. That's why IoT security has become such a hot topic.

IoT security is a very different ecosystem. This device market doesn't know how to manage the software security … they don't know how to patch.

Dark Reading: So how do you secure IoT devices of all sizes?

Chen: What we need to do is enable IoT device makers to easily [add security]. Have them understand how to implement secure devices.

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example. The second layer we offer is on the network … [so] you can block an attack from outside as soon as possible before it reaches [inside]. You need visibility: how many IoT devices do I have? Then are you able to block vulnerabilities on those new devices and create a signature for it. I call it next-generation IPS [intrusion prevention system]. The reason last quarter we acquired TippingPoint was because we believe IoT devices will be in the financial sector, medical and healthcare, and manufacturing.

This type of new network should be separate from the office network; they cannot be connected. It should have separate protection.

The third layer is cloud: IoT cannot do anything without the cloud. Most data is sent to the cloud and you need to have proper protection and make sure the cloud is always available. Otherwise, IoT will be lost.

Dark Reading: But patching IoT security flaws poses more of a conundrum than patching IT systems. How can it work?

Chen: That's why we talk about this next-generation IPS. Then you can buy more time if you decide to patch or not.

The next-generation IPS is a very important investment for IoT … We need to evolve to advanced detection capabilities before it reaches the network. It's not just pure signature [detection]. You need to go deeper with packet inspection, event content inspection, and sandboxes to analyze [the threat].

Dark Reading: Is there a market now emerging for IoT security products beyond IoT products baking security into their devices and systems?

Chen: It's like an 'Intel Inside.'  A device-maker is like a PC-maker, and security vendors are like an Intel [processor] inside the device, and need to figure out … this new ecosystem. Is there a way to make it scalable and deployable for device-makers to use? There are so many of them [device makers], so you need to choose which is most important.

Enterprises need to consider if IoT devices need new security policy or management, and then choose the right ones and enable them to do that.

Dark Reading: Consumers, meanwhile, are notoriously apathetic or unaware when it comes to patching and proper security best practices for their home computers and mobile devices. How can you secure their home IoT devices if they don't even bother to protect their laptop's data?

Chen: In Japan, we [Trend Micro] have a home security in a box [product]. It's a secure home router that will also enable home security services remotely to manage that.

We can prepare with IoT vendors to publish a patch, [such as] your refrigerator has a new patch. We can tell you how to apply a new patch. Our thinking is there [also could be] a managed service provider to enable remotely to do this for you.

In Diamond, we know that your camera is using default passwords, so we warn and guide you from a mobile app to [fix] that device.

Dark Reading: Are consumers or businesses facing a more imminent security threat with IoT?

Chen: In terms of risk, consumer is higher. It's easier to hack.

But the damage [of an attack] is much higher on the enterprise side.

An enterprise must be able to certify its equipment maker: what's your security implementation so you can at least check. You need to be able to secure information gathered by IoT devices.

Dark Reading: What specific threats do you see to IoT devices? Botnets? Other abuses?

Chen: Probably the biggest risk is that [an attacker] would want to make a big impact.

With car hacking, [for example], it's not just about targeting one person. If you target one type of model, suddenly … you could create big chaos in traffic. A certain model… suddenly all shuts down. We might see something like [the early PC] virus outbreaks, where they just want to make a big impact.

Dark Reading: How has Trend Micro's strategy evolved from traditional antivirus vendor to today?

Chen: I usually describe Trend Micro as a threat defense company. That's a category of security that has special core competence.

In threat defense, you need to understand hackers' behavior, psychology. Threat defense is something constantly changing both on vendor and customer's side, they need to constantly update it.

Dark Reading: How difficult is it to shake the AV image?

Chen: That's not a big problem for us now. Still, [some of] our competitors that are startups will say 'those are AV companies who don't know how to deal with the new threat.'

Dark Reading: Any plans for more acquisitions since the TippingPoint buy? What's next for Trend Micro in 2016?

Chen: Whenever there's a good [acquisition] opportunity, we would [not] deny it.

Our user protectoin will get next-generation endpoint capabilities. That's a big part because of our TippingPoint acquisition. And our breach detection product line is growing very fast … network security is a major growth area for Trend Micro, and our service [offerings].

Dark Reading: There's still a gap in cybersecurity talent. Are their skills for cybersecurity jobs that are not being emphasized or required that might attract more talent?

Chen: I've been challenging Trend's HR group: let's find out with our best engineers, the common traits they have. Maybe it has nothing to do with school … Why did they get into this field? Why are they so passionate about security? Do they like to read, and what kind of books? 


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights