Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

09:00 AM
Connect Directly

Q&A: Trend Micro CEO Chen On IoT Security

Eva Chen on what it takes to secure IoT devices, the TippingPoint acquisition, and 'reverse-engineering' engineers.

Eva Chen has served as the CEO of Trend Micro for 11 years. She co-founded the company in 1988, and recently led Trend's $300 million acquisition of IPS vendor TippingPoint from HP. Trend Micro is now doubling down on security products and services for Internet of Things devices, including automobiles, and business and consumer IoT devices and gadgets.

Dark Reading Executive Editor Kelly Jackson Higgins recently spoke with Chen about the IoT security space and her vision for Trend as a security company of the future -- and beyond its antivirus roots.

Dark Reading: What is driving the industry's more intense focus now on Internet of Things security?

Chen:  I was driving on the highway [in a] Tesla, and the navigation system shut off. The car was still working, but the screen went blank and I didn't know where I was driving to, or how much power I had. At that point, I suddenly realized I was driving a computer with these four wheels.

Software is running inside that computer … and there's always a bug somewhere [in software]. Especially when the software is connected with the outside Internet, and then if you can access it remotely, people can attack it remotely. If a device vendor can update it remotely, then someone else can [potentially] do that, too. That's why IoT security has become such a hot topic.

IoT security is a very different ecosystem. This device market doesn't know how to manage the software security … they don't know how to patch.

Dark Reading: So how do you secure IoT devices of all sizes?

Chen: What we need to do is enable IoT device makers to easily [add security]. Have them understand how to implement secure devices.

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example. The second layer we offer is on the network … [so] you can block an attack from outside as soon as possible before it reaches [inside]. You need visibility: how many IoT devices do I have? Then are you able to block vulnerabilities on those new devices and create a signature for it. I call it next-generation IPS [intrusion prevention system]. The reason last quarter we acquired TippingPoint was because we believe IoT devices will be in the financial sector, medical and healthcare, and manufacturing.

This type of new network should be separate from the office network; they cannot be connected. It should have separate protection.

The third layer is cloud: IoT cannot do anything without the cloud. Most data is sent to the cloud and you need to have proper protection and make sure the cloud is always available. Otherwise, IoT will be lost.

Dark Reading: But patching IoT security flaws poses more of a conundrum than patching IT systems. How can it work?

Chen: That's why we talk about this next-generation IPS. Then you can buy more time if you decide to patch or not.

The next-generation IPS is a very important investment for IoT … We need to evolve to advanced detection capabilities before it reaches the network. It's not just pure signature [detection]. You need to go deeper with packet inspection, event content inspection, and sandboxes to analyze [the threat].

Dark Reading: Is there a market now emerging for IoT security products beyond IoT products baking security into their devices and systems?

Chen: It's like an 'Intel Inside.'  A device-maker is like a PC-maker, and security vendors are like an Intel [processor] inside the device, and need to figure out … this new ecosystem. Is there a way to make it scalable and deployable for device-makers to use? There are so many of them [device makers], so you need to choose which is most important.

Enterprises need to consider if IoT devices need new security policy or management, and then choose the right ones and enable them to do that.

Dark Reading: Consumers, meanwhile, are notoriously apathetic or unaware when it comes to patching and proper security best practices for their home computers and mobile devices. How can you secure their home IoT devices if they don't even bother to protect their laptop's data?

Chen: In Japan, we [Trend Micro] have a home security in a box [product]. It's a secure home router that will also enable home security services remotely to manage that.

We can prepare with IoT vendors to publish a patch, [such as] your refrigerator has a new patch. We can tell you how to apply a new patch. Our thinking is there [also could be] a managed service provider to enable remotely to do this for you.

In Diamond, we know that your camera is using default passwords, so we warn and guide you from a mobile app to [fix] that device.

Dark Reading: Are consumers or businesses facing a more imminent security threat with IoT?

Chen: In terms of risk, consumer is higher. It's easier to hack.

But the damage [of an attack] is much higher on the enterprise side.

An enterprise must be able to certify its equipment maker: what's your security implementation so you can at least check. You need to be able to secure information gathered by IoT devices.

Dark Reading: What specific threats do you see to IoT devices? Botnets? Other abuses?

Chen: Probably the biggest risk is that [an attacker] would want to make a big impact.

With car hacking, [for example], it's not just about targeting one person. If you target one type of model, suddenly … you could create big chaos in traffic. A certain model… suddenly all shuts down. We might see something like [the early PC] virus outbreaks, where they just want to make a big impact.

Dark Reading: How has Trend Micro's strategy evolved from traditional antivirus vendor to today?

Chen: I usually describe Trend Micro as a threat defense company. That's a category of security that has special core competence.

In threat defense, you need to understand hackers' behavior, psychology. Threat defense is something constantly changing both on vendor and customer's side, they need to constantly update it.

Dark Reading: How difficult is it to shake the AV image?

Chen: That's not a big problem for us now. Still, [some of] our competitors that are startups will say 'those are AV companies who don't know how to deal with the new threat.'

Dark Reading: Any plans for more acquisitions since the TippingPoint buy? What's next for Trend Micro in 2016?

Chen: Whenever there's a good [acquisition] opportunity, we would [not] deny it.

Our user protectoin will get next-generation endpoint capabilities. That's a big part because of our TippingPoint acquisition. And our breach detection product line is growing very fast … network security is a major growth area for Trend Micro, and our service [offerings].

Dark Reading: There's still a gap in cybersecurity talent. Are their skills for cybersecurity jobs that are not being emphasized or required that might attract more talent?

Chen: I've been challenging Trend's HR group: let's find out with our best engineers, the common traits they have. Maybe it has nothing to do with school … Why did they get into this field? Why are they so passionate about security? Do they like to read, and what kind of books? 


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
1/12/2016 | 8:40:38 PM
Yes, layer security on top, but first build it in
The three layers of defense are good, along with the a secure API to provide for updates.  But designing security into the original operation of the device is a good idea also.  See InformationWeek on the EZCast smart TV dongle. http://www.informationweek.com/iot/ezcast-smart-tv-dongle-may-threaten-home-network-security/d/d-id/1323792 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-26
Arista’s CloudVision eXchange (CVX) server before 4.21.12M, 4.22.x before 4.22.7M, 4.23.x before 4.23.5M, and 4.24.x before 4.24.2F allows remote attackers to cause a denial of service (crash and restart) in the ControllerOob agent via a malformed control-plane packet.
PUBLISHED: 2020-10-26
AntSword contains a cross-site scripting (XSS) vulnerability in the View Site funtion. When viewing an added site, an XSS payload can be injected in cookies view which can lead to remote code execution.
PUBLISHED: 2020-10-26
This affects all versions of package pathval.
PUBLISHED: 2020-10-26
An issue was discovered in illumos before 2020-10-22, as used in OmniOS before r151030by, r151032ay, and r151034y and SmartOS before 20201022. There is a buffer overflow in parse_user_name in lib/libpam/pam_framework.c.
PUBLISHED: 2020-10-23
Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.