Q&A: Trend Micro CEO Chen On IoT Security

Eva Chen on what it takes to secure IoT devices, the TippingPoint acquisition, and 'reverse-engineering' engineers.

Eva Chen has served as the CEO of Trend Micro for 11 years. She co-founded the company in 1988, and recently led Trend's $300 million acquisition of IPS vendor TippingPoint from HP. Trend Micro is now doubling down on security products and services for Internet of Things devices, including automobiles, and business and consumer IoT devices and gadgets.

Dark Reading Executive Editor Kelly Jackson Higgins recently spoke with Chen about the IoT security space and her vision for Trend as a security company of the future -- and beyond its antivirus roots.

Eva Chen, CEO of Trend Micro

Dark Reading: What is driving the industry's more intense focus now on Internet of Things security?

Chen: I was driving on the highway [in a] Tesla, and the navigation system shut off. The car was still working, but the screen went blank and I didn't know where I was driving to, or how much power I had. At that point, I suddenly realized I was driving a computer with these four wheels.

Software is running inside that computer … and there's always a bug somewhere [in software]. Especially when the software is connected with the outside Internet, and then if you can access it remotely, people can attack it remotely. If a device vendor can update it remotely, then someone else can [potentially] do that, too. That's why IoT security has become such a hot topic.

IoT security is a very different ecosystem. This device market doesn't know how to manage the software security … they don't know how to patch.

Dark Reading: So how do you secure IoT devices of all sizes?

Chen: What we need to do is enable IoT device makers to easily [add security]. Have them understand how to implement secure devices.

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example. The second layer we offer is on the network … [so] you can block an attack from outside as soon as possible before it reaches [inside]. You need visibility: how many IoT devices do I have? Then are you able to block vulnerabilities on those new devices and create a signature for it. I call it next-generation IPS [intrusion prevention system]. The reason last quarter we acquired TippingPoint was because we believe IoT devices will be in the financial sector, medical and healthcare, and manufacturing.

This type of new network should be separate from the office network; they cannot be connected. It should have separate protection.

The third layer is cloud: IoT cannot do anything without the cloud. Most data is sent to the cloud and you need to have proper protection and make sure the cloud is always available. Otherwise, IoT will be lost.

Dark Reading: But patching IoT security flaws poses more of a conundrum than patching IT systems. How can it work?

Chen: That's why we talk about this next-generation IPS. Then you can buy more time if you decide to patch or not.

The next-generation IPS is a very important investment for IoT … We need to evolve to advanced detection capabilities before it reaches the network. It's not just pure signature [detection]. You need to go deeper with packet inspection, event content inspection, and sandboxes to analyze [the threat].

Dark Reading: Is there a market now emerging for IoT security products beyond IoT products baking security into their devices and systems?

Chen: It's like an 'Intel Inside.' A device-maker is like a PC-maker, and security vendors are like an Intel [processor] inside the device, and need to figure out … this new ecosystem. Is there a way to make it scalable and deployable for device-makers to use? There are so many of them [device makers], so you need to choose which is most important.

Enterprises need to consider if IoT devices need new security policy or management, and then choose the right ones and enable them to do that.

Dark Reading: Consumers, meanwhile, are notoriously apathetic or unaware when it comes to patching and proper security best practices for their home computers and mobile devices. How can you secure their home IoT devices if they don't even bother to protect their laptop's data?

Chen: In Japan, we [Trend Micro] have a home security in a box [product]. It's a secure home router that will also enable home security services remotely to manage that.

We can prepare with IoT vendors to publish a patch, [such as] your refrigerator has a new patch. We can tell you how to apply a new patch. Our thinking is there [also could be] a managed service provider to enable remotely to do this for you.

In Diamond, we know that your camera is using default passwords, so we warn and guide you from a mobile app to [fix] that device.

Dark Reading: Are consumers or businesses facing a more imminent security threat with IoT?

Chen: In terms of risk, consumer is higher. It's easier to hack.

But the damage [of an attack] is much higher on the enterprise side.

An enterprise must be able to certify its equipment maker: what's your security implementation so you can at least check. You need to be able to secure information gathered by IoT devices.

Dark Reading: What specific threats do you see to IoT devices? Botnets? Other abuses?

Chen: Probably the biggest risk is that [an attacker] would want to make a big impact.

With car hacking, [for example], it's not just about targeting one person. If you target one type of model, suddenly … you could create big chaos in traffic. A certain model … suddenly all shuts down. We might see something like [the early PC] virus outbreaks, where they just want to make a big impact.

Dark Reading: How has Trend Micro's strategy evolved from traditional antivirus vendor to today?

Chen: I usually describe Trend Micro as a threat defense company. That's a category of security that has special core competence.

In threat defense, you need to understand hackers' behavior, psychology. Threat defense is something constantly changing both on vendor and customer's side, they need to constantly update it.

Dark Reading: How difficult is it to shake the AV image?

Chen: That's not a big problem for us now. Still, [some of] our competitors that are startups will say 'those are AV companies who don't know how to deal with the new threat.'

Dark Reading: Any plans for more acquisitions since the TippingPoint buy? What's next for Trend Micro in 2016?

Chen: Whenever there's a good [acquisition] opportunity, we would [not] deny it.

Our user protection will get next-generation endpoint capabilities. That's a big part because of our TippingPoint acquisition. And our breach detection product line is growing very fast … network security is a major growth area for Trend Micro, and our service [offerings].

Dark Reading: There's still a gap in cybersecurity talent. Are there skills for cybersecurity jobs that are not being emphasized or required that might attract more talent?

Chen: I've been challenging Trend's HR group: let's find out with our best engineers, the common traits they have. Maybe it has nothing to do with school … Why did they get into this field? Why are they so passionate about security? Do they like to read, and what kind of books? 


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Charlie Babcock,
User Rank: Ninja
1/12/2016 | 8:40:38 PM
Yes, layer security on top, but first build it in
The three layers of defense are good, along with a secure API to provide for updates. But designing security into the original operation of the device is a good idea also. See InformationWeek on the EZCast smart TV dongle. http://www.informationweek.com/iot/ezcast-smart-tv-dongle-may-threaten-home-network-security/d/d-id/1323792