Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
1/12/2016
09:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Q&A: Trend Micro CEO Chen On IoT Security

Eva Chen on what it takes to secure IoT devices, the TippingPoint acquisition, and 'reverse-engineering' engineers.

Eva Chen has served as the CEO of Trend Micro for 11 years. She co-founded the company in 1988, and recently led Trend's $300 million acquisition of IPS vendor TippingPoint from HP. Trend Micro is now doubling down on security products and services for Internet of Things devices, including automobiles, and business and consumer IoT devices and gadgets.

Dark Reading Executive Editor Kelly Jackson Higgins recently spoke with Chen about the IoT security space and her vision for Trend as a security company of the future -- and beyond its antivirus roots.

Dark Reading: What is driving the industry's more intense focus now on Internet of Things security?

Chen:  I was driving on the highway [in a] Tesla, and the navigation system shut off. The car was still working, but the screen went blank and I didn't know where I was driving to, or how much power I had. At that point, I suddenly realized I was driving a computer with these four wheels.

Software is running inside that computer … and there's always a bug somewhere [in software]. Especially when the software is connected with the outside Internet, and then if you can access it remotely, people can attack it remotely. If a device vendor can update it remotely, then someone else can [potentially] do that, too. That's why IoT security has become such a hot topic.

IoT security is a very different ecosystem. This device market doesn't know how to manage the software security … they don't know how to patch.

Dark Reading: So how do you secure IoT devices of all sizes?

Chen: What we need to do is enable IoT device makers to easily [add security]. Have them understand how to implement secure devices.

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example. The second layer we offer is on the network … [so] you can block an attack from outside as soon as possible before it reaches [inside]. You need visibility: how many IoT devices do I have? Then are you able to block vulnerabilities on those new devices and create a signature for it. I call it next-generation IPS [intrusion prevention system]. The reason last quarter we acquired TippingPoint was because we believe IoT devices will be in the financial sector, medical and healthcare, and manufacturing.

This type of new network should be separate from the office network; they cannot be connected. It should have separate protection.

The third layer is cloud: IoT cannot do anything without the cloud. Most data is sent to the cloud and you need to have proper protection and make sure the cloud is always available. Otherwise, IoT will be lost.

Dark Reading: But patching IoT security flaws poses more of a conundrum than patching IT systems. How can it work?

Chen: That's why we talk about this next-generation IPS. Then you can buy more time if you decide to patch or not.

The next-generation IPS is a very important investment for IoT … We need to evolve to advanced detection capabilities before it reaches the network. It's not just pure signature [detection]. You need to go deeper with packet inspection, event content inspection, and sandboxes to analyze [the threat].

Dark Reading: Is there a market now emerging for IoT security products beyond IoT products baking security into their devices and systems?

Chen: It's like an 'Intel Inside.'  A device-maker is like a PC-maker, and security vendors are like an Intel [processor] inside the device, and need to figure out … this new ecosystem. Is there a way to make it scalable and deployable for device-makers to use? There are so many of them [device makers], so you need to choose which is most important.

Enterprises need to consider if IoT devices need new security policy or management, and then choose the right ones and enable them to do that.

Dark Reading: Consumers, meanwhile, are notoriously apathetic or unaware when it comes to patching and proper security best practices for their home computers and mobile devices. How can you secure their home IoT devices if they don't even bother to protect their laptop's data?

Chen: In Japan, we [Trend Micro] have a home security in a box [product]. It's a secure home router that will also enable home security services remotely to manage that.

We can prepare with IoT vendors to publish a patch, [such as] your refrigerator has a new patch. We can tell you how to apply a new patch. Our thinking is there [also could be] a managed service provider to enable remotely to do this for you.

In Diamond, we know that your camera is using default passwords, so we warn and guide you from a mobile app to [fix] that device.

Dark Reading: Are consumers or businesses facing a more imminent security threat with IoT?

Chen: In terms of risk, consumer is higher. It's easier to hack.

But the damage [of an attack] is much higher on the enterprise side.

An enterprise must be able to certify its equipment maker: what's your security implementation so you can at least check. You need to be able to secure information gathered by IoT devices.

Dark Reading: What specific threats do you see to IoT devices? Botnets? Other abuses?

Chen: Probably the biggest risk is that [an attacker] would want to make a big impact.

With car hacking, [for example], it's not just about targeting one person. If you target one type of model, suddenly … you could create big chaos in traffic. A certain model… suddenly all shuts down. We might see something like [the early PC] virus outbreaks, where they just want to make a big impact.

Dark Reading: How has Trend Micro's strategy evolved from traditional antivirus vendor to today?

Chen: I usually describe Trend Micro as a threat defense company. That's a category of security that has special core competence.

In threat defense, you need to understand hackers' behavior, psychology. Threat defense is something constantly changing both on vendor and customer's side, they need to constantly update it.

Dark Reading: How difficult is it to shake the AV image?

Chen: That's not a big problem for us now. Still, [some of] our competitors that are startups will say 'those are AV companies who don't know how to deal with the new threat.'

Dark Reading: Any plans for more acquisitions since the TippingPoint buy? What's next for Trend Micro in 2016?

Chen: Whenever there's a good [acquisition] opportunity, we would [not] deny it.

Our user protectoin will get next-generation endpoint capabilities. That's a big part because of our TippingPoint acquisition. And our breach detection product line is growing very fast … network security is a major growth area for Trend Micro, and our service [offerings].

Dark Reading: There's still a gap in cybersecurity talent. Are their skills for cybersecurity jobs that are not being emphasized or required that might attract more talent?

Chen: I've been challenging Trend's HR group: let's find out with our best engineers, the common traits they have. Maybe it has nothing to do with school … Why did they get into this field? Why are they so passionate about security? Do they like to read, and what kind of books? 

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
1/12/2016 | 8:40:38 PM
Yes, layer security on top, but first build it in
The three layers of defense are good, along with the a secure API to provide for updates.  But designing security into the original operation of the device is a good idea also.  See InformationWeek on the EZCast smart TV dongle. http://www.informationweek.com/iot/ezcast-smart-tv-dongle-may-threaten-home-network-security/d/d-id/1323792 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15246
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v...
CVE-2020-15247
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permi...
CVE-2020-15248
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the ...
CVE-2020-15249
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG ...
CVE-2020-28927
PUBLISHED: 2020-11-23
There is a Stored XSS in Magicpin v2.1 in the User Registration section. Each time an admin visits the manage user section from the admin panel, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.