For Trend Micro, securing organizations against threats is a social responsibility
Raimund Genes, CTO - Trend Micro in an interview with VARINDIA highlights the cyber threats that the world faces, about its market and positioning in India and its strategy in getting an upper hand as a security company in dealing with some of the most alarming threats that organizations nowadays remain vulnerable to -
How was your experience at RSA-2016 conference this time?
There was a lot of marketing and promotional activities happening at RSA. Many anti-virus security start-ups were present about whom I had never known. If you look at the bottom-line there was nothing but a lot of money invested in advertisement and marketing. We were forced to pullout our Sandboxes but we made more money because we are established players; we know where our market is. Sandboxing is not a standalone product; it is combined with other technologies. We didn’t see the market as big as ours.
Then the APT wave was totally down and ransomware came. By the time they mentioned that they also protect against ransomware, it was too late. They portrayed themselves as a company to reach out to, when a state attacks you. However, ransomware is pure profit for cyber criminals.
This year at RSA we looked at companies using terms like consumer analytics, where when an employee changes his usual behaviour, he becomes suspicious. If you look at the start-ups you will see some of them have been bought up by established players like Trend Micro, Symantec, McAfee or Checkpoint.
Technology always keeps on changing. There is a certain wave that comes and then it goes away. Currently, we are investing more on cloud security. Few years ago, a senior person from Symantec said that AV on the desktop is dead, so let’s not invest in it anymore. I heard a few years ago from IDC that the gateway is dead but, people still invest in gateway products to filter emails and web traffic. We created this market back in the year 1999. After Intel acquired McAfee they looked at it and spoke to IDC about it and said that gateway is dead and they decided on no gateway products anymore.
For few years, our gateway products revenue was stable but we didn’t get new customers. Since, then ransomware wave came, our gateway business has gone up.
As the ransomware wave came, it has become profitable. So, the fundamental problem with the industry is that we do not create something new. Our competitor is not McAfee or Symantec; our competitors are the cyber criminals. Therefore, we must be very active because they are fast and dynamic and they change their behaviour very fast. We know a lot about malware and we all have invested in machine learning. It is important that we combine all the technologies because the bad guys will focus on machine learning, as in US there is a huge hype around it. Hence, we need a combination of technologies. Some of the technology in our product portfolio is 20 years old. Like the gateway is in use since the year 1996, its still working as it has adapted to the threat landscape.
But when you look at the new start-ups, who mainly survive on marketing, they might find a new technology and commercialise it for their benefit. But, they might not survive when the new technology wave comes. We have a wide portfolio because we are old in the industry. We knew that the desktops/PC market will decline as most people are using tabloids, mobile phones. A lot of established players still rely on consumer revenue, for instance Kaspersky, but we knew that consumer market will decline in 3-4 years. We have been able to cover it with some of our product portfolio like cloud security, AI, machine learning, network security. We must react to our competitor.
Are there any threats which are not real and just blown out of proportion?
Instead of APT (Advanced Persistent Threats) we should call it targeted attacks. Every company can today face targeted attacks by cyber criminals as they all share data on social media. Now you don’t exist if you don’t share information on social media. But, by doing so we create a big window of vulnerability. So, there is no hype in malware now, not from the big players. Customers are getting knowledgeable about it day-by- day and they know when it is over-hyped. It is better that we realise that everybody is under cyberattack, it’s not just one vector. According to me what is over-hyped is end user IOT if its beyond DDOS. DDOS is the area where governments and regulators need to pay attention because anybody can try to hijack 1million web cams using user name and password as admin and admin. We have some basic standards for routers and IOT devices, where the first thing should be that one cannot have stupid passwords. But, we still use IOT devices and they are used for DDOS.
Companies should use a checklist with the vendor pointing out all the software to use. The basic standard for IOT devices is that companies do not set easy passwords. Now-a-days we all have a digital life on mobile phones and everything is interconnected. Will we see ransomware on IoT devices? Would somebody put ransomware on your fridge? Would you pay if your fridge gets hijacked? Will you pay when your car gets a ransomware? If somebody got into the control system on your car, it will lose road certification. That’s why I don’t think a lot of people would pay. When a car gets attacked people would blame the car company and say they have not done their work, and the insurance company will say you just paid for ransomware and they are not paying. So, it’s cool when we inform the car manufacturers that such attacks can happen. We have highlighted security risks in various consumer items but it was done as a means of showcasing the possibility rather than create fear and uncertainty. Therefore, in IOT it’s about economy of scale. A lot of sales are generated in the US for security products purely based on marketing push rather than the actual need for a security software.
At Trend Micro, when we did drone hacking, it sounded cool but the hacker will always ask how much money is there in drone hacking. At CeBIT last year, we hacked sex toys because even they are connected to the internet. Will the bad guys use it? Unlikely. It is the security researchers highlighting a possibility.
We believe it’s our social responsibility to inform people about such attacks, as they might happen. We at Trend Micro are good at research and lab predictions. Last year we predicted about cyber propaganda and then two weeks later Barack Obama himself agreed on the intervention of Russia in US elections. Last year we talked about consumer market virus which is happening.
In Netherlands and Amsterdam where people cannot drive very fast, they use autonomous cars. But, these can be hijacked with cars not moving the correct path. This is the difference with autonomous cars. So, we are doing a lot of research in this area. We also do a lot of vulnerability research and we inform affected vendors. We last acquired TippingPoint and we do a lot of research around other areas, and we are now the biggest independent research team worldwide. We report a lot of vulnerabilities to the vendor, the moment there is a problem.
We protect our customers against every protection and that’s how we make money. Everybody talks about IOT but nobody talks about IIOT. Today bad guys can blow up a power generator; could shut a smart city. We just released Shodan research which is most exposed in US. Shodan is an internet database of devices which is a complete internet, it marks devices and based on the pinned behaviour it sets IOT device. Shodan pings complete internet and based on this ping behaviour, Shodan directs one to set a Linux server or a home router or an IOT device or sets a nuclear plant.
Somebody from US government once said that Shodan is a scary thing because it can show all the webcams on just a click. We are working with people from Shodan. We used Shodan database and our data scientists worked on it. We did a top ten list on public information from Shodan which showed US in the top 10 list. We did tests everywhere - Greater London, India, France except China, as access is not easy. If one wants to find vulnerable routers, firewall, ports focussing on a company they can easily do it with Shodan. So, it is a possible entry point if one needs to connect IIOT and shut down a big system. The cyber criminals haven’t found a business model to make money with it.
There are many instances where we have seen that the cyber criminals have always been a way ahead in terms of both terminologies and technologies. Maybe 15-20 years down the line companies like Trend Micro can be ahead of them. Your views on this?
We could be ahead of the cyber criminals. We already have technologies ahead of them, but with time the way technology is used changes, and we cannot do anything for that. If I would be a consultant, I would go to your company and ban every BYOD device, Andoid phones and all Windows PC. PC was the best invention for the mankind but, in terms of IT security it was the worst. Now-a-days people will do whatever they wish to do on their PCs. So, we have created the whole ecosystem and we will be facing attacks.
If you compare iOS and Android, iOS is way more difficult to crack than Android. When Google says, there is no security problem with Android, when you look at statistics with Google Play, you will not see any problem. But, what they never say at conferences is that there’s no Google Play in China and users have an option to deactivate security ecosystem and download from other places.
Using Windows in critical systems such as ATM machines, nuclear power plants or POS terminals can be disastrous unless it is used in a lock down mode, wherein no new applications are allowed to be installed by anyone into the system. Vendors often push selling anti-virus software for such systems, whereas if you just lock down the systems from installing new applications, you don’t need any anti-virus at all.
We have new functionality version in our portfolio, Deep Security 10 has application control with file integrity monitoring and file inspection unit where the server tells the administrator that the configuration has been changed. In version 10, the focus is not on Windows as it is hybrid cloud. In most of the systems which are Linux based so the application control, is fully Linux. This changes the way people work because then one cannot apply any change they must take approval before they deploy otherwise it will be stopped.
Printer security has not been talked about for a long time. Is it a real threat?
We saw incidents last year; HP doesn’t talk a lot about printer security. It says printer itself can’t be used any more to get into a company if one configures it right. In the past it was easy but look at your printer server. You better lock down all the systems but this is just a scenario. It doesn’t happen very often, but then still there are instances where it has happened. It can’t be used anymore to get into a company, because in the past it was easy to get intrusive printer and then do a lateral movement on other systems, but look at your printer server with Linux device without monitoring, not lock down. You better lock down these systems. But, think about potential return of Investment. We see a lot of Business Email Compromise (BEC) and Business Process Compromise (BPC).
Printer companies are coming up with encryption and Security features in Printer itself. But what about printer spooler which is normally a server?
Apart from providing technology security solutions of best of the breed, what kind of measures you have taken to educate your customers about the kind of insider attacks and the breach happening. How do you update your customers on regular basis to inform them about the threats?
We do this in a scalable way, so it’s been a mass development of content like threat research reports. We just released reviews, where we are very honest. A few years ago, we didn’t predict ransomware, last year we said extortion, everybody will try to blackmail you, totally right. So far we are right because, we know what we are talking about.
This is a mass education and we do not do penetration testing as we are a product company. We don’t want to be a service company either. We have tools now which help you to see something; we do some models with some selected customers at the moment. These are all test cases, because we don’t want to be a service company. We want to work with partners here, System Integrators in India. We have some in Japan, German, US because we have a lot of element. We want to be scalable.
For instance, FireEye acquired Mandiant. What I learnt from the financial communities is that FireEye is in trouble because it called itself a product company, but they provide all service. Service is not scalable. When you are a product company, you build it once and if it’s good, you could replicate software and it’s profitable. It’s better to not mix it up and we are not doing it.
We do educational programs as we have social responsibility. We train and educate kids on cyber safety, cyber risk pooling, etc. We have Internet of safety for kid’s initiative where we donate money, where we even do contests where schools could send in videos and we promote the best video.
We work with bigger consultants say Deloitte or someone like IBM, HP; we work with local System Integrators (SI’s). We work more and more with system integrators because it’s getting so complex and all our products are getting complex. For visibility in a bigger enterprise environment, we talk about SIM - Security Incident Management, we decided that we don’t do by ourselves, but we decided that we work with HP.
We just started a program for the Middle East. We don’t know when we will expand it, but so far it seems to be successful. We created a training centre in Cairo where we got people from universities who just finished computer science degree and put them through a Trend Micro product training, at our own cost. Now, we will have two of them for 6 months in Germany.
Do you see India will be able to offer IT security at global standards?
I think to manage security services will be a big thing and India being a service based country, could play an important role. US security companies are hard to trust considering the possibility of a backdoor in each one of them.
If an enterprise asks a US software vendor that will you sign a guarantee that there is no backdoor in your software for the government, they’ll never sign, because under the US law the government can force them to build some backdoor. Indian security companies have a big opportunity there because they can easily sign such a document. Even we can because we are Japanese.
We have seen a lot of companies involved in big data setting institutes to produce their own data scientists. Can we also see a similar kind of situation in the security space?
We have a lack of data scientists. We are lacking some good ones in Trend Micro. We started big data way back in the year 2005, so we have a lot of know-how and we do a lot in this space. You need to be very careful with big data because to do big data analytics you need relevant data.
I believe that companies make a mistake when they grab all the information because they think they might need in the future, and they are overwhelmed. I think they don’t have proper data scientists, and they make wrong assumptions.
Do you think India doesn’t have any strict cyber security policies?
I can’t say yes or no. For instance, when I compare Taiwan and US, Taiwan has stronger security policies than US. When we ask, who has the strongest cyber security policy on Earth, it is Singapore. Singapore government doesn’t want something bad to happen in this space so they are very strict. This may be too much but on the cyber space perspective it is good. It is also easy for them but then India is huge. EU may be a first world country in terms of many thing but it is not in terms of data security. It’s difficult to judge which company is stronger. We see more focus from cyber criminals on India because India is pouring more business.
With all the smart cities, cashless economy especially after demonetisation, it has become a heyday for the cybercriminals, what do you think?
Regulations are sometimes good and then sometimes bad. They may hinder innovation but then one also need security. When you ask EU what state-of-the-art security they have, they will say they need to be flexible. So, sometimes it gets over regulated, also for critical systems it is important. Let’s see some other critical processes like voting, in US they use electronic machines for voting and YouTube videos are available on how to hack it. In Germany for upcoming 2017 elections, no electronic voting will be done. A simple piece of paper will be used for voting. So, we as a cyber security company do research, release report and inform other companies. We are not sure if cyber criminals would do it but, we inform them to be careful. So, the regulators need to be careful and not ship a router to India with simple passwords, there must be unique password.
If we use devices as personal computers, cyber-attacks will happen. Many companies are now moving away from bring your own devices (BYOD). BYOD was cool in US and other countries earlier, and they purchased mass devices.
We at Trend Micro looked at BYOD and we decided never-ever to use them. We have 150 employees in Germany and we didn’t use it for even one. With time, companies totally lose control over the BYOD with no legal implications. For instance, in Europe when an employee brings a private device on a personal expense, company can’t force him to install a software because it his private device. We cannot win it over cybercriminal not until we use PCs.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.