Eva Chen has spent most of her professional career building security vendor TrendMicro, which she co-founded back in 1998 and currently leads as CEO. Over the years, multiple types of security challenges have emerged, from the early PC era to mobile devices and now the emerging Internet of things (IoT) landscape, where Chen sees a real need for security and an opportunity to grow her company.
"A lot of people just don't understand that IoT is really just a bunch of small computers that are all connected to the Internet," Chen told eWEEK. "All those small computers need security, but a lot of IoT device makers are not traditional IT vendors, and they lack an understanding about what security is needed."
There are many things that vendors in the IoT world have overlooked. The high-profile hack of Chrysler's Jeep Cherokee at the Black Hat 2015 security conference, which led to a recall of 1.4 million vehicles, serves as an example for Chen of what's missing from IoT security today. Among the multiple security missteps that Chrysler took were not fully encrypting data and not closing all the data ports. In the Jeep hack, security researchers were initially able to gain access to the vehicle by way of an open connection on port 6667, which they were able to find using the open-source Nmap port mapping tool.
When looking at IoT, there is also more to consider than just the device manufacturers, Chen said TrendMicro is also talking to telecom and service providers to help bring security to IoT end users. Of particular interest for telecoms is the emerging use of network functions virtualization (NFV), which can play a key role in securing IoT.
"Originally, the users and companies would buy devices and then they would choose security products on top of that," Chen said. "But in the IoT environment, it's impossible for the user to choose security on top, so therefore we have to work with the IoT vendors or the network service provider to make security happen."
Securing the Three Layers of IoT
When looking at the full IoT security landscape, there are three primary layers that need to be considered and secured, according to Chen. The first layer is the device itself, where Chen sees a need for some form of embedded security.
The second layer is the network that the IoT device uses. Whenever an IoT device communicates over a network, there needs to be some form of network security and monitoring. The network layer security can be embedded as part of a user's router, or it can be delivered as a hosted service model.
The third layer is the cloud back end that provides remote management capabilities for IoT devices. Chen advises that the IoT cloud back end has proper security measures in place to protect the privacy of user information. Enabling full IoT user privacy requires proper due diligence of security controls at all three layers, she added.
TrendMicro is going after the full IoT security stack with technologies that address the concerns of all three layers, including device, network and cloud components. Chen said that for on-device security, her company has security APIs for device makers. To address network security, TrendMicro recently acquired TippingPoint from Hewlett-Packard for $300 million. TippingPoint's network security portfolio includes intrusion prevention system (IPS) products. In the cloud, TrendMicro has cloud security products to protect infrastructure.
Security research is another area where Chen is putting her company's energies, as IoT represents an attractive target for hackers.
"Hackers go after valuable data, and therefore we have to understand what data IoT devices collect," Chen said. "Then we can focus our research on the most valuable data sources."
Looking at the broader TrendMicro business for 2016, Chen noted that the enterprise and cloud sides of the business are solid. The big challenge is the consumer segment, which represents approximately a third of TrendMicro's business. With PC shipments continuing to decline, there isn't quite as much opportunity for TrendMicro as there once was. Plus, Chen noted, the consumer mobile phone security business has not really taken off either.
"Our challenge is making sure that our IoT security technology will be a major part of our consumer security efforts," Chen said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.