Trend Micro has a solid reputation for pure endpoint protection, but in recent years it’s gradually moved towards a broader product offering based around detection, control and intelligence, across multiple devices and also the network level and the cloud. What’s with the change of tack?
In the past we designed IT security systems so that the intranet was kept clean and separated from the ‘bad’ internet – that just doesn’t work anymore. Yet we still see companies investing in gateway products and yet not recognising when an intruder is already inside.
Too much emphasis on gateway defence is an outdated security model. Organisations still need them, but they also, more critically, need methods to shield their critical systems, risk management, breach detection, visibility of a network, and bringing in additional layers of protection for whatever your core assets are.
Now the focus of the cyber criminal has shifted to thinking about the whole supply chain and supplier network around the larger organisation, which is easier to exploit than the actual end goal. You could sign all the contracts with the supplier, and control security standards with all suppliers. But are you really controlling and auditing security standards or just relying on a piece of paper?
This is why you shouldn’t trust your intranet anymore, because if someone wants to get in through a third party, they will find a way. Even if you did everything possible there’s always disgruntled employees, someone who was bribed to do something, someone who didn’t pay any attention. You need to have a ‘zero trust’ network based on breach detection and looking at the traffic patterns of your supply chain.
Detection is a relatively new technology and yes it creates extra workload for the computer, but it’s a very efficient and effective way to detect you’re under attack, do necessary countermeasures and analyse.
Trend Micro collaborates with global law enforcement to help root out cybercriminals themselves, and has recently installed a permanent employee at Interpol’s cybercrime base in Singapore. Where’s the profit in that side of things?
There isn’t any. Vendors used to design solutions themselves in isolation, before seeing what sticks and what customers liked. We used to work like that, didn’t do a lot of checks, we designed based on what we knew about malware. But times have changed; now customers are a lot more knowledgeable, hackers are skilled, and you have to listen to your customer but also have an ear to what the attacks are going to do next through underground research.
It’s not our role, but we now work with law enforcement around the world, because our job is to protect our customers against malware; that’s what they’re paying us for. We’ll never wipe out cyber crime and put ourselves out of business, because as long as it’s ‘risk free’ money new malware will always come along. It’s easier to write a piece of malicious code than rob a bank, it’s easier to hide your traces and the ROI is normally higher. The challenge is that cyber criminals don’t work with any borders; it’s international.
What effect do you think the upcoming EU data protection laws will have on your customers?
It really depends on which country they’re in. In my home country of Germany the laws are very relaxed because they’ve already implemented everything on the back of recommendations, but other countries have barely applied them at all. The country that has been least compliant with the directives is actually the UK, so it’s going to be a big change here.
In Germany the main change will be the mandatory breach notification, which there has been some backlash against. Companies don’t want to be in the news for a breach. But I think it’s a good thing because it’s an incentive not to be in the news, so organisations will design better systems based on the regulation.
When you’re talking about being fined up to 5% of your yearly turnover, this makes it a boardroom topic. At the moment security practitioners have no call to justify in front of the board why they need more investment. And in hindsight, once a company has been breached the first guy fired is the CISO or security admin. It’s a sad thing because that’s the guy you slaughter, but he’s normally told the board or manager ‘we need to invest more.’ So the security and IT community should benefit.
What about on the vendor side, how do you anticipate it affecting you and the rest of the industry?
The fact that the same rules will be brought in all over the EU makes it easier for companies to exchange data; it’s clearly defined what it means to protect the data. In France ‘personal information’ has a different definition than it does in the UK or Germany, so it’s difficult to do business around the world or Europe. At the moment if you offer web products around Europe you have to adapt to different regulations and markets.
If you look at Europe, it’s the biggest trading place on Earth. It should have the same trading rules. So I think it’s really positive this is happening. A lot of companies are complaining it’ll cost money to adapt to it, but with a clear set of rules and regulations in place and everyone following the same standards it can only be good for trade.
There’s been a lot of debate about whether to revoke the safe harbour agreement with the US, since the Snowden revelations shocked a lot of Europe. For those that don’t comply, there will definitely be consequences. Germany already has the ‘no spy’ agreement you have to sign if you’re a vendor, and has already kicked out US vendors because they didn’t sign, so it has an impact.