Trend Micro recently made multiple announcements around different elements of their IoT strategy, with a new program that leverages and publicizes Trends vulnerability research to provide IoT device makers with risk assessment services before they go to market being particularly important.
The cybersecurity industry has recently been deepening its presence around security in the Internet of Things. Trend Micro’s early experiences around the IoT have been fairly typical of companies in this space. They have recently intensified their IoT initiatives however, with a particular focus on deepening their relationships with IoT device manufacturers. This includes both deep strategic relationships with some, and the leveraging of technology from the Trend Micro family to provide broad programmatic assistance to a much larger number of manufacturers. The former is reflected in a new partnership with Moxa, while the latter is expressed in a new program that leverages the Trend Micro-associated Zero Day Initiative vulnerability research effort to provide risk assessment services for device manufacturers to identify and fix security vulnerabilities before they go to market.
“We have a multi-pronged strategy around the Internet of Things,” said Mark Nunnikhoven, the Vice President, Cloud Research at Trend Micro, who is based in their Ottawa offices. “We know the IoT will lead to a massive increase in the number of things and devices online every year, and that they are vulnerable to threats specific to the IoT. There’s no one product or approach that will address them all. We need to be able to solve all of them. Risk assessment capabilities are part of this. So is our threat intelligence research, making sure that all our products are aware, and covering the full breadth of consumer, commercial and industrial IoT protection. Partners are critical in this, both our traditional solution provider channel, and the device manufacturers themselves.”
Trend Micro’s IoT strategy has been around in some form or another for years, but has only really picked up more recently.
“The Internet of Things has been a deliberate focus at Trend Micro for the last three years or so,” Nunnikhoven said. “We have had encounters with it before that, but the big push came in the last three years.”
The IoT is still a miniscule part of Trend’s revenues.
“Right now, in terms of transaction volume, it’s still a small part of the business, but that’s not in line with the importance that either Trend Micro places on it, or the security concerns around it,” Nunnikhoven said. “In the commercial IoT space specifically, the key question is how to defend these devices, because they tend to be sealed black boxes. Most of our efforts to date have been focused on education, to make people aware of the challenges here.”
The demand right now is coming out of the commercial side.
“The consumer side just isn’t aware of it, even though Mirai, BrickerBot and other high-profile threats have targeted consumers,” Nunnikhoven indicated. “The commercial side is more aggressive in seeking solutions.”
Trend’s go-to-market strategy for IoT is fairly diverse.
“There’s quite a bit of interest from our traditional channel, although the strategies depend on the market in the region,” Nunnikhoven said. “In APAC, we went directly to the consumer IoT market with a home router. In North America, we thought it made no sense to go directly, so we partnered with companies around home routers. On the industrial side, it’s about helping manufacturers, with our Tipping Point intrusion prevention product line playing a key role.”
Strategic partnerships with vendors with a firm foothold in the Operational Technology [OT} space as well as IT is critical to this effort. Trend just announced a new strategic partnership with Moxa, a global maker of industrial networking, computing, and automation solutions. The two companies will jointly develop state-of-the-art solutions to protect Industrial Internet of Things environments like smart manufacturing and smart energy through Trend’s Technology Alliance Partner Program. The focus will initially be on a joint offering around endpoint lockdown, firewalls for OT networks, and embedded security, around edge connectivity, device management and product longevity for Industrial IoT applications. It’s still too early in the relationship for specific product announcements, Nunnikhoven indicated.
“We have a small number of these kinds of partnerships,” Nunnikhoven said. “We believe in being strategic with our strategic partnerships. We like to partner where it makes sense for both sides. Moxa has a deep expertise in their particular space. They are also willing to work back and forth and be a true partner. The mutual deep shared vision and willingness to work together to make a better end result makes for a really exciting type of partnership for us.”
Deepening strategic partnerships is at the heart of another initiative Trend Micro launched in late August, in which they announced a new program around its long-standing [13 years] Zero Day Initiative [ZDI] vulnerability research effort, which will facilitate risk assessment services for device manufacturers.
“Our strategic partnerships are a key step of our overall strategy for IoT security, and this announcement, which focuses on enabling device vendors to do IT assessments early on, is an element of this,” Nunnikhoven noted.
The new program’s definition could best be described as ‘opaque,’ with its parameters and components somewhat loosely defined. Nunnikhoven said that this is deliberate program design.
“The challenge and issues around IoT is that one company does a little bit of everything and each IoT solution has a different set of concerns,” he stated. “Because each case will be different, having very prescriptive solutions wouldn’t make sense. The ZDI is a fantastic resource of information for IoT. We wanted to highlight this expertise. While the ZDI is independent of Trend, there is still an association on the sharing side. What the program does is utilize the technology from the ZDI to help IoT manufacturers, with a service to do risk assessment, so that before they go to market with a device, they can assess possible vulnerabilities and mitigate them. It uses the ZDI’s threat intelligence to enhance their ability to do risk assessments.”
Nunnikhoven said that the program will greatly scale up what Trend had been doing before in this area.
“It is based on work we have been doing with strategic partners, in which we realized this need for a strong risk assessment capability,” he noted. “It’s something we have done with individual partners before, in small numbers, but the program can scale it up to deal with the much bigger need.”
Education is a key component of this initiative, as it has been for Trend’s IoT strategy as a whole.
“The educational effort is the biggest thing here,” Nunnikhoven said. “The new service will help people be aware of the Zero Day Initiative, and the research that Trend Micro is doing.” SCADA [Supervisory Control and Data Acquisition] control system architecture and Industrial IoT vulnerabilities have comprised around 30 per cent of submissions to the ZDI so far this year.