A Conversation With Trend Micro's Eva Chen

Trend Micro CEO Eva Chen recently sat down with ChannelWeb Managing Editor of Technology Jennifer Hagendorf Follett to discuss the evolving security landscape and how the company plans to tackle emerging Web threats. Here are edited excerpts of the conversation.

What is it about today's Web threats that makes them so hard to defend against?

Usually [hackers] send spam mail to the user with a [compromised] URL in it. Then the user receives it, clicks on it and they go to a site. But then quietly that site is redirected to another malware site and a hosting site will download the malware. This first download usually looks very innocent, like it does nothing. But it goes to another malware site to download another component, and it will repeat that until it is compiled into a unique virus sample. Think about this: each of the samples becomes unique. Using patterns to detect it is almost impossible. Usually at the end it becomes a bot. And then the bot will receive a command from the hacker, usually to steal passwords or usernames, accounts, there are a lot of things they can do.

How long have hackers been using this model?

Almost one year. Last year, in July, was the first one. It was called Italian Job. It was the validation of this whole scheme. But for Trend Micro, for two years we have seen this trend going on, so we have been talking about Web threats. This is the new type of Web threat.

And these individual components are recognizable as threats even before they're brought together?

Right, right. We recognize the small components, we recognize the sites that will redirect users, we recognize the malware hosting site and we recognize the spam mail, so when this is all completed, the next e-mail will be blocked. So my customer will not even receive the e-mail and will not be tricked into clicking the Web site. The next customer will not even go to the compromised site, so they will not be able to download the malware. Even if they did, we've already identified all of the small components. Completing this has taken Trend Micro three years of investment for completing this in the cloud.

What's wrong with the way the security industry has been blocking threats up until now?

The [model for] the antivirus business has always been to get the virus sample, create a pattern file and deploy the pattern file to millions of computers ... But if you look at the threat landscape, in 2007 alone, 5.5 million unique new virus samples were created by the malware industry. I call it an industry now because they make more money than the AV industry. They made $8.3 billion last year. The AV industry was $6 billion. So if you look at that, creating a pattern file with 5.5 million virus signatures and deploying it to millions of computers is a very unhealthy competition for the whole industry. And it actually is not working. It's impossible, just the scale of it. That's why this time when we announce Smart Protection Network, the whole concept is that you don't need to deploy a pattern file anymore. The threat is prevented in the cloud before it reaches you. That's the only way we can stop malware and stop them from stealing critical data from customers.

How does your Smart Protection Network work?

The whole strategy of Smart Protection Network is client/cloud: On the client side, whether it's a gateway device or it's a host server or a client computer, there's a small agent sitting here that monitors traffic in the host. Whenever there's a file coming into the computer, this small agent will analyze the file and create a checksum, a checksum value, and then we send only this checksum value up to [the cloud]. It's like a DNS query. The cloud will answer and say either, "It's a good file, you can go," or "it's a bad file," which means its malware, or "it's unknown." The file doesn't need to be sent, it's just a query, so the bandwidth used is very small and the comparison is done in the cloud. The performance and the pattern file on the client is very small.

How will channel partners see this technology in Trend Micro products?

A portion of the Smart Protection Network is already in our products ... The thinner client piece will roll out to our different products in the coming year. For instance, in Q4, we will have new client protection for the enterprise. We haven't even decided the name yet, but there will be a new version of that coming out. It will be a pilot.

And that will be the first product to feature this new thinner client technology?


How well is Trend Micro positioned to deliver this kind of technology?

As it is, Trend Micro is the only one in the industry that can deliver this kind of correlation and Smart Protection Network. Why? Because you can see that it requires all of these three components: file reputation, Web reputation and e-mail reputation, all in house because you need to do correlation. Websense has Web reputation, but they don't have malware knowledge. They OEM it from Sophos. McAfee doesn't have the spam part, because they OEM it from Postini and Symantec doesn't have the reputation part. They did not put it into their client piece, where Trend Micro has already put it in for three years. So that's compared with the big players. For smaller players, this infrastructure is difficult to establish. Trend Micro is already a $900 million company, and for the past three years the money we've invested to establish the data centers and the infrastructure is significant enough for our investors to question me, "What are you spending this money for?" So it's not a small amount of investment.

What will this mean for channel partners?

It will revise the value they can provide to customers. With this type of knowledge they can provide more value to customers by merging the threat knowledge with their knowledge about customer environments. When they are matched together, they can provide the solution that is better protection and is less complex.